Introduction
Company X is a computer manufacturer. As such it is vulnerable to a series of risks within its internal environment as well as its external ones. Technology and human based factors are particularly applicable in this scenario.
Risk register
Sources
The eight sources of risk identified for Company X are: currency fluctuations, competition for the product, theft of goods, unforeseen alterations in distribution and production methods, incompetent administrators, changes in trade policy, machine failure and an earthquake. The major source of currency fluctuations is the acquisitions of foreign legal tender that will need to be converted into home currency.
In other words, this is an economic factor. Although Company X is an international company, it is still headquartered in the United States and will need to channel their profits back to the US dollar. If the exchange rate at a certain point in time is high in a foreign country, it may be low in the home country such that profits which were estimated to be high there may actually end up being very low in the US (FEMA, 20010).
Therefore, this volatility is what imposes risk the business. Competition for the product (another economic factor) stems from the fact that the computer manufacturing industry is moderately competitive. Therefore, there will be other companies that will try to offer more or less the same products and features that the company is offering and this will threaten its profitability.
Theft of goods is affected by the level of insecurity within a country. Nonetheless, any business can lose its commodities through this avenue because it is not easily predictable. Theft is essentially a human factor. Changes can occur in distribution and production of the computers thus causing obsolescence or production of inferior goods.
If a competitor creates a better way of producing goods and Company X insists on using traditional techniques, it could easily go out of business or witness a substantial loss in market share. These disruptions are technological factors. Incompetent administrators may be a source of business risk because managers or employees are subject to flaws and may not always be in a position to do what is right.
Human factors such as these represent internal factors that the company can be subjected to. Changes in trade policy stem from political factors or those ones that have been instated by a particular government. To this end, they could affect Company X’s profitability as well as its position within the computer manufacturing industry. Machine failure is a physical factor that relates to the resources owned by a particular enterprise.
Since this organization engages in production processes, it is highly dependent on machines and may experiences losses in profits because manufacturing is essential to the profitability of this company. Lastly, an earthquake stems from a natural force that can occur and cause a standstill to Company X’s operations.
Risk level
The likelihood of occurrence of the earthquake is quite relatively low because the area where Company X is headquartered has ever experienced an earthquake although this was a decade ago. Furthermore, statistics indicate that there is no predictable pattern to this. On the other hand, the severity of impact would be quite intense; this would lead to a total standstill of the company’s production processes.
Its controllability would also be quite difficult for the company. Given all these factors then the earthquake has a high risk to the business. On other hand, theft is more likely to occur than the latter. The severity of impact is also relatively serious as the firm could lose a lot in terms of its stock. However, because theft is controllable through security measures then it can be kept under check.
This means that it is highly risky if the right measures have not been instated. Changes in trade policy are quite likely to occur. However, their effects may not be as severe as the first two types of risks so this would make them low risk. Changes in production and distribution also have a very high likelihood of occurrence.
They are external factors and cannot be controlled. Even their severity of impact can be very high so utmost precedence should be given to this matter. Because of that, it is likely that this type of risk is high risk. Currency fluctuations are sometimes predictable and their impact may not be too severe. This is therefore a low risk issue. Machine failure is an internal factor; it can be controlled by continual checks and maintenance.
Its impact would be very immense to Company X; because of the ability to control it, then this kind of risk is moderate. Incompetent administrators are an internal issue; they can be controlled by hiring the right staff. However, when they do the wrong thing, this could have serious repercussions on the organization.
To this end, this is a moderate risk. Lastly, competition for the product is quite difficult to predict and it would have severe repercussions. Nonetheless, the company can stay ahead of others by taking certain steps.
Risk response
In order to reduce the damage caused by theft, certain security measures will need to be enforced. For example, all stock within the company premises will need to be placed in heavily protected premises that have strong steel structures around them.
Additionally, the company could avoid putting all its goods under one roof so that the risk is spread. It should also select a safe neighborhood that is secluded from human populations that would easily access the material. Currency fluctuation risks can be reduced by using one currency to estimate profits.
Competition for the product can be put under control by investing in research and development within the company so that it can always be ahead of its peers. Similarly, the company could deal with disruptions in the distribution and production of the products through the same avenue i.e. continual investment in research and development. Incompetent administrators can be handled by doing thorough job recruitment.
The firm can instate a policy of promoting only those employees who have served in subordinate positions so that it can be sure about the character of its administrators or so that it can avoid the possibility of hiring an unethical person. Changes in trade policy are difficult to predict and estimate.
Company X should simply acknowledge that they exist. However, to minimize the risk, it needs to look for partner countries that have a high level of political stability.
Machine failure can be mitigated by instating a continuous process of quality control which will automatically detect machine defaults that could lead to failure. Earthquakes cannot be prevented but their effects can be reduced if the company invested in a good insurance policy as well distributes its warehouses to various parts of the country so that the damage is not too severe.
How the identified risks emanates from the company’s global marketplace activities
Currency fluctuations are determined by the issue of global marketplaces. Some of the stated challenges are related to the manner in which these enterprises go about dealing with their underlying problems. Company X is an international company and it has distribution systems in various parts of the world.
