RESEARCH PROPOSAL

Evaluating Risk Management for Information Systems
Assessing risk management process for information systems used by
an Indian ISP company

Prepared by

Masoom

PROJECT TITLE
Evaluation of risk management for information systems: a case of an Indian
ISP (Internet Service Provider) company

PROJECT SUMMARY
Information systems are now the major resource that organizations require in order to operate.
Information systems have nearly replaced manual working and have increased the efficiency of
organizations, as the core business functions get real attention from the management. As
per Sarigiannidis & Chatzoglou (2014), IT systems are the backbone of any company as they
manage and integrate various business functions. The increase in the use of IT systems has also
increased the risks associated with them. IT risk management is a process that has a core
purpose similar to any other risk management process, i.e. to identify risks and develop
strategies to manage the likely impact of those risks. Mohd-Rahim, Chen, Boussabaine,
Abdul-Rahman & Wood (2014) noted that not many years have passed since organizations in
developing countries, like India, started using information systems to manage business functions.
Information systems help in increasing the efficiency of the organization as well as enhancing
customer experience.
This research study will focus on the risk management process for two types of risks associated
with information systems used in the broadband industry of India. For a case study, a local
broadband service provider will be selected in order to evaluate the risk management process
used to manage security and implementation risks.

LITERATURE REVIEW
Information and technology has seen various evolutions, and the current digital age is a lot
different from a decade ago (Mohd-Rahim et al., 2014). According to Lobato, Bittar,
Neto, Machado, de Almeida & Meira (2013), the world is converging and
information systems are interacting with each other in order to increase efficiency. Lobato
et al. (2013) further argued that information systems are used in organizations to manage
different business functions such as finance, marketing, IT, HRM and commercial. It is
important to integrate the different information systems that are implemented to manage different
business functions.

According to Lundqvist (2014), information systems are used by internal and external
customers of an organization. As the number of users of an information system increases, it
becomes more vulnerable to various risks. Chapman (2014) highlighted security risk as the
major threat to IT systems, which could come from internal as well as external customers.
Chapman (2014) also identified implementation risk associated with information
systems, which could have negative impacts on the company's finances.
As per Lobato et al. (2013), risk is a positive or negative impact of any uncertain event. It
has been suggested by Mohd-Rahim et al. (2014) that risk does not only have a negative impact,
as it can have a positive impact on organizations as well. Sarigiannidis & Chatzoglou (2014)
related risk to the concept of probability, where the likelihood of a future event is
measured. However, risk management strategies are usually defined in order to cater for the
negative impact of risks associated with various projects.
According to Lobato et al. (2013), the process of risk management starts with the
identification of risks. Risk identification is a very important step and requires a detailed
overview of the market situation and also of the internal and external factors. Once the risks are
identified, they can be processed further in the next steps, such as assessment of the likely impact,
either positive or negative. Lundqvist (2014) argues that risk identification defines the fate of
risk management strategies/policies, as risks left unidentified can result in bigger losses.
Once the impact of risks is calculated qualitatively or quantitatively through risk assessment,
priorities are set.
The future always remains uncertain; however, the role of fate has been significantly reduced
through the emergence of risk management concepts. Organizations can devise strategies to
identify the likely impacts of identified risks and define mitigation strategies that allow the
companies to avoid uncertain events with negative impacts (Sarigiannidis & Chatzoglou,
2014).
Due to the convergence of telecommunication and computing, the use of IT systems has
increased significantly across the globe. The increasing dependence of business functions on
information systems has also increased the risks associated with information systems
(Sarigiannidis & Chatzoglou, 2014). According to Mohd-Rahim et al. (2014), for information
systems, the threats associated with the outcomes of these systems are termed risks.
However, Ellul & Yerramilli (2013) argue that risks can also be opportunities
that an organization can exploit to generate benefit. Ellul & Yerramilli (2013) also
tried to quantify the impact of risk through the expression R = P * I, where R is exposure
to risk, P is probability or likelihood and I is the quantified figure of likely impact.
There are different types of risks associated with IT projects; however, we discuss here only
two types to which information systems are vulnerable. Exposure of information systems to
risks is measured as an amount. However, not all risks are translated to amounts, as some
risks are likely to trigger other processes that could have a negative impact on the company's
reputation or image. Security risk is the most important and top-rated risk associated with
information systems. As per Chapman (2014), risks to information pertaining to the
customers of the company are huge, and in case of negative impact the company may suffer
severe reputation issues in the market. Security risks to information systems are managed
through risk identification and management (Lobato et al., 2013). A security breach of IT
systems from the internal or external environment can lead to fraudulent activity that has a
negative financial impact as well.
Project implementation risk is also associated with IT projects and can have negative impacts
on the business. As per Sarigiannidis & Chatzoglou (2014), information systems are
implemented in organizations to manage data and information along with the flow of
information for effective communication among internal and external customers.
Implementation involves certain timelines, cost and communication with various departments. If
timely implementation is not achieved, the cost might go up for the entire project and
various other risks related to system stability and security could also be triggered.
Teller, Kock & Gemünden (2014) discussed two methodologies to assess risk associated with
information systems. Quantitative risk assessment is a methodology to measure expected risk
in financial terms. As per Teller et al. (2014), Annual Loss Expectancy (ALE) is calculated for
security risks in large organizations where information systems are in place. Annual loss
expectancy is calculated by multiplying the single loss expectancy by the annual rate of occurrence
of security risks.

