
In this Performance Task Assessment, you will analyze a case study in order to demonstrate your ability to assess information systems security, legal, and ethical risks and develop plans for mitigating information systems risks. You are strongly encouraged to use the Academic Writing Expectations Checklist when completing this Assessment.

Professional Skill: Written Communication, Critical Thinking and Information Literacy are assessed in this Competency.

Your response to this Assessment should:
Reflect the criteria provided in the Rubric.
Adhere to the required length.
Conform to APA style guidelines. You may use Walden Writing Center’s APA Course Paper Template.
This Assessment requires submission of one file. Save your file as SP003_ firstinitial_lastname (for example, SP003_ J_Smith).

When you are ready to upload your completed Assessment, use the Assessment tab on the top navigation menu.

Part 1: Select an organization of your choice with which you are familiar, or for which you can find sufficient information about its business information systems. Identify one or more information systems for analysis. The information system(s) should be enterprise-scale and cross-functional, or linked to external suppliers, customers, or partners. For the selected business information system(s), prepare a 3- to 5-page risk management analysis and evaluation that addresses the following. In each section, make sure to support your positions with reasoning, evidence, citations, and references.
Identify and describe global and domestic security, legal, and ethical risks related to the selected business information system(s), and their potential impacts. Include financial impacts as well as other types of impacts.
Compare and contrast approaches to mitigating or managing the security, legal, and ethical risks you identified. Include at least two approaches to managing each risk.

Part 2: Read the “Engro Chemicals Pakistan Limited Case Study.” Considering the same organization and business information system(s) you selected above, prepare a 5- to 7-page disaster recovery and business continuity plan that addresses the following. In each section, make sure to support your positions with reasoning, evidence, citations, and references.
Identify and evaluate at least two options for disaster recovery. Compare and contrast the strengths and weaknesses of each option (2–3 pages).
Using the preferred option(s) from your evaluation, develop a comprehensive plan for disaster recovery and business continuity for the business information system(s) you selected above (3–4 pages).



