With the growth of technology, risk management has become necessary for organizations in order to keep their data and information safe from cyber attacks and breaches. Governance is the structure a company uses to protect its resources and to control IT decision making. Areas of risk are identified before decisions are made, and are then managed accordingly.
This report analyses the processes for risk management and response planning. It assesses the need for a top-down approach to the organization's security system, identifies the issues arising from non-compliance with an IT regulation, and describes the impacts of that non-compliance.
Risk management addresses the internal and external influences faced by an organization that make it uncertain to what extent the organization can achieve or exceed its objectives (Glendon, Clarke & McKenna, 2016). Risk management is important because without it a firm cannot define its objectives for the future. Its main purpose is to identify risks, reduce or allocate them, support better decision making, and plan responses accordingly (McNeil, Frey & Embrechts, 2015). Risk management in an information system (taking an organization such as ABC Healthcare as an example) assists in consolidating property values and claims policies, in controlling exposure of information, and in providing tracking, management and reporting capabilities that enable users to monitor and control the cost of risk management.
The process of risk management includes the management of policies, procedures and practical work on the task: establishing the context, then identifying, assessing, analyzing, treating, communicating and monitoring risks (AS/NZS ISO 31000:2009) (Marcelino-Sádaba et al, 2014). Risk management objectives:
Identifying the risk - Identifying what inhibits the ability to meet the objective, such as a prolonged IT network outage, delayed provision of important information, failure to seize a commercial opportunity, or other events that may impede meeting objectives.
Identifying the cause - The causes that may force such events to occur in the organization.
Identifying the controls - Identifying the controls that may already be in place and that are aimed at reducing the likelihood of the risk occurring in the first place (Ayyub, 2014). If the risk does occur, the measures to be taken to reduce its impact must also be justified.
Establishing the likelihood and consequence descriptions - The consequence descriptors depend on the context of the analysis. If the analysis relates to a working unit, a financial loss or the loss of a key staff member would have a greater impact on that unit.
Establishing the risk rating descriptors - These give meaning to the ratings, such as Low, Moderate, High or Extreme, which need to be decided (Pritchard & PMP, 2014).
Adding other controls - Risks that are rated High or Extreme must have additional controls applied to them, to reduce the risk rating to an acceptable level.
Making a decision - After the risk has been treated, some risks may still be rated High, and a decision must be made whether to go ahead or stop the activity.
Monitoring and review - Monitoring the risks and regular review of the risk profile play a key role in effective risk management (Aven, 2015).
Risk responses have five major points:
A top-down approach may lead to insignificant solutions when there is insufficient data in hand to identify the exact nature of the risks and what their mitigation should be.
The top-down approach has three main steps in ABC Healthcare:
First step: Risk analysis - The risk identified is an employee's misuse of a product or misbehavior towards a patient.
Second step: Attaching the risks to processes - The identified risks are attached to the entity's activity processes according to priority.
Third step: Evaluating and prioritizing risks - The major risks are prioritized and action is taken accordingly, using a two-dimensional graph (frequency/impact) in the form of a criticality matrix (Young & Leveson, 2014).
In the given organization (ABC Healthcare), the non-compliance detected is a violation of the HIPAA (Health Insurance Portability and Accountability Act) rules. Failure to comply can result in civil and criminal penalties for the organization (Kostopoulos, Gounaris & Rizomyliotis, 2014).
Training requirements for the use of new technologies are sometimes violated. Poor maintenance may cost the organization its reputation, resulting in customer loss (Kostopoulos, Gounaris & Rizomyliotis, 2014). In any health care organization, releasing unauthorized health information through carelessness, or providing one person's information to another person, is a violation of HIPAA. This sometimes happens when two or more people have similar names.
The HIPAA Act of 1996 was passed to protect an employee's health insurance coverage when people lost or changed their jobs. It has provisions that ensure the confidentiality and privacy of identifiable health information. HIPAA is enforced by the HHS Office for Civil Rights, concentrating on the Privacy and Security Rules. Enforcement of the rule began on April 14, 2003. Failures under HIPAA are penalized according to the level of the violation: I) the lowest level, where the individual is unaware of the violation, with a minimum cost of $100; II) the highest level, due to willful negligence, with a maximum cost of $50,000; III) additional charges applicable for repeat violations (Kostopoulos, Gounaris & Rizomyliotis, 2014).
Comparing and contrasting the use-of-technology policies:
SANS Institute Acceptable Use Policy | ISSA Acceptable Use Policy
Protect reports from theft, data loss or interaction with unauthorized parties | Comply with the law and the highest ethical principles
Access, use and share information only to the authorized extent | Maintain security and carry out responsibilities with honesty
Network maintenance follows the Infosec Audit Policy | Maintain the reputation of the company
Devices accessing the internet comply with the minimum access policy | Perform professional activities
Emails, passwords and the employee database are kept protected | Do not intentionally injure colleagues or the ethics of the organization
Acceptable aspects for the organization: To meet the needs of the organization, the policies that can be adopted are the SANS policies. This policy will help build stricter authority and allow more experienced people to run the process. The policy prohibits irresponsible activities around the organization (Young & Leveson, 2014). This will protect the reputation of the healthcare organization, and the IT network will be more secure against data breaches and hacking.
Conclusion:
Risk management plays an integral part in good management. Applying risk management allows better decision making and better processes, keeping data safe and avoiding all kinds of data breaches in the organization. Effective risk management therefore involves the systematic application of management policies, procedures and practices, and should include a very clear understanding of roles and responsibilities. HIPAA sets the standard for protecting sensitive patient data and refers to the standards that protect individual medical records and other PHI. Protection must be ensured, and violating these rules may lead to serious consequences.
References:
Glendon, A. I., Clarke, S., & McKenna, E. (2016). Human safety and risk management. CRC Press.
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools. Princeton University Press.
Marcelino-Sádaba, S., Pérez-Ezcurdia, A., Lazcano, A. M. E., & Villanueva, P. (2014). Project risk management methodology for small firms. International Journal of Project Management, 32(2), 327-340.
Ayyub, B. M. (2014). Risk analysis in engineering and economics. CRC Press.
Aven, T. (2015). Risk analysis. John Wiley & Sons.
Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. CRC Press.
Young, W., & Leveson, N. G. (2014). An integrated approach to safety and security based on systems theory. Communications of the ACM, 57(2), 31-35.
Kostopoulos, G., Gounaris, S., & Rizomyliotis, I. (2014). How to reduce the negative impact of customer non-compliance: an empirical study. Journal of Strategic Marketing, 22(6), 513-529.