90 Spicebush Trail
Narragansett, RI 02882-2427
ph: 401-284-1566
fax: 401-284-1566
richabel
When you work with us, you'll gain not only a world-class team but also a wealth of industry experience. These Blog pages will change periodically so come back often...
Financial risks can arise from volatile capital movements and the risks of social, economic, and environmental degradation created by spreading operations over a global base of operations.
Traditionally, responsibility for completing a mission and the resources needed to pursue it is aligned with organizational boundaries. However, key drivers in the business environment, such as the globalization of business and the fast pace of technological change, have resulted in increased merging of IT Departments and partnering within business units of organizations. It is now common for multiple organizations to work collaboratively in pursuit of a single mission, which creates a degree of programmatic and process complexity that can be difficult to manage effectively. In today's global business environment, management and staff must be able to deal with intricate and unclear interrelationships and dependencies among technologies, data, tasks, activities, processes, and people. Mission success in these complex environments requires people to sort through the inherent complexity when making important decisions. Effective risk management that is based on a solid conceptual foundation is an essential part of this decision-making process. This technical note begins to define this foundation by identifying the basic elements of risk and exploring how these elements can affect the potential for mission success.
Competitiveness cannot be achieved without achieving the benefits of global integration and coordination as well as the benefits of localization, which include flexibility, proximity, and quick response time.
Technology: appropriate solutions to support compliance, technology business model, information security, competing information technology (IT) priorities, and outsourcing. It is evident that a new approach, one that provides a sustainable, productive, and cost-effective means to address these issues, is essential.
Threat Elements:
Threat Category | Trigger | Vulnerability
Mission Threat | Process execution | A fundamental flaw, or weakness, in the purpose and scope of a work process
Design Threat | Process execution | An inherent weakness in the layout of a work process
Activity Threat | Process execution | A flaw, or weakness, arising from the manner in which activities are managed and performed
Environment Threat | Process execution | An inherent constraint, weakness, or flaw in the overarching operational environment in which a process is conducted
Event Threat | Event | Specific vulnerabilities that, when combined with the triggering event, place a mission at risk
The trigger and vulnerability associated with each category of threat are highlighted in the table above. The table explicitly highlights the fundamental difference between event threats and the other four categories. Whereas an event threat is triggered by an unpredictable occurrence, threats from the other four categories are triggered whenever a work process is executed; no external trigger or occurrence is needed to produce risk. This section explores the specific mechanics of threats, beginning with event threats.
Categories of Operational Threat
Mission Threats
Process execution: Fundamental flaws, or weaknesses, in the purpose and scope of a work process within the IT Department
The mission is the cornerstone of a work process, defining what success looks like. If that definition is skewed or flawed, the entire system could be out of balance, producing unexpected or unwanted results. A mission threat is a fundamental flaw, or weakness, in the purpose and scope of a work process. It injects considerable vulnerability into the very foundation of a work process, exposing it to a substantial amount of operational risk. This vulnerability can manifest itself in a number of tangible ways, affecting all aspects of the process, from the layout and arrangement of activities to the resources assigned to those activities. Examples of mission threats include the following:
1) Funding is insufficient to complete the core mission objectives.
2) Time is insufficient to complete the core mission objectives.
3) Resources are insufficient to complete the core mission objectives.
4) Mission objectives are unclear or unarticulated.
5) The mission does not meet customer requirements and needs.
6) Mission objectives are not defined and documented.
7) Local missions are not aligned with the overarching mission.
Design Threats
Design Threat: Process execution: An inherent weakness in the layout of a work process
While the mission describes the goal or objectives being pursued, the design of a process delineates the roadmap for achieving the mission. A design threat is an inherent weakness in the layout of a work process. It can have far-reaching consequences because it embeds risk within the structure of a process. Common design threats include:
1) The process is not defined and documented.
2) The process is overly complex or inefficient.
a) Unnecessary tasks are performed.
b) There are bottlenecks.
