Risk register
Risk management is critical to the success of any project in an organization and must therefore be developed during the planning stages of the project implementation process. Various practical approaches are used in creating a risk management plan. A risk register is one crucial step in completing the risk management process.
A risk register is thus a management tool that identifies risks and manages them to acceptable levels through a review and updating process. The main purpose of a risk register is to allow an organization to identify, record and attempt to mitigate potential risks to the organization. It allows the organization to assign risk ownership to individuals in an effort to track mitigation strategies. Risk registers take the format of a simple document, spreadsheet, or database system. However, the most effective format is a simple table, as it presents a great deal of information in a few pages. The risk register, otherwise known as a risk log, shows the essential records of identified risks, their severity, and the actions that are supposed to be taken in order to alleviate the pain. It provides a framework for problems threatening the delivery of the anticipated benefits. Actions are then instigated to reduce the potential impact of the specific. There is no venture that does not involve risk. Risks exist because of uncertainty. All business decisions are made under conditions of risk and uncertainty. Uncertainty impacts significantly on private investment decisions. Risk and uncertainty arise from the uncertain behavior of market forces, government policies, external influences on the domestic market, changing business environments, the emergence of competitors with highly competitive products, and social and political changes in the country.
The paper seeks to develop a risk register by first identifying risks emanating from various aspects of the company’s global marketplace activities, such as manufacturing uncertainties, problems with suppliers, political instability, and currency fluctuations. It also seeks to discuss the sources of each risk and evaluate the level of severity of all the risks and their impact. The likelihood of occurrence and controllability are also keenly discussed. Finally, the paper suggests an appropriate risk response for each risk. This paper will identify the risks and analyze all risk events. It will also analyze the probability and the consequence of each risk and rate the risk to find the potential of each risk event. Based on the risk probabilities and their consequences, the paper will suggest response strategies and the response method. It will finally make a risk register and give recommendations to prevent the negative effects of the risks and hence maximize the opportunity for the team.
The changing nature of modern business in its scope and coverage has led to the rapid evolution of risks to more complex levels in the business environment. This has dramatically increased the scope and potential impact of the risks inherent in day-to-day operations. Companies now face an ever-changing array of risks to their property, people and reputation. In addition to the threat of crime, terrorism, and civil, religious and social conflict, both man-made and natural disasters are major sources of threat. Risks also arise from suppliers, business partners, and from within organizations. In a world of increasing competition and litigation, prudent organizations have begun to view risk as an integral component of business planning and operating processes. This has led to corporate risk management. Organizations are now concerned about different types of risks such as enterprise fraud management, security risk assessment, business risk management and corporate risk management. Any given risk leads to losses in different areas. Companies face a number of risks which stem primarily from the nature of their business. A company may lose revenues or human resources, or fail to produce goods or provide services. Some of the identified risks, their sources, the severity of their impacts, and their likelihood of occurrence are summarized below. In the recent past, risk management has taken a more prominent role in data protection as the new era of information technology continues to unfold more advanced and proliferated systems. Organizations have shifted their attention to accountability for data processing, in addition to compliance with data protection regulations. There are numerous examples; however, the most prominent include the following.
1) Volatile political system
Generally, underdeveloped countries experience a higher degree of political risk as a result of poor, volatile political systems and economic conditions. In such countries, the biggest risk faced by foreign investors is an immature political system. The chief concern becomes expropriation risk, that is, the possibility that host governments may seize foreign-owned assets. To mitigate this, there is a need for stronger international law to reduce the symbiotic nature of growth in emerging economies. This can be achieved through reduced asset seizures to nearly. According to George Chifor, interest in emerging markets has soared. More value can be extracted from foreign enterprises through the subtle instrument of regulatory control rather than outright seizures. The risk is that a government discriminatorily changes the laws and regulations governing an investment in a way that reduces an investor’s financial returns. Political uncertainty, or rather policy risk and regulatory uncertainty, should thus be tamed through the formulation of internationally acceptable policies that cannot be manipulated by the dynamic nature of local politics and the political interests of the day.

