Q: The coursework is for M67: Fundamentals of Risk management

1. The main aspect that could affect public perception of the incident is the media. The media has been known to be in charge of many factors, and it could affect how the public could see the incident. If the media chooses to portray the incident as an accident on behalf of the airline, or a mistake on the side of the pilot, the people are likely to believe what the media portrays (Sadgrove, 2016). Thus, it would be essential to control the media in such an event, as anything that is against the airline could impact the reputation of the airline. This could also impact the reputational aspect of the business as well. It would thus be essential to look at the reason behind the near-miss, and try to control the narrative as much as possible. It is essential to note that the airline is a budget airline, and cannot afford to alienate any of the customers. If the media chose to portray the incident as the fault of the airline, then it would affect the perception of the public to a large extent.

2. The other issue that would affect the perception of the public would be social media and the dread and chances of risk. The airline is a budget airline, and it is expected that the parts and the machinery would not be as perfect as they would be for a luxury airline. There has already been a recording of the near-miss accident of the airline, and this would have impacted the perception of the public (Wu, Chen and Olsen, 2014). Dread and the chance of future risk can have a dramatic impact on the perception of the public. Risk perception is the subjective judgement of the characteristics and the severity of the risks. Thus, it would be known that risk perception is extremely personal.
One of the major risks that have thus been perceived is the fear and dread that would be in the minds of the people. They might not be willing to travel with the airline, since there are other budget airlines that are also capable of taking the customers to various places. The dread in the minds of the people would affect the perception of the public to a very large extent.

3. The first risk would be that of infrastructure vulnerabilities. These are able to provide easy fodder for the hackers as well. Because of the infrastructure vulnerabilities many direct insurers might be open to risks and attacks. This also includes last-generation software that is not taken into consideration, and there can be an immense amount of damage that is done (Uhl and Gollenia, 2016). The second risk would be that of identity theft. This can result in client-account breaches. This would be due to the fact that files that are stored on servers might not be protected adequately enough. It could result in compromised accounts, which could potentially destroy the business in the long term. The third risk would be that of automated threats. Most automated services such as Denial of Service would have a direct impact on the organization and it could also have a direct impact on the way that the clients are served by KC plc. The fourth risk would be a systematic infection from malicious code. There have been reported cases where malicious code from ransomware has taken the company hostage, and this would have resulted in an extreme situation. Depending on the company and the type of clients that are insured by the organization, the ransom could be a great amount, or it could be a very small amount as well (Honey, 2017). Even if the ransom is paid, the chances of the organization getting files that are restored or undamaged are also not very high.
If the organization caters to government clients or big businesses, this could lead to the company becoming bankrupt, and it could also lead to large issues for the organization as well. The final risk would be that of lawsuits. If the client has any compromised data that is on the files, then it could be open to lawsuits from the clients as well. It is the legal responsibility of the organization to ensure that all the data that is stored in the organization that is related to the client is safe and stored responsibly. All of the above are risks that should be taken seriously in order to ensure that the organization is successful in keeping the data of the company, and the reputation of the company intact, so that there is little damage that is done to the organization.

4. In order to ensure that all the data is backed up and all the data is safely stored and the chances of ransomware are less, the organization should make sure that all the data is stored carefully in cloud storage. Many advanced forms of cloud technology can ensure that there are security features that will ensure that many forms of protection are available for the data that is stored online (Business, 2017). This will ensure that the chances of malicious code being spread onto the system would be less, and in the case of ransomware, it would ensure that there is backup of the data, so that if the files have been damaged or removed, there is backup of the files. Ensuring cloud storage can reduce the chances of the risks that have been mentioned in the above statement, and it could also decrease the chances of the lawsuit. Since a rival organization has been attacked and the data is compromised, KC plc should ensure that there is data that is kept in the cloud, and the password of the same is only given to a few trusted employees so that the chances of a hack and data being compromised are also reduced.
In order to mitigate the risks that are related to data breach, infrastructure vulnerabilities, identity theft and denial of service amongst the many data and software related issues, the organization must ensure that all the data is backed up online. In addition to this, they should also hire an IT service that specializes in keeping data safe and handles the sensitive data of the client (Haimes, 2015). They must be thoroughly vetted beforehand, but they can be hired to handle the special cases, and to conduct checks of all the computers to ensure that the data has not been breached or that ransomware, which can lie dormant in computers for years, has not been accessed either. The organization should also have a disaster recovery plan, which is crucial for a company that handles the insurance data of many clients. In case of a disaster, which could be related to employee error, nature or software error, the organization must ensure that there is a systematic process to retrieve the data that is kept on cloud servers.

