Risk Management and Disaster Recovery - Microsoft - Case Study Example

Risk Management Risk management refers to a formal process of evaluating and then taking steps to control a company’s exposure to facing a loss, which is based on the estimates of the probability of loss. (David Robinson, 2006). Traditional risk management looks into the physical and legal causes of risks faced by an organization and financial risk management look into the risks that an organization has to face when using traded financial instruments. In order to understand risk management, we should understand what is risk and treats. What does the tem risk imply? Risk means that there is the likelihood of something untoward happening. For example, launching a space shuttle into space has the risk of the shuttle never returning back to earth. A company may launch a new product, but they have to faced the risk of it not being so-well liked as their older products, thereby their investments carry with them the risk of losses. Threats are risks caused by the behavior of competitors in the market. For example, a major competitor could take all the customers from a company which had a foot hold in the market. Ideal risk management is one which minimizes spending at the same time it maximizes the reduction of the negative effects of risks. Risk management is done by following risk management techniques. Risk management techniques include risk identification, assessment of the risk, risk tolerance and diversification, avoiding risk and reducing the impact of risks, risk transfer, scenario analysis and contingency planning and regret analysis. Following is a brief into each of these techniques: Risk identification and scenario analysis: Identifying risks involves ascertaining those areas or issues which hinder or go against achieving business objectives. Given a particular scenario, what is the likelihood of the risks faced by the company should be marked out. Risk assessment: Here, the impact of the risk in terms of losses and in terms of disruption of work should be analyzed to understand the extent of the impact. Risk identified should be assessed as noticeable, moderate or severe depending on the level of impact. Risk Tolerance: This is a process of looking into whether the risk can be borne by the company without significant damage to work reputation and achieving business goals. Risk Transfer: Here risks which are identified can be obviated, by transferring it to another entity. Avoiding Risk: Here, if the risk is too great then it is better to altogether avoid taking the risk rather than facing the mishap which may cause a great deal of damage to business and work activities. Contingency planning: This involves making plans about what should be done, in the vent of a risk occurring. Regret analysis: This is a process of looking into what the company would lose if they do not take a risk. Part of risk management is business continuity management, which is the process of looking into how a company can face problem situations such as threats and uncertainties and how it can respond to these situations. It is mandatory for suppliers of goods and services to implement business continuity according to the Civil Contingency Act. Through Business continuity an organization shows that it cares for its shareholders and its helps to reduce reputation risk in the event of a disaster. During the process of risk assessment an organization can also do a cost-benefit analysis. A cost benefit analysis is the cost of taking a particular course of action is weighed against the risk of taking that action. One disadvantage in using cost-benefit analysis is that it does not reflect the attitude of all stakeholders of the organization. Disaster recovery Risk management also involves taking steps for disaster recovery planning. Disaster recovery (DR) planning is the process of making arrangements and procedures in advance in order to enable an organization to respond to disaster situations. In order to do this critical business functions within a defined time frame, minimizing loss, and restoring affected areas. (Ajay Gidh, 2003). An effective DR plan includes making an assessment of the vulnerabilities that an organization is exposed and developing a plan to overcome these vulnerabilities. The impact any disaster, which an organization likely to face, on the working of the organization should be full assessed and adequate initiative must be in place to help the cope with the disaster. These initiatives will help the organization to survive a disaster and to re-establish normal business operations. Initiatives taken by an organization to recover from a disaster should ensure that the organization can resume it’s critical operations within a reasonable time frame. Therefore they need to implement a disaster prevention program which minimizes the duration of a serious disruption to their business operations. It should help them to co-ordinate the various recovery tasks they have put in place and most importantly reduce complexity of the recovery effort. In this paper, the organization chosen for study is Microsoft. We first analyze the core services of the organization and then look into a possible disaster scenario which the organization may have to face and a plan for the organization to come out it. Microsoft The organization which is going to be discussed in this paper is Microsoft. Microsoft has released Windows XP and in the following study we will be making an analysis of the risks the corporation faces in the release of this product. Though Windows XP was released in …., it has been criticized for it’s limitations. Microsoft Corporation, is a multinational computer technology corporation. It has an annual revenue of US$44.28 billion and employs about 71,553 employees in 102 countries as of July 2006. Over the years, since its inception Microsoft has been providing user with a wide range of software products for computing devices. The most popular and the most widely-used products of Microsoft is Microsoft Windows operating system and the Microsoft Office suite of productivity software. In doing this the company was able to fulfill it’s goal which was to have "A computer on every desk and in every home, running Microsoft software”. Microsoft is an organization which values qualities of honesty, integrity, openness, constructive self-criticism, personal excellence, continual self-improvement, and mutual respect. Time and time again they have been seen to take on big challenge and seen through most of them. for example when Microsoft had to take on the daunting task of transition from MS-DOS to Windows, they came up with Microsoft Office. This