2) Project not fully funded
Project funding is categorized as an external risk, as it is associated with the impact on a project’s cash flow arising from a lack of available funds or higher funding costs. Project funding faces challenges for a number of reasons. Firstly, projects that are joint ventures are one area faced with the threat of poor project funding: joint ventures fail to reach clearly stated agreements on the financial responsibilities of the partners and thus lag due to lack of finances. Secondly, budget constraints also affect project funding. Thirdly, uncertainty of project costs is a threat: project costs are uncertain, and funding allocations do not necessarily match the costs required. Projects are inherently subject to cost overrun risk. Proposed funding allocation models are integrated with project selection decision-making and thus provide a basis for more effective project control. Lack of full funding support leads to project delays, as most projects will take more than the stipulated time to complete. Delays result from delayed implementation. The primary objective affected by poor project funding is time. A project lacking full funding support has a very high impact in the organization’s qualitative risk assessment. The risk of a project lacking full funding support can be mitigated through a comprehensive risk assessment plan. Poor project funding has a high probability of causing undesired levels of poorly implemented projects and is thus a major threat.

3) Manufacturing uncertainty

Manufacturing uncertainty is one of the major causes of risk in the product market. While risk can be estimated and insured, uncertainty cannot. Uncertainty is complete ignorance of the future, and no amount of technical adjustment can change our basic ignorance of the future. The probability of risk arising from manufacturing uncertainty is measured objectively, while uncertainty can be measured through subjective probability, depending on the marginal utility of money of the individual company. Companies may face risk with increasing marginal utility of money, with decreasing marginal utility of money, or be risk neutral with constant marginal utility of money.

4) Differing site conditions
Differing site conditions are caused by unexpected geotechnical issues. They also result from natural or man-made obstructions. This causes increased project costs. The primary objective affected by differing site conditions is cost. This risk has a medium probability of occurrence and a medium impact on the organization.
Contractors frequently face the risk of site conditions that differ from those anticipated in their bids. For instance, existing facilities that form part of the contract work may differ in their location, makeup, or state of repair from the information in the bid documents or from what would be apparent to a contractor making a prebid inspection. If the differing site conditions should have been discovered or anticipated by the contractor and the contractor failed to do so, the chances of receiving additional compensation through a change order are very low. However, if the conditions differ from what is indicated in the plans and specifications or from inspections, the likelihood of receiving additional compensation for changes is quite high.

To reduce the risk, negotiate for a differing site conditions clause in the contract, or against an owner’s disclaimer of these conditions. It is important to know the extent and limitations of the information supplied by the owner, and the benefits and limitations of the contract language. Inadequate subsurface information accompanied by a disclaimer is a red flag. Conduct a thorough investigation of the site prior to the bid, and document the investigation and its results. It is also crucial to promptly notify the contractor of unforeseen site conditions encountered, even if you are not yet certain that you will be submitting a change order request. Lack of notice is a strong defense against claims of differing site conditions, since owners have to be given an opportunity to seek a more economical course of action.
5) Macroeconomics Risks

The economic downturn poses a risk to sales development. This is caused by the accounting team, or rather the sales teams. Macroeconomic risks arise from a poor economy and may also arise from a lack of enough jobs. If people fail to purchase as much as is expected in the marketplace, there is also a chance that the company will face macroeconomic risks. Macroeconomic risks have a high likelihood of occurrence, since there are no effective ways to provide sound implementation strategies that cater for economic changes. Economic variations are subject to fluctuations in economic trends. Macroeconomic risks have high severity, as they affect the monetary capacity of the company to manufacture or process and deliver to its target market, and thus a low level of controllability.

