Risk analysis and Contingency plans

Risk Analysis

Building control into a system will involve the organisation in costs and overheads. Additional staffing may be required to implement or supervise the controls, more storage space or more powerful processors might be needed to provide additional data needed for audit purposes.

As with any other business decision a balance must be kept between the costs provided by the introduction of controls against the likely benefits. In deciding what level of control to impose on a system, the organisation will perform a risk analysis. This will identify the probability of a particular problem occurring (i.e. how often it is likely to happen) and the resulting loss incurred. This is then balanced against the cost of protecting against the problem.

Contingency Plans

A variety of strategies exist to cope with situations when, for one reason or another, data or computing facilities are lost. By planning in advance of the disaster, organisations can ensure that recovery can be as speedy and as trouble free as possible. The actual strategy employed will depend on how critical the data or computing facility is to the organisation.

In situations where the information system is crucial to the running of the organisation – for example banking or credit card companies, entire computing facilities may be duplicated. Should one of the centres fail then the remaining one is able to take over processing for the entire organisation. This is an expensive solution but provides a high level of security.

If many applications, such as large stores, where POS terminals are linked to a central computer, there will be a backup manual system that will allow the store to continue trading if the main computer is ‘down’. The POS reverts to acting as a till and transactions can be recorded onto tape cartridge so that the stock file can be brought up to date when the system is restored. Some functionality may be lost and extra staff may be needed to help process transactions.

Some organisations will contract out their backup facilities to specialist firms who will provide computing facilities in an emergency. The cost of maintaining the emergency facility is spread amongst the different organisations who contract with the specialist firm. This arrangement obviously depends on backup data being available to bring the emergency facility on-line when needed.

Recovery from data loss will be built into the backup strategy operated by the organisation.
It is important to remember that, for many organisations, access to the information system and the integrity of the data stored in the system will be crucial to the organisations continued existence. On-line transaction systems are particularly vulnerable when system failure occurs.
As with the introduction of controls, the provision of a contingency plan will involve overheads. This may involve duplicating the cost of the data processing centre or it may simply involve providing more expensive POS terminals with sufficient built in processing power to operate off-line. Here again a cost-benefit analysis is important. In deciding what contingency plan to adopt the organisation will consider:

  • The cost of setting up the plan – addition hardware etc. that is needed.
  • The cost of maintaining the plan
  • How probable the disaster is
  • How completely the plan will restore normal working
  • How quickly the plan will restore normal working
  • The costs of incomplete or lengthy restoration.

Generally however, the law imposes a duty but leaves it to the individual organisation to set up procedures and structures to ensure compliance. There are a variety of methods available to employers to help ensure that their employees are aware of and comply with the law. Whatever methods are used, it will be important to put some form of monitoring in place to ensure that the law is being complied with and to identify and remedy any breaches. Appointing a co-ordinator who, besides monitoring compliance can also take on a staff training or awareness-raising role best does this.