In the PMBOK (Project Management Body of Knowledge) Guide, one of the most important of the Nine Knowledge Areas in Project Management is Project Risk Management. Simply put, project risk management deals primarily with the need for project leaders and managers to learn how to compensate and think ahead to minimize the potential for things to go wrong. There are several steps to the risk management process that a project leader must consider, and which are typically explored in risk management courses and training bundles: risk management planning, risk analysis, risk response/monitoring/control, and identifying the risks of a project (Business Wire, 2011). Project risk management, in its ability to enhance opportunities and minimize negative consequences of actions taken without foresight, is perhaps the most important area of knowledge required for project management. In the following, risk management principles will be outlined and applied to examples of security leaks in projects and more public examples of enterprise and project pitfalls, to demonstrate the importance and utility of project risk management.
The overall goal of risk management is to improve on the possibility of positive risks and decrease the chances of negative risks being taken. When embarking on a project, it is vital to minimize and manage risk as much as possible, so as not to sacrifice substantial time and effort on something that could have been avoided. Potential failures are ideally tracked down through risk management practices, then transferred to a third party or avoided altogether. Six processes typically occur within risk management: risk planning, identification, qualitative and quantitative risk analysis, risk response planning, and risk monitoring and control.
During risk planning, the actual task of risk management itself is organized and articulated. Here, the amount of resources allotted to risk management is decided through proper acknowledgement of the factors at state, and the available resources. Enterprise Environmental Factors include the organization's level of risk it is willing to tolerate, and are factored into the initial risk planning. Organizational Process Assets include risk management approaches that already exist, and can be implemented in these particular situations. From here, a Project Management Plan is created to cement the risk management process decided on (IEEE, 2011).
The importance of risk management is made clear in the projects, individuals and organizations who do experience failure and setbacks due to poor assessment of risk their own project managers undertook. In the case study “Boss, I Think Someone Stole Our Customer Data,” four potential solutions for the problem of a security leak at a major electronics company - Flayton Electronics - in which thousands of customers had their information leaked and abused due to a downed firewall that left them vulnerable. The solution, involving repairing the weaknesses in the firm’s data security, is the most effective solution available to them. The company must move quickly in order to address the lawsuits that are sure to occur, as addressing the situation as fast as possible will prevent people from having a case for them hiding this information from their customers. This will provide effective risk management, lessening the likelihood of damage the company receives from this development (Alexander & Sheedy, 2005).
In addition to ensuring the data security of the company and fixing those weaknesses, brand restoration has to take place. The biggest problem that Flayton faces is the decimation of their reputation and the trust that customers are meant to have in them. The restoration of their data security will not mean anything if steps are not taken to appease the customers and urge them to stay with Flayton Electronics. The customers must be given immediate transparency, as that will make them feel like a part of the process, and the steps to provide customer support will make sure they are taken care of. The most important thing to consider is responsiveness; seeming like they are on top of a situation is much better than hiding things from the customers, who will suspect a problem if nothing is told to them.
In order to perform risk management on this particular problem, for example, the following actions could have been taken:
Fixing firm’s weaknesses in data security
This is the first priority, as the basics of network and data security must be attended to so another attack like this does not happen again.
* Develop brand-restoration strategy
A close second in priority, steps must be quickly taken to ensure the perception that Flayton is a transparent company that respects its customers and is honest with them. The following steps can provide incentive for existing customers to remain with Flayton, and lessen the negative perception of the company:
* Notify affected customers rapidly
* Set up toll free information hotlines
* Offer credit-monitoring services
* Offer discounts and sales
* Meet with critics of company
* Develop and promote new web pages outlining reforms
* Develop responsiveness of developments in communiqués to stakeholders
These keep the customers well-informed on the process that Flayton is taking to address this very public and dangerous breach of security. To leave customers out of the loop on their data being stolen would be nothing short of criminal, and so the better solution is to own up to the error as quickly as possible and enlist the help of the customer in solving this crisis. These steps help to do that, while making the customer feel like a part of the solution. Involving them in the fixing of the problem will engender greater customer sympathy.
In the case of Flayton Electronics, the problem occurred when the firewall in the wireless inventory-control system was left open, allowing the customer information and internal company data to be broadcast for all to see. From this downed firewall, which had been open for an indeterminate amount of time, the data was easily hacked into and retrieved, due to negligence on the part of the data security staff. This came as a result of severe lack of oversight and continuity between the staff who oversaw the system; they had left it down at some point for whatever reason, and forgot to take it back up.
In light of this particular problem, the most helpful solution is to find a way to make sure that firewalls are never down. This can be done through ensuring a trustworthy, loyal staff that avoids the quick turnover problems that were encountered in those previous positions. Providing greater financial and benefit incentives to these employees could facilitate longer retention of staff. What’s more, the networking department should have tighter oversight, with more dedicated and long-working staff maintaining control and supervision over the areas the newer employees are overseeing. This would prevent sections of data security from being forgotten about by fired or resigned employees – supervisors would be able to access their files and projects at any time, and scheduled, detailed network security scans should be implemented to detect any holes in security at any given time.
Flayton Electronics requires a substantial change in its data security measures, as recent history indicates. In order to prevent future breaches, the existing holes in data security must be filled, and precautions must be taken to prevent this same incident from occurring again. In this project management plan, measures and safeguards will be detailed to make the changes necessary to make the data security sufficient once more. Maintaining the safety of the network infrastructure is absolutely vital to the continued success of the company (Moteff, 2005).