3) The process does not conform to accepted policy and practice.
4) Procedures for performing tasks are not defined and documented.
5) Roles and responsibilities are not defined and documented.
6) Quality assurance is not built into the process.
7) Supporting technologies are not designed to facilitate process execution.
8) Facilities (i.e., physical layout of work space and equipment) do not support efficient execution of the process.
9) Performance measures or metrics for managing the process are not defined.
Activity Threats
Activity Threat: Process execution: A flaw, or weakness, arising from the manner in which activities are managed and performed
Activity management builds upon the structural elements of a work process by assembling, organizing, and overseeing the resources needed to execute that plan. An activity threat is a flaw, or weakness, arising from the manner in which activities are managed and performed. A variety of circumstances can produce this type of threat, ranging from people’s actions to unreliable performance of support technologies. In essence, activity threats occur when actual performance deviates from what was planned or anticipated (e.g., as outlined in the design). Potential activity threats include the following:
1) Staff members do not possess the necessary knowledge, skills, and abilities to perform expected tasks.
2) Staffing levels are insufficient to complete all assigned tasks.
3) Staff members do not receive adequate training related to domain knowledge.
4) Staff members do not receive adequate training related to process execution.
5) The staff does not efficiently execute the process as defined.
6) Inputs to an activity are not accurate and complete when received (i.e., they contain defects).
7) Inputs to an activity are not received on time.
8) Management does not facilitate completion of the process.
9) Risk is not managed effectively.
10) Problems are not resolved quickly.
11) Supporting technologies
a) are unreliable
b) do not perform as expected
c) do not work well together where required (i.e., are not interoperable)
Environment Threats
Environment Threat: Process execution: An inherent constraint, weakness, or flaw in the overarching operational environment in which a process is conducted
An environment threat is an inherent constraint, weakness, or flaw in the overarching operational environment in which a process is conducted. It represents an inherited source of risk, which makes it difficult to manage in many instances.
The following list includes some of the more common environment threats:
1) Responsible Authority (who reports to whom, and where)
2) Who is going to perform what IT functions for:
a) Development and implementation of new applications,
b) Change management of current applications
c) Access to programs and data (security)
d) Computer operations for:
i) Backup and Recovery
ii) Disaster Control
iii) Batch Jobs
e) Who is responsible for writing and delivering Globalized SOPs (Standard Operating Procedures) and processes
3) The organization does not reward desired behaviors.
4) Organizational lines of authority are not well defined.
5) Staff morale is low.
6) Organizational politics adversely affect process execution.
7) There is a lack of cooperation across functional boundaries.
8) Communication barriers prevent candid exchanges of information between people throughout the organization.
9) Stakeholder pressures adversely affect process execution.
10) The physical working environment does not contribute to staff effectiveness.
Event Threats
Event Threat: Event: Specific vulnerabilities that, when combined with the triggering event, place a mission at risk
An event threat is a set of circumstances triggered by an unpredictable occurrence that introduces unexpected change into a work process. This unpredictable event must combine with one or more vulnerabilities to produce risk. Typically, these vulnerabilities lie dormant within a work process and do not produce any visible effect on performance during day-to-day operations. However, certain events in combination with these dormant, apparently benign, vulnerabilities place a mission at risk. Examples of event threats include:
1) surges in workload
2) loss of key personnel (management and staff)
3) cyber-security breaches
4) computer viruses and other types of malicious code
5) physical-security breaches
6) natural disasters (floods, earthquakes, etc.)
7) changes in policies and regulations
8) changes in budget and resources
9) changes in core mission objectives
10) changes in schedule or funding
11) introduction of new technology
12) changes in customer needs and requirements
These five categories of operational threat thus define a broad range of threats that can put mission success in jeopardy. All threats can be decomposed into two basic elements: (1) a trigger and (2) one or more vulnerabilities. However, there are differences in how threats from different categories arise. The circumstances required to produce an event threat differ from those needed to create threats from the other four categories.