Case Study: Fleyton Electronics: Risk Management Plan for Customers’ Credit Card Data Leaks Prevention Project

Introduction

This document is a risk management plan for customers’ credit card data leaks at Fleyton Electronics. It defines the risks and the risk management process to be employed by the firm in protecting customer credit card data from leaking at points of sale and in mitigating the negative effects of such leaks. The CIO is responsible for reviewing and maintaining the risk management plan to ensure that the risk process remains appropriate to deal with customers’ credit card data leaks. The risk management plan of Fleyton Electronics covers the scope and objectives of the risk management process, the risk tools and techniques, and the implementation review and control of the risks involved (McNeil, Frey & Embrechts, 2010). The risk management plan therefore directs Fleyton Electronics in the evaluation and control of the company’s risks.

Project Description and Objectives

The Union Century Bank established that customers’ credit card information was leaking at Fleyton Electronics stores. It did so through its regular examination of patterns in fraudulent accounts, where it found that an above-average number of bad cards had been used in our stores. This information was shared with the management of Fleyton Electronics, who initiated this risk management plan for the firm.

The scope and objectives of the risk management plan for the Customers’ Credit Card Data Leaks Prevention Project are as follows:

  • To protect customers’ credit card data from leaking to unauthorized individuals.
  • To create awareness of the risk of customers’ credit card data leaks throughout the organization and develop an approach to its prevention, detection, and mitigation.
  • To identify, measure, control, report and review any business risk that might result from customer credit card data leaks at the firm’s points of sale, whether out of negligence or otherwise.
  • To develop a response mechanism to customer credit card data leaks at the organization’s points of sale, covering both the resolution of the data leak itself and communications to customers, the public, and law enforcers.
  • To allocate optimal organizational resources towards the mitigation and prevention of customer credit card data leak risks.
  • To reduce lawsuits and other liabilities that might arise from credit card data leaks at Fleyton Electronics stores’ points of sale.
  • To clearly assign the responsibility for specific risk management areas to specific officers of the firm.
  • To work with other stakeholders in the credit card payments industry in the development and application of industry standards.

Risk Tools and Techniques

The following tools and techniques will be used in the risk management process of the Customers’ Credit Card Data Leaks Prevention Project.

  1. Risk Identification: this is the understanding of potential occurrences in the leak of credit card data that might positively or negatively affect the operations of Fleyton Electronics. Risks will be identified using the following techniques:
     • Review of records, checklists, and other available literature.
     • Brainstorming by all members of Fleyton Electronics involved in security matters and the senior management.
     • Developing and analyzing assumptions that are to be followed in the project.
     • Use of diagrams to depict relationships between the variables involved.
     • Creation of a risk register to record identified risks.
  2. Risk Assessment

Customer credit card data leak risk threshold shall be measured by the:

  • Proportion of customer credit card data leaked relative to the whole population of customers who use their credit cards at Fleyton Electronics’ points of sale, as shown below.
  • The vulnerability of the firm’s infrastructure in cases of hacking and loss of data.
  • The integrity of employees handling sensitive data and related infrastructure.

The probability and impact assessment for each identified risk threshold is given in the table below.

  • Response Planning

The response strategy selected will depend on the nature of the risk. The response strategy will cover both the internal activities of the organization and the external environment. Responses to risks shall be recorded in the risk register.

  • Reporting

Risk reports will be issued to the Vice President Loss Prevention. Such reports will be included in the risk register. Risk reports will be issued by junior officers to line managers and functional heads, and then to the CIO, who will prepare the final report for the Vice President Loss Prevention. The risk committee requires the provision of ad hoc reports to stakeholders and the project team. The company’s risk reporting should be in line with the risk aggregation capabilities and the risk reporting policies of Fleyton Electronics. The risk reports should address the unfavorable facts that are relevant to improvement in the company. The reports of Fleyton Electronics are built on a value-based culture that leads to responsible risk management programs. The organizational need to anchor risk management is based on the operational and strategic control aspects of the risk management program (McNeil, Frey & Embrechts, 2010). Therefore, the risk reports should provide a systematic business model and measures for avoiding credit card data leaks to the public.