5. Risk appetite can be defined as the amount of risk that an organization is willing to take in order to meet their objectives, which might be strategic in nature. Risk appetite is an extremely important part of any business and is the main reason that most businesses take the action that they do in the amount of time that they do the action. Risk management is an essential element of any business and is the main reason that many investors are able to fund their business and create successes out of small business (Oreski and Oreski, 2014). Risk tolerance is the tolerable deviation that is taken from the average risk appetite. Risk tolerance often depends on the individual, and often on the situation at hand. Many situations demand a high risk tolerance, while many others do not have a specified risk tolerance in mind. This could be due to a number of factors, many amongst them dependent upon the organization.
On the whole, risk appetite is thought of as the same across the industry. Many jobs, such as those in the pharmaceutical industry, have a high risk appetite, since there is a significant amount of risk in the businesses of research and development of drugs itself. Many others, such as the banking and insurance industry, do not have such a high risk appetite. The two main methods that can be suggested to the organization in order to reduce the risk tolerance and appetite and to manage the risks that are taken by the organization are:

i. Using a risk matrix to identify the risk: The risk matrix is an extremely important element in identifying the necessary risks. The main reason that a risk matrix is used is to assess the probability of a risk, and to look at the amount of impact that the risk could have (Alencar, boriz and Carnaghan, 2014). Based on that, the risk assessment matrix would have four main columns, defined by colour. The risks that are in red would require urgent action to be taken, and since this can have a direct impact on the organization, they would have to be taken care of immediately. The risks that are in orange would also need to be addressed immediately, but not as urgently as the risks that are in red. The risks in yellow and green would be low-level risks that can either be ignored for the time being, or they would not need to have any action taken against them. A risk assessment matrix would ensure that the organization does not have a high risk tolerance, and this would help in ensuring that the risks that need immediate action are taken care of. The risk assessment matrix of a normal company would look like the below picture. However, it would be different for the case of the company (Reason, 2016). This would be of immense benefit in ensuring that the organization documents the risk that is allotted to them.

ii. Another method that is quite common is the risk management process.
There are four main actions in this process, and depending on the type of risk, they can be taken. The first would be to look at whether the risk can be transferred. If so, an organization can try passing the risk to another body, one that is capable of handling the risk on an everyday basis. The second step would be to look at whether the organization can accept the risk. In which case, the organization can take on the risk head-on, and try to find solutions to the risk as much as possible. The third solution would be to reduce the risk. The organization should try to have checks on every possible method and step in order to reduce the risk as much as it possibly can. This can be tedious for the organization, but it is a step that should be taken. The fourth one would be to avoid the risk altogether, so that there is no possible loss to the organization (Aven, 2016).

b. JH plc should try to adopt effective risk reduction frameworks and techniques that are capable of handling the risk. This should be taken into consideration immediately when the risk management is discussed. Some of the processes that are included in risk reduction frameworks and techniques include master agreements, third party credit enhancements and collateralization of transactions, netting arrangements, including guarantees and letters of credit. Contingency planning, which can help organizations reduce the risk of operation, should also be considered by the firm in order to ensure that they are effective in reducing the risk to a very large extent. These risk reduction frameworks can be effective, and they can be used by the organization to ensure that in the future, when risks have to be taken, they are assessed carefully and thoroughly so that the regulator is able to understand the risks, and to show the regulator that the organization is able to manage the risks (Cayirci, Garaga, Santana and Roudier, 2014).
Since JH plc is a small company that is based in the United Kingdom, and has just been fined for a lack of formal risk management procedures, the organization should consider hiring an external agency in order to mitigate the risks. By consulting a company that specializes in having formal risk management procedures, JH plc can show the regulator that they are serious in their needs and abilities to have a formal risk management process and are doing everything that they possibly can in order to ensure that they have managed the risk. While this has been done by the board once, the board should consider having a review almost every year so that the regulator can check on the work of the firm. It would be essential for the organization to document the risks that have been taken by them, and an external agency can help the organization to document the risk tolerance and risk appetite better (Kumar, Himes and Kritzer, 2014). The risk management process would also have to be taken into consideration, and any chances of the risk management process being successful would depend entirely on the organization. JH plc should thus try to appeal to the regulator on the basis of the work that they have done, and the work that they have promised to do. Many of the frameworks might be successful for the organization in ensuring that they are able to manage and mitigate the risks that they have taken. It would also benefit them in having to explain to the regulator and justify the future risks that they are about to take. Risks are incurred by almost every organization, and it would be essential that the organization look into the details of risk management.

