CORPORATE INFORMATION SYSTEM

REG # FC/MSBA/92 Q: 1 (i) What are the different sources of implementing risk? (ii) How would you address them with the application of an appropriate strategy?

What is Risk? Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organization or it may simply be embedded in the activities of the organization. An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organization benefiting from what is often referred to as the 'upside of risk'.

Benefits of risk management:

For all types of organizations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organizations need to understand the overall level of risk embedded within their processes and activities. It is important for organizations to recognize and prioritize significant risks and identify the weakest critical controls. When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organization.

Risk management principles: Risk management is a process that is underpinned by a set of principles. Also, it needs to be supported by a structure that is appropriate to the organization and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organization (as related to the size, nature and complexity of the organization), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

A summary of the risk management requirements that should be in place in order to ensure good standards of risk governance is presented by way of the following:

1: Definition of risk: It is "Effect of uncertainty on objectives". In order to assist with the application, risk is often described by an event, a change in circumstances or a consequence.

Nature and impact of risk: Risks can impact an organization in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organization, and the strategic planning horizon for an organization will typically be 3, 5 or more years. Tactics define how an organization intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organization.

Risk classification systems: An important part of analyzing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organization to identify accumulations of similar risks. A risk classification system will also enable an organization to identify which strategies, tactics and operations are most vulnerable.

Recording risk assessments: Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk.

2: Principles of risk management: Risk management is a central part of the strategic management of any organization. It is the process whereby organizations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organization, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

Risk management should be a continuous process that supports the development and implementation of the strategy of an organization. It should methodically address all the risks associated with all of the activities of the organization. In all types of undertaking, there is the potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty.

The risk management process can be presented as a list of co-ordinated activities. The 7 Rs and 4 Ts of (hazard) risk management:

1. Recognition or identification of risks
2. Ranking or evaluation of risks
3. Responding to significant risks: (i) Tolerate, (ii) Treat, (iii) Transfer, (iv) Terminate
4. Resourcing controls
5. Reaction planning
6. Reporting and monitoring risk performance
7. Reviewing the risk management

3: Achieving the benefits of ERM: The key stages in the process are represented as risk assessment & treatment.

Risk assessment: Risk identification establishes the exposure of the organization to risk and uncertainty. This requires an intimate knowledge of the organization, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. The risk analysis activity assists the effective and efficient operation of the organization by identifying those risks that require attention by management. This ranks the relative importance of each identified risk. The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts.

Risk treatment: Risk treatment is the activity of selecting and implementing appropriate control measures to modify the risk. Risk treatment includes as its major element risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. The cost-effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved.

4: Planning and designing: There are a number of factors that should be considered when designing and planning an ERM initiative. Details of the risk architecture, strategy and protocols should be recorded in a risk management policy for the organization. A risk management policy should include the following sections:

- Risk management and internal control objectives (governance)
- Statement of the attitude of the organization to risk (risk strategy)
- Description of the risk aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organization and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analyzing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year

Many organizations issue an updated version of their risk management policy each year. This ensures that the overall risk management approach is in line with current best practice. It also gives the organization the opportunity to focus on the intended benefits for the coming year, identify the risk priorities and ensure that appropriate attention is paid to emerging risks.

5: Implementing and benchmarking: Risk assessment is a fundamentally important part of the risk management process. In order to achieve a comprehensive risk management approach, an organization needs to undertake suitable and sufficient risk assessments.

Establish risk assessment procedures: Risk assessment will be required as part of the decision-making processes intended to exploit business opportunities. Likewise, risk assessment of all proposed projects should be undertaken and further risk assessments should be undertaken throughout the project. One way of ensuring that risk is part of business decision-making is to ensure that a risk assessment is attached to all strategy papers presented to the Board.

Risk assessment techniques: A range of the most common risk assessment techniques is set out below:

Questionnaires and checklists: Use of structured questionnaires and checklists to collect information to assist with the recognition of the significant risks.
Workshops and brainstorming: Collection and sharing of ideas and discussion of the events that could impact the objectives, stakeholder expectations or key dependencies.
Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures.
Flow charts and dependency analysis: Analysis of processes and operations within the organization to identify critical components that are key to success.
HAZOP and FMEA approaches: Hazard and Operability studies and Failure Modes Effects Analysis are quantitative technical failure analysis techniques.
SWOT and PESTLE analyses: Strengths Weaknesses Opportunities Threats (SWOT) and Political Economic Social Technological Legal Environmental (PESTLE) analyses offer structured approaches to risk recognition.

6: Measuring and monitoring: Monitoring and measuring extends to the evaluation of culture, performance and preparedness of the organization, as well as routine monitoring of risk performance indicators. The scope of activities covered by monitoring and measuring also includes monitoring of risk improvement recommendations and evaluation of the embedding of risk management activities in the organization. Any monitoring and measuring process should also determine whether:

- The measures adopted achieved the intended result
- The procedures adopted were efficient
- Sufficient information was available for the risk assessment
- Improved knowledge would have helped to reach better decisions
- Lessons can be learned for future assessments and controls

7: Learning and reporting: Completing the feedback loop on the risk management process involves the important steps of learning from experience and reporting on performance. There is a clear difference between measuring and monitoring risk performance and undertaking steps to learn from experience to improve the risk management process and framework. In order to learn from experience, an organization needs to review risk performance indicators and measure the contribution that enterprise risk management has made to the success of the organization. Important lessons can be learned that will assist with improving the design of the support framework and the implementation framework. External reporting should provide useful information to stakeholders on the status of risk management and the actions that are being taken to ensure continuous improvement in performance. Risk reporting provides information on historical losses and trends. However, risk disclosure is a more forward-looking activity that anticipates emerging risks.

NAME: SAAD AMEER REG # FC/MSBA/110 Q.NO: 2 Business Model Revenue, Cost and Asset options

Key Resource: Key resources are the strategic assets you need in place, and you need in place to a greater or more targeted degree than your competitors. The Business Model Canvas proposes that there are three core business types: product, scope, and infrastructure. These tend to have similar types of Key Resources.

Product-driven businesses have a differentiated product of some sort. The company that makes the popular app Angry Birds is such a company. Key resources in product-driven businesses are typically key talent in critical areas of expertise and accumulated intellectual property related to their offering.

Scope-driven businesses create some synergy around a particular Customer Segment. For example, if you started a business that would take care of all the IT needs for law firms, that would be a scope-driven business. These businesses typically have key knowledge about their segment, a repeatable set of processes, and sometimes infrastructure, like service centers.

Infrastructure-driven businesses achieve economies of scale in a specific, highly repeatable area. Telecommunications is traditionally an infrastructure business.

Revenue stream (Pricing): What the Market Will Bear: In markets where there is little or no competition, companies can employ a pricing strategy that optimizes profits. It is often called a What The Market Will Bear (WTMWB) price. This strategy sets the price based on the maximum price the market will pay for the product. On the one hand, the company wants to realize the highest profits possible in the shortest amount of time to help recoup high start-up costs, such as R&D (research and development), production, and marketing costs. On the other, it may not want its profits to be so attractive that competition enters the market within the time window it needs to build market share and establish a leadership position. This strategy typically works because those likely to buy a new product – the Innovators and Early Adopters – are not particularly price sensitive. When Johnson & Johnson launched a margarine developed in Finland that lowers cholesterol, it priced a tub of this margarine at between $5.79 and $5.99. At the same time, a tub of regular margarine sold for 99¢. Based on this pricing, which used MSD and WTMWB strategies, many speculated that J&J priced the product at 8C, which gave it a GPMT of roughly 87.5%. Apple has priced its new i-Phone 5S at $199, $299, and $399 for those that opt for a two-year contract, depending on the amount of memory the buyer chooses. Apple is using a MSD strategy in addition to a WTMWB strategy because the i-Phone has uniqueness built-in since Apple controls the platform. It also aims for a GPMT, which is not officially published, but which is in the 30 to 50% GPM range of well-positioned products in competitive markets.

Gross Profit Margin Target: In almost all cases, pricing strategies should begin with a Gross Profit Margin Targets (GPMT) strategy. Companies typically know the gross profit margin they need to pay back their expenses and generate positive net income and cash flow. Once your company knows the cost of sales (cost of goods and services sold) of a particular product and the Gross Profit Margin Target, if there is considerable uniqueness and desirability built into the product brand, your company can employ a WTMWB strategy. If not, you might consider other effective pricing strategies.

Most Significant Digit Pricing: For products that will be sold to consumers, most companies employ a Most Significant Digit (MSD) pricing strategy. Why? Studies and experience show that sales will be significantly higher if a product is priced at say Rs29.95 or Rs29.99 instead of Rs30. Most humans focus on the most significant digit – the "2" in this case. To them Rs29.95 or Rs29.99 seems a lot less than Rs30 even though it is only 1 to 5 Paisa less. Even expensive homes in Beverly Hills might sell for Rs7,995,000 rather than 8 million. There are exceptions. In upscale restaurants, it is usually a mistake to price an entrée at Rs31.95. Instead it will be priced at Rs32. For some reason, people do not think the food is as good if MSD pricing is used in a high-end restaurant.

Combining all three: If a product is positioned as unique, smart marketing companies will typically use all three of these strategies in combination.

Pricing your products: When you are pricing your products, what gives you control over the price is the uniqueness built into your positioning, or branding, strategy. If you have created a product image that is impossible, or very difficult, to copy, you can employ a WTMWB price that will give you a good GPM that enables you to achieve your desired GPMT. And, if you sell your product in a consumer market, it would be a good idea to also employ an MSD pricing strategy. For example, if you are a manufacturer that is targeting a GPM of 50% and your cost of sales is Rs15, you might consider selling the product for Rs29.95 – a nickel less than the price of 2C.

NAME: MUBEEN AHMED REG # FC/MSBA/95 Q.NO 3: What security principles will you apply on RD services' CRM system? And why? How would you manage incidents after occurrence?

Security policies for CRM system

CRM is a fertile ground for security breaches. By their nature, most CRM applications involve mobile devices, such as notebook computers that employees bring into the field, and many applications use wireless connections to talk to the server. As a general rule, any mobile device is more vulnerable to security breaches, ranging from attacks against communication links to simply having the device stolen. Here are five tips that can greatly enhance the security of your CRM system.

1. Encrypt your remote data.
2. Watch your wireless connections.
3. Consider role-based security.
4. Educate your staff.
5. Beware of phishing.

1. Encrypt your remote data. Encryption is the process of encoding messages (or information) in such a way that third parties cannot read it, but only authorized parties can. Encryption doesn't prevent hacking but it prevents the hacker from reading the data that is encrypted.

1) Do you encrypt data on laptops and other mobile devices? As a first line of defense, all confidential data on mobile devices should be encrypted. This is especially true if you use wifi or other wireless connections to transmit your data to the home office. At the very least, business-critical information should be protected by encryption. Consider using software to encrypt everything on your notebooks.

2) Do you have password protection on all mobile devices? Do you require strong passwords and frequent changes? Many organizations use combinations of numbers and letters at least six characters long and have users change them every 30 to 60 days.

3) Alternatively, do you use other, more secure, authentication methods in place of passwords? More secure authentication methods can involve separate physical keys, such as USB drives, which need to be plugged into a computer to make files accessible. This is more secure if you keep the key separate from the computer, as on a key chain in your pocket or purse — not in the computer case.

4) Do you have an independent firewall on your mobile products? Although Windows XP and Vista both come with firewalls, many experts recommend adding a more secure third-party product. A firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set. Firewalls can be defined in many ways according to your level of understanding.

2. Watch your wireless connections. Data is at its most exposed when it is in transit, especially if you're using a wireless connection.

1) Do you use the appropriate level of wifi encryption? Wifi communications can be encrypted with WPA (Wifi Protected Access) or 802.11i (IEEE 802.11i is an IEEE 802.11 amendment used to facilitate secure end-to-end communication for wireless local area networks (WLAN)) standards to make interception much more difficult. The older WEP (Wired Equivalent Privacy) standard is much less secure.

2) Do you turn off the wifi client when you're not using it? If your wifi client is left on, an intruder can try to use it to break into your computer. Turning off wifi when you don't need it is an easy way to prevent unauthorized access.

3) Do you verify SSIDs (service set identifier; it is used to uniquely identify any given wireless network) before using them? Setting up a fake SSID is one way to access a wifi session. Essentially, this involves setting up an access point on top of another wifi hot spot in such a way that there is at least an equal chance that anyone logging in through the hot spot will connect through the phony access point — which will then read and record the entire session. You may want to consider a policy of never using "open" (non password protected) wifi hot spots in airports, coffee shops and other public places to transact business.

4) Do you use VPNs (Virtual Private Networks) when available? A VPN is just what it sounds like: a private connection between your remote system and your server running over the public network. VPNs are more secure than a conventional connection. It's not always possible to have a VPN, but if your configuration allows for one, it's a good idea to use it.

5) Do you keep file and printer sharing disabled on your laptop? File and printer sharing are useful, but they also open dangerous vulnerabilities. If you aren't using them, disable them.

3. Consider role-based security. Role-based security refers to establishing a series of finely grained classifications of your employees, each with a specific bundle of access and other privileges. Employees assigned to a classification only have access to the privileges associated with that role.

1) Are your roles carefully chosen? In designing roles you should consider what employees actually do, not their position in the organization.

2) Do you use the least-access principle in defining and assigning roles? Each role should give employees the privileges they need to do their job and no more.

4. Educate your staff.

1) Do you keep employees up to date on security best practices? All the hardware in the world won't help if staff doesn't understand enough to take basic precautions to prevent systems from being compromised.

2) Do you have an ongoing security education program? Are your people made aware of the dangers of sharing, writing down passwords, etc.?

3) Are your people trained not to open attachments from unknown sources?

4) Are they taught not to add "gray ware," such as unauthorized file sharing applications, to their systems?

5. Beware of phishing. Phishing and its variants are a major source of security breaches. While the idea of phishing is common knowledge, it still succeeds because organizations don't make a point of alerting their employees to the dangers. Most people know that phishing involves sending phony email messages with the aim of getting the victim to submit confidential information such as credit card numbers or account details. However, many people aren't aware of the specific danger signs of phishing emails. For example, government agencies or banks will never ask you to submit confidential information in an email. You should have a policy for dealing with suspicious emails and make sure your employees are aware of what constitutes a "suspicious" email.

Remote desktop

A remote desktop is a separate program or feature found on most operating systems that allows a user to access an operating computer system's desktop. The access occurs via the Internet or through another network in another geographical location and allows users to interact with that system as if they were physically at their own computer. USB devices with the ability to recreate a remote user's desktop are commonly called secure portable offices.

How secure is Windows Remote Desktop? Remote Desktop sessions operate over an encrypted channel, preventing anyone from viewing your session by listening on the network. However, there is a vulnerability in the method used to encrypt sessions in earlier versions of RDP. This vulnerability can allow unauthorized access to your session using a man-in-the-middle attack. Remote Desktop can be secured using SSL/TLS in Windows Vista, Windows 7, and Windows Server 2003/2008. While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, any time Administrator access to a system is granted remotely there are risks. The following tips will help to secure Remote Desktop access to both desktops and servers that you support.

Basic Security Tips for Remote Desktop

1. Use strong passwords. Use a strong password on any accounts with access to Remote Desktop. This should be considered a required step before enabling Remote Desktop. Refer to the campus password complexity guidelines for tips.

2. Update your software. One advantage of using Remote Desktop rather than 3rd party remote admin tools is that components are automatically updated to the latest security fixes in the standard Microsoft patch cycle. Make sure you are running the latest versions of both the client and server software by enabling and auditing automatic Microsoft Updates. If you are using Remote Desktop clients on other platforms, make sure they are still supported and that you have the latest versions. Older versions may not support high encryption and may have other security flaws.

3. Restrict access using firewalls. Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389). Using an RDP Gateway is highly recommended for restricting RDP access to desktops and servers (see discussion below). As an alternative to support off-campus connectivity, you can use the campus VPN software to get a campus IP address, and add the campus VPN network address pool to your RDP firewall exception rule.

4. Enable Network Level Authentication. Windows Vista, Windows 7, and Windows Server 2008 also provide Network Level Authentication (NLA) by default. It is best to leave this in place, as NLA provides an extra level of authentication before a connection is established. You should only configure Remote Desktop servers to allow connections without NLA if you use Remote Desktop clients on other platforms that don't support it.
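The settings behind tips 3 and 4 can be audited and applied from a script. The following PowerShell is an added example, not code from the original page or from any campus guideline it draws on. It assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets); the VPN address pool 10.10.0.0/16 and the rule name 'RDP from campus VPN' are placeholders. It reads the TLS and NLA settings from the RDP-Tcp registry key, reports whether the RDP port is still reachable from any address, and can apply the baseline.

```powershell
# Added example, not code from the original page: audits and applies the
# firewall scoping (tip 3) and TLS + Network Level Authentication (tip 4)
# settings on a Windows host. Assumes an elevated PowerShell 5.1+ session on
# Windows 8 / Server 2012 or later. VPN pool and rule name are placeholders.

$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$VpnPool  = '10.10.0.0/16'          # assumed campus VPN address pool
$RuleName = 'RDP from campus VPN'   # assumed name for the scoped allow rule

function Get-RdpSecurityState {
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
    # UserAuthentication: 1 = NLA required before a session is established.
    $p = Get-ItemProperty -Path $RdpKey
    $port = if ($p.PortNumber) { [int]$p.PortNumber } else { 3389 }
    [pscustomobject]@{
        Port        = $port
        TlsOnly     = ($p.SecurityLayer -eq 2)
        NlaRequired = ($p.UserAuthentication -eq 1)
    }
}

function Test-RdpSecurityBaseline {
    # Read-only report; returns $true only when every check passes.
    $state  = Get-RdpSecurityState
    $scoped = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $from   = if ($scoped) { ($scoped | Get-NetFirewallAddressFilter).RemoteAddress } else { 'no rule' }
    # The built-in "Remote Desktop" rules allow any remote address; they should be off.
    $anyAddr = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    $report = [pscustomobject]@{
        Port             = $state.Port
        TlsOnly          = $state.TlsOnly
        NlaRequired      = $state.NlaRequired
        AllowedFrom      = $from
        OpenToAnyAddress = $anyAddr
    }
    $report | Format-List | Out-String | Write-Host
    return ($state.TlsOnly -and $state.NlaRequired -and $scoped -and -not $anyAddr)
}

function Set-RdpSecurityBaseline {
    # Tip 4: require TLS and NLA. Tip 3: allow the RDP port only from the VPN pool.
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    $port = (Get-RdpSecurityState).Port
    # Replace any earlier copy of our rule, then disable the unscoped built-in ones.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $VpnPool -Action Allow | Out-Null
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

# Report only by default; call Set-RdpSecurityBaseline deliberately once the pool is right.
if (-not (Test-RdpSecurityBaseline)) { Write-Warning 'RDP transport baseline not met' }
```

Run Test-RdpSecurityBaseline first and read the report. Set-RdpSecurityBaseline disables the built-in Remote Desktop allow rules, so apply it from the console or from an address inside the VPN pool; a session coming from anywhere else is the first one the new rule cuts off.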

5. Limit users who can log in using Remote Desktop. By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring RDP service. For Departments that manage many machines remotely, remove the local Administrator account from RDP access and add a technical group instead.

1. Click Start-->Programs-->Administrative Tools-->Local Security Policy
2. Under Local Policies-->User Rights Assignment, go to "Allow logon through Terminal Services" or "Allow logon through Remote Desktop Services"
3. Remove the Administrators group and leave the Remote Desktop Users group.
4. Use the System control panel to add users to the Remote Desktop Users group.

A typical MS operating system will have the following setting by default as seen in the Local Security Policy. The problem is that "Administrators" is here by default, and your "Local Admin" account is in Administrators. Although a password convention to avoid identical local admin passwords on the local machine and tightly controlling access to these passwords or conventions is recommended, using a local admin account to work on a machine remotely does not properly log and identify the user using the system. It is best to override the local security policy with a Group Policy Setting. To control access to the systems even more, using "Restricted Groups" via Group Policy is also helpful. If you use a "Restricted Group" setting to place your group, e.g. "CAMPUS\LAW-TECHIES", into "Administrators" and "Remote Desktop Users", your techies will still have administrative access remotely, but using the steps above, you have removed the problematic "local administrator account" having RDP access. Going forward, whenever new machines are added in the OU under the GPO, your settings will be correct.

6. Set an account lockout policy. By setting your computer to lock an account for a period of time after a number of incorrect guesses, you will help prevent hackers from using automated password guessing tools to gain access to your system (this is known as a "brute-force" attack). To set an account lockout policy:

1. Go to Start-->Programs-->Administrative Tools-->Local Security Policy
2. Under Account Policies-->Account Lockout Policies, set values for all three options. 3 invalid attempts with 3 minute lockout durations are reasonable choices.
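Tips 5 and 6 can be audited the same way. This PowerShell is an added example, not code from the original page. It assumes an elevated PowerShell 5.1 session with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later); the only fixed values are the well-known SIDs S-1-5-32-544 (BUILTIN\Administrators) and S-1-5-32-555 (BUILTIN\Remote Desktop Users). It exports the local security policy with secedit to see who holds the "Allow log on through Remote Desktop Services" right, lists the Remote Desktop Users group, and parses the lockout policy from net accounts; Set-AccountLockoutPolicy applies the 3 attempts / 3 minutes values from step 2 above.

```powershell
# Added example, not code from the original page: audits tips 5 and 6 above
# on a Windows host. Assumes an elevated PowerShell 5.1 session with the
# LocalAccounts module. SIDs are the well-known Administrators and
# Remote Desktop Users group SIDs.

$AdminsSid   = 'S-1-5-32-544'
$RdpUsersSid = 'S-1-5-32-555'

function Get-RemoteLogonRightHolders {
    # secedit writes the right as: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $inf | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
        if (-not $line) { return @() }
        $values = ($line -split '=', 2)[1]
        return @($values -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-LockoutPolicy {
    # Parses the three lockout lines of "net accounts" into a hashtable.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Lockout threshold|Lockout duration \(minutes\)|Lockout observation window \(minutes\)):\s*(.+)$') {
            $policy[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $policy
}

function Set-AccountLockoutPolicy {
    param([int]$Threshold = 3, [int]$DurationMinutes = 3)
    # Same settings as Account Policies --> Account Lockout Policy in step 2 above.
    # Windows requires the observation window to be no longer than the lockout
    # duration, so all three values are set together.
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$DurationMinutes | Out-Null
}

function Get-RdpLogonAudit {
    $holders = Get-RemoteLogonRightHolders
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
    $lockout = Get-LockoutPolicy
    [pscustomobject]@{
        AdministratorsCanRdp = ($holders -contains $AdminsSid)     # should be False after step 3
        RdpUsersCanRdp       = ($holders -contains $RdpUsersSid)   # should be True
        RemoteDesktopUsers   = @($members)                         # everyone here can log on via RDP
        LockoutThreshold     = $lockout['Lockout threshold']       # "Never" means no lockout is set
        LockoutDurationMin   = $lockout['Lockout duration (minutes)']
    }
}

Get-RdpLogonAudit | Format-List
```

Where the machines are under the Group Policy described above, the secedit export reflects the effective (GPO-overridden) setting, so the same audit confirms that the "Restricted Groups" policy has actually removed Administrators from the right on each host.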