6) Consumer Demand Risks
Consumer demand risks are risks that accrue from lacking the ability to respond to consumer wants or demands quickly enough, thus leading to a short-term revenue loss. The marketing team is responsible for the change in consumer interests that subjects a company to consumer demand risks. Consumer demand risks can also occur if other companies offer newer and better products to the market. Consumer demand risks have a medium chance of occurrence, since the consumer market fluctuates with consumer needs. The severity of impact of consumer demand risks is medium, with medium controllability in the industry.
Contingency plan.
The importance of designing a contingency plan emerges from an analysis of the risks that an organization faces. Contingency plans are useful in thinking about new and ongoing projects: they address business-critical operations by identifying critical business functions and outlining ways to minimize losses. This paper conducts a risk analysis to identify the various risks that a business faces and evaluates the potential of each risk to significantly disrupt the business. A risk analysis usually results in a list of potential threats, and producing a contingency plan for all of them may be overwhelming. It is therefore important to prioritize these risks.
A company would follow a few strategic pre-incident changes to ensure the well-being of the enterprise, through the following steps. Firstly, it is important to prioritize risks. Making sure you don’t plan too much is one of the greatest challenges of contingency planning. Organizations should carefully balance between preparing adequately, so as to respond effectively to a crisis situation when it occurs, and over-preparing for something that may never happen. This balance can be found by preparing risk impact charts. Risk charts help companies analyze the impact of each risk and estimate the likelihood of it occurring. Through these charts, companies can identify which risks warrant the expense and effort of risk mitigation. Business processes which are essential to long-term survival, like maintaining market share and customer satisfaction, are typically at the top of the list.

Prior arrangements when developing a contingency plan should consider:
 Maintaining the business operations which are the main goal through closely evaluating what the organization needs to do to deliver a minimum level of service and functionality.
 Defining the time periods by specifying what must be done as the immediate action of implementation.
 Identifying the trigger, that is, what specifically causes you to implement the contingency plan. Organizations need to decide which actions to take, and determine the staff to be in charge through all stages and the type of reporting process they must follow.
 Keeping the plan simple is critically important. A clear and plain language works to enable the process of implementation from all avenues.
 Considering related resource restrictions is also an important aspect that will enable the organization to function the same way if it has to implement a different plan.
 Identifying the customer’s needs in the contingency plan facilitates the identification of the minimum requirement to continue with its day to day operations.
Contingency plans are standard operating procedures, and companies must therefore provide initial training on the plan and always keep everyone up to date on emerging changes. Companies need to provide a standard way of documenting the company’s planning process, and find opportunities for performance improvement.
Sources of Risks
Risk in terms of severity of the impact, likelihood of occurrence, and controllability.

Business Contingency Plan
Businesses require a plan to manage their risks. Contingency planning and risk assessment is one method of analyzing the risks the business might face and the actions that should be taken to reduce or avoid their impacts. Sometimes it’s difficult to plan for every possible emergency; however, almost all businesses can identify those.
Strategic pre-incident changes the company would follow to ensure the well-being of the enterprise.
Analysis of potential threats
A company’s reaction and response to a disaster depend on the extent and the nature of that disaster. Disasters like a tornado or flood might destroy information technology infrastructure. Disasters such as pandemic diseases will only affect the company’s personnel, while the machinery and the building remain unaffected. Disasters such as a terrorist attack will affect the network while leaving hardware functionality and personnel unaffected. However, bombings will destroy network components and human life. Loss of power, or power blackouts, will render equipment unusable, although this cannot last for a long time. Therefore, prior planning should be in place to counteract any such threats.
Areas of responsibility

The most important tool for managing a disaster during or immediately after it has occurred is to assign the employees areas of responsibility and to establish a communication hierarchy. Personnel should also be trained to be prepared for such circumstances and in how to recover from them.
Emergency contact information
When planning for pre-incident changes, updated contact information should be kept. These contacts should be of help when the disaster occurs. This updated information should cover the company’s personnel, security services, and emergency personnel such as the police, the fire department and building maintenance personnel.
Recovery teams

After the disaster, teamwork will make it possible to put the company’s situation back in place. The BCP should have the responsibility of appointing a team to carry out the recovery. This team should consist of specialists who have experience in disaster management. The team members will help each other with the emergency services and should have full access to any tool, including equipment, deemed to be of help.
Off-site backup of important data