6. The two main significant risk categories that are important for the organization would be operational risk and reputational and legal risk. Operational risk would have to deal with the risks that arise during the operation or day-to-day work of the company.
Operational risks are extremely important, since EN plc has been formed after the merger of two different insurance companies. Most of the employees would be new and getting to know and trust the other. There are major operational issues that arise during the merger and immediately after the merger as well. These operational issues would lead to a rise in mental risks and it would cause significant damage to the newly merged company if the operational risks are not addressed (Djemame, Armstrong, Guitart and Macias, 2016). These could have to do with contingency planning as well, and it is important to note that this has to be addressed immediately, or the newly merged company, which is not as strong, would fail, and the risks might be too large for the organization to handle, in which case it would shut down.

The other significant risk category would be reputational and legal. Most organizations have a reputational risk that they are capable of taking every day. Every time that they take on a client or take a risk, there is the chance that their reputation could suffer or that they might suffer from legal issues as well (Chang, 2014). This is extremely important to keep in mind, especially in this situation of the merger. A reputational and legal risk would affect the organization in a very large way as well. Most newly merged companies are not as stable as companies that have been around for a long time, and this can have a significant effect on the merger. If the merger is not solid, and there are issues that need to be worked out, clients, especially major clients, would need to be informed of the risks. This would need to be done in order to ensure that clients do not file lawsuits against the organization, or spread rumours, which could destroy the reputation of the firm. This is thus also a risk that has to be kept in the mind of the regulator. These are risks that can destroy the organization if they are not paid attention to carefully.
In order to determine and analyse the assets at risk from risk events, while considering potential catastrophic risk events, there can be various tools and technologies that are required in order to understand the risk that can be caused in a company. The warehouse has several data that is being stored online in a database and which can become a threat to security if leaked. In order to save this data from being leaked, several factors or points are supposed to be taken care of. The very first thing that should be taken care of is eliminating unauthorised access. Only the authorised person who has been given the right and has the credentials in order to access the data should be given access to the data. There are supposed to be some limitations which are necessary in order to access the data (Zenti and Pallotta, 2013).

Risk Analysis is to spot and identify extortions that someone might possibly experience. These will return from many alternative bases; for example, they might be:

Financial factors – Exchange fluctuations, business failure, non-availability of funding, and rate changes.
Operational factors – Interruption in operations, failures in distribution, and loss of access to essential assets (Zenti and Pallotta, 2013).
Reputational factor – Lack of client or worker self-confidence, or harm to promote the name.
Procedural factor – Failures of not being answerable, control, internal systems, or from fraud.
Human – Wellness, injury, or alternative loss of a crucial individual.
Project factor – Taking too long on key tasks, going over budget, or experiencing problems with the quality of the product and service.
Political – Changes in opinion, government policy, tax, or foreign power.
Natural – Weather, natural disasters, or disease (Hsieh, 2015).
Structural – Unsafe substances, poor light, falling boxes, or any scenario wherever employees, goods, or knowledge will be injured.
Here, the valuable assets of every part have been given and as per that the maximum possible risk can be identified. In both the warehouses, the maximum possibility of risk as per the above points can be 70-80%. In the rest, it can be 30-50%. The risk analysis that is done cannot give the exact number but can determine the possibilities of the risks that can occur and on which certain steps can be taken in order to avoid the threats. In addition to this, a threat to security is the major point which is supposed to be taken care of (BIRGÖREN, 2017).

2. The loss that can be caused in a warehouse can be calculated by the risk assets that are identified.

The warehouse A building consists of the value assets around 3.1 million dollars = 70% assumptions
The warehouse A consists of the stock and events around 2.2 million dollars = 80% assumptions
IT system and office contents are around 1 million dollars, which should be half for Warehouse A. That means 0.5 million dollars = 50% of the half.
An individual fleet vehicle consists of around 0.1 million dollars = 20%
The total vehicle fleet consists of around 2.0 million dollars value asset = 50%

Now to calculate how much the maximum possible loss would be:

70% of 3.1 million dollars + 80% of 2.2 million dollars + 50% of 0.5 million dollars + 20% of 0.1 million dollars + 50% of 2.0 million dollars
= 2.17 million + 1.76 million + 0.25 million + 0.02 million + 1.0 million
= 5.2 million dollars.