software gave Microsoft an edge, thereby helping them to gain advantage over application-software competitors, such as WordPerfect and Lotus 1-2-3. Microsoft went on to grab other markets through products such as MSNBC cable television network, the MSN Internet portal, and the Microsoft Encarta multimedia encyclopedia. Such a huge corporation, offering so many products and services to it’s customer faces challenges in every decision that it make. Taking an example Microsoft release of Window XP, we will first look at the features that this product has to offer to it’s user and then the risk which the organization faces during the time of product release and to this day, if certain drawbacks are not removed. Microsoft Windows XP Windows XP is an operating system released by Microsoft in the year 2001. According to IDC analyst, about 400 million copies are in use as of January 2006. This product is the successor to Microsoft’s Windows 2000 and Windows Me. The uniqueness of this product lies in the fact that it is the first consumer-oriented operating system developed on Windows NT kernel and architecture. Some of the important features of Windows XP, improved code protection, ability to identify software which is running in the environment and control its ability to execute such as viruses, facilities which provide multiple applications to run simultaneously and provision of Windows Media Player, which combines all of common digital media activities into a single, easy-to-use player. It give it’s users a sophisticated access control mechanism, whereby specific users can be given permission of certain files. It enables them to encrypt file where required so that one user’s file cannot be read by another. Windows XP, bring more user-friendliness than it’s earlier versions through it graphic user interface, which has a three-dimensional look, making viewing more easier for the eyes. In offering such attractive features, Microsoft intended to retain it’s foothold in the world-wide use of Windows operating system. This being the business objective, what are the risks that Microsoft had to face when they released this product? Risks faced by Microsoft with Windows XP Risk which Microsoft knew that it had to encounter when it released Windows XP was user reaction to it and it’ compatibility issues and these represent the list of risks identified by Microsoft. The many risks which it had ascertained as part of it’s scenario analysis and which were faced by user after the product came into use are as follows: Though people who used Windows XP were impressed with it’s qualities of offering user friendliness, stability, speed and performance, they were a little concerned when they found that it was not compatible with some software that has been developed specifically for earlier versions of Windows. In trying to provide more user-friendly options, Microsoft, has given the options to view the images as a slide show when opening a file folder which ahs digital image files. This may be fine with new user, but advanced users may find this new scheme somewhat cluttered and cumbersome. There are many users who use Norton anti-virus, but when it is installed with Windows XP, XP halted the installation program and give an alert about a "known compatibility issue”. Microsoft recommends that its users should not use Windows XP's program for installing software such as system utilities, virus detection programs, and data-backup utilities because they work so closely with the kernel of the operating system. User also will experience problem when they use older DOS-based games and applications. Risks were assessed by looking into how deep the risk will affect business objectives, which is the wide-usage and popularity of Window XP software. In the case of Microsoft, which is an established concern in software development, the impact of risk issues of user acceptability and compatibility of the software with other software, really does not have too much of an impact. User did use Windows XP because of Microsoft brand name and because of window is a widely used operating system, therefore upgrading is seems a more likely thing that people would do. This leads to the issues of risk tolerance, wherein since risk impact is not sever, Microsoft can tolerate the risk of users who find problem-issues when using the software. Since the software has wide usability and is an upgrade on the existing operating system, there is no point in considering risk avoidance. Since risk is not avoided here, it leads to the next issue which is contingency planning. In order to deal with the problems which arise due to risks, Microsoft will have to plan on when it will release the patches or fixes which user face when the use Windows XP, the cost of doing this versus after product release versus the cost of delivering the product without these issues at a later point of time and releasing a new version without all or some of any of the issue users face when using Windows XP. Developing a contingency plan would be a better option as regret analysis will only reveal that if they did not give an upgrade through Windows XP their business can be captured by their competitors. Looking into how a user feels when dealing with problem issues in using window operating system, as in the case of Windows XP SP2, if is found that users felt that SP2 did little to improve their system's practical security. It left too many services and networking components enabled and permissions given were unclear thereby making IE and OE vulnerable to malicious scripts. (Thomas C Greene, 2004). This indicates a lack of trust in the software security system, which if not properly rectified can lead to a disaster situation in the future. The possible disaster situation would be people switching to alternative software as operating system instead of using windows; this will result in huge losses for the company. Such a disaster recovery plan will include working as much as possible to remove defect which users felt they simply could not deal with any more and releasing the product under a different package to user to make it acceptable. This will mitigate some of the loss incurred in losing the market to competitors, through it may take sometime for the company to gain an edge over it’s competitors. Disaster Recovery Plan Taking another Microsoft product as an example, Microsoft was forced to create a Media Player-free version of XP called XP N. This was chiefly due to ruling of the EC in March 2004 which came about because the EC felt that Microsoft had broken EU competition law. When Microsoft decided to create this product, it faced the risk of the product not being