
GROUP B RISK ANALYSIS

Risk analysis is the process of defining and analyzing the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events. In IT, a risk analysis report can be used to align technology-related objectives with a company's business objectives. A risk analysis report can be either quantitative or qualitative. In quantitative risk analysis, an attempt is made to numerically determine the probabilities of various adverse events and the likely extent of the losses if a particular event takes place. Qualitative risk analysis, which is used more often, does not involve numerical probabilities or predictions of loss. Instead, the qualitative method involves defining the various threats, determining the extent of vulnerabilities and devising countermeasures should an attack occur. Risk Analysis helps you identify and manage potential problems that could undermine key business initiatives or projects. Risk is made up of two things: the probability of something going wrong, and the negative consequences that will happen if it does. You carry out a Risk Analysis by first identifying the possible threats that you face, and by then estimating the likelihood that these threats will materialize. Risk Analysis can be quite involved, and it's useful in a variety of situations. To do an in-depth analysis, you'll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, or other relevant information.

Inventory control risks affect all companies regardless of how much inventory the company carries. A small business typically has a large amount of its cash tied up in inventory. With such a large financial investment in his business, the small business person must make every effort to reduce the risks associated with carrying inventory.

TYPE OF RISK

Below are typical risks that may affect the business.

Theft

Theft remains one of the greatest risks associated with controlling inventory, especially high-value inventory. Companies spend millions of dollars each year to create inventory control policies and safeguards to prevent theft, but theft still occurs on a regular basis. Theft can occur in a number of ways. A thief may walk out of a warehouse with a carton of shoes. Some warehouses have little to no security. A thief may also use inside access to generate stamp and creative inventory adjustments that move inventory out of the inventory management system.

Lost Inventory

Lost inventory remains a thorn in the side of any company. Tight inventory control policies combined with well-trained personnel help prevent losses. Inventory acts as an asset on a company balance sheet (although some really consider it a liability). Any time inventory gets lost, the company writes that asset off the books. Remember, a company's equity equals the total of its assets minus its liabilities. Whenever a company writes off inventory, it technically reduces the equity of the company. Loss occurs in many forms, including physical loss of the product and errors during receipt of a product.

Damage

Occasionally, products get damaged during normal business operations. Some industries have a higher risk of damaged product than others. Consider the paper products industry as an example. Industries with a high rate of damaged goods put inventory control policies in place to minimize damage. For instance, in order to reduce the risk of crushed boxes, a shirt manufacturer might require a maximum stack height of four rows of cartons per pallet, even though the pallet can hold significantly more weight.

Life cycle

All products go through the following phases of market growth: introduction, growth, maturity, decline and withdrawal. These phases are known as the product life cycle.

A product entering the decline and withdrawal phase of its life cycle becomes a very high inventory risk. Manufacturers want to produce enough units and parts to meet the existing demand and fill service orders, but they do not want to get stuck with obsolete inventory. Because of the possible financial risk, companies usually implement strict inventory control policies on products entering the final two phases of their life cycle.

Shelf life

Products with a shelf life pose another inventory control risk. A walk through the local grocery store finds hundreds of products with a shelf life, from milk to eggs and meat. The shorter a product's shelf life, the greater the inventory risk. For example, bagged salad greens typically have a 10-day shelf life. For store managers, this requires very tight observation and inventory control policies. Medical device manufacturers also experience this kind of inventory control risk.

When to Use Risk Analysis

Risk analysis is useful in many situations, for example, when you're:

Planning projects, to help you anticipate and neutralize possible problems.
Deciding whether or not to move forward with a project.
Improving safety and managing potential risks in the workplace.
Preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
Planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.

ORDERING MANAGEMENT SYSTEM RISK ANALYSIS EXAMINATION

This proposed ordering management system for ShopRite Supermarket identifies the following steps to carry out risk analysis.

1. Identify Threats

The first step in Risk Analysis is to identify the existing and possible threats that you might face. These can come from many different sources. For instance:

Human - from illness, death, injury, or other loss of a key individual.
Operational - from disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
Reputational - from loss of customer or employee confidence, or damage to market reputation.
Procedural - from failures of accountability, internal systems and controls; or from fraud.
Project - from going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
Financial - from business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
Technical - from advances in technology, or from technical failure.
Natural - from weather, natural disasters, or disease.
Political - from changes in tax, public opinion, government policy, or foreign influence.
Structural - from dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

2. Estimate Risk

Once we've identified the threats the supermarket will be facing, we need to work out both the likelihood of these threats being realized, and their possible impact. One way of doing this is to make our best estimate of the probability of the event occurring, and then multiply this by the amount it will cost you to set things right if it happens. This gives you a value for the risk:

Risk Value = Probability of Event x Cost of Event

As a simple example, let's say that you've identified a risk that your rent may increase substantially. You think that there's an 80 percent chance of this happening within the next year, because your landlord has recently increased rents for other businesses. If this happens, it will cost your business an extra $500,000 over the next year. So the risk value of the rent increase is:

0.80 (Probability of Event) x $500,000 (Cost of Event) = $400,000 (Risk Value)

3. Manage Risk

Once we've identified the value of the risks the system will face, we have to come up with ways of managing them. When you do this, it's important to choose cost-effective approaches - in many cases, there's no point in spending more to eliminate a risk than the cost of the event if it occurs. So, it may be better to accept the risk than it is to use excessive resources to eliminate it. Be sensible in how you apply this, though, especially if this involves ethical decisions or affects people's safety.

The system can manage risks by:

Using existing assets - this may involve reusing or redeploying existing equipment, improving existing methods and systems, changing people's responsibilities, improving accountability and internal controls, and so on. The system can also manage risks by adding or changing things. For instance, you could do this by choosing different materials, by improving safety procedures or safety gear, or by adding a layer of security to your organization's IT systems.
Developing a contingency plan - this is where you accept a risk, but develop a plan to minimize its effects if it happens. A good contingency plan will allow you to take action immediately, and with the minimum of project control, if you find yourself in a crisis. Contingency plans also form a key part of Business Continuity Planning (BCP) or Business Continuity Management (BCM).
Investing in new resources - your Risk Analysis will help you decide whether you need to bring in additional resources to counter the risk. This can include insuring the risk; this is particularly important where the risk is so great that it can threaten your solvency.

You might also want to develop a procedural prevention plan. This defines the activities that need to take place every day, week, month, or year to monitor or mitigate the risks you've identified. For example, you may want to arrange a daily backup of computer files, yearly testing of your building's sprinkler system, or a monthly check on your organization's security system.

4. Review

Once the system has carried out a Risk Analysis and has managed risks appropriately, the system will also conduct regular reviews. This is because the costs and impacts of some risks may change, other risks may become obsolete, and new risks may appear. These reviews may involve re-doing your Risk Analysis, as well as testing systems and plans appropriately.

RISK ANALYSIS PROCESS

Regardless of the prevention techniques employed, possible threats that could arise inside or outside the organization need to be assessed. Although the exact nature of potential disasters or their resulting consequences are difficult to determine, it is beneficial to perform a comprehensive risk assessment of all threats that can realistically occur to the organization. Regardless of the type of threat, the goals of business recovery planning are to ensure the safety of customers, employees and other personnel during and following a disaster.

The relative probability of a disaster occurring should be determined. Items to consider in determining the probability of a specific disaster should include, but not be limited to: geographic location, topography of the area, proximity to major sources of power, bodies of water and airports, degree of accessibility to facilities within the organization, history of local utility companies in providing uninterrupted services, history of the area's susceptibility to natural threats, proximity to major highways which transport hazardous waste and combustible products.

Potential exposures may be classified as natural, technical, or human threats. Examples include:

Natural Threats: internal flooding, external flooding, internal fire, external fire, seismic activity, high winds, snow and ice storms, volcanic eruption, tornado, hurricane, epidemic, tidal wave, typhoon.
Technical Threats: power failure/fluctuation, heating, ventilation or air conditioning failure, malfunction or failure of CPU, failure of system software, failure of application software, telecommunications failure, gas leaks, communications failure, nuclear fallout.
Human Threats: robbery, bomb threats, embezzlement, extortion, burglary, vandalism, terrorism, civil disorder, chemical spill, sabotage, explosion, war, biological contamination, radiation contamination, hazardous waste, vehicle crash, airport proximity, work stoppage (Internal/External), computer crime.

The planning process should identify and measure the likelihood of all potential risks and the impact on the organization if that threat occurred. To do this, each department should be analyzed separately. Although the main computer system may be the single greatest risk, it is not the only important concern. Even in the most automated organizations, some departments may not be computerized or automated at all. In fully automated departments, important records remain outside the system, such as legal files, PC data, software stored on diskettes, or supporting documentation for data entry.

The impact can be rated as:

0 = No impact or interruption in operations.
1 = Noticeable impact, interruption in operations for up to 8 hours.
2 = Damage to equipment and/or facilities, interruption in operations for 8 - 48 hours.
3 = Major damage to the equipment and/or facilities, interruption in operations for more than 48 hours. All main office and/or computer center functions must be relocated.

Certain assumptions may be necessary to uniformly apply ratings to each potential threat. Following are typical assumptions that can be used during the risk assessment process:

1. Although impact ratings could range between 1 and 3 for any facility given a specific set of circumstances, ratings applied should reflect anticipated, likely or expected impact on each area.
2. Each potential threat should be assumed to be localized to the facility being rated.
3. Although one potential threat could lead to another potential threat (e.g., a hurricane could spawn tornados), no domino effect should be assumed.
4. If the result of the threat would not warrant movement to an alternate site(s), the impact should be rated no higher than a 2.
5. The risk assessment should be performed by facility.

To measure the potential risks, a weighted point rating system can be used. Each level of probability can be assigned points as follows:

Probability   Points
High          10
Medium        5
Low           1

To obtain a weighted risk rating, probability points should be multiplied by the highest impact rating for each facility. For example, if the probability of hurricanes is high (10 points) and the impact rating to a facility is 3 (indicating that a move to alternate facilities would be required), then the weighted risk factor is 30 (10 x 3). Based on this rating method, threats that pose the greatest risk (e.g., 15 points and above) can be identified.

Considerations in analyzing risk include:

1. Investigating the frequency of particular types of disasters (often versus seldom).
2. Determining the degree of predictability of the disaster.
3. Analyzing the speed of onset of the disaster (sudden versus gradual).
4. Determining the amount of forewarning associated with the disaster.
5. Estimating the duration of the disaster.
6. Considering the impact of a disaster based on two scenarios:
   a. Vital records are destroyed
   b. Vital records are not destroyed.
7. Identifying the consequences of a disaster, such as:
   a. Personnel availability
   b. Personal injuries
   c. Loss of operating capability
   d. Loss of assets
   e. Facility damage.
8. Determining the existing and required redundancy levels throughout the organization to accommodate critical systems and functions, including:
   a. Hardware
   b. Information
   c. Communication
   d. Personnel
   e. Services.
9. Estimating potential dollar loss:
   a. Increased operating costs
   b. Loss of business opportunities
   c. Loss of financial management capability
   d. Loss of assets
   e. Negative media coverage
   f. Loss of stockholder confidence
   g. Loss of goodwill
   h. Loss of income
   i. Loss of competitive edge
   j. Legal actions.
10. Estimating potential losses for each business function based on the financial and service impact and the length of time the organization can operate without this business function. The impact of a disaster related to a business function depends on the type of outage that occurs and the time that elapses before normal operations can be resumed.
11. Determining the cost of contingency planning.

DISASTER PREVENTION

Because a goal of business recovery planning is to ensure the safety of personnel and assets during and following a disaster, a critical aspect of the risk analysis process is to identify the preparedness and preventive measures in place at any point in time. Once the potential areas of high exposure to the organization are identified, additional preventative measures can be considered for implementation.

Disaster prevention and preparedness begins at the top of an organization. The attitude of senior management toward security and prevention should permeate the entire organization. Therefore, management's support of disaster planning can focus attention on good security and prevention techniques and better prepare the organization for the unwelcome and unwanted.

Disaster prevention techniques include two categories: procedural prevention and physical prevention. Procedural prevention relates to activities performed on a day-to-day, month-to-month, or annual basis, relating to security and recovery. Procedural prevention begins with assigning responsibility for overall security of the organization to an individual with adequate competence and authority to meet the challenges. The objective of procedural prevention is to define activities necessary to prevent various types of disasters and ensure that these activities are performed regularly.

Physical prevention and preparedness for disaster begins when a site is constructed. It includes special requirements for building construction, as well as fire protection for various equipment components.

Special considerations include: computer area, fire detection and extinguishing systems, record(s) protection, air conditioning, heating and ventilation, electrical supply and UPS systems, emergency procedures, vault storage area(s), archival systems.
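
The weighted point rating system from the RISK ANALYSIS PROCESS section, applied to a small register, as an added example that is not part of the original report. The facility names and individual ratings are constructed sample data; the probability points, the 0-3 impact scale, the cap of 2 when no move to an alternate site is warranted, and the 15-point cut-off come from the text.

```python
from dataclasses import dataclass

# Values taken from the text: probability points, 0-3 impact scale,
# the cap from assumption 4, and the "15 points and above" cut-off.
PROBABILITY_POINTS = {"high": 10, "medium": 5, "low": 1}
VALID_IMPACTS = (0, 1, 2, 3)
NO_RELOCATION_CAP = 2
GREATEST_RISK_THRESHOLD = 15


@dataclass(frozen=True)
class ThreatRating:
    facility: str               # assumption 5: ratings are kept per facility
    threat: str
    probability: str            # "high", "medium" or "low"
    area_impacts: tuple         # one 0-3 impact rating per area of the facility
    needs_alternate_site: bool  # would the threat force a move to another site?


def weighted_rating(r: ThreatRating) -> int:
    """Probability points multiplied by the facility's highest impact rating."""
    if r.probability not in PROBABILITY_POINTS:
        raise ValueError(f"unknown probability level: {r.probability!r}")
    if not r.area_impacts or any(i not in VALID_IMPACTS for i in r.area_impacts):
        raise ValueError(f"impact ratings must be 0-3: {r.area_impacts!r}")
    highest = max(r.area_impacts)
    # Assumption 4: without a move to an alternate site the impact is at most 2.
    if not r.needs_alternate_site:
        highest = min(highest, NO_RELOCATION_CAP)
    return PROBABILITY_POINTS[r.probability] * highest


def rank_by_facility(ratings):
    """Return {facility: [(score, threat), ...]} with the highest score first."""
    ranked = {}
    for r in ratings:
        ranked.setdefault(r.facility, []).append((weighted_rating(r), r.threat))
    for scores in ranked.values():
        scores.sort(key=lambda s: (-s[0], s[1]))
    return ranked


def greatest_risks(ratings, threshold=GREATEST_RISK_THRESHOLD):
    """Threats at or above the cut-off, as (score, facility, threat) tuples."""
    hits = [(weighted_rating(r), r.facility, r.threat) for r in ratings]
    return sorted((h for h in hits if h[0] >= threshold),
                  key=lambda h: (-h[0], h[1], h[2]))


# Constructed sample register (facility names and ratings are illustrative).
SAMPLE = [
    ThreatRating("Main store", "hurricane", "high", (3, 2), True),
    ThreatRating("Main store", "power failure/fluctuation", "medium", (2, 1), False),
    ThreatRating("Main store", "computer crime", "high", (3, 1), False),
    ThreatRating("Warehouse", "burglary", "medium", (3,), True),
    ThreatRating("Warehouse", "internal fire", "low", (3, 3), True),
]

if __name__ == "__main__":
    for facility, scores in rank_by_facility(SAMPLE).items():
        print(facility)
        for score, threat in scores:
            flag = "  <- greatest risk" if score >= GREATEST_RISK_THRESHOLD else ""
            print(f"  {score:>3}  {threat}{flag}")
```

In the sample, the "computer crime" entry is rated 3 in one area but would not force a move to an alternate site, so it is scored with an impact of 2.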

SECURITY AND CONTROL CONSIDERATIONS

Security and controls refer to all the measures adopted within an organization to safeguard assets, ensure the accuracy and reliability of records, and encourage operational efficiency and adherence to prescribed procedures. The system of internal controls also includes the measures adopted to safeguard the computer system.

The nature of internal controls is such that certain control procedures are necessary for a proper execution of other control procedures. This interdependence of control procedures may be significant because certain control objectives that appear to have been achieved may, in fact, not have been achieved because of weaknesses in other control procedures upon which they depend. Concern over this interdependence of control procedures may be greater with a computerized system than with a manual system because computer operations often have a greater concentration of functions, and certain manual control procedures may depend on automated control procedures, even though that dependence is not readily apparent.

Adequate computer internal controls are a vital aspect of an automated system. Security is an increasing concern because computer systems are increasingly complex. Particular security concerns result from the proliferation of PCs, local area networking, and on-line systems that allow more access to the mainframe and departmental computers. Modern technology provides computer thieves with powerful new electronic safecracking tools.

Computer internal controls are especially important because computer processing can circumvent traditional security and control techniques. There are two types of computer control techniques: (1) general controls that affect all computer systems, and (2) application controls that are unique to specific applications.

Important areas of concern related to general computer internal controls include: organization controls, systems development and maintenance controls, documentation controls, access controls, data and procedural controls, physical security, password security systems, communications security.

Application controls are security techniques that are unique to a specific computer application system. Application controls are classified as: input controls, processing controls, output controls.


INSURANCE CONSIDERATIONS

Adequate insurance coverage is a key consideration when developing a business recovery plan and performing a risk analysis. Having a disaster plan and testing it regularly may not, in itself, lower insurance rates in all circumstances. However, a good plan can reduce risks and address many concerns of the underwriter, in addition to affecting the cost or availability of the insurance.

Most insurance agencies specializing in business interruption coverage can provide the organization with an estimate of anticipated business interruption costs. Many organizations that have experienced a disaster indicate that their costs were significantly higher than expected in sustaining temporary operations during recovery.

Most business interruption coverages include lost revenues following a disaster. Extra expense coverage includes all additional expenses until normal operations can be resumed. However, coverages differ in the definition of resumption of services. As a part of the risk analysis, these coverages should be discussed in detail with the insurer to determine their adequacy.

To provide adequate proof of loss to an insurance company, the organization may need to contract with a public adjuster who may charge between three and ten percent of recovered assets for the adjustment fee. Asset records become extremely important as the adjustment process takes place.

Types of insurance coverages to be considered may include: computer hardware replacement, extra expense coverage, business interruption coverage, valuable paper and records coverage, errors and omissions coverage, fidelity coverage, media transportation coverage.

With estimates of the costs of these coverages, management can make reasonable decisions on the type and amount of insurance to carry. These estimates also allow management to determine to what extent the organization should self-insure against certain losses.


RECORDS

Records can be classified in one of the three following categories: vital records, important records, and useful records. Vital records are irreplaceable. Important records can be obtained or reproduced at considerable expense and only after considerable delay. Useful records would cause inconvenience if lost, but can be replaced without considerable expense.

Vital and important records should be duplicated and stored in an area protected from fire or its effects. Records kept in the computer room should be minimized and should be stored in closed metal files or cabinets. Records stored outside the computer room should be in fire-resistant file cabinets with fire resistance of at least two hours.

Protection of records also depends on the particular threat that is present. An important consideration is the speed of onset and the amount of time available to act. This could range from gathering papers hastily and exiting quickly to an orderly securing of documents in a vault. Identifying records and information is most critical for ensuring the continuity of operations.

A systematic approach to records management is also an important part of the risk analysis process and business recovery planning. Additional benefits include: reduced storage costs, expedited service, federal and state statutory compliance.

Records should not be retained only as proof of financial transactions, but also to verify compliance with legal and statutory requirements. In addition, businesses must satisfy retention requirements as an organization and employer. These records are used for independent examination and verification of sound business practices. Federal and state requirements for records retention must be analyzed. Each organization should have its legal counsel approve its own retention schedule. As well as retaining records, the organization should be aware of the specific record salvage procedures to follow for different types of media after a disaster.


CONCLUSION

The risk analysis process is an important aspect of business recovery planning. The probability of a disaster occurring in an organization is highly uncertain. Organizations should also develop written, comprehensive business recovery plans that address all the critical operations and functions of the business. The plan should include documented and tested procedures, which, if followed, will ensure the ongoing availability of critical resources and continuity of operations.

A business recovery plan, however, is similar to liability insurance. It provides a certain level of comfort in knowing that if a major catastrophe occurs, it will not result in financial disaster for the organization. Insurance, by itself, does not provide the means to ensure continuity of the organization's operations, and may not compensate for the incalculable loss of business during the interruption or the business that never returns.