An effective plan for business continuity should address the techniques for restoring critical data if it is destroyed during the disaster. Great attention should be given to data storage and to backing up such data. If a disaster such as a tornado or a bomb occurs, data will definitely be affected, and loss may occur. Copies of such data should be made, stored on removable media, and kept far away from the business location. Another effective way is backing up to the internet, i.e., using Google Drive cloud backup. The backed-up data should also be accessible to the company’s key personnel even before the disaster occurs.
Backup power arrangements
Most disasters cause a loss of electrical power. Since losing power is a disaster in its own right, a plan to curb this should be established. The best plan is to have a UPS which, in case of power loss, will keep the system running. Power generators should be purchased to provide power when electrical power is lost. Personnel should be trained on how to switch on these generators if they are not self-switching (automatic).
Alternative communications strategy
Sometimes a company’s communication tools, such as phones and the internet, may be down. Since communication is an essential tool for companies, a plan to overcome this should be set up. Other methods of communication, such as ham radios, should be used during a disaster.
Alternative site of operations
The BCP should identify an alternative building in a different location, to be used in case a disaster occurs and affects the current building.
Essential equipment/services backup
In some instances, some equipment can be recovered from the disaster and moved to a new site. Others might be destroyed or rendered useless and can be repaired. The BCP should identify which equipment is to be used and which is not.
Recovery phase
The BCP should address a step-by-step process for restoring business operations to their state before the disaster. This step-by-step process should include an assessment of the degree of damage caused, the estimated recovery cost to be met, and the process for monitoring the recovery.

The ethical use and protection of sensitive data.
Within a data system, there is a distinction between general information, which is generally helpful to an organization as it carries out its mission, and sensitive information, which is confidential and vital to an organization as it carries out its mission. For example, a data file with “help” instructions for website users is a “general” support component within an organization’s data system. While the files are important to users facing a web problem, the data are not vital to running an organization or organization system; nor are they private in nature or otherwise subject to confidentiality restrictions. On the other hand, data about an organization’s targets are both confidential and vital to the organization’s core objective.
Ethical standards for protecting sensitive information are higher than those for general information. An exception is some directory information that may be considered a part of the public record. An organization’s information (e.g., price lists) is substantially a private matter and, as such, is supposed to be treated and kept as confidential, since it is not the public’s business or a data handler’s business unless there is a legitimate need to perform officially assigned responsibilities.
Canon 3 addresses the need to be aware of laws and policies governing data collection and reporting, which includes the confidentiality of private data about individuals. The principle of Canon 9 addresses the responsibility of organizations to establish and enforce procedures that will put these safeguards in place.
Recommended Practices and Training
Identify which data are considered to be sensitive (private and/or vital to operations).
Develop and implement a robust data security plan that includes specific precautions for sensitive data, such as the following.
Limit access privileges strictly to data handlers who “need to know” the information to conduct their official duties and responsibilities.
Review and reauthorize user access privileges on an annual basis.
Limit remote access privileges so that data in a secure location cannot be exported to a site that is not secure (e.g., downloads from a secure database into an Excel or PDF file at home).
Maintain high standards for verifying data requests and data sharing. Due diligence prior to sharing data is more than just identifying who wants the data. Ask questions such as: Why do they want it? How will they use it? Will they destroy it properly? How can proper handling be verified? Will they sign an acceptable use agreement? Note that it is often helpful to have these questions answered in writing.
Mandate password rules that make it difficult for hackers to guess. For example, passwords should be six or more characters in length and include at least one letter and one number, as well as an asterisk, exclamation point, or other special characters. Passwords should not be names or words that appear in a dictionary.
Require the use of secure transmission technologies, including secure servers, authentication tools, and encryption algorithms.
Store data securely. This requires appropriate physical security, software security, access security, network security, and related behavioral management security.
Establish and enforce security expectations for portable data storage media, including laptop computers, external hard drives, portable drives, etc.
Establish and enforce policies governing the release of student data (both private and directory information) in compliance with FERPA, as well as related state and local privacy laws and regulations.
Train all data handlers to understand their responsibilities with respect to FERPA and other applicable statutes and regulations.
Require written permission from a parent to release nondirectory information subject to the exceptions identified in FERPA.
Train all data handlers to identify which data are general information and which are sensitive.
Ensure that data handlers understand the expectations and consequences of FERPA, HIPAA, and related state or local privacy laws.
Train individuals based on their access privileges to sensitive data. Nontechnical staff with access privileges—such as teachers, administrators, or data clerks—need to understand the data system’s security safeguards and how they can follow them. Include discussions about the “why” of security as well as the “how,” so that learners can internalize this ethical principle and apply it to their work.
The ethical use and protection of customer records.
Companies deal with many people while rendering services and producing goods for the community. For certain services and products to be provided effectively, customers must reveal their personal information, which should be treated with the utmost confidentiality and kept secure. Maintaining this information becomes a challenge. With modern technology, an organization’s data can be retrieved and accessed instantly. That a lot of people in the company can get access to this customer information could be risky.
The obligation not to reveal customers’ information should rest on every company, and in case of a disaster which renders the information vulnerable, measures to curb that should be designed. Procedures should be laid down for the disclosure of customers’ information. Access or disclosure sought falls within the permitted purposes that do not require the customer’s prior consent. Top management must implement procedures to enable them to account for such disclosures. Once a customer’s information is released, management executives must keep records and implement other procedures to ensure that they are able to account to the customer for such disclosures, upon the customer’s request.
To prevent such disclosure during or before the disaster, the measures which should be put in place include:

Limit access to customer’s information to authorized individuals only.
Ensure that institutional policies and practices with respect to confidentiality, security and release of information are consistent with regulations and laws.
Educate company’s personnel on confidentiality and data security requirements, take steps to ensure all employees are aware of and understand their responsibilities to keep customers information confidential and secure, and impose sanctions for violations.
Implement technical (including, if appropriate, the use of encryption), administrative and physical safeguards to protect transaction record files and computerized data against unauthorized use, access and disclosure and ensure data confidentiality, integrity and availability.
Conduct periodic data security audits and risk assessments.
Develop systems that enable organizations to track (and, if required, report) the use, access and disclosure of organizations records.
Provide for appropriate disaster recovery.
Establish guidelines for masking customer’s identifiers in committee minutes and other working documents in which the identity is not necessary.
Establish policies and procedures to provide to the customer an accounting of uses and disclosures of the customer’s health information.
Create guidelines for securing necessary permissions for the release of transaction information for research, education, utilization review and other purposes.
Identify special situations that require consultation with senior management prior to use or release of information.
Obtain written agreements that detail the obligations of confidentiality and security for individuals, third parties and agencies that receive company’s records information, unless the circumstances warrant an exception.
Follow all applicable policies and procedures regarding privacy of customer information even if information is in the public domain.
In the event of a security breach, conduct a timely and thorough investigation and notify customers promptly if appropriate to mitigate harm in accordance with applicable state law.
Establish adequate policies and procedures to mitigate the harm caused by the unauthorized use, access or disclosure of company’s information to the extent required by state law.
Participate in the public dialogue on confidentiality issues such as employer use of company’s information, public health reporting, and appropriate uses and disclosures of information in health information exchanges.
The communication plan to be used during and following the disruption.
An effective communication system for emergency and disaster management should be properly planned. Alerts should be sent via email or overhead paging systems. Text messages and voice calls will also be used to give instructions on evacuations and relocations. Communication systems will be used to give updates on the status of the situation and directions to a safe place to run to. Communication systems for external emergency communication should fit the business’s continuity methods, which include notifying family members of the dead or the injured. They can also be used to discuss the disaster situation with the media and to inform the shareholders of the status.
Communicating during an emergency is a challenging task, so emergency communication strategies should be planned in order to prepare the response for when the need occurs. These plans should have the full support of key management, and continuous review as well as regular updating is essential for their effectiveness. These emergency communication plans must be able to provide the following:
 Quick launch
 Informational to top management
 Informational to spokesperson of disaster
 It should facilitate the distribution of media coverage

Restoring operations after the disruption has occurred (post-incident).
After the disaster has been contained and system control has been regained, incident recovery is set to begin. The recovery team then assesses the depth of the damage caused, to enable the next step in restoring the systems. During this process of determination, any information found should be treated with confidentiality, and integrity should be maintained. Once the determination stage is over, the recovery process kicks off, and the steps followed should include:
 Identifying and resolving the vulnerabilities that caused the disaster to occur.
 Addressing the preventive measures which failed to deter the disaster from occurring. Addressing will include upgrading or replacing the system.
 Improving the monitoring capabilities, or installing them if there were none.
 Retrieving the backed-up data and entering it into the systems.
 Examining and restoring the services and processes.
 Closely monitoring the systems to see if their functionality was affected.
 Restoring the confidence of the employees.
 Conducting a review, by the restoration team, that gives a detailed account of the events that took place from the start of the disaster to its recovery, and correcting where necessary.
After all these have been done, routine duties resume.
Implementation plan in which you recommend ways of implementing, monitoring, and adjusting the BCP.