So, as per the assumptions made, a total possible loss in Warehouse A would be 5.2 million dollars.

3. The loss that can be caused in a warehouse B can be calculated by the risk assets that are identified.

The warehouse B building consists of the value assets around 2.9 million dollars = 70% assumptions
The warehouse A consists of the stock and events around 1.4 million dollars = 80% assumptions
IT system and office contents are around 1 million dollars, which should be half for Warehouse A.
That means 0.5 million dollars = 50% of the half.
An individual fleet vehicle consists of around 0.1 million dollars = 20%
The total vehicle fleet consists of around 2.0 million dollars value asset = 50%

Now to calculate how much the maximum possible loss would be:

70% of 2.9 million dollars + 80% of 1.4 million dollars + 50% of 0.5 million dollars + 20% of 0.1 million dollars + 50% of 2.0 million dollars
= 2.03 million + 1.12 million + 0.25 million + 0.02 million + 1.0 million
= 4.42 million dollars.

So, as per the assumptions made, a total possible loss in Warehouse A would be 4.42 million dollars.

Answer 6

In order to reduce the insurance costs, there are 5 actions that can be taken based on the needs of the client. The client has a food business, which includes transportation fleets and a range of employees as well. Since they have threatened the organization into listening to their actions, it is essential that in order to keep the company on as a client, there are significant changes that need to be made by the organization. Some of the recommended changes that need to be made are:

a) Reviewing auto and equipment schedules: The organization has claimed that they have a commercial motor fleet. The motor fleet, which is large and can have a significant impact on the premiums, is the one that has the greatest number of claims that are attached to it. The premium spend on the motor fleet is very high, and the motor fleet claim experience is very poor. Thus, it would be advisable to the client that they review the schedule of the vehicles that are covered, and equipment policy. Regular checks on the motor fleet and vehicles are advised. The reasons behind the high number of claims have to be investigated, and if it is because of the quality of the vehicles, then they have to be replaced (Stempora, 2015).
This would be beneficial for the client, since it could mean that they would have a significant fleet of vehicles that are new and adapted to the latest technology. If auto physical damage is something that can cover most of the claims that have been made, then a separate insurance for the motor fleet needs to be arranged almost immediately.

b) Reviewing machine equipment: A large section of the frozen business empire is in the freezing and storing equipment. The client would have a large amount of equipment that needs to be checked and reviewed. Having equipment that is up to date is important, since it could be the difference between damaged equipment, which could lead to a number of claims, and a high premium, which is something that is undesirable, not just for the consumer but also for the insurance companies (Monahan and Skeem, 2014). By having the latest equipment, the company could ensure that the premium is kept at the minimum level, which is also extremely desirable.

c) Reviewing unneeded or overlapping charges: In most insurance claims, there might be overlapping charges that are made. This could be in regards to the equipment cost, which sometimes is able to cover both the computers where the data is stored, as well as the freezing and storing equipment, and the insurance cost related to data, which is stored in computers. Businesses tend to change over time, and policy covers don't usually change with the business. The policy might also cover risks that no longer exist, which is why it is essential for the business to look at the risks that are being covered (Olivieri and Pitacio, 2015). It is thus essential to go over the documents and consult with the agent. This would ensure that the insured policy is up to date, and there are no buildings covered that are not in the property list.
d) Keeping employees and workers in mind: The compensation coverage that is provided to workers, and the total number of employees in the workplace, is something that can also cost the company in terms of the insurance that they have. If workers are not classified correctly, then it would lead to chaos, which could mean that the organization may be paying more for the workers than they need to. Workers are an essential part of the organization, however, and thus need to be kept in mind when drafting new insurance policies and premiums. Workers also need to be trained correctly. A worker who is not trained properly might hurt themselves or damage the equipment, the cost of which is taken out of the insurance plan. There can be significant changes made to the insurance plan if the workers are trained in a professional manner (Fiksel, 2015).

e) Update the insurance file: The insurance file for the organization might not be updated, since they have been a client of the same insurance firm for a long time. The copies of claims forms, and other necessary data, might not be available altogether or at once (Outrevill, 2014). Thus, it would be necessary to review the file in order to ensure that the policy that is available works for the organization.

