Risk Management in Business: A Case Study
Disclaimer: This dissertation has been submitted by a student. This is not an example of the work written by our professional dissertation writers.
Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UK Essays.
Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and activities can be defined as a disaster.
Companies can experience many different threats to their mission-critical systems, ranging from fires, floods, lightning storms and humidity to disgruntled employees, hackers, human error, power failures and viruses. A disaster can happen at any time, and it is vital to be prepared in the event that one occurs.
To be prepared for a business interruption, the organization must have a carefully crafted and comprehensive plan that describes risks, impacts, and step-by-step recovery strategies for critical business processes in various disaster and emergency scenarios. Without a plan, the team will be flying blind when an interruption occurs. The plan provides the necessary tools to mitigate interruptions and resume operations as quickly as possible, greatly facilitating decision-making and taking action when there is scant time and stress levels are elevated.
The objective is to use the information in the risk assessment to create effective recovery strategies for critical processes in all departments, to incorporate these strategies into a comprehensive business continuity plan, to encourage ownership of the plan across the organization, and ultimately to achieve the highest resiliency possible with limited resources.
Create the recovery strategies department-by-department, process-by-process. This allows each department to focus on strategies specifically relevant to their critical processes without extraneous information from other departments. Do the same for your business continuity plan, writing smaller plans by department. Also, use a template to document your recovery strategies to ensure process consistency across the organization. Finally, have plans reviewed and approved by department heads and distributed to all employees to encourage ownership and pride in the plan.
Each department in the organization will have a comprehensive action plan for business continuity outlining the steps to take to recover vital processes in various emergency scenarios. All employees will have their own copy of the plan, ready to use immediately when a disruption occurs. Employees will take ownership of the organization's business continuity effort and this effort will be further ingrained in the organization's corporate culture.
CHOCOLATE MANUFACTURING COMPANY
The Chocolate Company, since its inception in 1990, has been largely responsible for satisfying the country's demand for Chocolates and Sugar Confectionery. Situated at Rusayl Industrial Estates in Muscat, Sultanate of Oman, the plant has various lines producing a wide range of confectionery like Éclairs, Toffees, Fudges, Caramels, Hard Boiled Candy and Enrobed Chocolates. These products are available in attractive packaging and premium Gift Boxes, making them ideal for gifting as well as for own consumption. Most of the packaging in the Gift Pack segment has been carefully selected to ensure its enduring utility, thereby giving our valued customers an added benefit. The confectionery is produced by experienced personnel under stringent quality control and hygiene standards. State-of-the-art manufacturing facilities ensure products of international quality. The company, in its relentless pursuit of quality, obtained HACCP Certification in April 2004.
The Company, through its uncompromising stand on quality and competitive pricing, has successfully penetrated countries all over the Gulf, the African continent, Asia, Australia, New Zealand, Canada, South Africa, USA and the UK.
The principal business processes involved are
- Procurement of raw materials and consumables.
- Production and Quality control.
- Distribution and marketing.
- Inventory Management.
- Pricing and cost control.
- Feedback from consumers and redressal systems.
- Publicity and promotional activities.
- Recruitment and HR.
- Finance & Administration.
- Corporate communications and public relations.
- Legal and secretarial matters.
- Investor relations.
- Maintenance of equipment and other assets.
- Capital expenditure for equipment and other purposes.
- IT systems and telecommunications.
- Transportation and Logistics.
Today, manufacturing sector companies such as chocolate manufacturers operate in increasingly complex, competitive and global markets. The ability to manage risks across geographies, products, assets, customer segments and functional departments is of paramount importance. The inability to manage these risks can cause irreparable damage.
The chocolate company will always face the likelihood of being impacted by uncertain or adverse future events. These uncertainties will have an impact on the company's ability to generate capital and shareholder returns. The company Board expects that management will not only look at where the company may be exposed to risk, but also at how these risks can be managed to influence favorable business outcomes.
RISK AND RISK MANAGEMENT
Risk Management Methodology followed by the chocolate company
The risk management methodology at the chocolate company encompasses the scope of risks to be managed, the processes, systems and procedures used to manage risk, and the roles and responsibilities of the individuals involved in risk management. The framework is comprehensive enough to capture all risks that the company is exposed to, and flexible enough to accommodate any change in business activities.
The chocolate company's effective risk management methodology includes
- Risk Policy framework.
- Identification of risks.
- Measurement and Impact Assessment.
- Management of the risks.
- Monitoring, Reporting and Control.
A. Risk Policy Framework
The following fundamental principles should be considered by the company to develop and implement a proactive risk management program and help them to identify any potential areas of concern:
- Acceptance of a risk management framework: A formal risk management framework is needed at this company to guide the integration of risk management into the company's day-to-day operations.
- Corporate governance and risk: At this company, corporate governance is the prime responsibility of the Board of Directors and the General Manager. It combines legal duties with responsibilities to improve and monitor the performance of the company.
- Establish the risk response strategy: Following the agreement on the risk assessment rankings in all functional departments, management action will need to be taken to reduce the risk levels where they have been deemed unacceptably high or alternatively remove constraints where they are preventing the business from pursuing opportunities.
- Assigning responsibility for risk management change process: It is important for the company to ensure that the daily operation of the business supports this strategy and that the staff understands the proposed changes.
- Resourcing: Risk management is the responsibility of all levels of management.
- Communication and training: Implementing a communication and training program is important to introduce the concept of risk management.
- Monitoring of the risk management process: To ensure that gaps in risk responses are filled and that the risk responses continue to operate effectively and remain appropriate in light of changing conditions.
B. Identification of Various Risks of The Company
While drafting this Risk Management Policy, the primary risk exposures identified at company X are listed below. The list is indicative but not exhaustive, and it will be the responsibility of the Risk Management Committee to review it on a periodic basis.
I. Market Risks
It is the risk that the value of the company will be adversely affected by movements in market rates or prices, foreign exchange rates, national & global fluctuations, credit spreads and/or commodity prices resulting in a loss to earnings and capital.
The market risks identified at this chocolate company are as follows
- Government Policy risks
- Product Risks
- Environmental risks
- Volatility of export orders
- Price Competition in the local & export market
- Currency fluctuation for export orders
II. Operational Risks
The operational risks identified at chocolate company are as follows
- Fire & Allied Risks
- Machinery breakdown/ obsolescence
- Volatility of Raw material & Packing material prices
- Quality/ Ageing risks of Raw material/ Packing material
- Delivery risk of Suppliers
- Loss of data & information- IT security
- Manpower Availability risks
- Inventory carrying risk
III. Reputation Risks
These are risks arising from negative public opinion resulting from failures of process, strategy or corporate governance.
The Reputation risks identified at this company are as follows
- Product expiry/Shelf life
- Corporate Governance
IV. Credit Risks
Non-receipt of receivables, or delay in their receipt, is the credit risk attributable to the company.
These may be identified as
- Payment risk from customers-local
- Payment risk from Customers- export
- Security from customers
- Advance to Suppliers
V. Liquidity Risks
This is the possibility that the company will be unable to fund present and future financial obligations.
These may be identified as
- Cash flow & working capital management
- CAPEX decisions
- Cost overruns
VI. Strategic Risks
These are risks arising from adverse business decisions or the improper implementation of such decisions.
These may be identified as follows
- Business Plan forecasts.
- Attrition of key people.
C. Risk Prioritizing and Impact Assessment
To adequately capture the company's risk exposure, risk measurement should represent the aggregate exposure of the company by both risk type and business line, and encompass the short-run as well as the long-run impact on it. To the maximum possible extent, the company should establish systems or models that quantify its risk profile. However, in some risk categories quantification is quite difficult and complex. Wherever it is not possible to quantify risks, qualitative measures should be adopted to capture them.
The company should utilize a Risk Matrix to evaluate the level of the risks identified in the Company. The Risk Matrix is formed by assessing the probability of the risk, the severity of the risk, and the quality of control that exists specific to each risk. A score is attributed to each of the three parameters, namely probability, severity and internal control. The aggregate score is computed and the ranking of the risks is ascertained.
- The probability of the impact occurring is rated from low to high. Scores are assigned as 4 for High, 2 for Medium and 1 for Low.
- Severity of the risk is assessed as High, Medium or Low based on experience and normal prudence. Scores are assigned as 4 for High, 2 for Medium and 1 for Low.
- Quality of internal control is similarly categorized as High, Medium or Low. Here the scores are assigned in reverse order, since the better the existing control, the lower the impact, and vice versa. So the scores are assigned as 4 for Low, 2 for Medium and 1 for High.
- The aggregate score is then computed by adding the individual scores for each parameter.
The Company's Risk Matrix using the above method is shown in Annexure I.
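The scoring scheme just described, worked through in code. This is an added example and not part of the dissertation or the company's own Annexure I; the High/Medium/Low ratings given to the sample risks below are constructed for illustration, not taken from the company's actual matrix.

```python
"""Risk matrix scoring as described above: probability and severity score
High=4 / Medium=2 / Low=1; quality of internal control scores in reverse
(Low=4, Medium=2, High=1); aggregate = sum of the three; rank by aggregate."""
from dataclasses import dataclass

PROBABILITY_SCORES = {"high": 4, "medium": 2, "low": 1}
SEVERITY_SCORES = {"high": 4, "medium": 2, "low": 1}
# Reverse order: the better the existing control, the lower the score.
CONTROL_SCORES = {"low": 4, "medium": 2, "high": 1}

# The text says the company should focus impact assessment on these categories.
MANAGEABLE_CATEGORIES = {"Operational", "Liquidity", "Strategic"}


@dataclass(frozen=True)
class RiskAssessment:
    category: str     # Market, Operational, Reputation, Credit, Liquidity, Strategic
    name: str
    probability: str  # High / Medium / Low (case-insensitive)
    severity: str
    control: str      # quality of the existing internal control


def _score(table, label, parameter):
    """Map a High/Medium/Low label to its score; reject anything else."""
    try:
        return table[label.strip().lower()]
    except KeyError:
        raise ValueError(f"{parameter} must be High/Medium/Low, got {label!r}") from None


def aggregate_score(a):
    """Aggregate = probability + severity + control score (range 3..12)."""
    return (_score(PROBABILITY_SCORES, a.probability, "probability")
            + _score(SEVERITY_SCORES, a.severity, "severity")
            + _score(CONTROL_SCORES, a.control, "internal control"))


def rank_risks(assessments):
    """Return (rank, aggregate, assessment) tuples, highest aggregate first.
    Risks with an equal aggregate share a rank (1, 1, 3, ...); ties are listed
    in a stable category/name order so the output is reproducible."""
    scored = sorted(((aggregate_score(a), a) for a in assessments),
                    key=lambda t: (-t[0], t[1].category, t[1].name))
    ranked, rank = [], 0
    for i, (score, a) in enumerate(scored, start=1):
        if i == 1 or score != scored[i - 2][0]:
            rank = i
        ranked.append((rank, score, a))
    return ranked


def manageable_risks(ranked):
    """Keep only the categories the text earmarks for detailed impact assessment."""
    return [r for r in ranked if r[2].category in MANAGEABLE_CATEGORIES]


def format_matrix(ranked):
    """Render the ranked matrix as plain-text lines."""
    lines = [f"{'Rank':>4}  {'Score':>5}  {'Category':<12}  Risk"]
    for rank, score, a in ranked:
        lines.append(f"{rank:>4}  {score:>5}  {a.category:<12}  {a.name}")
    return lines


# Constructed sample: risks named on the page, with illustrative ratings.
SAMPLE_ASSESSMENTS = [
    RiskAssessment("Operational", "Machinery breakdown/obsolescence", "High", "High", "Low"),
    RiskAssessment("Operational", "Delivery risk of suppliers", "Medium", "High", "Medium"),
    RiskAssessment("Operational", "Loss of data & information (IT security)", "medium", "HIGH", "low"),
    RiskAssessment("Market", "Currency fluctuation for export orders", "Low", "Medium", "High"),
    RiskAssessment("Reputation", "Product expiry/Shelf life", "Medium", "High", "High"),
    RiskAssessment("Credit", "Payment risk from customers - export", "Medium", "Medium", "Medium"),
    RiskAssessment("Liquidity", "Cost overruns", "Medium", "Medium", "Medium"),
]

if __name__ == "__main__":
    print("\n".join(format_matrix(rank_risks(SAMPLE_ASSESSMENTS))))
```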
ii. Impact Assessment
The company, being a medium-scale manufacturing unit, should focus on the manageable risks, namely Operational risks, Liquidity risks and Strategic risks. Market risks, Credit risks and Reputation risks, though an integral part of risk management, may not need detailed impact assessment at this stage unless their probability comes to seem disproportionate in the time to come. The impact of the Operational, Liquidity and Strategic risks at the company, termed herein Manageable risks, can be assessed as follows.
Risk associated with any event has two components, loss severity and loss probability. Loss in itself consists of expected and unexpected components. The unexpected loss component could be severe or catastrophic. Usually, expected losses are adjusted for in pricing or in reserve allocation. Unexpected losses require capital allocation. Given that operational, liquidity and strategic risk events are most often subject to internal control, any manageable risk system that passively measures these risks would clearly be inadequate.
Once risk factors are identified as likely causes of the Risk losses, mitigating steps need to be initiated. While quantification would indicate risk magnitude and capital charges, it may not by itself suggest mitigating steps. This makes it advisable for the company to combine qualitative and quantitative approaches to manageable Risk.
The broad steps involved here would be:
- Determine the types of operational losses that could occur.
- Identify the causal risk factors.
- Estimate the size and likelihood of losses.
- Mitigate the associated risks.
Qualitative approaches involve
- Expert / collective judgment.
Critical Self-Assessment (CSA):
This is one of the common qualitative bottom-up approaches, where line managers of the company critically analyze their business processes under specific scenarios to identify potential risks and gaps in their risk management processes. Tools like questionnaires, checklists and workshops are used to help the managers analyze the risk profile of their business units. The key idea behind this method is that the business managers of this company are in the best position to identify and manage the Operational Risks pertaining to their business units.
Employing the services of external (or internal) auditors to review the business processes of a business unit is another approach. This process not only helps identify risks but also helps put in place the oversight organization for the manageable risks.
Key Risk Indicators (KRI)
Using the KRI approach the company can blend the qualitative and quantitative aspects of Operational Risk management. Factors that have predictive value and that can be easily measured with minimum time lag can serve as risk indicators. Some risk indicators inherently carry risk related information, for instance, indicators like sales volumes, order size, etc. Others are indirect indicators, for instance, production budgets, production lifecycle, performance appraisal etc. Key indicators are identified from several potential factors and are tracked over time. The predictive capabilities of the indicators are tested through regression analysis on historical loss data and indicator measurements. Based on such analysis, the set of indicators of the company being tracked can be modified suitably. Over time, as the model gets refined, the set of indicators can provide early warning signals for operational losses.
D. Management of the risks
Managing Market Risks: The chocolate company may be exposed to Market Risk in a variety of ways, as described earlier, such as environmental issues, export orders, futures contracts, price competition, customer profile and marine transportation risks. Besides, market risk may also arise from activities categorized as off-balance sheet items.
- Government Policy Risks: Changes in government policies, tax rates, the introduction of new tax regimes, the reduction or abolition of incentives, etc. carry risk for any entity in terms of its costing and pricing. In the short and medium term the company does not perceive any major risk in this segment; however, management has to be aware of any forthcoming changes that the government might envisage. Should there be any drastic change in Government policies that would affect its profitability, especially in the case of exports, the Company has contingency plans for producing at an alternative location outside Oman.
- Product Risks: Since the product is a food item, the company has to be 100% careful to maintain the product quality, product specification, pack sizes, contents of each pack, etc. Producing products of lesser or poor quality, or not as per specification, is a risk which company X needs to be constantly aware of. To mitigate such risks, company X should:
- develop a well defined production policy
- develop a well defined Quality control and checks policy
- develop a well defined storage and Distribution policy
- Environmental risks: The company does not use or generate hazardous substances in its manufacturing operations. Hence the chance that the company may in future be subject to liabilities relating to the investigation and clean-up of contaminated areas is negligible. However, the company should have a laid-down policy for the disposal of waste at pre-designated disposal points, mainly for rejected, expired and damaged items of raw materials, finished products and packing materials.
- Volatility of export orders: Some customers and sectors served by the company are directly dependent on general economic development, competition and frequent fluctuations in demand for their products. The prices for these products are, in part, dependent on the prevailing relationship between supply and demand. Possible price fluctuations are therefore apt to have a direct influence on each customer's working capital management decisions, with subsequent influence on the customer's Order Intake. This may lead to volatility in the development of the company's Order Intake. The company has a policy of geographically diversifying its customer base, and of expanding the customer base in each export market, so that a transfer to less volatile locations can be made at short notice.
- Price Competition in the local & export market: The Company does business in very competitive local and export markets. In spite of the competition the company has a 70% market share in the local market and its export business is expanding. Both the local and export markets in which it competes are highly fragmented, with a few large international manufacturers competing against each other and against a high number of smaller, local companies. Sometimes new entrants or existing players suddenly lower their prices to push the company's products out of the market. This has, in some cases, adversely impacted the sales margins realized on certain of the company's products.
To mitigate this risk the company has taken the following steps:
- Maintaining complete information on its competitors with respect to their latest technological developments, market strategies, new investments, management changes, etc.
- Developing emergency alternative plans to introduce different product ranges, with minimal structural changes, at similar or lower prices.
- Currency fluctuation for export orders: The Company exports its products to a large number of countries, including Canada, the USA, Australia, African countries and the Middle East. Almost all export orders of the company are fixed in US dollars. Since the Omani Rial is pegged to the US Dollar, currency fluctuations would have a negligible impact on export realizations at company X. Company X has a policy of booking export orders in US dollars to avoid the risk of currency fluctuations.
Managing Operational Risks: Being a chocolate manufacturing company, it deals with the retail market, and the most important risks are Operational risks. Operational risk is associated with human error, system failures and inadequate procedures and controls. It is the risk of loss arising from the potential that inadequate information systems, technology failures, breaches in internal controls, fraud, unforeseen catastrophes or other operational problems may result in unexpected losses or reputation problems.
- Fire & Allied risks: These are general risks applicable to almost all establishments. They include material damage to the company's property due to fire & lightning, earthquake, third-party impact, accidental damage, explosion, riot & strike, storm & tempest, burst pipes, own-vehicle impact, malicious damage and theft. The company should take the necessary steps to mitigate such risks by taking out:
- a "Property All Risks Insurance Policy"
- a "Loss of profit insurance cover"
- Machinery breakdown/ obsolescence: This is a major risk element, as the company was established two decades earlier using imported refurbished plant and machinery. Though most of the machinery is in running condition as of now, the chance of spare-part obsolescence is quite high for the majority of such machines. The physical status and the possible mitigation for major machinery are shown in Annexure II.
- Volatility of Raw Material/ Packing Material prices: The Company faces a medium-level risk in its raw material & packing material prices. The main raw materials are sugar, glucose, milk powder, vegetable fat, coconut, cocoa & whey powders. The packing materials required are wrappers, bags, gift boxes, gift tins and cartons. Other than a few packing materials, almost all of the raw materials and packing materials are imported, as shown below.
Country of import
- Quality risk of Raw material & Packing material: This is a medium-sized risk and the company should take reasonable care to mitigate it. Since the majority of the raw materials and packing materials are imported by the company, the purchase committee should implement a stringent policy under which it:
- has multiple suppliers from the same country or region;
- performs proper quality checks on each consignment when receiving delivery;
- includes a stringent penalty clause for variation from specifications in the agreements with suppliers.
- Delivery risk of Suppliers: This is a major risk element at the company because in most cases purchases are imported and made through Letters of Credit. Non-delivery or delayed delivery of such purchases may affect the performance of the company. The company is implementing proper penalty clauses in the purchase agreements for delayed and/or non-delivery of the ordered items.
- Transporting risks: In case of local sales, the company transports the products mostly through its own personnel. The company therefore, takes a general Transit Insurance policy covering accidents and theft.
- Inventory carrying risk: Inventory Carrying risks are of three types:
- Storage risk
- Overstocking & under stocking risk
- Expiry risk
- Storage risk
The storage policies currently are:
- Raw Materials - Glucose: stored in godown
- Raw Materials - others: stored in godown
- Packing Materials - Gift Tins, Cartons: stored in godown
- Packing Materials - Wrappers, Bags, Gift Boxes: stored in godown
The company keeps the entire inventory in closed warehouses.
- Over-stocking & Under-stocking: The company can maintain a well-optimized production planning system in correlation with its sales plan so that it has an optimum stocking policy. The current production plan is quite satisfactory and hence the risk is low to medium. But since the company is mostly dependent on the export market, the volatility of export orders may lead to overstocking or under-stocking of inventory.
- Expiry risks: This risk is low to medium. Expiry risks of inventory can be mitigated by proper planning of Sales, Purchase, Production and Distribution. The Storekeeper needs to maintain up-to-date records. A system is being implemented to provide on-line information about the stock position i.e. the quantity in stock, Re-order period, Ordering level and the Expiry dates of each of the Raw material, packing material and finished stocks to the Sales, Production and Purchase department so that immediate action can be taken by the respective departments.
- Manpower Availability risks: There is a shortage of skilled manpower in Oman. This is, however, met with expatriate staff employed mainly from the sub-continent. The company therefore faces a medium risk in terms of the availability of skilled manpower. The company can meet its unskilled manpower needs from the local Omani population and also from expatriate staff. The gap in skilled labour availability is likely to increase, and therefore costs will also increase. To mitigate such risks, the company can develop a long-term strategy of investing in higher-capacity production machines so that the requirement for manpower is kept low.
- Accidents: The Company faces a chance of accidents at the factory; however, the accident risk at the company is low, as it does not deal with hazardous material and the production processes are not complex. The company may still face risks from mechanical or electrical installations, which cannot be entirely ruled out. So the company needs to take the following steps:
- Providing ELCBs (Earth Leakage Circuit Breakers) in all electrical circuits and ACBs for the main transformers
- Providing hot masks to the workforce
- Having a good machinery breakdown policy
- Constantly monitoring the gas lines for leakages
The company needs to have a Manpower Accidents and Injury Policy to cover the possibility of injury or death of workers within the factory premises.
Managing Reputation Risks
The reputation of the company may also be hampered in various situations, some of which are:
- Contamination/hygiene: Being in the Food sector, the company should take the utmost precaution to avoid any sort of contamination in its products, which reach the general public. The company should take precautions over the quality of the raw material and packing material required for the entire production process and over the stocking procedure.
The company can follow the following policy:
- Stringent Quality control checks of Raw materials and packing materials
- Stringent Quality checks of the entire production process
- Maintaining Hygiene standards of the Government of Oman both in production and stocking.
- Sample testing at each stage
- Have a third Party damage policy insurance coverage owing to contamination
- Product expiry/Shelf life risks: This is again a very vital risk to the company, as it is in the Food sector. The Government of Oman is very stringent in its laws to prevent expired products from being sold to the general public. So the company should take the utmost care to avoid this risk by:
- providing a stringent Distribution policy of its finished products
- Checks and controls before distribution of products.
- Monitoring distributed products on a daily basis
- Attributing Responsibility to a Senior Personnel for the management
- Corporate Governance: A Corporate Governance Policies and Procedures manual is already in place at the company. Hence the risk associated with it is low. Management has to ensure proper compliance with the policies already undertaken, to avoid any reputational risk arising from non-compliance with corporate governance.
Managing Credit Risks:
- Credibility Risk of Customers: The Company should develop a credit policy based on regions, volume and credibility ranking of the parties.
- Export: The Company exports to a wide range of countries. Contact with customers is mainly through visits and through mail. It is initially very difficult to assess the credibility of customers abroad. The risk element is therefore medium to high.
The company should mitigate this risk in the following manner:
- The company should back up the export orders by Letter of Credit from the parties.
- In case the L/C mode is not practicable, the company can ask for advance payments, a security deposit, or post-dated cheques covering the entire order prior to effecting delivery of the goods.
- The company has not currently entered into any distribution agreement with any export party and deals with parties on a case-by-case basis. The Company can set up a network of distributors for handling export sales as far as practicable. The company can also set up more than one distributor in each region/country, so that a price advantage can be achieved with minimal risk. The company should select distributors with a proven track record, and the distributorship agreement should be an internationally binding legal contract.
- Local: Local sales are effected by the company mainly to retail customers like supermarkets and hypermarkets, small shops, and two distributors in the interior.
The company should take the following steps:
- Sales to all hypermarkets and supermarkets where the volumes are above a certain limit are, as far as possible, effected by means of an annual contract with all modalities and terms and conditions clearly laid out.
- For single-shop outlets, the company may face the risk of the shop closing down and non-payment or delayed payment.
To counter this, the company should maintain small stocks with such shops and should have a regular and frequent collection system.
- In case of distributors the company should have legally binding distribution agreements.
- Limit setting: An important element of credit risk management is to establish exposure limits for each customer and distributor. The company is in the process of developing its limit structure. The size of the limits shall be based on the credit strength of the customer, the genuine requirement for credit, economic conditions and the customer's risk tolerance. Credit limits shall be reviewed regularly, at least annually, or more frequently if the customer's credit quality deteriorates. All requests for increases in credit limits should be substantiated.
- Credit Administration: Ongoing administration of the credit portfolio is an essential part of the credit process.
The Marketing department of the company should perform the following functions:
- The Marketing department should take the responsibility to ensure completeness of documentation (Sale agreements, guarantees, delivery etc) in accordance with approved terms and conditions. Outstanding documents should be tracked and followed up to ensure execution and receipt.
- Customers should be notified ahead of time as and when a payment becomes due. Any exceptions, such as non-payment or late payment, should be flagged and communicated to management. Proper records and updates should also be made after receipt.
- The Marketing department should devise procedural guidelines and standards for maintenance of credit files. The credit files not only include all correspondence with the customer but should also contain sufficient information necessary to assess financial health of the customer and its repayment performance.
- Credit risk rating of customers' individual credit exposures at the company: An internal rating framework is being formulated to facilitate such aspects as customer selection, the assessment of credit limits, and the frequency and intensity of monitoring.
Managing Liquidity Risks
Liquidity risk is a medium risk for this company. It arises when the cushion provided by liquid assets is not sufficient to meet its obligations. The company's current Net Worth position, though improved in recent years, is still not conducive to attracting bankers, and so the company has a medium-range risk of not meeting its working capital requirements or its Capex decisions, especially while it is on its growth path. Liquidity risks at the company arise due to cash flow & working capital gaps, Capex requirements and cost overruns.
Some early warning indicators are provided below. They may not necessarily always lead to a liquidity problem for the company; however, they have the potential to ignite such a problem. Consequently, management needs to watch such indicators carefully and exercise further scrutiny or analysis wherever it deems appropriate.
Examples of such internal indicators are:
- A negative trend or significantly increased risk in any area or product line.
- Concentrations in either assets or liabilities.
- Deterioration in quality of products.
- A decline in earnings performance or projections.
- A large size of off-balance sheet exposure.
- Deteriorating third-party evaluation of the company.
Effective liquidity risk management includes systems to identify, measure, monitor and control the company's liquidity exposures. Management should be able to accurately identify and quantify the primary sources of the company's liquidity risk in a timely manner. To properly identify those sources, management should understand both the existing risks and the future risks to which the company may be exposed.
Key elements of an effective risk management process should include an efficient MIS, systems to measure, monitor and control existing as well as future liquidity risks and reporting them to senior management. An effective management information system (MIS) is essential for sound liquidity management decisions. Information should be readily available for day-to-day liquidity management and risk control, as well as during times of stress. Data should be appropriately consolidated, comprehensive yet succinct, focused, and available in a timely manner.
An effective measurement and monitoring system is essential for adequate management of liquidity risk. Consequently the company intends to institute systems that will capture liquidity risk ahead of time, so that appropriate remedial measures can be prompted to avoid significant losses. Some commonly used liquidity measurement and monitoring techniques are:
- Contingency Funding Plans: To develop a comprehensive liquidity risk management framework, the company should have contingency plans for stress scenarios. A CFP is a projection of the company's future cash flows and funding sources, representing management's best estimate of the balance sheet changes that may result from a liquidity event. A CFP provides a useful framework for managing liquidity risk in both the short and the long term. Further, it helps ensure that a financial institution can prudently and efficiently manage routine and extraordinary fluctuations in liquidity.
- Cash Flow Projections: At the most basic level the company may use flow measures to determine its cash position. A cash flow projection estimates the company's inflows and outflows, and thus the net deficit or surplus (gap), over a time horizon.
- Liquidity Ratios and Limits: The Company may use a variety of ratios to quantify liquidity. These ratios can also be used to create limits for liquidity management. However, such ratios would be meaningless unless used regularly and interpreted taking into account qualitative factors.
- Internal Controls: For effective implementation of policies and procedures, the company should institute a review process that ensures compliance with the various procedures and limits prescribed by senior management.
Managing Strategic Risks
These are risks arising from adverse business decisions or the improper implementation of such decisions.
- Business Plan forecasts: Risks arising out of insufficient and ineffective Business plans may severely affect the performance of the company. The company is presently formulating a detailed Business Plan covering all functions of the company like Marketing, Production, Purchase, and Financing based on the following:
- A detailed financial model containing all components and assumptions, which forms the basis for the projections of the Business Plan for the following year.
- The financial model will bring out the sensitivity and risk analysis of the company under various projected scenarios.
- The Business Plan will be finalized based on the most optimal solution.
- The Business Plan will be broken down by function and by period, preferably monthly.
- Monthly variance analysis of the Business Plan against actuals should form part of the MIS and drive management action.
- Attrition of key people: Key management personnel are assets of the company. High attrition rates can affect the company severely in the short and medium term. The company should take effective steps to retain key management personnel. Should the need arise to replace key personnel, the company is in the process of implementing a succession plan so that adverse effects on the business are suitably mitigated.
The company should introduce:
- Performance-based incentive and promotion schemes so that the right candidates are rewarded.
- A congenial working atmosphere, by introducing TQM or other management techniques to enhance the capabilities of existing management staff.
Monitoring, Reporting & Control
An effective monitoring process is essential for adequately managing all the identified risks. The Risk Management Committee needs to establish a program to:
- Monitor assessment of the exposure to all types of operational risk faced by the company;
- Assess the quality and appropriateness of mitigating actions, including the extent to which identifiable risks can be transferred outside the company; and
- Ensure that adequate controls and systems are in place to identify and address problems before they become major concerns.
It is essential that
- Responsibility for the monitoring and controlling of all types of risks should be with the Risk Management Committee;
- The Committee should ensure that an agreed definition of all types of risks together with a mechanism for monitoring, assessing and reporting is designed and implemented;
- This mechanism should be appropriate to the scale of risk and activity undertaken.
- Risk metrics or “Key Risk Indicators” (KRIs) should be established for all types of risks to ensure the escalation of significant risk issues to appropriate management levels. KRIs are most easily established during the risk assessment phase. Regular reviews should be carried out by internal audit, or other qualified parties, to analyze the control environment and test the effectiveness of implemented controls, thereby ensuring business operations are conducted in a controlled manner.
The company is currently setting up a Risk Reporting system. The Reporting system will ensure that information is received by the appropriate people, on a timely basis, in a form and format that will aid in the monitoring and control of the business. The reporting process will include information such as
- The critical risks facing, or potentially facing, the company;
- Risk events and issues together with intended remedial actions;
- The effectiveness of actions taken;
- Details of plans formulated to address any exposures where appropriate;
- Areas of stress where crystallization of the risks is imminent; and
- The status of steps taken to address the risks.
The company has an information system that is fairly accurate, informative and timely, ensuring dissemination of information to management in support of compliance with board policy. Reporting of risk measures will be regular and will clearly compare current exposures to policy limits. Further, past forecasts or risk estimates will be compared with actual results to identify any shortcomings in risk measurement techniques. The board needs to review these reports on a regular basis. While the types of reports for the board and senior management may vary depending on the overall risk profile of the company, at a minimum the following reports will be prepared:
- Summaries of the company's aggregate risk exposure for each type of risk identified
- Reports demonstrating the company's compliance with policies and limits
- Summaries of the findings of reviews of risk policies, procedures and the adequacy of risk measurement systems, including any findings of internal/external auditors or consultants
The company's internal control structure will ensure the effectiveness of processes relating to comprehensive risk management. Establishing and maintaining an effective system of controls, including the enforcement of official lines of authority and appropriate segregation of duties, is one of management's most important responsibilities. Persons responsible for risk monitoring and control procedures should be independent of the functions they review. Key elements of the internal control process include internal audit and review and an effective risk limit structure.
Although a framework of formal, written policies and procedures is critical, it needs to be reinforced by a strong control culture that promotes sound risk management practices. The company will have policies, processes and procedures to control or mitigate material risks. The company will assess the feasibility of alternative risk limitation and control strategies and should adjust its risk profile using appropriate strategies, in light of its overall risk appetite and profile. Control activities will be an integral part of the regular activities of the company, to ensure the effectiveness of the risk control mechanism.
The company may look forward to the following benefits from implementing the robust risk management policy enumerated in this guideline:
- Improves corporate experience and general communication
- Leads to a common understanding and improved team spirit
- Helps develop the staff to assess risks
- Demonstrates a responsible approach to customers
- Provides a fresh view of the personnel issues in the company
- Focuses management attention on the real and most important issues
- Identifies and allocates responsibility to the best risk owner
- Enables a more objective comparison of alternatives
- Allows a more meaningful assessment of contingencies
- Increases the likelihood of the company to adhere to its Business Plans
ASSET AND ASSET MANAGEMENT
In today's business environment information technology (IT) resources, including data, are some of the most important assets owned by organizations. Earthquakes, cyclones, hurricanes, floods, hackers, computer viruses, sabotage and terrorist attacks are disasters that threaten these assets. Organizations need to be prepared for and be able to respond to these attacks.
The chocolate manufacturing company should now focus on gearing up its systems and processes so that it can sustain its growth efficiently and effectively. One such tool is a well-designed information system built with the help of the latest technology. Information Technology is responsible for providing methods and processes to protect company data, system software and computing resources. Like all processes, systems and technology, the information technology systems and processes of any organization should be guided by rules and regulations through which their existence and functioning can be safeguarded. Using the latest technology, the company can:
- maximize the productive benefit of its IT resources to the Company;
- protect the Company's confidential and proprietary information;
- protect the Company from exposure to liability for unauthorized acts.
CURRENT STATUS OF THE COMPANY
- The company at present has an IT executive to look after the IT functions of the company. The IT executive reports to the Finance Manager.
- The maintenance of the IT hardware (except the server) is done in house and through vendors under the supervision of the IT executive. The ERP system installed, Focus RT, is under an Annual Maintenance Contract.
- Networking of all computers at the factory-cum-office building of SOO is established through a Local Area Network (LAN), which was professionally installed by a local company. There are four switches: one with 20 ports, one with 16 ports and the other two with 8 and 4 ports respectively.
- There is a central Dell PowerEdge rack server (210-19627), a PE2950 III with a Quad Core Xeon X5460, 3.16 GHz, 2x6 MB cache, 133 MHz, 4 GB RAM and a 17” Dell wide LCD. The operating system is Microsoft Small Business Server 2003 Premium (SBS), OEM with 5 user CALs (including Windows Server 2003, Exchange 2003, SQL 2000, ISA 2000, etc.). It has an APC 2.2 KVA UPS with a standby time of 25 minutes, and the anti-virus software is Symantec Antivirus Endpoint Protection 11.0 (IN LIC).
- There is no separate server room; the server is kept in a separate enclosure in the accounts department, under lock and key. The air-conditioning of that room provides sufficient cooling for the server.
- The company currently has 18 PCs, 6 laptop computers and 8 printers plus a bar coding system. 6 PCs have Intel Core 2 Duo processors, one has an Intel Celeron 200 GHz, 10 have Pentium 4 and one has a Pentium 3 processor. All have 1 GB RAM.
- All the PCs and laptops have Windows XP SP2 as the OS and MS Office 2003 installed.
- The ERP installed is Focus RT, which has applications including Finance, Payroll, S & D and Inventory. There is no separate production software.
- Internet connectivity is through an ADSL broadband connection. Routers are installed to which all PCs and the server are connected.
- The company is currently planning to expand its business, with one separate factory building in the Rusayl area plus two branch offices in the city. The IT system is to be extended to those locations along similar lines. After the expansion SOO shall move to a leased line for internet connectivity.
MAJOR IT POLICIES TO BE ADOPTED BY THE COMPANY
- Responsibilities to be adopted by the Finance Manager are:
- Adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local access media, or remotely.
- To ensure the continued availability of data and programs to all authorized members of staff.
- To ensure the integrity of all data and configuration controls.
- Access to information and business processes needs to be controlled on the basis of business and security requirements. A formal procedure needs to be in place to control the allocation of access rights to information systems and services. The procedure needs to cover all stages in the life cycle of user access, from the initial registration of new users to the formal de-registration of users who no longer require access to information systems and services.
- The company can separate the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorized modification or misuse of information or services.
- Internet and other external service access is restricted to authorized personnel only.
- Access to sensitive data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment.
- Only authorized and licensed software may be installed, and installation is only to be performed by I.T. Department staff (or, in their absence, the Finance department). In the event of unauthorized software being discovered, it will be removed from the workstation immediately.
- Systems should be monitored to detect deviation from the access control policy, and monitored events should be recorded to provide evidence in case of security incidents.
- All CD/DVD drives and removable media from external sources must be virus checked before they are used within the organization.
- Passwords must consist of a mixture of at least 8 alphanumeric characters, must be changed every 60 days and must be unique.
- Workstation configurations may only be changed with the approval of I.T. Department staff.
- The physical security of computer equipment will conform to recognized loss prevention guidelines.
- Back-up copies of business information and software should be taken regularly. Adequate back-up facilities should be provided to ensure that all essential business information and software can be recovered following a media failure.
- Security requirements will be identified and agreed prior to the development of information systems.
- Appropriate controls and audit trails or activity logs will be designed into application systems, including user-written applications. These should include the validation of input data, internal processing and output data.
USER REGISTRATION PROCEDURE TO BE FOLLOWED BY THE COMPANY
The company should have a formal user registration and de-registration procedure for granting access to all multi-user information systems and services. The registration process needs to include:
- Using unique user IDs, so that users can be linked to and made responsible for their actions.
- Checking that the user has authorization from the system owner for the use of the information system or service. Separate approval of access rights by management may be appropriate.
- Checking that the level of access granted is appropriate to the business purpose and does not compromise segregation of duties.
- Ensuring service providers do not provide access until the authorization procedure is completed.
- Maintaining a record of all persons registered to use the service.
- Immediately removing the access rights of users who have changed jobs or left the organization. Periodically checking for, and removing, redundant user IDs and accounts.
- Including conditions in staff contracts and service contracts that specify sanctions if unauthorized access is attempted by staff or service agents.
- Privileges should be allocated to individuals on a need-to-use basis and on an event-by-event basis, i.e., the minimum requirement for the functional role, only when needed.
LOGICAL ACCESS AND PASSWORD SECURITY
Operating System Access Control
Security facilities at the operating system level should be used to restrict access to computer resources. These facilities are capable of performing the following tasks:
- Identifying and verifying the identity and, if necessary, the terminal or location of each authorized user.
- Recording successful and failed system access.
- Providing appropriate means of authentication through a quality password policy and, where applicable, restricting the connection time of the user.
Application Access Control
- Users should be given sufficient rights to the systems they need to perform their job function, and no more; user rights will be kept to a minimum at all times.
- Users requiring access to systems must make a written application on the forms provided by the IT Department. Where possible, no one person will have full rights to any system. The IT Department will control network/server passwords, and system passwords will be assigned by the system administrator in the end-user department. The IT executive will be responsible for maintaining the integrity of each end-user department's data and for determining end-user access rights.
PASSWORD SECURITY METHODOLOGY TO BE FOLLOWED BY THE COMPANY
- Access to the network/servers and systems is to be by individual username and password.
- Usernames and passwords should not be shared by users.
- Usernames and passwords should not be written down.
- Usernames may consist of initials and surnames.
- All users need to have an alphanumeric password of at least 8 characters.
- Intruder detection will be implemented wherever possible. The user account should be locked after three incorrect attempts.
- Network/server supervisor passwords and system supervisor passwords are to be stored in a secure location in case of an emergency or disaster, for example a fire safe in the IT Department.
- Auditing is to be implemented on all systems to record login attempts/failures, successful logins and changes made to all systems.
- Use of the supervisor login on server systems and the Administrator username on Windows is to be kept to a minimum.
- Access to the network/servers is to be restricted to normal working hours. Users requiring access outside normal working hours will request such access in writing on the forms provided by the IT Department.
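The password and lockout rules listed above (and the matching 8-character, 60-day and 3-attempt limits repeated later under server-specific security) expressed as an added Python policy model; this is illustrative code written for this edit, not part of the dissertation or of the company's systems. The `Account` class, the `demo()` walkthrough, the timestamps and the sample passwords are all constructed, and "mixture of alphanumeric characters" is taken to mean at least one letter and one digit.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

MIN_LENGTH = 8           # "alphanumeric password of at least 8 characters"
MAX_AGE_DAYS = 60        # "must be changed every 60 days"
MAX_FAILED_ATTEMPTS = 3  # "locked after three incorrect attempts"


def _digest(password: str) -> str:
    # Constructed example: an unsalted SHA-256 keeps the history check simple;
    # a real directory service stores salted, slow password hashes instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(password: str, history: list[str]) -> list[str]:
    """Return every policy violation of `password` (empty list = compliant).
    `history` holds digests of earlier passwords; "mixture of alphanumeric"
    is read as at least one letter and at least one digit."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letter")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if _digest(password) in history:
        problems.append("reuses a previous password")
    return problems


def _checked_digest(password: str, history: list[str]) -> str:
    """Digest of a compliant password; raises ValueError listing the violations."""
    problems = password_violations(password, history)
    if problems:
        raise ValueError("; ".join(problems))
    return _digest(password)


def password_expired(changed_at: datetime, now: datetime) -> bool:
    """True once the password is older than the 60-day change interval."""
    return now - changed_at > timedelta(days=MAX_AGE_DAYS)


@dataclass
class Account:
    username: str
    password_digest: str
    changed_at: datetime
    history: list[str] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_password: str, now: datetime) -> None:
        """Rotate the password; the current one counts as 'previous' for uniqueness."""
        digest = _checked_digest(new_password, self.history + [self.password_digest])
        self.history.append(self.password_digest)
        self.password_digest, self.changed_at = digest, now

    def login(self, password: str, now: datetime) -> str:
        """Apply the lockout rule; the returned outcome is what the audit log records."""
        if self.locked:
            return "locked"            # stays locked until the IT Department resets it
        if _digest(password) == self.password_digest:
            if password_expired(self.changed_at, now):
                return "expired"       # right password, but a change is now due
            self.failed_attempts = 0   # a good login clears the failure count
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "failed"

    def unlock(self) -> None:
        # IT Department reset, once the user's identity has been verified.
        self.locked = False
        self.failed_attempts = 0


def new_account(username: str, password: str, now: datetime) -> Account:
    """Register an account; the initial password must already satisfy the policy."""
    return Account(username, _checked_digest(password, []), now)


def demo() -> list[str]:
    """Walk the rules with constructed data and return the sequence of outcomes."""
    t0 = datetime(2024, 1, 1)                        # constructed timestamp
    acct = new_account("jsmith", "Cocoa2024x", t0)   # initials + surname username
    outcomes = [acct.login("wrong", t0) for _ in range(3)]  # third failure locks
    outcomes.append(acct.login("Cocoa2024x", t0))            # right password, still locked
    acct.unlock()
    outcomes.append(acct.login("Cocoa2024x", t0 + timedelta(days=60)))  # day 60: ok
    outcomes.append(acct.login("Cocoa2024x", t0 + timedelta(days=61)))  # day 61: expired
    try:
        acct.set_password("Cocoa2024x", t0 + timedelta(days=61))  # same password again
    except ValueError:
        outcomes.append("reuse-rejected")
    acct.set_password("Praline99", t0 + timedelta(days=61))
    outcomes.append(acct.login("Praline99", t0 + timedelta(days=61)))
    return outcomes
```

Calling `demo()` returns the outcome for each step in order, which is the sequence an audit log built to the rule above would record.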
CLEAR DESK AND CLEAR SCREEN POLICY
When not in use, paper and computer media should be stored in suitable locked cabinets and/or other forms of secured furniture, especially outside working hours.
- Sensitive and critical business information should be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.
- PCs, computer terminals and printers should not be left logged on when unattended and should be protected by key locks, passwords or other controls when not in use.
- Incoming and outgoing mail points and unattended fax and telex machines should be protected.
- Sensitive or classified information, when printed, should be cleared from printers immediately.
- All working files from all PCs should be kept in separate folders on the public server. The IT department should be responsible for keeping backups of all files, including system and database files, on the server.
- A minimum level of back-up information, together with accurate and complete records of the back-up copies and documented restoration procedures, should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
- Backups should be taken automatically on a daily basis on workstations other than the server.
- Every week three sets of backups should be taken by the IT department and handed over to the General Manager, the Finance Manager and any other person decided by the General Manager, who should carry the backup hard drives outside the office location on the same day.
- Backup information should be given an appropriate level of physical and environmental protection, consistent with the policies applied at the main site.
- Backup media should be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary.
- Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery.
SERVER SPECIFIC SECURITY
- The company should have a separate, dedicated suite to accommodate the servers. The computer suite should:
- Contain an adequate air conditioning system to provide a stable operating environment, reducing the risk of system crashes due to component failure.
- Have no water, rain water or drainage pipes running within or above it, to reduce the risk of flooding.
- Have a raised false floor to allow computer cables to run beneath the floor and reduce the risk of damage to computer equipment in the case of flooding.
- Have power points raised from the floor to allow the smooth shutdown of the computer systems in case of flooding.
- Be provided with a UPS to help protect the computer systems in the case of a mains power failure.
- Access to the servers should be restricted to IT Department staff.
- All contractors working within the computer suite should be supervised at all times, and the IT Department should be notified of their presence and provided with details of all work to be carried out at least 48 hours in advance of its commencement.
- The operating system should be kept up to date and patched on a regular basis.
- Servers should be checked daily for viruses.
- Servers should be locked in a secured room.
- Admin/Administrator/root rights should be limited to trained members of the IT Department staff only.
- Use of Admin/Administrator/root accounts should be kept to a minimum.
- Assigning security equivalences that give one user the same access rights as another user should be avoided where possible.
- Users' access to data and applications should be limited by the access control features.
- The system auditing facilities should be enabled.
- Users must log out or lock their workstations when they leave them for any length of time.
- All unused workstations must be switched off outside working hours.
- All accounts should be assigned a password of a minimum of 8 characters.
- Users should change their passwords every 60 days.
- Unique passwords should be used.
- The number of grace logins should be limited to 3.
- The number of concurrent connections should be limited to 1.
- Network login time restrictions should be enforced, preventing users from logging in to the network outside normal working hours.
Switches: LAN equipment, routers and switches should be kept in secure areas. Access to switches should be restricted to IT Department staff only. Other staff and contractors requiring access to switches should notify the IT department in advance so that the necessary supervision can be arranged.
Workstations: Users must log out of their workstations when they leave them for any length of time. Alternatively, Windows workstations may be locked.
- All network wiring should be fully documented.
- All unused network points should be de-activated when not in use.
- All network cables should be periodically scanned and readings recorded for future reference.
- Users should not place or store any items on top of network cabling.
- Redundant cabling schemes should be used whenever possible.
- All servers should be kept securely under lock and key.
- Access to the system console and server disk/tape drives should be restricted to authorized IT Department staff only.
- All servers should be fitted with UPSs that also condition the power supply.
- All routers, switches and other critical network equipment should also be fitted with UPSs.
- In the event of a mains power failure, the UPSs should have sufficient power to keep the network and servers running until the generator takes over.
- Software should be installed on all servers to implement an orderly shutdown in the event of a total power failure.
- All UPSs should be tested periodically.
- The IT Department should keep a full inventory of all computer equipment and software in use throughout the company.
- Computer hardware and software audits should be carried out periodically via the use of a desktop inventory package. These audits should be used to track unauthorized copies of software and unauthorized changes to hardware and software configurations.
TCP/IP & INTERNET SECURITY
- Permanent connections to the internet should be via a firewall (Sonic) to regulate network traffic.
- Permanent connections to other external networks, for offsite processing etc., should be via a firewall to regulate network traffic.
- All incoming e-mails should be scanned by the organization's e-mail content scanner.
- The I.T. Department should have up-to-date virus scanning software for the scanning and removal of suspected viruses. Corporate file servers will be protected with virus scanning software.
- Workstations should be protected by virus-scanning software. All workstation and server anti-virus software should be regularly updated with the latest anti-virus patches by the I.T. Department.
- Removable media such as CD/DVD/pen/flash drives brought in from outside the organization should not be used until scanned. New commercial software should be scanned before it is installed, as it occasionally contains viruses.
- All systems should be built from original, clean master copies whose write protection has always been in place. Only original master copies should be used until virus scanning has taken place.
- All removable media containing executable software (software with .EXE and .COM extensions) should be write-protected wherever possible.
- All demonstrations by vendors should be run on their machines and not the organization's.
- Where there is a business need for third-party access, a risk assessment should be carried out to determine the security implications and control requirements. These controls should be agreed and defined in the contract with the third party, including allowance for the designation of other eligible participants and conditions for their access.
- Shareware should not be used, as shareware is one of the most common infection sources. If it is absolutely necessary to use shareware, it must be thoroughly scanned before use.
- To enable data to be recovered in the event of a virus outbreak, regular back-ups should be taken by the I.T. Department.
- Management should strongly endorse the Organization's anti-virus policies. Users shoul