Furthermore, even production is being done in more than one country. Currency fluctuations may affect the company positively if the company’s laborers come from a country with a relatively low currency value compared to that of the Dollar.
In this regard, the company can save a lot of labor costs simply because the value of the legal tender in their home country is high. On the other hand, the company can be affected negatively if the alterations are done in a manner that disfavors the Dollar. Because of this decision to select global marketplaces, the company must be ready to adjust accordingly so that it can deal with those losses that stem from currency changes.
Contingency plan
The risk under consideration is the potential disruption of business due to a tornado at the area around the company’s location. This would be the business contingency plan is such an event:
Strategic changes
The company will need to gather all its members together and ensure that every individual is around. A search will have to be instated once it has been found that some members are missing. Right after the tornado, the organization will need to make use of its food, water and medical supplies that had been stored by the firm. This will aid those who had been physically affected by the disaster or those who are in shock.
After a number of days when the physical well being of the workers has been ascertained, it would be essential to start looking into other technical aspects of the business. The company may have to use some of the inventories that it had set aside for such an occurrence.
Power lines may have been destroyed by the tornado so the company will need to resort to alternative power sources that it should already have in place before any disaster. Similarly, communication links need to be properly analyzed and reinstated.
The tornado may have destroyed its equipment so it would definitely be a good idea for the firm to keep a high level of inventories for important equipment at other locations.
It should also go back to some of the backup systems that it had put in place for its media so that crucial information is reinstated (Swartz, 1998). In this case, it is assumed that the organization already has a variety of data recovery technologies in place. It can therefore utilize them in trying to acquire information that is vital to the operation of the company.
Although the company may be subjected to a local disaster like a tornado, it still needs to continue in operation because it serves international clients. It can ensure this by taking immediate actions and midterm actions to ensure that operations continue as before. The firm should define the threshold for disaster declaration. Once the tornado has occurred, it should be declared as a disaster as soon damage has been assessed.
It should select a business continuity team which should be responsible for company changes after the tornado. There ought to be a name list and contact details of all the personnel within the organization. The stakeholders within the company and outside need to be addressed through a valid communication plan. Strategies for relocation need to be in place if the tornado had destroyed infrastructure.
Once relocation has been done then the company may actually be in a position to restore their functions. They need to do this by first starting with identification of critical services and business processes and then strategizing on how to implement it.
The company may also protect itself from dire effects of a tornado by instating measures that ensure rapid continuity. It can secure the premises and other infrastructure through reinforcement. It needs to have strategies on back up data in another location and must also possess personnel who can easily take on these tasks.
Ethical use and protection of sensitive data
Details about employees and their performance, pay or their private data can be classified as sensitive information. A tornado may cause confusion and loss of certain devices such as laptops that contain this sensitive information. The company can protect it by using encryptions and also by using a series of passwords for authorized personnel only.
Sensitive information by its very nature is very important to the running of the business so it needs to be available when possible.
The company can protect itself against power outages that may emanate from the tornado by having an automatic backup system. This type of data can be protected even in the event of a tornado through the use of digital signatures which create an atmosphere for making the material as authentic as possible (Kokolakis, 2008)
Ethical use and protection o sensitive data will be ensured through two major pathways; they include confidentiality and integrity. Confidentiality refers to the disclosure of information only to those that are authorized. In this case, if the company possesses information about credit numbers for clients, then it will ensure confidentiality by only placing it in one database and a back up.
If the information had been in many systems then it is likely that an unwarranted party may have gained access to it. Confidentiality breaches will be avoided during the disaster by placing the back up in another distant location and by recovering stolen laptops or PCs.
Integrity can ensure protection of sensitive data by preventing unprofessional or wrong alteration of information during disasters. This aspect can be ascertained by instating a system that will countercheck information after a disaster with backups.
Backup copies can be protected through a number of ways; physical controls like using cable locks and barricades can be used. Also, since technology is applicable, security cameras may be instated so as to ascertain that no individual tampers with the backup copies. Roles within the firm will be separated so as to prevent unauthorized conduction of transactions when dealing with the backups.
The backups will also be classified as public, confidential, private or sensitive and different security controls instated for each class. The sensitive and confidential information will utilize the tightest controls. These controls will include firewalls, data encryption, network detection systems for intruders and the usual passwords.
The policies that will be in place will be guidelines and standards on protecting confidential information. This will be done by instatement of certain password policies as well as corporate security policies.
Members will be told about measures that can be instated once they break the policies and similarly, recruitment strategies should involve security of confidential information by ensuring that new employees understand the importance of protecting sensitive information.
Ethical use and protection of customer records
The company may have credit card numbers for individuals that it carries online transactions with. The disaster may have caused a loss of the database that contains this information. Therefore, there may be a need to use backups. This will expose customer information to a certain level. The company can restrict access to the backups by only permitting authorized personnel to access those files.