These are 5 actions that should be taken by the organization in order to ensure that the changes that they have made would reduce the cost of the programme.

Answer 7

a) The first event would have to be that the government of some country, for example the United States of America or China, does not approve of the phone and refuses to let it launch in the country. The second action would be that the smartphone manufacturer finds a better deal, and the specialist component is not available for sale to the company since it was sold to a rival organization (Aven, 2014).

b) Risk management would involve identifying the potential risks and preventing them.
If the organization does indeed assess all possible risks before trying to find a possible solution for the risks, it is essential that they would have tried to mitigate the above risks as much as possible. A part of this would be to involve themselves in a promotional strategy so that the government is able to understand the importance of these phones. It would also involve ensuring that the government permits are applied for beforehand, and any issues that arise are cleared up. This has happened in the case of Huawei entering the American market, where since the phone was from a Chinese brand, the American government refused to provide permission for the phone company to launch their phone. This has caused a significant number of delays for many other companies, and should thus be taken care of via risk management and assessment.

The second risk would be that of the specialist component supplier. The organization should ensure that the component, if unique to the company, is trademarked or copyrighted, so that there is no other company that can legally use the same data that they have for the other products (Hammer, 2015). The component supplier should also have contracts that strictly stipulate that they cannot supply the same component to any other company, regardless of the amount of money that they get. The contract should be in such terms that the company would go bankrupt if they tried to break the contract. This is essential in ensuring that the supplier risk is mitigated in the best way possible. In order to conduct risk management, it is important that the organization categorize the risks based on the severity and probability of occurrence.

c) Internal Stakeholders: The internal stakeholders for the organization would have to be the employees, board of directors and the research staff, which includes scientists that work or consult for the company.
The internal stakeholders are those that belong to the organization, and those that are directly benefited by the business of the organization. They are the ones who are affected if the organization faces losses or if the organization is unable to make a profit (Hillson and Murray-Webster, 2017). Internal stakeholders are those that are interested in the activities of the organization, but belong to the business. In the case of a pharmaceutical company, the researchers and scientists that are responsible for creating the drug are the ones that are the biggest stakeholders, and the ones that have to be engaged with the most. They are also the most important of the stakeholders (Graham and Kaye, 2015).

External stakeholders: External stakeholders would be the governments of the UK and the overseas country, along with the consumers or customers of the organization. The external stakeholders are those that are affected by and interested in the business, but are not formally employed by or working in the organization. In the above case, the governments and the customers are both important external stakeholders in the organization.

d) The employees who are working in the organization would contribute a significant amount to the organization in terms of the risks overseas. In order to start the company, there would be many employees who would have been offered the promotion and the job of working in the overseas location, and would have been given a raise as well. These employees would thus be responsible for a large part of the business, and any mistake on their end could result in the organization facing a tremendous amount of loss as well (Engermann and Henderson, 2014). Thus, the employees who are working in the organization would contribute to the risk management and assessment, since each employee that is sent overseas to oversee the company could increase the chances of issues.
The future employees who are from the country would also have to be factored in when assessing the risk of taking the company overseas. These factors have to be kept in mind, since in most cases, it is these representatives that are responsible for directly selling the product to the consumers, and if they are efficient at their jobs, then the risk would increase significantly.

The scientists, as mentioned before, would contribute to the risk management and assessment as well. It would be important to note whether the organization is planning on employing researchers and scientists in the overseas country, or whether they would be conducting the research in the UK. This would change the risks completely. Since the board is primarily in the UK, and since it is the scientists and the researchers who are responsible for creating the drugs, it is important to ensure that they are creating the drugs in a manner that reduces the chances of risks, which might be easier to do from the UK. Until the organization reduces the risk, it would be a waste of effort for the organization to have scientists in the overseas country. Once the company has set up in the country, only then can they effectively ensure that the scientists are sent there in order to create new pharmaceutical drugs that are effective on the population of the particular country, which is why the organization must mitigate the risk that arises from this stakeholder (Eckles, Hoyt and Miller, 2014).

The board of directors and the management would be another important stakeholder that must be kept in mind when looking at the organization and the risks that they are taking. The organization has successfully ensured that they are capable of entering a different market. However, the market conditions in the country might not be stable, and due to external or internal factors there could be the chance of the company failing (Bromiley, McShane and Nair, 2015).
In that case, the decisions to keep the company afloat would depend on the board of directors and the management staff. Thus, it is essential that the management staff and other elements of the board of directors be aware of the risk that they are willing to take, since they are the ones who would be affected by the risk the most. It might end up destroying their reputation and they would also lose a significant amount of income as well. Risk management and assessment in regards to the internal stakeholders would have to be done effectively in order to ensure that the risks can be mitigated at a later time.

