SBL Exam Focus Digest 27 (IT system risk)

Risk 1: Lack of focus on IT/IS strategy

Outcomes

– The company’s business strategy is not supported by IT/IS strategy, leading to failure

– Business opportunities missed due to poor IT/IS strategy

– Wasted resources due to lack of strategic leadership and direction

Detailed explanation:

A fundamental starting point of a well-managed and controlled information system is the development of an information systems strategy. A major risk to the long-term success of our business is our lack of strategic focus on information systems and their importance to achieving our overall business strategy. If our business strategy is not supported by, and integrated with, our information systems strategy, it is unlikely that our overall business objectives will be achieved.

Without adequate focus on the strategic importance of information systems, business opportunities such as innovation in product and service delivery are likely to be missed, which may erode our competitive advantage and allow competitors to move ahead of us. We are also likely to waste resources on ineffective systems that do not add value to the business.

 

Recommended actions

– Employ an IT director

– Align the business strategy with the IT/IS strategy

 

Detailed explanation:

A contributory factor to this lack of focus on the importance of an information systems strategy is that we do not have an IT director who can lead our information systems development. For a business of our size, and given the pace of technological change, an IT director would seem to be essential. We should therefore consider employing an IT director who would provide strategic focus and direction for our information systems, ensuring that the information systems strategy both supports and enhances the overall business strategy.

 

As stated above, business opportunities are likely to be missed as a result of poor focus on IT/IS strategy. A key recommendation is therefore that any strategy we consider in the future must be aligned with our IT/IS strategy. We should consider how our IT/IS capabilities and activities can enhance, or potentially inhibit, our strategic direction, and how we must develop our IT/IS capabilities to support it.

 

Risk 2: Cyber and data security breaches

Outcomes

– Loss of key organisational and customer data

– Severe business interruption leading to loss of business

– Damage to reputation and financial cost due to compensation and legal claims

Detailed explanation:

Cyber and data security breaches are a significant threat to modern businesses, including XX company. As an organisation, we could be vulnerable to external attackers gaining access to, or exfiltrating, our key organisational and customer data. A further considerable threat is malware (virus) infection, which could corrupt or, in the worst case, delete or disable our critical systems. The consequence of such threats is severe business interruption: in particular, our online booking facility for customers would be unable to function, leading to loss of business and dissatisfied customers.

 

Similarly, weaknesses in the physical and access controls within our information systems environment could lead to system failure or corruption of data. Allowing unauthorised or untrained staff to access our information systems could result in data breaches and in bookings or transactions being processed incorrectly. Correcting such errors will be costly and time-consuming. Consequently, any breach of the security of our information is likely to be highly damaging to our reputation and may also result in costly compensation claims from customers affected by the breach.

 

Recommended actions

– Invest in the latest cyber security systems and controls

– Implement and upgrade information systems physical and access control environment

Detailed explanation:


We must make sure that we operate patched, industry-standard firewalls and anti-malware software, backed by documented procedures. Our security systems should be tested regularly (vulnerability scanning and penetration testing), and back-ups of all our data should be taken regularly, stored separately from the live systems (off-site or offline, so that a single incident cannot destroy both), and periodically restore-tested to confirm that they can actually be recovered.

 

Access to our systems internally should be given only to authorised and trained staff. Each user's permitted level of system usage should be defined according to their role, and authentication controls such as unique user IDs and passwords (with multi-factor authentication where available) should be enforced at all times. The system should produce regular reports on system access and usage; these should be monitored by IT staff, and any exceptions (access by unknown users, actions outside a user's authority, access at unusual times, repeated failed log-ons) should be reported and investigated.
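The access-and-usage exception report recommended above can be automated. The following is an added worked example, not code from the original note or from HiLite's systems: it reads a constructed, assumed log format ("timestamp user=… action=… result=…"), checks each entry against a hypothetical authorised-user list and role permission table, and returns the exceptions IT staff should review (unauthorised user, action outside the user's authority, out-of-hours access, repeated failed log-ons). The user names, roles, actions and log lines are all invented for the example.

```python
"""Access-log exception report (added example; log format, users and roles are assumed)."""
from collections import Counter
from datetime import datetime

# Constructed: staff who have been authorised and trained, with their assigned role.
AUTHORISED_USERS = {
    "asmith": "bookings_clerk",
    "bjones": "bookings_supervisor",
    "cwong": "finance",
}

# Constructed: the actions each role is permitted to perform (LOGIN is always allowed).
ROLE_PERMISSIONS = {
    "bookings_clerk": {"VIEW_BOOKING", "CREATE_BOOKING"},
    "bookings_supervisor": {"VIEW_BOOKING", "CREATE_BOOKING", "CANCEL_BOOKING", "REFUND"},
    "finance": {"VIEW_BOOKING", "REFUND", "EXPORT_REPORT"},
}

WORK_HOURS = range(7, 20)        # 07:00-19:59 counts as normal working hours (assumed)
FAILED_LOGIN_THRESHOLD = 3       # third consecutive failure for a user raises an exception


def parse_line(line):
    """Parse one assumed-format line: '<ISO timestamp> user=<id> action=<verb> result=<OK|FAIL>'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def find_exceptions(lines):
    """Return (kind, user, raw_line) tuples for every entry that breaks the access policy."""
    exceptions = []
    failed_logins = Counter()
    for line in lines:
        rec = parse_line(line)
        user, action, result, ts = rec["user"], rec["action"], rec["result"], rec["ts"]

        # Failed log-ons are counted per user; report once when the threshold is reached.
        if action == "LOGIN" and result == "FAIL":
            failed_logins[user] += 1
            if failed_logins[user] == FAILED_LOGIN_THRESHOLD:
                exceptions.append(("repeated_failed_login", user, line))
            continue

        # Anyone not on the authorised list should never have a successful entry at all.
        role = AUTHORISED_USERS.get(user)
        if role is None:
            exceptions.append(("unauthorised_user", user, line))
            continue

        # Authorised users must stay within the actions granted to their role.
        if action != "LOGIN" and action not in ROLE_PERMISSIONS[role]:
            exceptions.append(("outside_authority", user, line))

        # Activity outside normal hours is not forbidden, but it should be reviewed.
        if ts.hour not in WORK_HOURS:
            exceptions.append(("out_of_hours", user, line))
    return exceptions


# Constructed sample log for the example (not real data).
SAMPLE_LOG = [
    "2024-03-04T08:15:22 user=asmith action=LOGIN result=OK",
    "2024-03-04T08:16:05 user=asmith action=VIEW_BOOKING result=OK",
    "2024-03-04T08:20:41 user=asmith action=REFUND result=OK",          # clerk issuing a refund
    "2024-03-04T09:02:13 user=dlee action=LOGIN result=OK",             # not an authorised user
    "2024-03-04T22:47:09 user=bjones action=CANCEL_BOOKING result=OK",  # permitted, but at 22:47
    "2024-03-04T23:10:01 user=cwong action=LOGIN result=FAIL",
    "2024-03-04T23:10:04 user=cwong action=LOGIN result=FAIL",
    "2024-03-04T23:10:09 user=cwong action=LOGIN result=FAIL",          # third failure in a row
    "2024-03-04T14:30:00 user=cwong action=EXPORT_REPORT result=OK",
]


def report_lines(lines):
    """Render the exceptions as the lines IT staff would see in the daily report."""
    return [f"{kind:<22} {user:<8} {raw}" for kind, user, raw in find_exceptions(lines)]


if __name__ == "__main__":
    for row in report_lines(SAMPLE_LOG):
        print(row)
```

The authorised-user list and role table are the "authority of systems usage" the note asks to be set; keeping them as data rather than hard-coded conditions means a change of staff or role is a change to the table, not to the monitoring logic. Real systems would read the log from the booking platform's audit trail and the user list from the identity directory instead of the constants above.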

 

Risk 3: Business continuity threat

Outcomes

– Unable to operate effectively due to no disaster recovery plan

– Loss of business/damage to reputation

– Cease to operate

 

Detailed explanation:

There is a lack of awareness at board level of how critical our information systems are to the continuity of our operations, and of the need to have plans in place that ensure business continuity should a disaster event take place.

With insufficient planning and risk assessment, it is likely that HiLite will not be ready for a business-critical event.

 

This may result in the business being unable to operate for a period of time, during which we will lose customers and revenue will be severely affected. Our reputation is also likely to be damaged if our disaster recovery plans prove ineffective or inadequate.

In the worst-case scenario, the business may not be recoverable and we could go out of business.

 

Recommended actions

The board must implement a disaster recovery plan that covers a range of potential threats to our information systems, including terrorist attacks, cyber-attacks, fire, flood or any other critical systems threat. We need to identify which disasters may occur, assess the likelihood and business impact of each, decide how quickly each critical system must be restored and how much data loss is tolerable, and ensure that we have sufficient arrangements in place to manage such an event. The plan should be tested periodically, since an untested recovery plan cannot be relied upon.

 

This reiterates a point made in a previous slide: responsibility for information systems should sit at the strategic/board level of the organisation. Our information systems should be seen not only as critically important business assets but also as key drivers of our business strategy, and it is therefore important that we have a strategic focus and direction for them.
