Abstract
The main objective of the research is to determine the effect of an information system on risk management through an analysis of a real organisation. The study will be carried out through a structured survey and data will be collected using a questionnaire.
It is likely that this project will teach companies to protect themselves from loss and learn lessons from participants.
Background and the problem domain
The major concern of this paper is risk management. All organisations face uncertainties at one point or another. If left unmitigated, risks can lead to substantial losses or even ultimate failure of businesses.
Consequently, firms need to embrace certain options that can assist them in the process of handling these risks. Organisations, have limited resources that minimise the options available for risk management.
Therefore, they must resort to creative and cost effective ways of dealing with risks; one of these methods is the use of information systems.
Prior to looking at ways in which information systems relate to risk management, it is essential to outline the process of risk management. The latter term is a discipline on its own, which makes it difficult to summarise the processes involved in a small proposal.
However, in short, risk management entails nine steps. The first is characterisation of the system, which involves the characterisation of the system one is analysing.
The next step is identification of threats; these may be natural, such as hurricanes or floods; human such as cyber attacks, data loss, fire, physical weapons; environmental such as water damage, pollution or power failure.
Vulnerability identification is the third step; these are all the potential flaws that may lead to manifestation of the threat.
Thereafter, one must conduct control analysis as a fourth step. The analysis involves relating threats and vulnerabilities.
Fifth, one should perform a likelihood determination. Usually, likelihood is determined through percentages; one must quantify the possibility of manifestation of a threat against the vulnerability associated with it.
As a sixth step, the business needs to carry out an impact analysis of the threat. A threat may have an effect on the capabilities of an organisation. It may lead to financial losses or the loss of human life.
The seventh step is the actual risk determination phase. This entails the impact of a threat as measured against vulnerability and after involvement of a tangible compromise.
Risk determination precedes control recommendations that may range from mitigation, acceptance, transference, and avoidance.
Finally, an organisation ought to document the results of the findings as the ninth step.
After an analysis of what is involved in the risk management process, it is necessary to look at how this relates to information systems. Most literature on information systems and risk management tends to focus on how risk management affects information systems.
Sample cases include Birch and McEvoy (1992), Wiseman (1992) and Audit Commission (1990). While this approach is useful, it is not the point of focus of the paper. Instead, more emphasis will be given to the reverse; the role of information systems in risk management.
Some analyses have tried to look into this subject but most of them tend to dwell on specialty organisations such as finance or insurance firms. Examples of such researches include Gibson (1997), Picoult (1996) and Lawrence (1995).
This approach is too narrow to be applied to other firms in non-financial sectors such as retail, manufacturing or food. Consequently, it is necessary to expand the application of information systems in risk management to a wider range of organisations.
Some researches have also focused on the importance of information systems in risk management, but most of them are highly descriptive. A typical example was a research carried out by SANS (2006).
The company focused on general applications and IS tools used to improve risk management. Only broad discussions were made about the association between these two terminologies but relevant examples were missing in the paper.
This research will attempt to fill all the above mentioned gaps. First, it will focus on the effect of information system on risk management and not vice verse. Furthermore, it will cover an organisation that does not fall in the financial sector, so that other companies can relate to it.
Finally, the paper will not focus on common generalisations about the subject matter; instead, it will look at the successful application of IS in risk management at a chosen organisation.
Objectives
The main objective of this research is to determine how information systems improve risk management in a real organisation. When covering this main objective, some minor objectives will also be covered and they include: to determine how information systems boost risk assessment and to analyse how the effectiveness of risk control is enhanced through information systems.
Since all the minor and main research objectives will be analysed under the lens of a real organisation, then the study will set the pace for other organisations who are interested in improving their risk management efforts.
It will surpass the field of finance and assist companies in other industries as well. The paper will show the lessons learnt when merging these two concepts and thus contribute to the discipline tremendously.
Companies will protect themselves from losses and thus increase their profit margins. Some of them may even prevent closure of business as brought on by preventable threats.
Project
This research will employ the use of a structured survey. It would have been possible to use a number of other methods, but they would not have produced results in the short amount of time available for completion of the project.
Observational techniques would have been a possible approach. However, observation of a company that applies IS in risk management would be difficult to do as some things cannot be detected.
Furthermore, it would take too long to obtain results as one must wait for the occurrence of a certain action before it is documented (Creswell 2008).
A second method would have been the experimental one in which the researcher manipulates one variable so as to determine the effect of that action on another variable. The problem with this approach is that companies are unlikely to let a stranger manipulate their work in order to answer a research question.
The method is not very practical for vast test subjects such as whole organisations. If only one entity was involved, then the method would have been feasible.
Furthermore, it is too slow as manipulation of variables would take long. Sometimes it is difficult to control confounding factors in this research approach.
When carrying out the structured survey of a real organisation, data will be collected through the use of structured questionnaires. The participants will be selected from the organisation using random sampling.
They will sit in an interview with the researcher and respond to the questions in the questionnaire. This method is not flawless; some respondents may refuse to answer certain questions. Others may not have the time to spare for the interview.
Alternatively, those who participate in the interview may alter their responses in order to sound more informed than they really are. Regardless of these inadequacies, this method is quite suitable because it allows one to summarise the responses in short and precise answers.
Furthermore it is easier to conduct a quantitative analysis of the results. Respondents will not stray from the subject matter.
When studying a complex subject like risk assessment, it is best to make the data collection as structured as possible so as to get direct responses to the research questions (Dawson 2002).
The following is the schedule for project implementation: First, a thorough literature review will be done in the first two weeks of the project. This will give a general idea of the details in the questionnaire or the specific questions in the form.
In the next two weeks, the researcher will request for permission to conduct the survey in the organisation and also compile a list of questions.
This two-week interval will also involve creation of the first section of the research report; including the introduction, background to the study, objectives and research methods. The next two weeks will involve data collection where several participants will participate in structured interviews.
The next two weeks will involve data analysis of findings and confirmation or nullification of the research hypothesis. The last few weeks will involve completion of the research report (Kothari 1985).
Resources
Data for literature review will come from books on risk management and information systems. Journals on the subject matters will also be quite useful on getting direct information concerning the role of information systems in risk management.
Government and company reports done on the same subject will also be analysed. Finally, the research will also visit some websites that talk about the chosen organisation in order to provide additional information.
References
Audit Commission 1990, Preparing an information technology strategy, HMSO, London.
Birch, D & McEvoy, N 1992, ‘Risk analysis for information systems’, Journal of Information Technology, vol. 7 no 1, pp. 44-53.
Creswell, J 2008, Educational research: planning, conducting and evaluating quantitative and qualitative research, Pearson Education, Upper Saddle River, NJ.
Dawson, C 2002, Practical research methods, UBS Publishers, New York.
Gibson, M 1997, ‘Information systems for risk management’, Federal Reserve Board, pp 1-15.
Lawrence, D 1995, Aggregating credit exposures: The simulation approach, Risk Publications, London.
Kothari, C 1985, Research methodology – methods and techniques, Wiley Eastern Limited, New Delhi.
Picoult, E 1996, ‘Measuring pre-settlement credit risk on a portfolio basis’, Proceedings of a Joint Central Bank Research Conference, pp. 56.
SANS 2006, An introduction to information system risk management. Web.
Wiseman, D 1992, ‘Information economics: A practical approach to valuing information systems’, Journal of Information Technology, vol. 7 no. 3, pp. 169-179.