| dc.description.abstract | This study focused on information systems risk management practices within Practical Action. The study assessed Practical Action's level of assurance in terms of information availability, security, optimal performance and compliance as related to guarantee of business continuity in view of vulnerability of information processing and flow channels. The study investigated risk awareness, the frequency of occurrence of human related risks and the general level of preparedness in mitigating human related risks, natural risks and environmental risks situations in the organisation. The purpose of the study was to establish the importance of information systems in regard to business continuity.
This was a descriptive case study that aimed at assessing information systems risk management practices in Practical Action. This study reviewed literature on general risk management and information systems risk management in order incorporate other views in the study. The research targeted seven (7) countries in four different continents of the world. The study population included all the 14 information technology staff in the seven countries. Data was collected by use of standard structured questionnaires which were emailed to the respondents and online communication from the respondents. The study achieved 68.5% response rate. The data was analysed quantitatively (means, frequencies and percentages) using SPSS and presented by use of frequency tables, histograms and pie charts.
The study findings revealed that Practical Action has averagely performed well in terms of risk. management with an average of 54.5% showing success in key preparedness indicators and
45.5% showing lack of success in key preparedness indicators used in t11estudy. The results also
showed that 49% have no awareness at all which closely related to low level of preparedness. There is therefore a relationship between theawareness levels and the level of preparedness. The results also showed that IT risk management is on ad hoc basis. The senior management teams in each country has left the role of managing information systems risk to IT experts instead of integrating it within the general organisational risk management.
There is great need for organisations to develop a comprehensive and all inclusive policy on the use of information systems to reduce the risks arising from insiders (employees). There is generally low awareness among staff on information systems risks that could arise from natural, environmental and human related risk causes. For effective information systems risk management, the senior management have to deal with the issues of information systems risks in an integrated manner and not consider other risks and leave out what has turned out to be the backbone of the organisation - information systems. The low levels of preparedness in case of a disaster is a clear indication that the management has not embraced information systems risk as part of the overall organisational risk management. | en |
