Exercise 1
Plan-Do-Check-Act Cycle
The Plan-Do-Check-Act (PDCA) cycle is a four-step model used to implement change. It is illustrated as a circle: just as a circle has no end, the PDCA cycle should be applied continuously to attain continuous improvement. The model is applicable in many situations, such as a model for continuous improvement, the commencement of a new improvement project, the development of a new product or service, the implementation of change, and the planning of data collection and analysis. The PDCA cycle, also known as the Deming Cycle, begins with the Plan step, where a goal or purpose is identified. This is followed by the Do step, where the plan is put into action. The Check step consists of monitoring the outcomes to test the validity of the plan and whether success is being achieved. The final step, Act, is essential for integrating what was learned from the whole process and making adjustments to it. The four steps form a never-ending cycle of continuous improvement.
Risk management, as stipulated in AS/NZS ISO/IEC 31000:2009, involves considering the possibility of risks occurring and the options available to reduce the uncertainty posed by their occurrence. In describing the principles of risk management, AS/NZS ISO/IEC 31000:2009 states that good risk management should facilitate the attainment of an organization’s goals through continuous review of its components, processes and systems. This is exactly what the PDCA cycle aims to achieve: continuous improvement. AS/NZS ISO/IEC 31000:2009 has two major parts: the framework and the process. The framework provides the overall structure and operation of risk management, while the process describes the ways in which risks are identified, analyzed and treated. The risk management framework mirrors the Plan, Do, Check, Act cycle that is common in most management system designs. The framework is realized through policy and governance, which are attained through a continuous process of design (plan), implementation (do), monitoring and review (check), and continual improvement (act) (Bricker, 2011).
While the PDCA cycle is effective in change management, it has its shortcomings. One is the rigidity of the cycle, which leaves limited room for variation. This arises because the model prescribes a step-by-step process that works best when conditions are ideal. While the Do step allows options to be considered, the commencement of the project closes this opportunity. Another shortcoming is that the cycle focuses on the process while giving very limited regard to results. Despite its quality-control mechanism being in place, the final result is mostly tied to the process. This makes it difficult to manage and respond to fast-changing client needs, which slows down the whole process (Bondigas, 2016).
References
Bondigas, A. (2016). Weaknesses of the Deming Cycle. Retrieved from http://smallbusiness.chron.com/weaknesses-deming-cycle-74907.html
Bricker, G. (2011). The Basics of ISO 31000 - Risk Management. Retrieved from http://perspectives.avalution.com/2011/the-basics-of-iso-31000-risk-management/
Exercise 2: ISO/IEC 27001:2013
Information technology - Security techniques - Information security management systems
ISO/IEC 27001:2013 provides the specific requirements for establishing, implementing, reviewing and continually improving an information security management system (ISMS) in an organization. The standard is a revision of the earlier ISO/IEC 27001:2005. ISO/IEC 27001:2013 provides general requirements that are applicable to any organization of any type, size or nature. The standard is a joint effort of ISO and IEC through a joint committee. It provides a yardstick against which organizations are measured to determine their adherence, with a formal certificate of compliance issued after an audit.
The official name of ISO/IEC 27001:2013 is “Information technology - Security techniques - Information security management systems - Requirements”. The standard has ten clauses: scope, references, terms and definitions, context of the organization, leadership, planning, support, operation, performance evaluation and improvement. Adopting this standard in an organization is a strategic decision made by its executives. The form of the information security management system in an organization, as the standard suggests, depends on the organization’s aspirations, objectives, security requirements, processes and size.
Clause 4 discusses the context of the organization, addressing the deprecated concept of preventive action and determining the context of the ISMS by bringing together relevant external and internal issues. Under clause 5, on leadership, top management is tasked with establishing the information security policy. Clause 6, which deals with planning, emphasizes the need for information security risk assessment and treatment in an organization. It goes on to state the features that an organization’s information security objectives need to have.
Clause 7 deals with support: organizations are required to provide the resources needed to establish, implement, maintain and continually improve the ISMS. The standard further sets requirements for competence, awareness and communication. This clause also details the components of documented information. Clause 8 covers operation and relates to how the plans and processes are executed. The execution of actions is pegged to the information security objectives developed under clause 6. The performance of the information system needs to be assessed at predetermined intervals or when major changes are about to happen or have occurred. Under clause 9, on performance evaluation, the processes of monitoring, measurement, analysis and evaluation are described. The clause requires an organization to evaluate its information security performance and to use this information in determining what needs to be measured and monitored, when, by whom and by what means. Performance evaluation is also conducted through internal audit and management review. The final clause, on improvement, prescribes the actions to be taken in the event of nonconformities. The clause also details how corrective actions taken against arising nonconformities need to be documented.
Exercise 3
Concept of Risk and Risk Management
My conceptualization of risk and risk management was formed on the basis of goal setting and goal achievement. Risk refers to the uncertainty that surrounds future events and outcomes. A risk is a way of expressing the likelihood and impact of a possible future event that has the potential to influence the attainment of an organization’s objectives (Peter-Berg, 2010). In this regard, I viewed risks as those uncertain events that may hinder the attainment of set goals. When these risks are identified, they need to be mitigated and measures put in place to ensure that their adverse effects are kept to a minimum. Taking the IT perspective, I consider a risk to be the occurrence of an event that breaches information systems security despite all protective, alerting and preventive measures being in place.
Risk management, on the other hand, is the process of applying management policies, procedures and practices with the aim of identifying, assessing and addressing unforeseeable events (risks). Risk management is a process rather than an event and therefore occurs in stages. The process is initiated with the identification of all possible risks that may affect the attainment of the objectives. The most likely causes of these risks are then established. Controls are identified and put in place in an effort to mitigate the occurrence of risks and to absorb their effects when they do occur. The likelihood of each risk should be determined and its consequences described. The risks should then be rated according to their severity and other controls added.
Risk management is best understood when viewed as a systematic approach to selecting the best alternative under conditions of uncertainty through identifying, assessing, understanding, responding to and communicating risk issues. Risk management is about recognizing that set objectives may fail to be achieved because unforeseen events occur. In this connection, risk management entails a decision-making process whose goal is to ensure the attainment of organizational goals at both the individual and the functional level (Peter-Berg, 2010).
The risk management process is a proactive and structured management approach needed to handle and manage negative outcomes, to respond to them when they occur, and to discover potential opportunities in a given situation. Every situation presents its own risk challenges. Every organization should have a risk management strategy stipulating how management should handle the various risks within its line of business. Risks to an organization’s goals may relate to environmental, technological, legal, financial and technical issues. An event is considered risky when there is a chance and likelihood of its occurrence. The risk management process requires the development of a risk management culture. It is through this culture that the vision, mission and objectives of an organization are aligned to consider potential risks. This requires the development of limits and boundaries, which are then communicated; these govern the acceptable levels of risk practices and outcomes.
References
Peter-Berg, H. (2010). Risk Management: Procedures, Methods, and Experiences. RT & A.