The external stakeholders would be the government and the consumers. In most cases, the external stakeholders are more essential than the internal stakeholders, since the internal stakeholders of the company are often dependent on the external stakeholders. The government of both the UK and the overseas company is an external stakeholder. The government of the overseas company might have given the company incentives and benefits in order to get the company to shift to their location. This is important, since in the case of the risk, the organization would have to depend on the government in order to reduce the risk as much as possible. The risk assessment and management process would change depending on the rules and regulations that are put forward by the government on the company (Farrell and Gallaghar, 2015). This would not just depend on the overseas government. The company falls under UK law, since it is a UK company, and thus any changes that are made by the UK government might also affect the risk mitigation and risk assessment process. It would thus be important to note that the risk might originate not just from the government of the country where the factory is being developed, but also from the country where the company is from. The final external stakeholder would be the consumers.
The consumers might be the most important external stakeholders, since they are the ones that are responsible for ensuring that the company has enough profits in order to stay afloat as well. There are a number of risks that are associated with the consumers, and when shifting to a new country, it is important to note that the consumers, due to various factors such as culture, might not take the same medication that they have in the UK. The consumers in the UK might not want to buy their products from a company that does not hire UK workers, and this might also be considered as a risk by most of the agencies. The consumers can create the highest number of risks for the organization, and must thus be kept in mind when looking at risk mitigation strategies (Lam, 2014).
a) There are 3 main sources of information for any new data system. In the case of an insurer, the types of sources might change, but the type of data source would remain the same nonetheless.
i) Primary source: The primary source of data in the case of the insurer would be the customers themselves. Whenever a customer has a change in the policy or a change in the way that they are doing business, the organization must ensure that the data is fed into the system. This can be done by having the customer sign up or change the policy online (Wolke, 2017). The customer would then be able to feed the data that is required directly into the system. This is beneficial since many of the changes or additions that the customer wants can be done directly by the customer and the data can be fed directly into the system, which can reduce the amount of time and the chances of error for the customer as well. This also reduces the risk of lawsuits for the customers and can have a significant impact on the way that the customer views the organization (Cummins and Weiss, 2014).
The primary source of information is often the most important source, and it is important to keep this source of information open, so that the changes are reduced as much as possible.
ii) Secondary source: The second source of information would be the insurance agents. They would be able to collect the data from the customers and be able to feed it into the system. Collection of data from secondary sources can lead to many issues for the organization. However, in most cases, it can be beneficial to the organization as well, since the data tends to be more accurate. The secondary source of information must be checked often and measures have to be taken in order to ensure that this method is the most beneficial for the organization. Most secondary sources have to be checked for reliability and thus, in the case of the organization, only the most trusted agents should be able to enter the information into the system, in order to make sure that the information is accurate and trustworthy (Chang, 2014). The secondary source of information is the one that often garners the most information, and this can be difficult for the system if it is not set up properly.
iii) Tertiary source: The tertiary source of information would often be the data experts who would be checking the information and linking key words to specific websites. It would also most often be the program developers and those who have the capacity to change the program. The tertiary sources of information are not to be trusted, which is why they must be cross-checked and referenced by the primary or secondary sources of data (Sempora, 2015). The tertiary sources of data would also have a significant impact on the data system and must therefore be taken with the utmost care. The tertiary sources of data are also the sources that can have the most significant impact on the data system.
The above are the four main sources of information that have primarily been used to affect the organization, and thus must be considered when making a new IT system for the insurer.
b) The three main data entry systems can have significant impacts on the insurer. They can often lead to issues for the insurer and can cause significant risks for the insurer as well. However, the effect that they have depends on the source.
i) Primary system: The primary source of information can have the most impact if the information system is not set up properly. Since this source of data is often the customer themselves, if the system is not set up properly, it could lead to the loss of reputation for the company. If the data entry system is not pleasing or is difficult for the customer, then they could change to another company, since it might be too much of a hassle for them to go to the insurer’s office every day and make the changes that they require (Lam, 2014). It is also from this end that any changes suggested to the system should be taken seriously, in order to ensure that the impact this can have if the data system is not set up properly is minimal. The system is based on the information given by the customer, which is why it should be simple and easy to access as well. This could reduce the possibility of lawsuits for the company as well.