Implementation of the BCP involves some activities, which include the development of various plans that take into consideration capacity and data security, not forgetting the disaster recovery plan. Monitoring of these plans requires constant reviews and adjustments for them to remain up to date and effective. These plans should address the organization’s objectives for data recovery and disaster management. The plans should work in combination with each other or individually, depending on the size of the organization involved. Larger organizations are mostly complicated, and combinations of these plans will mostly be required. Tasks performed during the planning process include:
 Evaluating the effects of the new infrastructure implementation.
 Analyzing if the desired outcomes of IT can be achieved by introduction of new technology.
 Evaluating if the expectations of infrastructure standards are valid.
Develop availability plan
The availability plan explains how service availability should be ensured. It also addresses the components related to the services, such as the software and hardware, and the personnel concerned.
Designing for high availability is more cost effective and efficient than retrofitting. Meticulous use of redundancy will enable services to take into account failures of their components. Tasks which should be managed include the identification, documentation and scheduling of regular preventive maintenance. The importance of managing these tasks is to ensure that this plan is carried out in accordance with set specifications. Continuous review of this plan, its requirements and its performance will ensure ongoing alignment between information technology and the business itself. Technology should be actively investigated for improvements and development.
Develop capacity plan
The capacity plan seeks to explain the techniques for assessing the overall service and the performance of its components. The information in the plan is used to develop the acquisition, configuration or even upgrading tasks. The information also enables management to assess the current capacities and the resources that need to be upgraded, compared with the expected future capacity. This plan can be implemented in three phases:
 Business planning capacity, which seeks to elaborate on the business requirements of the service;
 Capacity planning, which seeks to give a clear picture of end-to-end service capacity; and
 Component capacity, which seeks to point out the individual components making up the service.
This plan is most effective during the design phase. Adjustment of service and its components. The relationship between the business and the plan will help in identifying the factors which are likely to affect capacity. These factors might include changes in business usage patterns. This plan will help review these general changes. This plan can be implemented using:
 Incremental method versus replacement method
 Scaling up method versus scaling out method
 New technology method
 Parallel method versus hub-and-spoke method
If possible, automation in monitoring should be established. Historically, performance in different circumstances has provided a good evaluation of service behavior; it can also retain and store information for analysis and trend predictions.
Develop data security plan
The data security plan seeks to elaborate how the services will be designed to be accepted by all levels of security. It shows the existing security threats and the implementation proposals to mitigate these threats. This plan should address the goals of information security. The first goal is data confidentiality, which states that nobody should be able to see any of the company's confidential data without authorization. The second is data integrity, which states that all users should feel confident about the accuracy of the data presented to them; the data should not be modified in any way. The third is data availability, which states that users should be able to access the data they need in abundance at any time. This plan should generate an overall security policy, supported by the business, that addresses the requirements and the escalation procedures for data and security incidents. The policy generated should be regularly communicated to all employees through awareness campaigns. Technical measures against malicious security breaches should be implemented. If possible, automated tools should be used, as they help in managing the security of data. Regular security audits should also be performed, as they ensure that the security of data is intact.
Develop monitoring plan
The monitoring plan states the process by which all services will be monitored. The information required and the results should be monitored. It includes information about monitoring requirements and design activities, most of which should be proactive. The monitoring capability should match the infrastructure for effective accomplishment. For automated monitoring, alert responses are expected. This will reduce errors while improving the response times of the personnel.
Review and approve plans
For these plans, changes in infrastructure, updates and implementations should work together. A common set of technologies should be identified and shared as much as possible. The business, working together with the Information Technology department, should first approve these plans. All activities and actions should be consistent and in alignment with the information technology standards. Customized solutions should be avoided at all costs.