Communication plan
In anticipation of an adverse event, communication to vendors will need to be done in order to ensure support. Communication to the IT team will be done concerning prevalence of data safeguards as well as procedures that will be followed in those scenarios.
Thereafter communication to all team members concerning inventories ought to done and planned. Fire suppression and first fire detection will also need to be communicated between administrators. Also, communication prior to an adverse event should include making plans for maintaining reserves for food and medical supplies.
Upon occurrence of the disaster, the first aspect of communication will start with the emergency services where the company will have a liaison officer who can then convey information to members of the emergency services.
After an assessment of all the damage done to the firm and identification of the functions that have come to a halt, communication will need to be made from the head of the recovery team to other members of the recovery team as well. Thereafter, the recovery team will communicate to the staff to give them information about fellow staff members who may be injured, admitted in hospital or missing.
They also need to know about the organization’s expectations from them i.e. whether they are expected to work or not. Usually, this can be done through a help line, personal calls or even local radio announcements if the staff members have already gone home.
Members of the recovery team will need to establish a decision for the next step forward and they should communicate this to employees as well as other stakeholders like suppliers and transporters. The firm cannot also ignore the public because they are an essential part of the company’s operations. It would do them a lot of good if they dispelled the rumors by constantly feeding the public with accurate information.
They can do this through the media. Lastly, there should be debriefing such that the emergency can teach the organization’s stakeholders some critical lessons from the experience. Afterwards, certain parties like insurance agents and partner organizations need to be informed about the events that have taken place within the firm (Dimattia, 2001).
Prior to an event, the communication plan needs to be tested by all members of the organization. They need to be informed about all the necessary steps that they should take with respect to communication. All the members who will carry out those activities should be identified and told about the expectations that the organization has for them in the future.
Restoring operations
If the tornado had a huge impact then there will be a need to start business operations in a fresh manner. Before this is done, the organization will need to identify all of the damage caused by the tornado. This may include injuries to staff, damages to the building, damages to the stock of the company, damages to some equipment and vehicles consumed.
The company will need to establish the minimum applications and functions that are needed and then start with the data recovery process. The next step should be to convene a recovery team. They will be given information about all the key personnel. The rest of the members will also be told about any missing groups.
The decision on the next course will be taken and there will be communication to all the concerned business partners. A review of the BCP will need to be done and all the procedures followed. It may be necessary to relocate to a second workplace site as the tornado may have destroyed conditions in the first location.
This means that all the telecommunication and infrastructure in the first site will need to be instated in the second. Thereafter, there should be replication of methods between these two sites. Various functions will be restored and respective staff put back in their positions so as to begin.
Recommendations on ways of implementing, monitoring and adjusting the BCP
A business continuity plan must be related to the business under consideration. This means that the most critical functions need to be covered in the BCP and since these functions keep changing, then one must adjust accordingly.
Issues such as staff wages, distribution, sales need to be revisited and the impact of a disaster analyzed. There should also be a re-examination of the resources that will be crucial to the recovery process. Also, the extent of damage to the business can be estimated through a continual assessment of the plan.
First of all, the plan will be implemented through the crisis command groups in conjunction with the rest of the organization. The team will be in charge of assessment of damage cost, management of movement of people to a secondary site as well the restoration of the technical components of the workplace.
On the other hand, a process of restoring lost staff will need to be done and the HR crisis team will be responsible for this. Other issues like data recovery will be done by the IT team while the actual infrastructure requirements will be done by the technical team.
An emergency can be declared on by the head of the crisis command team. This individual will be known before any disaster and in case he or she is involved in the disaster then a second command crisis team leader will be selected just so that he can remain on standby.
The plan will be monitored on an annual basis in three major areas; staff awareness, the technical solutions as well as verifications or testing. This implies that human and non human factors are dealt with adequately. It is also likely that one year would not cause undue inconveniences to the organization. The plan evaluation will be carried by the company’s top administration because they will be in a position to look at the bigger picture.
The adjustments will communicated to the company through a meeting and all the necessary adjustments will be done by allocating the tasks amongst concerned individuals. Training will be done by taking employees through a disaster recovery course. On the other hand, specific teams will be expected to know about disaster recovery in their own departments so these trainings will be done practical within the workplace through an outsourced firm.
Conclusion
Most important to the business continuity plan is the element of circular examinations. In other words, once a disaster has occurred, an organization must take the time to learn from the experience.
Otherwise, it would be pointless to invest all that time and resources only to find that there were not adequate mechanisms to deal with the disaster and then repeat the same thing again without ever really learning from it. Consistent review of the business continuity plan is always the best way of ensuring that a company’s business is not overly interrupted due to occurrence of a disaster or calamity.
Reference
Dhillon, G. (2007). Principles of information systems security. NY: Wiley and Sons.
Kokolakis, S. (2008). Information systems security. London: Chapman and Hall.
Swartz, E., Herbane, B. & Elliot, D. (1998). BCP Planning in the UK finance sector.
FEMA (2006). Purpose of standard checklist criteria in business recovery. Web.
Dimattia, S. (2001). Planning for continuity, Library journal, 32.