In understanding the international risk-reporting framework, Fleyton Electronics should make risk decisions in a timely manner in order to ensure the stability of the risk management program. Risk reporting is done based on the progress monitored by the risk committee of the company and supervisory guidelines from identified institutions. The risk committee identifies the suitability of the risks to be included in the risk reports.

  • Implementation Review and Control

Agreed activities as per the risk management plan will be implemented. The stakeholders will review them on a regular basis to identify new risks. The activities assist in checking the progress of existing risks and agreed-upon responses, and in assessing the effectiveness of the process. These activities include the adoption of advanced technological applications and the process of identifying and reviewing the risks. In the implementation review and control of risk management, Fleyton Electronics should align itself with current technological advancement. The alignment of the business with current technology helps to keep the business competitive and enhance growth (McNeil, Frey & Embrechts, 2010). Fleyton Electronics can adopt recent computer and software applications to minimize the risk of credit card data loss. This enhances the company’s integrity and availability, improving the operational and financial performance of the business.

Current information technology adoption exposes the business to the current risk of credit card data leaks. The exposures include weak security, inaccurate data and information, and incomplete transactions. The review of the risk management program allows the management to obtain reliable information on the risks. Implementation and review can lead the business to different controls that mitigate the risks related to the development of new applications. It provides an understanding of the key communication approaches on the risks involved and the creation of relevant relationships with the clients. In order to integrate security into the development of the applications, Fleyton Electronics should ensure the availability of adequate finances. This includes testing and measuring the additional techniques to be installed in the company to enhance effective risk management. Throughout the implementation review, Fleyton Electronics is able to address the key risks in the modification of its credit cards leaking system. Activities agreed on in the risk management plan are used in the implementation review and control of the risk process (Culp, 2002).

Risk Threshold

The risk threshold section provides the levels of risk acceptable to Fleyton Electronics if the credit cards are hacked. Most organizations set a risk policy that identifies the risk threshold. In Fleyton Electronics, the risk threshold schedule identifies the project risks that are acceptable to the company. The risk thresholds assist in determining the negative threats that can be accepted if the company can tolerate the inconveniences in balance with its benefits. As indicated in the figure below, the proportion of customer credit cards leaked is grouped into four risk thresholds. These include high risk at 15 percent, medium risk at 6 to 14 percent and low risk at 1-5 percent of the proportion of credit cards that can be hacked at Fleyton Electronics.

Fig.1 Risk Threshold Schedule

| Risk threshold | Proportion of customer credit card leaked |
|----------------|-------------------------------------------|
| HIGH           | >15%                                      |
| MEDIUM         | 6%-14%                                    |
| LOW            | 1%-5%                                     |
| NIL            | 0%                                        |

The risk levels have been defined as the proportion of credit cards hacked at Fleyton Electronics. They are measured as high, medium, low and nil, which are >15%, 6%-14%, 1%-5%, and 0% respectively.

Based on the nature of Fleyton Electronics’ operations, the values of the risk levels in the threshold schedule are justifiable. At high risk of the credit cards being hacked, the business has an acceptable rate of 15 per cent. On most occasions the credit cards can be hacked, but the 15 per cent level is justifiable. The medium risk level of up to 14 per cent is relevant because of the ability of the business to control the risks. Finally, the business accepts 1 to 5 per cent as the low risk level in its business operations. Therefore, the different levels of risk acceptable to the business are justifiable considering the nature of the business.

