Identifying and Managing Business Risks
A risk is a probability that something with an undesirable effect will occur. Risk management involves steps and policies taken by a company to eliminate these risks or reduce the possibility of their occurrence. A risk management plan is prepared to predict the risks, estimate their impact and severity, and suggest possible responses. Health Network allows clients to access the kind of healthcare services they require over the internet at the right locations. It faces several risks that can lead to losses for the company.
Health Network handles electronic transactions between various medical institutions and personnel. Operating over the internet exposes the company to various threats that can compromise company operations. The company’s production resources are co-located in, and managed by, third-party data centre vendors. The existing risk management strategy is out of date and a brand new one is required (Cleden, 2017). This is the new risk management plan for Health Network. This plan covers the risks to the company, the compliance laws and regulations affecting Health Network, the risk management task force and its roles, and the ways in which the risks discussed can be mitigated.
The Health Network risk management plan consists of the risks facing the company, an analysis of the possible impacts and the severity of those risks, the compliance laws and regulations the company must follow, the roles and responsibilities of the different stakeholders responsible for risk management, and the procedures needed to monitor, respond to, and control the risks.
Health Network must observe state and federal laws, practices and conventions to ensure clients and staff are protected from various risks. Failure to adhere to state and federal compliance laws can lead to security incidents with legal implications; failure to comply is itself a risk. Audits are done to ensure that compliance laws are met by covered entities. Clients and staff need to be assured that their information stays protected and is only available to authorized personnel (Hartmann, 2017). A number of compliance laws are relevant to Health Network’s operations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) offers rules that protect the security and privacy of covered entities. It is a national standard to ensure the security of electronic protected health information (e-PHI). HIPAA contains procedures that ensure the confidentiality and safety of information that covered entities transmit electronically. The HIPAA Security Rule provides safeguards that guide the company on how to secure covered entities:
- Security personnel – the company should designate officials to implement the security procedures.
- Information access management – role-based access that only allows authorized users to access company resources.
- Security management process – the company must put in place measures to reduce operational risks.
- Workforce training and management – proper training must be provided to the workforce regarding security, with appropriate sanctions against policy violations.
- Evaluation – the company must periodically review how well the Security Rule is observed.
Risk management processes involve several departments and individuals, each with their own responsibilities and roles. The executive leadership should be made aware of the risk management plan; management needs to know the plan in order to approve its policies. The Project Management Office needs to be involved in the plan in order to implement it. Project managers are responsible for the risk management policies and provide valuable feedback on how well the planned policies work to mitigate risks. Project teams actively work on the suggested policies. The company’s clients are valuable in suggesting possible improvements to the policies and reporting any issues they notice in the system.
Risk Mitigation Plan
A review of the current risk management plan has shown several possible risks to the company. The company could lose information because of hardware being detached from the production system.
Organization information or resources could be lost or stolen, which can expose the company to an information breach. Company assets contain login details and user credentials that belong to employees. Sensitive data stored on company assets can be compromised, resulting in financial or data losses (Nicholas, 2017). The company needs to formulate security policies to prevent theft or loss of company assets. Information stored on company-owned assets should be encrypted so that an attacker who obtains a lost or stolen machine cannot access sensitive information.
Production outages caused by events such as natural disasters, management adjustments, or unstable software could result in the loss of customers. Unpredicted events present a possible hindrance to production and are difficult to plan for because of their unpredictable nature. Company data needs to be backed up in a location away from the main servers. The company can insure itself against natural occurrences to transfer that risk away from the company. Software updates need to be run frequently to reduce the possibility of unstable software.
Company products being accessible from the internet exposes the company to internet security threats and various forms of cyber-attacks. Cyber criminals target companies that handle numerous online transactions. The company handles sensitive financial information that, in the wrong hands, can hinder operations and lead to losses for the company. To minimize the possibility of internet threats, the company needs to make sure all internet traffic is encrypted.
The company is susceptible to insider threats. Health Network employees can expose sensitive company information to unauthorized personnel. Company employees have access to the company’s assets and are well aware of the security procedures the company uses, so company assets and finances are at risk of theft by a rogue insider. The company should put in place policies that discourage insiders from going rogue; sanctions against suspicious employee behaviour will discourage insider attacks.
Regulatory changes may impact operations. A change in the law can lead to mandatory changes in company policies or operating norms. The company has limited options when it comes to serious regulatory changes, as it has to comply with the laws of the land.
- Cleden, D. (2017). Managing project uncertainty. Routledge.
- Hartmann, T., & Driessen, P. (2017). The flood risk management plan: towards spatial water governance. Journal of Flood Risk Management, 10(2), 145-154.
- Nicholas, J. M., & Steyn, H. (2017). Project management for engineering, business and technology. Routledge.