Risk Assessment Of All World Airways Using The COBIT Framework
Information Systems-Strategy & Consulting | 10-Aug-2014
ATLAS CONSULTING GROUP
Amaresh Ch. Panda
Sri Valli T.
Task 1 - Compile a list of risks for each of the five areas identified by the CFO for the risk assessment. Group thoughts by section, using the details that Don has provided, understanding of the COBIT risk management issues and understanding of IT issues.
The CFO has identified 5 chief areas under which the risks need to be grouped. The ACG has identified the following list of risks under each category –
The most prominent risk that the company is faced with is the inexperience…
• Legacy systems unable to cope with modern demands.
• Parts of applications that are not outsourced have to be developed internally – the limited internal expertise poses a risk.
• Data security in an outsourced scenario.
• Compliance with PCI DSS and other regulatory requirements such as the Sarbanes-Oxley Act.
Financial Risk
• Contractual obligations of the leased data centers.
• Risk of the outsourced company undergoing financial distress.
• High investment in internal IT systems.
• Financial obligations in case of breach of security.
• Future losses impeding investment in IT (the company has incurred losses for each of the past 6 quarters).
Human Resources Risk
• Outsourcing might leave AWA employees jobless.
• Laid-off AWA employees will find it difficult to find new jobs because of the economic slump.
• Internal applications developed in COBOL that cannot be outsourced carry a maintenance risk because COBOL programmers are scarce.
• European work rules make laying off workers difficult – hence the outsourcing might proceed slowly enough to become unprofitable.
• The culture of the outsourcing company might be incompatible with AWA.
• The competitors have already outsourced their IT applications – they have a first mover…
Past events have taught us that some events are very likely to occur – for example, infection of IT systems by a virus – whereas an earthquake resulting in catastrophic failure is highly unlikely, though not impossible.
Significance – The significance of a risk/event is measured by the extent to which it affects business operations. For example, laying off workers, which is an HR risk, will not greatly affect the normal operation of the business – hence it is of low significance. On the other hand, a regulatory compliance failure tarnishes the company's image badly and is therefore a high-significance event.
Using the above risk/ranking matrix, each risk in each category has been ranked according to both its likelihood of occurrence and its significance –
IT Risks Ranking
Catastrophic failure of IT systems. 7
Legacy systems unable to cope with modern demands. 6
Limited internal expertise. 5
Data security in an outsourced scenario. 8
Compliance with PCI DSS and other regulatory requirements such as the Sarbanes-Oxley Act. 9
Financial Risks Ranking
Contractual obligations of the leased data centers.