Definitions of Probability and Impact

The last three columns give the impact on Fleyton Electronics’ business objectives.

| Risk threshold | Proportion of customer credit card leaked | Probability | Impact: cost | Impact: reputation | Impact: effects on operations and financial performance |
|---|---|---|---|---|---|
| HIGH | >15% | 15% | -$10,000,000 | It might result in a very high level of negative reputation as they may lead to media attention | It will have a profound effect on the operations and financial performance of Fleyton Electronics |
| MEDIUM | 6%-14% | 15% | -$8,000,000 | Medium level of negative reputation | It might have a relatively high effect on the operations and financial performance of Fleyton Electronics |
| LOW | 1%-5% | 60% | -$4,000,000 | Low level of negative reputation | It might have a relatively low effect on the operations and financial performance of Fleyton Electronics |
| NIL | 0% | 10% | $0.00 | No change | No effect on the operations of Fleyton Electronics |
| Total | | 100% | | | |

Key

Probability Distribution

This is the probability that any of the risk levels above occurs during the company’s operations. The probability distributions are shown as percentages that range from 0 to 100 percent. Each indicates the likelihood that a certain risk will occur in the business. Of the four risk levels, high has a likelihood of 15 per cent, medium has 15 per cent, low has 60 per cent, and nil has 10 per cent. Fleyton Electronics should be keen on the risk levels in the company in order to control its risks effectively. The different probabilities indicate the effects of possible risk occurrences in the company’s activities.

Cost

This is a quantification of the opportunities that may be lost due to a credit card data leak, such as lost sales, and of the costs that may be incurred in defending lawsuits, investing in infrastructure, and paying fines. The allocation of costs depends on the proportion of cards leaked at the different risk levels rather than on the probability distributions. At high risk, Fleyton Electronics will incur costs of $10,000,000; at medium risk it will incur $8,000,000; at low risk it will incur $4,000,000; and at nil risk it will incur no costs. Therefore, the higher the rate of credit cards leaked, the more costs the business incurs.

Reputation

This is the effect of each level of exposure to credit card data leak risk on the reputation of the store. The exposure of credit cards to leaks exposes the company to operational risks that give its close competitors an advantage. The business operates under intense competition in the industry. Many companies offer credit cards in the industrial sector. The levels of credit card leaks at Fleyton Electronics expose the company to the risk of losing its customers to close competitors (Culp, 2002). Thus, increased exposure of credit cards to data leaks has adverse effects on the reputation of the company.

Effects on the Operations and Financial Performance of Fleyton Electronics

This is the effect of each level of exposure to credit card data leak risk on the operations and financial performance of the store. The risk management department in the company states that the risk involved affected customer satisfaction. The breach of secrecy affected the confidentiality and credibility of the services offered by Fleyton Electronics. In addition, Fleyton Electronics is required to operate under a certain regulatory framework in the technology industry. Part of the regulatory framework requires that the organization maintain confidentiality and professionalism in its operations (Duckert, 2010). The risks involved in the operations of the business contravene the regulations and thus affect the smooth running of the company. Such risks include systems failures, hacking, and lack of secrecy. This eventually affects the credibility of the company and its ability to maintain appropriate levels of safety.

Based on the operational risks in this section, Fleyton Electronics is affected by reputational concerns that may reduce its financial earnings. The revenues of the company depend on its public image among prospective and existing customers. The evaluation of the financial and business performance of Fleyton Electronics reveals a reduction in the investments of the company. The company depends on external sources of funds for its operations. Based on the assessments of risks, the investors are unwilling to invest in the company. This indicates the adverse effects of the existing risk in Fleyton Electronics. High levels of risk in the company can reduce financial performance due to reduced revenues in each financial year.

References

Culp, L. C. (2002). The risk management process: Business strategy and tactics. New York: John Wiley & Sons.

Duckert, H. G. (2010). Practical enterprise risk management: A business process approach. New York: John Wiley & Sons.

McNeil, A. J., Frey, R., & Embrechts, P. (2010). Quantitative risk management: Concepts, techniques, and tools. Princeton, NJ: Princeton University Press.