ii) Secondary system: The secondary system is the one that can have the most impact on the insurer. It is through this that the hacks and ransomware, along with any other damaging software, can be installed into the system. System vulnerabilities and other issues are the main cause of this damage. Secondary sources of information, which often include the agents, are the ones that have direct access to the system, along with the tertiary sources. This means that the maintenance and keeping of the system is up to them. The impact that it could have on the insurer is a significant amount of loss (Wolke, 2017).
If there is a data breach or failure, the insurer might have to get new systems in place to ensure that it does not happen again. This would mean that the insurer might have to incur a significant amount of loss of reputation and financial loss as well. This could damage the system to a great extent.
iii) Tertiary source of information: The tertiary source of information might also damage the insurer and lead to many issues. This can be due to the type of information. If the tertiary source is the developer of the program, then they could develop the program in such a way that it could have a significant amount of damage and be open to any attacks (Fiksel, 2015). This means that for the insurer, it would have to be a huge loss, since they would have to get the program changed, or if the case is of ransomware, pay for the data and face the lawsuits as well. The tertiary source of information, however, has the chance of having the least damaging impact on the insurer, which is why it is often ignored in most cases.
a) There are many actions that can be taken by the organization in order to ensure that the risk maturity process happens in a smoother and easier way.
i) Risk Appetite Management: In risk appetite management, the risk-reward trade-offs, defining risk tolerances, responsibility for risk and looking at whether the organization is capable of handling potential risk are taken into consideration. This is one action that is important since it would mean the difference between the organization handling the risk appetite effectively or being a slave to the industry culture of the times, and being unable to handle the risk management (Aven, 2014). This is an important action that must be taken with the board of directors, and there must be clear steps to indicate the action. This is because risk appetite can have a significant impact on the risk management process as well.
ii) Uncovering risks: Uncovering the risks that are associated with the organization is also one of the major steps that have to be taken. A risk assessment matrix can have a significant impact on the organization. The risk assessment matrix is provided below. The red indicates risks that need immediate action. The orange indicates the risks that are medium, and need to be taken care of as well. The yellow and green indicate risks that are not important and can be taken care of at a later time (Outrevill, 2014). The risk assessment matrix can help in identifying risks that need immediate risk management, and can be impacted by the organization. Identifying risk is the most important action that needs to be taken in order to effectively ensure that the risk is mitigated.
Resiliency and sustainability of the business: This action is generally taken by advancing operational planning, business continuity and other sustainability actions with a risk-based procedure (Sadgrove, 2016). It is important to look at resiliency and other sustainability options as well, since a significant portion of risk management is about the sustainability of the business. By having a sustainable business, the possibility of risk is reduced to a very large extent, which is why it is essential that this is an action that is taken seriously as well.
iii) Performance Management and ERM process management: Performance management and ERM process management are both essential actions and attributes that should be kept in mind when looking at risk management. Performance management is the process by which an organization is capable of executing on the visions and strategies of the organization (Honey, 2017). By having a successful performance management system, the organization ensures that the risks that are taken are worth taking. By having ERM process management, the organization also ensures that the progress of risk maturity is being taken in a manner that is consistent.
Both these methods go a long way in identifying the risks that have been taken. To identify, assess, evaluate, mitigate, and monitor risks is the method that is most consistent.
b) Risk maturity is an essential step in achieving risk management. Risk maturity can be defined as a benchmarking tool that can measure how successfully and effectively the organization has been implementing enterprise risk management within the organization. There are many benefits to having risk maturity. Two of the benefits are:
i) Both hard and soft benefits: Risk Maturity is one of the only methods of having risk management that is able to provide the insurer with both hard and soft benefits, i.e., benefits that they can see and measure. It is able to provide both tangible measures and success matrices, which is why it is often an essential element in almost every major organization (Haimes, 2015). The hard benefits can be seen in the revenue growth and often in the stock volatility cut as well, which is why it is an important part of the market.
ii) It is an internal assessment: Though most organizations call an external agency in order to provide the tool and conduct the assessment, many organizations choose to conduct the assessment themselves, which is why it is extremely beneficial to small organizations, or those that handle data of a sensitive nature (Reason, 2016). Organizations can conduct the assessment and benchmark themselves, which keeps the data privacy of the organization intact.