Qualitative risk assessment is somewhat different from quantitative assessment, in that a rating
is associated with the type of risk. Qualitative risk assessment evaluates the likelihood of
occurrence of an event and then assigns a degree of probability such as high risk, medium risk or
low risk (Teller et al., 2014). Such an assessment technique is used where quantifying the risks in
financial terms is not possible.

PROPOSED METHODOLOGY AND EXPECTED OUTCOME


This research study is a qualitative research study in which primary and secondary data will be
collected and analyzed to achieve the research objectives. The research is explanatory in nature as
it answers questions like 'why' and 'how'. To be specific, the researcher intends to find
why risks are associated with information systems and how they are assessed and
managed. An inductive approach will be used to carry out this research study. Although
significant knowledge exists on the topic of risk management, the existing knowledge specific
to a particular industry in India is not sufficient to follow a deductive approach of developing
hypotheses and testing them later.
A survey methodology will be chosen to collect data for this research study. Primary data
will be collected in the form of interviews (email and telephone) with the IT managers of one
of the ISPs operating in India. A questionnaire will be prepared and used to collect
data from the respondents in qualitative form. Qualitative data collection allows the
researcher to get an in-depth review of the problem area in which different aspects can be covered.
Secondary data will be collected from authentic sources such as EBSCO, JSTOR and the
university library, for journals, articles and books related to risk management for IT projects.
The expected outcome is the answer to the research questions which are mentioned earlier under
project summary. This research study will be able to identify the types of risks associated with
information systems in India and also the way the case company is assessing and managing those
risks. Following are proposed research questions that would clearly mentions
1. Assessing security risks associated with information systems used by an Indian internet
service provider company
2. Assessing implementation risks associated with information systems used at an Indian
internet service provider company

REQUIRED RESOURCES

Since the research study is qualitative research, no specialist equipment is
required. However, the researcher is conducting the research from the UK; therefore, data collection
will require telephone and email conversations. A personal reference of the researcher will be
used to get permission for interviews from the managers working in a broadband company
operating in India. A telephone and a personal computer are required in order to complete the data
collection and data analysis activity. To be more specific, the MS Office suite is required to compile
the report and final dissertation; further, access to the university library and online databases such
as EBSCO is required.

PREREQUISITE KNOWLEDGE/SKILLS REQUIRED


Basic knowledge of the subject matter is required by the researcher. The concept of risk
is not new to the researcher, and the identification and management of the risks to any project
is important. However, the concept of risk management for IT projects is a relatively
unexplored field for the researcher; therefore, preliminary research has been conducted in
order to have a clear understanding of the subject area.
Interview skills are required by the researcher that will enable him to extract the maximum
possible, but focused, data from the respondents. Since the data collection activity will be
conducted over telephone or email, the ability to maintain respondents' attention
and interest is required to have concrete data collection.
MS Office skills are required in order to draft a report, as the MS Word application will be
used to draft all the documents and record the analysis.

PROJECT PLAN
Timeline: weeks W1 to W8

Proposal Submission
Secondary data collection
Literature Review
Methodology
Questionnaire design
Primary Data Collection
Data Analysis
Introduction
Final Draft Preparation
Final Submission

REFERENCES

Chapman, R.J. 2014, The Rules of Project Risk Management: Implementation
Guidelines for Major Projects, Gower Pub Co; New edition (January 28, 2014)

Ellul, A, & Yerramilli, V 2013, 'Stronger Risk Controls, Lower Risk:
Evidence from U.S. Bank Holding Companies', Journal of Finance, 68, 5, pp. 1757-1803

Lobato, L, Bittar, T, Neto, P, Machado, I, de Almeida, E, & Meira, S
2013, 'Risk Management in Software Product Line Engineering:
A Mapping Study', International Journal of Software Engineering & Knowledge
Engineering, 23, 4, pp. 523-558

Lundqvist, SA 2014, 'An Exploratory Study of Enterprise Risk Management: Pillars
of ERM', Journal of Accounting, Auditing & Finance, 29, 3, pp. 393-429

Mohd-Rahim, F, Chen, W, Boussabaine, H, Abdul-Rahman, H, & Wood, L 2014,
'Factor reduction and clustering for operational risk in software development', Journal
of Operational Risk, 9, 3, pp. 53-88

Sarigiannidis, L, & Chatzoglou, P 2014, 'Quality vs risk: An investigation of their
relationship in software development projects', International Journal of Project
Management, 32, 6, pp. 1073-1082

Teller, J, Kock, A, & Gemünden, H 2014, 'Risk Management in Project Portfolios Is
More Than Managing Project Risks: A Contingency Perspective on Risk
Management', Project Management Journal, 45, 4, pp. 67-80