As the primary problem was the firewall downage, this is the most important factor to address. Regular security scans must be performed on a twice-a-day basis to perform a thorough check on the status of the firewall and overall network security. These would be supervised by the network administrator, and would be comprehensive to ensure that no intentional leaks were created. Brand reputation would be restored through transparency in these checks; reports on network security would be emailed to customers to ensure that they know the status of their information.
Supervisors and network administrators would be given master codes to oversee all aspects of network software and hardware, and higher starting salaries and benefits would be offered to network security personnel, thus decreasing the chances of turnover (Stoneburner et al., 2002). In the event of personnel changes, steps would be immediately taken to ensure that all of their work is recognized and finished for them. Potential obstacles would be the budgetary restrictions of that department, which might already be thin, if the employee turnover is sufficiently high (Gorrod, 2004).
With the help of these measures, Flayton Electronics can prove itself a trustworthy and secure company to provide one’s contact information to. The retention and security of one’s personal data is a big component in deciding whether or not to continue business with a company – as a result, this is one of the most important factors in a company that deals primarily with this information. Through using a project management and risk assessment plan which emphasizes the repairing of data security and the restoration of brand reputation, Flayton can find the most effective and expedient way to repair its business after this catastrophe.
-
The Bernie Madoff scheme, one of the most recent and high-profile cases of high-end fraud in 21st century America, created substantial financial damage to many investors and businesses. In order to protect themselves, there are a number of risk management practices that private investors could employ to prevent themselves from enduring such a disastrous situation again. First, investors could “deploy more time toward, and employ more diligence in, assuring themselves that the funds in which they have invested or may invest use independent custodians and other service providers” (Krug, p. 6). One of the biggest red flags for Madoff’s investment scheme was the lack of an independent accounting firm to keep track of the investments; as it stood, Madoff kept the accounting in-house and small (only one individual person was in charge of auditing Madoff’s entire empire), making it much easier to hide the true nature of the investments (Fitzgerald, 2008). However, a neutral accounting auditor would have been able to see the discrepancies put forth by Madoff and his team; therefore, hiring on independent custodians would have been a wise move to make sure that Madoff’s investment plan was legitimate.
Secondly, they could learn more about investment strategies involved and utilized by their investment firms, so as to determine exactly how capital management will occur. In the case of Bernie Madoff, investigation of his risk profile and his “split strike conversion” strategy would have helped to show just how inflated his performance estimates were, and that a realistic replication of returns would not match his estimates by a wide margin. With the help of quantitative risk systems, it is easy to see just how these funds would actually behave, which is far lower than how Madoff would make it seem. By using these strategies, it would be much easier to sniff out fraudulent deals by shady firms like Madoff’s (Douady et al., 2009).
Lastly, private investors could have avoided the risk by not just relying on the cult of personality to dictate their investment strategies. Many investors did not look closely enough at the actual plan that Madoff put forward, instead merely wishing to get close to the person they believed “knew what they were doing.” By virtue of his reputation, Madoff lured in private investors who did not know about the investment market by assuring them that he was an expert; since his name was well known, being the former chief executive of NASDAQ, novices to the game trusted him to handle their finances well. The best strategy for private investors, however, is to look at an investment from an objective viewpoint, foregoing the big name in front of it and looking at how the investment would affect them (Huddleston, 2011).
In the case of these examples and more, project risk management is shown to be incredibly useful. In the PMBOK model, the six processes of risk management - planning, risk identification, qualitative/quantitative risk analysis, risk response planning, monitoring and control - provide a systematic and effective means for project leaders and managers to determine the best ways to control their resources and accomplish tasks without overreaching and risking more than they can afford.
References
Alexander, C. and Sheedy, E. (2005). The Professional Risk Managers' Handbook: A
Comprehensive Guide to Current Theory and Best Practices. PRMIA Publications.
Business Wire. (2011). Research and markets: project risk management (PMBOK guide - Fourth
edition - aligned). Business Wire.
Douady, R., Abdulali, A., & Adlerberg, I. (2009). The Madoff Case: Quantitative Beats
Qualitative!. Riskdata, 2, 1-6.
FITZGERALD, J. (2008, December 18). Madoff’s financial empire audited by tiny firm:
one
guy. The Seattle Times. EBSCOHost.
Gorrod, M. (2004). Risk Management Systems: Technology Trends (Finance and Capital
Markets). Basingstoke: Palgrave Macmillan.
Huddleston, P. (n.d.). Risk Management in the Post-Madoff Era of Fraud. Risk Management
Magazine. EBSCOHost.
IEEE (2011). IEEE Guide--Adoption of the Project Management Institute (PMI(R)) Standard A
Guide to the Project Management Body of Knowledge (PMBOK(R) Guide)--Fourth
Edition. Project Management Institute.
McNulty, E. (2007) Boss, I think someone stole our customer data. Harvard Business Review
Sept 07: 48-56.
Moteff, J. (2005). Risk Management and Critical Infrastructure Protection: Assessing,
Integrating, and Managing Threats, Vulnerabilities and Consequences (Report).
Washington DC: Congressional Research Service.
Stoneburner, G.; Goguen, A. and Feringa, A. (July 2002). Risk Management Guide for
Information Technology Systems. Gaithersburg, MD: National Institute of Standards and
Technology.