Organization background
In the area of information technology, the adoption of new and innovative technology faces various challenges. An emerging, globalizing world has made it essential for organizations to make strategic and innovative changes to their existing information systems in order to bring innovation into their operations, and thereby gain a competitive advantage in an era of intense business competition. In the field of information technology, the process of technical innovation is characterized by inherent uncertainty (Mathur, Mathur, & Pandya, 2015). Investments in new information system technologies carry a variety of risks, since a newer technology implemented to deliver improved performance may in fact deliver lower performance. Past research on technology adoption for new management information systems (MIS) has identified several conceptual models and frameworks. These models and frameworks are intended to support the decision to adopt an effective and efficient management information system so that organizational operations achieve improved performance (Fountas, et al., 2015). They include the technology acceptance model as well.
This report identifies the information system and information technology in use at Xero. This is done to understand the company's current information system and information technology, to analyze that system, and to make a risk assessment for it. The report presents a risk analysis of the information system Xero uses to manage its data and to provide the best solutions to its customers while maintaining its quality of work. In the last section, some recommendations are made for the organization regarding the information system and information technology it has been using for a long time.
Xero is a New Zealand based public software company offering cloud-based accounting software to clients in the SME sector. The company has offices in New Zealand, Australia, the US, the UK, and South Africa. It was founded in 2006 in New Zealand with the objective of helping SMEs with the accounting side of their business. Today the company employs more than 2,000 people. In 2014 and 2015 the company was recognized as the World's Most Innovative Growth Company by Forbes. This innovative growth reflects the success of its information system (Xero, 2018b). With a collaborative team spirit, the company works closely with its partners, customers, and other friends within the industry to move forward in the direction of innovative business and product development. The main purpose of doing business in this innovative way is to turn the company into an online business platform for the world (Xero, 2018a).
Role of information system in business organizations
Studies describe an information system as an organized combination of people, communication networks, policies, hardware, and software that is used to collect, process, and disseminate information within an organization. In business organizations, people rely on different means of communication: physical devices as hardware, communication channels as a network, and procedures or instructions as software. The emerging global world has pushed business organizations to enhance the efficiency of their communication and data processing systems through strategic innovation (Laudon, & Laudon, 2015). For an organization like Xero, which provides financial accounting software to its clients, the information system plays an important role, because the information it collects from its customers is both sensitive and confidential. The company is therefore required to provide an innovative and advanced information system. It is the company's information system that carries this sensitive and confidential information, which shows that the information system is the key element for an organization in maintaining both its service quality and the security of its product.
Research has identified several risks and risk factors related to information systems and information system projects. The risks and risk factors identified in these studies make it all the more important for organizations to use an organized framework within the information system they operate (Feng, Wang, & Li, 2014). Such frameworks help the organization understand the possible risks and risk factors, and also help it find strategic alternatives to mitigate the threat posed by each risk. In information technology, most of the risk factors identified in studies apply to software development projects rather than to the information systems used in day-to-day operations.
Need of risk assessment
In the emerging world, organizations use technology-based devices to operate their information systems and enhance their efficiency. The technical devices used in an organization's information system may damage the system or lose data through technical error. Therefore, to keep information systems working efficiently and safely, risk assessment is very important. An effective risk assessment of an information system ensures that the system the organization uses is safe and effective in keeping its business growing (Wu, Chen, & Olson, 2014).
Risks associated with the information system of business organizations
The information system of a business organization is exposed to risks from its own system components as well as from wider industry threats that may cause harm. These risks can be divided into two major categories: risks associated with the computerized environment, and risks due to cyber-crime.
Risks to the computerized environment
In the technically advanced world, business organizations build computerized systems into their information systems to make them easier to use and more efficient. Although these computerized components make an information system more efficient and easier to operate, their use carries risks as well. The risks associated with a computerized information system are listed below:
Power loss: If an organization uses a computerized framework within its information system, it suffers whenever a loss of power occurs in that system. Business organizations rely on the computerized framework for their information system, and at times of power loss the whole information system is affected and may lose its connectivity with other parts of the organization, so that important information cannot be communicated on time.
Communication failure: A failure of communication devices can interrupt a computer-based information system and delay the communication of important data or information, which may cause serious harm to the business and to the organization's systems. Such risks are mainly associated with communication facilities such as the internet and other information exchange devices (Dumais, et al., 2016).
Fire: A computerized information system environment is surrounded by power sources, and a small circuit fault in any of them can create a fire situation in the organization. A fire causes hazardous damage to company assets as well as to the data stored in the system. Sometimes a fire can destroy the company's entire data storage, and the organization may lose a great deal.
Misuse by employees: In any computerized information system, a dissatisfied employee can harm the system significantly by disclosing sensitive information to competitors or by intentionally destroying IT components of the system. Such actions by employees are not predictable, so systems must be secured against this kind of risk.
Technical failure: Technology is created for betterment, but it may nonetheless fail because of technical or manual errors in the system's processes. These errors may cause only a small technical failure, yet a small failure may do great harm to the organization and its information system. A technical failure can bring the whole information system to a shut-down, which is a complete failure of the system. Such risks are common with technical failures, so risks related to technical failure must be considered for the computerized environment of any information system in the business world.
Risks due to cyber-crime
Malicious code: Computerized systems are sensitive to malicious files. In such incidents, the system may slip out of the control of its genuine authority, and some other party may illegally take control of the whole system. In such incidents, malicious programs or viruses may introduce trojan horses, logic bombs, or worms into the organization's information system.
Theft or destruction of computerized resources: In an information system linked to a computerized environment, the risk of theft of these computerized systems or components is high, and the organization has to ensure the security of the system at any cost. Any computerized component linked to the system may hold data and information about the organization and its business. If such information reaches competitors in the market, it can harm the organization a great deal.
Fraud: Fraud is an unlawful activity primarily related to the illegal use of sensitive information that can cause serious damage to the victim. In the IT industry, for an organization like Xero, fraud can cause a lot of damage, because its software is designed to access financial activities, and fraud in financial activities can cause economic loss to the victim. Through such incidents a company may suffer economic loss as well as loss of reputation in the market. The information systems of IT companies must be secured with strong security to avoid fraud incidents.
Sabotage: Sabotage is an intentional attack on web pages to misguide the authorities in order to steal genuine or sensitive information. In the technical world, people use such techniques to mislead a company in another direction by damaging its web pages, so that they can easily take control of its information system, learn about its business strategy, and gain a competitive advantage. This is a result of increasing competition (Lee, Bagheri, & Kao, 2015). Organizations want a competitive advantage, and some go beyond lawful activities and choose such ways to get it. Although these activities are unlawful and fall into the category of criminal activity, the pressures of the business market lead some organizations to perform them (Harrison, & Lock, 2017).
Computer viruses: With technical advancement, people have gained some really dangerous means of taking control of other authorities' systems. To take control of higher authority systems, people involved in cyber-crime use computer viruses. A virus is a malicious program that the user receives with the installation of some malicious program or during a visit to a specific web page. In such cases the target system installs the virus unwillingly and may lose control of its own system. The virus carries computerized code that allows the target system to be accessed from a distance. Once an information system slips out of the control of its genuine authority, the business organization may suffer serious damage to its economy or reputation.
Embezzlement: Embezzlement is the illegal or unlawful misappropriation of money by whoever is responsible for controlling electronic fund transfers. In such cases, the organization's own employees are generally involved. Some employees intentionally perform these activities out of greed. They can use the trust placed in them to learn the authentication requirements and gain illegal access to the system. Once in control, they make illegal money transfers for their own benefit, and the responsible authorities are left as victims of the crime.
Sniffers: There are several processes and software tools for detecting security IDs and passwords, which attackers use to gain access to personal accounts in the information system and illegally steal information for their own personal benefit.
Risk management in an information system
Risk management in any system is a systematic process of several steps that are essential to manage and control risks. The complete risk management process includes a series of steps to identify, analyze, evaluate, treat, monitor, and communicate risks in order to prepare a strategic risk mitigation program. Since risk management is an iterative process that is applied repeatedly in any system, it is also called the risk management cycle (Heckmann, Comes, & Nickel, 2015). A simple risk management cycle involves the following essential steps:
- Risk identification
- Risk analysis
- Risk evaluation
- Risk mitigation
- Implementation of management strategies
- Risk control
- Re-assessment and re-evaluation of risk management strategies
This process can also be shown as a cycle, as in the diagram below, which presents the cyclic arrangement of these risk management steps:
Figure: Risk management cycle (Source: Author)
To identify the risk factors associated with the internal as well as the external environment of the organization's information system, the system is assessed to its full exposure. Information systems are exposed to several direct and indirect risks (Galliers, & Leidner, 2014). These risks primarily emerge from the frequently changing technology used in an information system. Frequent changes in technology create a gap between the technical security protections applied and the actual protection the system requires. Therefore, in this step, management assesses the technical implementations applied to the information system to identify the risks associated with them (Laudon, & Laudon, 2016).
The second step, after identifying the risks associated with the information system, is to analyze and evaluate them. This evaluation decides whether to accept the risk or to prepare a strategy for its mitigation. The decision to accept or mitigate a risk depends on its impact on the business. In this step, therefore, the overall impact of the risk on the organization or its business is evaluated in a materialized form, and the decision is made on the basis of that evaluation. In this context the main purpose of risk evaluation is to identify the probability of threats and their exploitation against the organization and its business (Xu, et al., 2014).
The probability of a threat is the chance of the risk occurring in practice, and its exposure is defined as its impact on the business. To identify the probability of a risk, management uses different risk matrices and models. This probability, together with the exposure value, defines the risk matrix value for the particular risk. This step is one of the most critical in the whole risk management process for any information system, since it decides whether strategic planning for a mitigation plan is required and also determines the economic impact of all the risks identified in the risk identification step (Eason, 2014).
Since the previous two steps identified the potential threats, it is now time to review the organization's information system to identify any loopholes or weaknesses that could be exploited by those threats. This step assists the previous step of risk evaluation in making decisions for the mitigation plan (Wade, & Hulland, 2004).
Different strategies are available in the risk management literature for any organization. On the basis of the findings in the risk evaluation and risk assessment steps, an efficient strategy is selected to mitigate or deal with the risk and its exploitation against the organization (Nduwimfura, & Zheng, 2015). Including administrative and technical controls, there are several measures an organization can use to control or mitigate the identified risks and their exposure. Some of these measures are as follows:
Transference: Transference is the process of shifting a risk from one authority to another that can deal with it more efficiently. For IT systems this technique is not widely used, because such systems are exposed to the data linked to them, and any information leakage by the third party may cause serious damage to the organization. In daily life, however, individuals use this technique often: all insurance, including car insurance, health insurance, and life insurance, is a common example of transferring risk from one party to a third party (Azhar, Khalfan, & Maqsood, 2015).
Acceptance: Acceptance is the practice of allowing an information system to operate with prior knowledge of the risk. These are risks with a low risk-matrix value; they do not impact the organization enough to require mitigation. Therefore, to keep risk management economical, the organization accepts that these risks may occur and allows for them in full (Nicholson, & Mather, 2014).
Avoidance: In this practice, the organization avoids an operation or a system altogether in order to avoid that particular risk. This mitigation strategy is used for risks with the highest matrix value or those causing a huge impact on the information system (Lewis, et al., 2016).
In this process, management must first obtain approval from higher authorities to apply all the strategies prepared to mitigate the risks identified in the risk management process. This must be supported by a plan of action and milestones (Ericson, 2015).
Risk mitigations are measures and controls for risks; therefore, neither excessive risk nor excessive control is useful to an organization. With this in mind, management has to strike a balance between risk and control.
The information systems of organizations in this progressive world will continuously update and expand in terms of their technology and the management of their operations. Updates to the software applications of an information system are part of this. Such changes introduce new risks to the information system, which have to be analyzed to determine whether previously mitigated risks remain a concern (Oinas-Kukkonen, & Harjumaa, 2018).
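To make the evaluation, treatment, and risk-versus-control steps above concrete, the following is an added example (not from the original report): a small risk register drawn from the risk categories this report lists, scored with the report's probability x exposure matrix value, assigned a treatment, and checked for the balance between risk and control. The 1-5 scales, the acceptance and avoidance thresholds, the control costs, and the loss per matrix point are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed qualitative scales for this example: 1 = lowest, 5 = highest.
# A control is a tuple (name, likelihood_reduction, exposure_reduction, cost).
ACCEPT_BELOW = 5    # matrix values below this are accepted (low matrix value)
AVOID_FROM = 20     # matrix values at or above this call for avoidance

@dataclass
class Risk:
    name: str
    likelihood: int                       # probability of the risk occurring
    exposure: int                         # impact on the business
    controls: list = field(default_factory=list)   # controls already applied

def matrix_value(likelihood, exposure):
    """Risk matrix value as the report defines it: probability x exposure."""
    return likelihood * exposure

def residual(risk):
    """Likelihood and exposure left after the applied controls, floored at 1."""
    prob, impact = risk.likelihood, risk.exposure
    for _, d_prob, d_impact, _ in risk.controls:
        prob, impact = max(1, prob - d_prob), max(1, impact - d_impact)
    return prob, impact

def treatment(value):
    """Treatment chosen from the matrix value (transference is left out because
    the report notes it is rarely used for IT systems)."""
    if value < ACCEPT_BELOW:
        return "accept"
    if value >= AVOID_FROM:
        return "avoid"
    return "mitigate"

def control_is_worthwhile(risk, control, loss_per_point):
    """Balance risk against control: apply a control only if the expected loss it
    removes (matrix points x assumed loss per point) exceeds its cost."""
    before = matrix_value(*residual(risk))
    trial = Risk(risk.name, risk.likelihood, risk.exposure, risk.controls + [control])
    after = matrix_value(*residual(trial))
    return (before - after) * loss_per_point > control[3]

def plan_of_action(register):
    """Prioritized plan: (risk, residual matrix value, treatment), highest first."""
    rows = []
    for risk in register:
        value = matrix_value(*residual(risk))
        rows.append((risk.name, value, treatment(value)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

def run_example():
    # Constructed register using risk categories named in the report.
    power_loss = Risk("Power loss", likelihood=4, exposure=3)
    register = [power_loss, Risk("Fire", 2, 5), Risk("Communication failure", 3, 2),
                Risk("Sniffers", 2, 2), Risk("Embezzlement", 4, 5)]
    ups = ("UPS and backup generator", 3, 0, 15)        # cuts likelihood by 3, costs 15
    second_generator = ("Second backup generator", 1, 0, 30)
    first_ok = control_is_worthwhile(power_loss, ups, loss_per_point=5)
    if first_ok:
        power_loss.controls.append(ups)
    # After the first control the residual likelihood is already at the floor, so an
    # overlapping second control removes no further risk: excessive control is wasted.
    second_ok = control_is_worthwhile(power_loss, second_generator, loss_per_point=5)
    return first_ok, second_ok, plan_of_action(register)

if __name__ == "__main__":
    for row in run_example()[2]:
        print(row)
```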
Conclusion
This report concludes that organizations in the emerging technical world use computerized information systems in their operations to manage all the data and information they require to sustain their business. In these systems, all computerized components are liable to attack both from elements within the organization and from external cyber attackers. To mitigate or control these risks, organization management has to prepare a risk mitigation or control program so that all the risks associated with the information system can be analyzed and the strategic actions required to mitigate them can be taken. All the decision-related aspects of the risk management program make it essential to implement a strategic risk management cycle.
References
Azhar, S., Khalfan, M., & Maqsood, T. (2015). Building information modeling (BIM): now and beyond. Construction Economics and Building, 12(4), pp. 15-28.
Dumais, S., Cutrell, E., Cadiz, J. J., Jancke, G., Sarin, R., & Robbins, D. C. (2016). Stuff I've seen: a system for personal information retrieval and re-use. ACM SIGIR Forum, 49(2), pp. 28-35.
Eason, K. D. (2014). Information technology and organizational change. US: CRC Press.
Ericson, C. A. (2015). Hazard analysis techniques for system safety. US: John Wiley & Sons.
Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 256, pp. 57-73.
Fountas, S., Carli, G., Sørensen, C. G., Tsiropoulos, Z., Cavalaris, C., Vatsanidou, A., … & Tisserye, B. (2015). Farm management information systems: Current situation and future perspectives. Computers and Electronics in Agriculture, 115, pp. 40-50.
Galliers, R. D., & Leidner, D. E. (2014). Strategic information management: challenges and strategies in managing information systems. US: Routledge.
Harrison, F., & Lock, D. (2017). Advanced project management: a structured approach. US: Routledge.
Heckmann, I., Comes, T., & Nickel, S. (2015). A critical review on supply chain risk: Definition, measure and modeling. Omega, 52, pp. 119-132.
Laudon, K. C., & Laudon, J. P. (2015). Management information systems, Vol. 8. US: Prentice Hall.
Laudon, K. C., & Laudon, J. P. (2016). Management information system. India: Pearson Education.
Lee, J., Bagheri, B., & Kao, H. A. (2015). A cyber-physical systems architecture for industry 4.0-based manufacturing systems. Manufacturing Letters, 3, pp. 18-23.
Lewis, K. A., Tzilivakis, J., Warner, D. J., & Green, A. (2016). An international database for pesticide risk assessments and management. Human and Ecological Risk Assessment: An International Journal, 22(4), pp. 1050-1064.
Mathur, N., Mathur, H., & Pandya, T. (2015). Risk management in information system of organization: A conceptual framework. International Journal of Novel Research in Computer Science and Software Engineering, 2(1), pp. 82-88.
Nduwimfura, P., & Zheng, J. (2015). A review of risk management for information systems outsourcing. International Journal of Business, Humanities, and Technology, 5(4), pp. 28-33.
Nicholson, M. C., & Mather, T. N. (2014). Methods for evaluating Lyme disease risks using geographic information systems and geospatial analysis. Journal of Medical Entomology, 33(5), pp. 711-720.
Oinas-Kukkonen, H., & Harjumaa, M. (2018). Persuasive systems design: key issues, process model and system features. In Routledge Handbook of Policy Design. US: Routledge.
Wade, M., & Hulland, J. (2004). The resource-based view and information systems research: Review, extension, and suggestions for future research. MIS Quarterly, 28(1), pp. 107-142.
Wu, D. D., Chen, S. H., & Olson, D. L. (2014). Business intelligence in risk management: Some recent progress. Information Sciences, 256(20), pp. 1-7.
Xero. (2018a). When small business is beautiful business. Retrieved from: https://www.xero.com/au/
Xero. (2018b). About us. Retrieved from: https://www.xero.com/au/about/
Xu, B., Da Xu, L., Cai, H., Xie, C., Hu, J., & Bu, F. (2014). Ubiquitous data accessing method in IoT-based information system for emergency medical services. IEEE Transactions on Industrial Informatics, 10(2), pp. 1578-1586.