accepted. This risk actually occurred as Microsoft had priced the product on XP N was the same price as the standard version of XP. As a result many retailers and computer resellers indicated they won't sell the product. The time and money spent in developing this product was a loss for the company. The only option for Microsoft is to get into their contingency plan for dealing with this impact of this problem. The disaster recovery plan for this situation involves taking back the product from the European market and then re-releasing it at a later date, after coming to a consensus with the EU on the price issue. This will help Microsoft to mitigate the loss incurred in developing and releasing the software for the European market. Not releasing the product at all will not help because the European market is a huge one and gain a foothold would mean tremendous gains, which Microsoft would have to lose to it’s competitor if it does not implement a disaster recovery plan to come out of it. Another product which was a failure for Microsoft is Microsoft Bob. This product is a graphical user interface which was designed for novice computer users and it was released by the company in March 1995. The product did not have any impact n the users and as a result it was alter stopped. In the word of Microsoft CEO Steve Ballmer, Microsoft was one project "we [had] undertaken ... where we decided that we have not succeeded and let's stop”. In this situation the disaster recovery plan will involves taking steps to tune up the produce more to the need of a new computer user and searching a different market for the product. Since the product is meant for novice user, it will do well if it is released in regions where people have less exposure to using computers and require assistance or in the field of education and learning of children in computers. If the company had implemented this disaster recovery plan, the time and investment made into the development of them produce could have been gained rather than have it complete stopped. Recently Microsoft has agreed to make modest changes to Windows XP in response to criticism from an antitrust compliance committee. In a court filing on Wednesday, the US Justice Department and some states charged that web-related resources, such as saved HTML files, continued to be denoted by an Internet Explorer icon, even when IE was not the default browser. User stated that when Internet Explorer in XP was disabled, it did not automatically delete user-created shortcuts pointing at the application. The disaster recovery plan for this situation would be for Microsoft to do what the antitrust compliance committee it to do and also to make a through assessment of the risk posed by bugs in it’s software to the people who used it’s software. Microsoft is the most used operating system, which means that it is used by organizations to store critical data. Loss of such data can result in gains to their competitors. Therefore, Microsoft has to not just what the antitrust compliance committee asks it to change but provide more features in order to reinforce customer confidence. Conclusion In ideal risk management, all possible risks are identified and priorities are assigned to risks based on the severity of impact and the probability of loss occurring. Importance is given to the handling of risks which give a great deal of loss, while risks with lower probability of occurrence and lower loss are handled later. In this paper the organization under study is Microsoft and we looked into the possible risks faced by the corporation on release of it’s product Windows XP. In the eventually of a severe risk, Microsoft would have to withdraw any product it releases as it did in the case of the product Microsoft Bob. Risk situation can be more severe than this and can be more complicated. Take for example, the situation of an oil company with many rigging site all over the world. Explosion due to malfunction in any of them will result in severe loss of life and damage to property. In such a situation risk management is absolute necessary in order to mitigate the loss in terms of human resources, company reputation and money. It is vital for an organization to develop a disaster recovery plan, in order to resume operation in the event of a disaster occurring. In the case of a software company such as Microsoft, if the disaster of a lawsuit comes or customer reject a product they have produced, their disaster recovery plan, will involve negotiations with those who want changes, what these changes would be and taking steps to implement them as quick as possible so that they do not a market. In the case of an oil company which is have site globally; a possible disaster situation is an explosion to take place in any site. Their disaster recovery plan would involve, providing medical assistance to employee, taking steps quickly to put out the fire and resuming operation as soon as possible to reinforce customer confidence. Disaster recovery plan become very important in situation where a disaster result in loss of life and property as for example in the case of people working in a nuclear power plant. Ant disaster event in the working of the plant will have serious impact in the lives of the people who work there as well as in the lives of the people living in the region. A disaster recovery plan, would include taking steps to minimize such loss of life. If risk management has to be effective, manager must clearly understand the factor which a firm can control and factors which are clearly beyond their control. Only them can they identify the real risk involved and prepare themselves to face it as most business decision involve some degree of risk taking and risk tolerance. The systematic identification and assessment of risk, a frank discussion of risk tolerance and the use of a variety of techniques to mitigate risk will lead to good strategic planning. References Robinson., David., Primer on the Management of Risk and Uncertainty Greene, Thomas., (2004), WinXP SP2 = security placebo? Graeme Wearden, (2005)Windows XP-lite 'not value for money' Richard Richtmyer ,(2001)Opening up Windows XP Ajay Gidh (2003), What is disaster recovery planning, Microsoft Bob., Our Mission GregorK    2005., The Windows XP SP2 connection limit. http://www.phex.org/mambo/content/view/49/33/ Richard Richtmyer ,(2001)., Senator targets Windows XP Computer Slows When You Click Multiple Icons in Windows XP Microsoft Industry Partners Help Boost Small-Business Success Microsoft Announces Windows XP and Office XP Some programs seem to stop working after you install Windows XP Service Pack 2 How to use Windows XP., Read More