Posted: September 19th, 2022

final analysis


Module 05 Content

1. Create a risk assessment plan for your company and do a thorough risk assessment analysis. Assess the ramifications of the risks you identify and make recommendations to mitigate those risks.

Your assignment should meet the following requirements:

- 6-8 pages long, not including the cover page and reference page.
- Conform to APA Style.

For your final project, you will compile all of the weekly deliverables from Modules 02-04 and submit as a final project. Be sure to include your risk assessment plan in this final deliverable.

Compile your deliverables into a paper with the following sections (Hint: make these your level 1 heading per APA format, remembering the title of the paper is your heading for your introduction):

- IT Governance and Risk Control Plan
- Business Continuity and Service Level Agreements
- Risk Status Report
- IT Audit Process
- Risk Assessment Plan and Analysis

After compiling the weekly deliverables, condense the information into a paper 8-10 pages long, and keep only the most substantial information.

Your assignment should meet the following requirements:

- Be 8-10 pages long, not including the cover page and reference page.
- Conform to APA Style.
- Support your answers with at least six current scholarly journal articles (not more than five years old). The Rasmussen Library is a great place to find resources.
- Be clearly and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing. If you need assistance with your writing style and APA format, start with the Writing and APA guides at the Rasmussen Library.

Running head: FINAL ANALYSIS

Final Analysis

Jennifer Simmons

Rasmussen College

CIS4189C#: Risk Management and Business Continuity

Cliff Krahenbill

September 8, 2019


Final Analysis


According to John Spacey with Simplicable (2016), risk management is the process in which one identifies, assesses, reduces and accepts risk. Traditionally this is done by avoiding, mitigating, transferring, or accepting the risks. Business continuity is often referred to as an umbrella under which risk management and disaster recovery reside. TechTarget defines business continuity management as a framework for identifying an organization's risk of exposure to threats, both internal and external. Baham et al. (2017) define disaster recovery as a subset of business continuity. This subset focuses on the process of creating and executing a plan for how an organization can continue its operational functions, whether partially or completely, after a disaster or disruption. Disasters can be anything from a natural disaster such as an earthquake or hurricane to a manmade disaster such as theft or a terrorist attack.

Risk avoidance is often the quickest and simplest way that an organization can manage a risk once it is identified. Avoidance is when the agency chooses not to engage in an activity, or multiple activities, in which there is a risk. Risk mitigation differs from avoidance in that the agency chooses to engage in the risky activity but decides to make it safer by trying to lessen the impact or likelihood associated with it. This choice is mostly used when the risk cannot be avoided. Risk transference is when a business chooses to transfer the risk from itself to another agency or organization, for example through insurance or outsourcing. Finally, there is risk acceptance. Risk acceptance usually occurs when an organization analyzes the risk of an activity and finds that the benefit outweighs the associated risk.

IT risk management is when the principles of risk management are applied to an IT organization to manage IT-specific risks. Techopedia states that IT risk management aims to manage the risk that comes with owning, operating, adopting, influencing, and being involved with the use of IT as part of a larger business. This means that the same ideas behind risk management (avoidance, mitigation, transference, and acceptance) can be applied to the information technology industry and should be taken into account just as they would be in any other industry. CA Technologies, an American multinational software company, calculates from a survey of 200 companies in North America and Europe that IT downtime cost each company $150,000 a year. Additionally, CA Technologies found that, despite IT downtime being a common and lengthy ordeal, 56% of the American and 30% of the European companies surveyed do not have a good disaster recovery plan. Baham et al. (2017) attribute this cost to an organization's dependence on its technological infrastructure. In the CA Technologies survey, businesses stated that the IT downtime they experienced caused substantial damage to their reputations, staff morale, and customer loyalty.

IT Governance and Risk Control Plan

A risk control plan is a plan devised specifically to ensure that any threat, vulnerability, or loss can be identified and mitigated. Risks can compromise SalusCare's ability to perform and function as an organization or cause damage to the organization's assets. Risk monitoring is crucial for the success of an organization, as it requires the organization to think critically about the state of the company as a whole. As such, ignoring or disregarding operational risks of any kind can put the organization, its clients, and its staff at risk. Analyzing, monitoring, and planning for risk is the best way to protect them.

Information systems.

The following are some risks identified during the risk assessment of the Information Systems Department:

- Email Scams and Attachments – Information Systems
- Theft of Mobile Devices from Remote Employees – Information Systems
- Unauthorized Access to Patient Records – Information Systems

Facilities.

The following is the primary risk identified during the assessment of the Facilities Department:

- Safety Precautions are not Followed – Facilities

Accounting.

The following are some risks identified during the assessment of the Accounting Department:

- Unauthorized Access to Accounting Software – Accounting
- Outgoing Checks do not match bank statements – Accounting

Crisis support.

The following are some risks identified while assessing the Crisis Support Team:

- Patient Violence – Crisis Support
- Imminent Threats from Patients – Crisis Support

Service Level Agreement

This service level agreement (SLA) describes the levels of service that SalusCare (‘the client’) will
receive from Entech (‘the supplier’).

This SLA should be read alongside the IT support contract between the client and the supplier. Although
the SLA covers key areas of the client’s IT systems and support, the support contract may include areas
not covered by this SLA.


The client depends on IT equipment, software and services (together: ‘the IT system’) that are provided,
maintained and supported by the supplier. Some of these items are of critical importance to the business.

This service level agreement sets out what levels of availability and support the client is guaranteed to
receive for specific parts of the IT system. It also explains what penalties will be applied to the supplier
should it fail to meet these levels.


This SLA forms an important part of the contract between the client and the supplier. It aims to enable the
two parties to work together effectively.


This SLA is between:

The client: SalusCare
2789 Ortiz Avenue
Fort Myers, FL 33905
Key contact: Edmund Kemper

The supplier: Entech
12578 Commonwealth Dr
Fort Myers, FL 33913
Key contact: Penelope Garcia


Dates and reviews.

This agreement begins on and will run for a period of 24 months.

It may be reviewed at any point, by mutual agreement. It may also be reviewed if there are any changes to
the client’s IT system.


This SLA is written in a spirit of partnership. The supplier will always do everything possible to rectify
every issue in a timely manner.

However, there are a few exclusions. This SLA does not apply to:

- Software, equipment or services not purchased via and managed by the supplier

Additionally, this SLA does not apply when:

- The problem has been caused by using equipment, software or service(s) in a way that is not
- The client has made unauthorized changes to the configuration or set up of affected equipment, software or services.
- The client has prevented the supplier from performing required maintenance and update tasks.
- The issue has been caused by unsupported equipment, software or other services.

This SLA does not apply in circumstances that could be reasonably said to be beyond the supplier’s
control. For instance: floods, war, acts of god and so on.

This SLA also does not apply if the client is in breach of its contract with the supplier for any reason (e.g.
late payment of fees).

Having said all that, Entech aims to be helpful and accommodating at all times, and will do its absolute
best to assist SalusCare wherever possible.


Guaranteed uptime.

Uptime levels.

In order to enable the client to do business effectively, the supplier guarantees that certain items will be available for a certain percentage of time.

Measurement and penalties.

Uptime is measured using the supplier's automated systems, over each calendar month. It is calculated to the nearest minute, based on the number of minutes in the given month (for instance, a 31-day month contains 44,640 minutes).

If uptime for any item drops below the relevant threshold, a penalty will be applied in the form of a credit for the client.

This means the following month's fee payable by the client will be reduced on a sliding scale.

The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA:

Priority level   Penalty per hour (pro-rated to nearest minute)
1                5% of total monthly fee
2                2% of total monthly fee
3                1% of total monthly fee

Important notes:

- Uptime penalties in any month are capped at 50% of the total monthly fee.
- Uptime measurements exclude periods of routine maintenance. These must be agreed between the supplier and client in advance.
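The uptime rules above (monthly measurement to the nearest minute, maintenance excluded, only downtime beyond the permitted allowance penalised, per-hour rates pro-rated by minute, 50% cap) are easy to get wrong when the credit is disputed, so the following calculator works them through. It is an added example and not part of the Entech/SalusCare agreement. The per-priority rates and the cap come from the table above; the guaranteed uptime percentage for each item is an assumption (the page does not reproduce the uptime table), so it is passed in per item, and the sample month and figures in the `__main__` block are constructed.

```python
"""SLA uptime credit calculator (added example; not the agreement's own text)."""
from calendar import monthrange
from dataclasses import dataclass

# Penalty per hour of excess downtime, as a fraction of the monthly fee (from the SLA table).
PENALTY_PER_HOUR = {1: 0.05, 2: 0.02, 3: 0.01}
# Uptime penalties in any month are capped at 50% of the total monthly fee (from the SLA).
MONTHLY_CAP = 0.50


@dataclass(frozen=True)
class ItemOutage:
    name: str
    priority: int                 # 1, 2 or 3 per the penalty table
    guaranteed_pct: float         # assumed value such as 99.9; the SLA's uptime table is not on the page
    outage_minutes: int           # unplanned unavailability measured by the supplier's systems
    maintenance_minutes: int = 0  # routine maintenance agreed in advance; excluded from measurement


def minutes_in_month(year: int, month: int) -> int:
    """Calendar minutes in the month, e.g. 44,640 for a 31-day month."""
    return monthrange(year, month)[1] * 24 * 60


def measured_minutes(year: int, month: int, item: ItemOutage) -> int:
    """Minutes that count towards uptime: the month minus agreed maintenance windows."""
    return minutes_in_month(year, month) - item.maintenance_minutes


def uptime_pct(year: int, month: int, item: ItemOutage) -> float:
    """Uptime as a percentage of the measured minutes."""
    total = measured_minutes(year, month, item)
    return 100.0 * (total - item.outage_minutes) / total


def permitted_downtime_minutes(year: int, month: int, item: ItemOutage) -> float:
    """Downtime the guaranteed percentage allows before any penalty applies."""
    total = measured_minutes(year, month, item)
    return total * (100.0 - item.guaranteed_pct) / 100.0


def item_penalty_fraction(year: int, month: int, item: ItemOutage) -> float:
    """Fraction of the monthly fee owed as credit for one item, before the cap.

    Only downtime beyond the permitted allowance is penalised; the per-hour
    rate is pro-rated to the nearest minute of excess downtime.
    """
    excess = max(0.0, item.outage_minutes - permitted_downtime_minutes(year, month, item))
    excess_hours = round(excess) / 60.0
    return excess_hours * PENALTY_PER_HOUR[item.priority]


def monthly_credit(year: int, month: int, monthly_fee: float, items: list) -> float:
    """Credit applied to the following month's fee, summed over items and capped at 50%."""
    total_fraction = sum(item_penalty_fraction(year, month, it) for it in items)
    return monthly_fee * min(total_fraction, MONTHLY_CAP)


if __name__ == "__main__":
    # Constructed sample: March 2020 (31 days), $10,000 monthly fee, two items.
    items = [
        ItemOutage("email", priority=1, guaranteed_pct=99.9, outage_minutes=300),
        ItemOutage("file server", priority=3, guaranteed_pct=99.0,
                   outage_minutes=120, maintenance_minutes=240),
    ]
    for it in items:
        print(f"{it.name}: uptime {uptime_pct(2020, 3, it):.3f}%, "
              f"penalty {item_penalty_fraction(2020, 3, it):.2%} of fee")
    print(f"credit against next month's fee: ${monthly_credit(2020, 3, 10_000, items):,.2f}")
```

In the constructed sample the email item (priority 1, 99.9% guaranteed) is allowed about 44.6 minutes of downtime in the month; 300 minutes of outage leaves 255 excess minutes, or 4.25 hours at 5% per hour, so the credit is 21.25% of the fee. The file server stays inside its 1% allowance and earns no credit, and a full-month outage on any item hits the 50% cap rather than the uncapped figure.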

Guaranteed response times.

When the client raises a support issue with the supplier, the supplier promises to respond in a timely

Response times.

The response time measures how long it takes the supplier to respond to a support request raised via the
supplier’s online support system.

Response times are measured from the moment the client submits a support request via the supplier’s
online support system.


Response times apply during standard working hours (9am — 5.30pm) only, unless the contract between
the client and supplier specifically includes provisions for out of hours support.

Severity levels.

The severity levels shown in the tables above are defined as follows:

- Fatal: Complete degradation. All users and critical functions affected. Item or service completely unavailable.
- Severe: Significant degradation. Large number of users or critical functions affected.
- Medium: Limited degradation. Limited number of users or functions affected. Business processes can continue.
- Minor: Small degradation. Few users or one user affected. Business processes can continue.

Measurement and penalties.

Important notes:

- Response time penalties in any month are capped at 50% of the total monthly fee.
- Response times are measured during working hours (9am to 5.30pm) only.

For instance, if an issue is reported at 5.00pm with a response time of 60 minutes, the supplier has until 9.30am the following day to respond.
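The working-hours rule above is the one most often disputed between a client and a managed service provider, because a ticket raised late in the day or outside the window must carry its remaining minutes over to the next working day. The following clock implements that rule; it is an added example, not part of the agreement. Working hours (9:00 to 17:30) and the 17:00 plus 60 minutes gives 9:30 next day case come from the page. Two things are assumptions because the page does not state them: working days are Monday to Friday, and the per-severity response targets, which are therefore passed in as minutes rather than hard-coded.

```python
"""Working-hours response-time clock for the SLA (added example; not the agreement's own text)."""
from datetime import datetime, time, timedelta

WORK_START = time(9, 0)        # from the SLA: standard working hours start at 9am
WORK_END = time(17, 30)        # from the SLA: standard working hours end at 5.30pm
WORKDAYS = {0, 1, 2, 3, 4}     # Monday..Friday (assumption; the page does not say)


def _next_work_start(dt: datetime) -> datetime:
    """9:00 on the first working day after dt's date."""
    day = dt.date() + timedelta(days=1)
    while day.weekday() not in WORKDAYS:
        day += timedelta(days=1)
    return datetime.combine(day, WORK_START)


def _clock_start(reported: datetime) -> datetime:
    """First instant at which the response clock runs for a request raised at `reported`."""
    if reported.weekday() not in WORKDAYS or reported.time() >= WORK_END:
        return _next_work_start(reported)          # raised after hours or on a non-working day
    if reported.time() < WORK_START:
        return datetime.combine(reported.date(), WORK_START)  # raised before 9:00
    return reported


def response_deadline(reported: datetime, target_minutes: int) -> datetime:
    """Latest moment the supplier may respond, counting working minutes only.

    Remaining minutes roll over to the next working day when the current
    working day runs out, so 17:00 + 60 minutes lands at 09:30 the next day.
    """
    cursor = _clock_start(reported)
    remaining = timedelta(minutes=target_minutes)
    while True:
        end_of_day = datetime.combine(cursor.date(), WORK_END)
        available = end_of_day - cursor
        if remaining <= available:
            return cursor + remaining
        remaining -= available
        cursor = _next_work_start(cursor)


def target_met(reported: datetime, responded: datetime, target_minutes: int) -> bool:
    """True when the supplier's response arrived no later than the working-hours deadline."""
    return responded <= response_deadline(reported, target_minutes)


if __name__ == "__main__":
    # Constructed sample: the SLA's own example, a ticket raised at 17:00 on a Thursday.
    raised = datetime(2019, 9, 5, 17, 0)
    print("deadline:", response_deadline(raised, 60))                   # 2019-09-06 09:30
    print("met at 09:15?", target_met(raised, datetime(2019, 9, 6, 9, 15), 60))
    print("met at 09:45?", target_met(raised, datetime(2019, 9, 6, 9, 45), 60))
```

A ticket raised at 17:00 on a Friday with the same 60-minute target is due at 09:30 on Monday under the weekday assumption; a practitioner reconciling penalty credits should confirm with the supplier whether weekends and public holidays are excluded, since the SLA text leaves that open.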

Resolution times.

The supplier will always endeavor to resolve problems as swiftly as possible. It recognizes that the
client’s computer systems are key to its business and that any downtime can cost money.

However, the supplier is unable to provide guaranteed resolution times. This is because the nature and
causes of problems can vary enormously.

In all cases, the supplier will make its best efforts to resolve problems as quickly as possible. It will also
provide frequent progress reports to the client.

Right of termination.

The supplier recognizes that it provides services that are critical to the client’s business.

If the supplier consistently fails to meet the service levels described in this document, the client may
terminate its entire contract with the supplier, with no penalty.

This right is available to the client if the supplier fails to meet these service levels more than five times
in any single calendar month.




References

Baham, C., Hirschheim, R., Calderon, A. A., & Kisekka, V. (2017). An Agile Methodology for the Disaster Recovery of Information Systems Under Catastrophic Scenarios. Journal of Management Information Systems, 34(3), 633-663. doi:10.1080/07421222.2017.1372996

Harris, C. (2010). IT downtime costs $26.5 billion in lost revenue. InformationWeek.

Horton, M. (2018, December 20). Common Examples of Risk Management.

Kivisto, A. J. (2015). Violence Risk Assessment and Management in Outpatient Clinical Practice. Journal of Clinical Psychology, 72(4), 329-349. doi:10.1002/jclp.22243

Rouse, M., & Goulart, K. (n.d.). What is business continuity management (BCM)? Definition from TechTarget.

Schub, T., & Kornusky, J. (2018). Patient Violence: Risk and Management Strategies in the Behavioral Healthcare Setting. CINAHL Information Systems.

Shaw, K. (2018, January 23). What is disaster recovery? How to ensure business continuity.

Spacey, J. (2017, February 24). 33 Risk Management Examples. Simplicable.

Techopedia. (n.d.). What is IT Risk Management? Definition from Techopedia.