Muntazar Bashir Ahmed wrote this case solely to provide material for class discussion. The author does not intend to illustrate
either effective or ineffective handling of a managerial situation. The author may have disguised certain names and other identifying
information to protect confidentiality.
Ivey Management Services prohibits any form of reproduction, storage or transmittal without its written permission. Reproduction of
this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to
reproduce materials, contact Ivey Publishing, Ivey Management Services, c/o Richard Ivey School of Business, The University of
Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail [email protected].
Copyright © 2009, Ivey Management Services
Version: (A) 2009-12-14
On October 20, 2007, Ruhail Mohammed, vice-president and chief financial officer (CFO) of Engro
Chemical Pakistan Limited (Engro), was preparing his notes to present at the management committee
meeting on November 1, 2007. A critical item on the agenda was that on August 19, 2007, a fire in the
PNSC building, which housed the Engro head office, had destroyed a substantial portion of the company’s
hard-copy records relating to the financial years 2004/05 and 2005/06, as well as the period from January
1, 2007, to August 19, 2007; however, the electronic data had remained largely intact. The end of the
company’s financial year was December 31, and the external auditors were due to commence their work in
December 2007, as the deadline to publish the annual financial report was February 20, 2008. The
company was listed on the Karachi Stock Exchange (KSE) and, being a blue chip company, had informed
the stock exchange of the date it would announce its final results for 2007.
Mohammed had to update the management committee on the progress that had been made under a plan
according to which the company’s critical accounting and control systems and data would be restored, so
as to keep company operations uninterrupted. The auditors had pointed out that, since they had earlier
conducted a review of the financial records as of June 30, 2007, they would rely on that work and not need
any records for the first six months. Their main focus would be on the second half of the year, and this
would require that the company provide them with all the information that they requested in order to form
an opinion for the annual audit report. As the records for 2005/06 were also destroyed, they were
concerned that the company could be in breach of the statutory provisions in the Companies Ordinance¹
relating to the minimum period that a publicly-listed company’s records were required to be retained.
Engro was launching a number of new projects, and the auditors needed to be satisfied that the plans would
not be affected by the loss of records. The CFO was confident in the company’s documented disaster
recovery plan (DRP) that had been activated, and he felt that matters were under control.
¹ The corporate sector in Pakistan is governed by the Companies Ordinance 1984, which was promulgated on October 8,
1984 and major amendments made via the Companies (Amendment) Ordinance, 2002. The objectives of the Companies
Ordinance 1984 were inter alia to consolidate and amend the law relating to companies and certain other associations for
the purpose of healthy growth of corporate enterprises, protection of investors and creditors, promotion of investment and
development of economy. The detailed provisions of the Companies Ordinance, 1984 sought to meet these objectives and
have been amended and updated from time to time to keep in line with the changing circumstances.
This document is authorized for use only in Angela Montgomery’s CMBA SP003-Risk Management and Business Information Systems course at Laureate Education – Baltimore, from
September 2017 to November 2018.
Engro Chemical Pakistan Ltd. had been incorporated in 1965 as Esso Pakistan Fertilizer Company Ltd.
The core business of Engro was the manufacturing and marketing of fertilizers and it was the second
largest producer of urea in the country, which was produced at the plant site in Daharki (a small town 570
kilometers from Karachi). Engro also produced NPK² (Zarkhez) at the plant in Port Qasim, a few
kilometers from Karachi, and marketed two other brands of fertilizer: MAP under the brand name Zorawar
and DAP. Owing to the continuously declining margins in seed business, the management had decided to
exit from this business in a phased manner. This demonstrated the management’s proactive business
approach of conducting a continuous review of operations and realigning corporate strategy according to
changing business dynamics.
During 2007, all of Engro’s businesses grew rapidly. The principal business of the company remained in
the manufacturing and marketing of fertilizers. Its joint ventures and subsidiary companies were engaged
in a variety of businesses: chemical terminals and storage, PVC resin manufacturing and marketing,
control and automation, foods and energy businesses. A brief review of the main business and the new
projects underway follows:
The fertilizer sold by the company was of two types:
Urea: During 2007, a total of 4.76 million tons of urea was produced in the country, of which Engro
produced 954,000 tons while in the process of further expansion. The urea plant expansion was the largest
private sector investment that had been made in the history of Pakistan. In 2007, it was on track for
completion in 2010, and with key contracts and financing in place, the construction work had begun.
Phosphates: Engro sales up to the third-quarter of 2007 indicated that it would be in a good position as the
market leader, as it expected to capture 35 per cent of the phosphates market for the full year. This
fertilizer was imported and its price was susceptible to fluctuations in the international market.
The activities of subsidiary and joint venture companies were as follows:
Engro Polymer & Chemicals Ltd (EPCL): This subsidiary was involved in the manufacturing and sales of
poly vinyl chloride (PVC) and was also being expanded: its backward integration project was expected to
be completed by mid-2009.
Engro Vopak Terminal Ltd (EVTL): This was a 50:50 joint venture with Royal Vopak of the Netherlands.
This subsidiary had commenced building the country’s first cryogenic ethylene storage facility.
Avanceon: Engro owned 63 per cent of Avanceon, which was a leader in industrial automation business. It
had acquired facilities in the United States and was in the process of seeking to serve customers as an
offshore outsourced vendor.
² NPK is a fertilizer consisting of nitrogen, phosphorus and potassium.
Engro Foods Limited (EFL): This was a wholly-owned subsidiary of Engro and 2007 was its first
complete year of operations. It had continued its expansion by adding to its brand portfolio, milk
production and distribution capacity.
Engro Energy (Pvt) Ltd: This was also a wholly-owned subsidiary of Engro and had concluded the
formalities to set up an innovative and cost-effective power plant: their target was to add 217 megawatts to
the national grid.
Engro Eximp (Pvt) Ltd: This was a wholly-owned subsidiary of Engro and was engaged in the trading of
phosphatic fertilizers.
Engro was publicly listed on the three stock exchanges in Pakistan: Karachi, Lahore and Islamabad. Its
earnings had grown steadily over the last 10 years (see Exhibit 1), as shown by the increasing trend in the
annual earnings per share (see Exhibit 2).
A leading Pakistani business conglomerate known as the Dawood Group (DG) held the majority 42 per
cent of shares in Engro, while the ownership of Engro employees and employee trust shareholding was
eight per cent. Engro’s board of directors comprised five members from its own management: two from
DG and three other non-executive directors (see Exhibit 3). During 2006, Hussain Dawood, chairman of
DG, was elected as the chairman of Engro. The association of DG, which also owned other chemical
businesses, had augmented the capacity of the board to guide the management in formulating its long-term
The company was managed through the following principal management committees:
Board Compensation Committee: This committee was responsible for reviewing and recommending all the
elements of compensation, organization and employee development policies relating to the executives and
approving all matters relating to remuneration of executive directors and members of the management
committee. This committee (see Exhibit 3) consisted mainly of non-executive directors and had met four
times during 2007.
Board Audit Committee: This committee consisted of four independent non-executive directors (see
Exhibit 3). The chief executive officer (CEO) and the CFO only attended if they were invited. As part of its
work, the committee met with the external auditors at least once per year. During 2007, this committee had
met seven times and had been informed by the CFO of the data loss the company had incurred, and that the
DRP was being implemented.
In addition, the following committees were set up at the operational level and functioned in advisory
capacity in order to provide recommendations to the CEO relating to business and employee matters.
Corporate HSE Committee: This committee was responsible for providing leadership and strategic
guidance on all health, safety and environment (HSE) improvement initiatives and was responsible for
monitoring compliance against regulatory standards and selected international benchmarks.
Management Committee: This committee was responsible for reviewing and endorsing long-term strategic
plans, capital and expenses budgets, development and stewardship of business plans and reviewing the
effectiveness of the risk management processes and the system of internal control (see Exhibit 3).
COED Committee: This committee was responsible for the review of compensation, organization and
employee development (COED) matters for all employees excluding directors and executives.
During 2007, the management committee undertook a review of the major financial and operating risks
faced by the company. Internal controls were recognized by the company as being an important
responsibility of the board of directors. As no system could be totally risk-free, the company recognized
that the system of controls was there to minimize risk of material misstatement or loss, but could not
eliminate it completely. The detailed design and operation of the system of internal control had been
delegated to the CEO while the board retained the overall responsibility of the risks involved. The control
framework consisted of:

Clear organization structure;
Established authority limits and accountabilities;
Well-understood policies and procedures;
Budgeting and review processes.
The external and internal auditors’ reports were received by the board audit committee (BAC), and the
managing committee reviewed the processes and ensured that the controls were effective.
Engro’s business transaction data processing and communications were based on information
technology (IT) resources at two locations:
1. Head office in PNSC Building at Karachi.
2. Plant site at Daharki, which was 570 kilometers away.
All systems were linked so that the IT applications installed on servers in the head office were being
accessed by users at various locations:

Daharki plant;
Zarkhez plant at Port Qasim;
Other regional offices.
The IT assets at the head office consisted of computer equipment linked via an online data communication
network on which different application systems were being used. The company staff occupied three floors,
in the multistory PNSC building, and computer users were spread over all three floors. Computing
equipment on each of these floors was connected by means of a fibre optics backbone and each floor had
its own network control equipment such as switches. The head office was also connected to different
locations through a wide area network (WAN) (see Exhibit 4). The details of these links for various
locations were as follows:

256 kilobits per second (kbps) DXX³ link with plant site at Daharki;
64 kbps radio link with Zarkhez plant at Port Qasim;
64 kbps DXX link with regional office at Multan;
64 kbps DXX link with regional office at Hyderabad;
64 kbps data link with regional office at Lahore.
The server room was on the seventh floor where all communication links terminated onto the central router
in that room.
Engro’s two joint venture companies EPCL and EVTL had their head offices close to Engro in the Bahria
Complex⁴. Systems of these two companies were also connected with the Engro network by a digital
subscriber line (DSL) link through a firewall mainly for exchanging e-mails with Engro and to access the
There were two Internet connections: one with the Internet service provider (ISP) CyberNet over radio link
for Internet bound e-mails and connectivity with Lahore regional office, the other based on DSL
technology with the ISP Multinet and being used for Internet traffic. A firewall was used to protect Engro’s
network from various Internet threats.
The following Engro communication and financial application systems were located at the head office:

Lotus Notes-based e-mail system;
MIDAS system for sales;
SAP ERP system (see Exhibit 5) for accounting transactions.
All the key buildings at the Daharki plant were connected through optical fibre backbone and each building
had its own network equipment. All servers were located in a server room which was located in the
administration building. The Daharki network was connected to the head office network by a data
communication link. This link was based on DXX technology and consisted of a last mile radio link
between the plant and the local Daharki telephone exchange. The staff at the Daharki plant connected to
the router in the server room over dial-up telephone lines to access the Internet.
³ Digital cross-connect: A network device used by telecom carriers and large enterprises to switch and multiplex low-speed
voice and data signals onto high-speed lines and vice versa. It is typically used to aggregate several T1 lines into a higher-speed
electrical or optical line as well as to distribute signals to various destinations; for example, voice and data traffic may
arrive at the cross-connect on the same facility, but be destined for different carriers. Voice traffic would be transmitted out
one port, while data traffic goes out another. Cross-connects come large and small, handling only a few ports up to a few
thousand. Narrowband, wideband and broadband cross-connects support channels down to DS0, DS1 and DS3
⁴ Bahria Complex was a set of office buildings, owned by the Pakistan Navy, in which various companies had rented space
for their offices.
E-mail Setup
Engro’s e-mail system was based on IBM’s Lotus Domino technology, and Lotus Notes was used as a
front-end client to access the e-mail server (see Exhibit 4). Users in the Karachi office, Zarkhez plant and
all the regional offices except the Daharki region accessed the e-mail server in the head office.
The head office server was connected to the e-mail server in Daharki over a wide area network (WAN). It
was also connected to EVTL and EPCL’s e-mail servers over a DSL-based virtual private network (VPN)
link. All Internet e-mails for Engro Karachi staff, plant staff at Daharki and regional office users EVTL,
EPCL and EFL were received by the head office server through a firewall. Similarly, all outgoing e-mails
were sent to the relay server by the e-mail server at the head office. The Engro infrastructure was used by a
number of subsidiaries to route their business communications.
MIDAS was an in-house application developed using Oracle Developer, linking to the back-end Oracle
database. MIDAS used two servers in the head office: an application server and a database server. The
head office users accessed the database server through the Oracle client directly while all remote users
(regional offices and Zarkhez plant staff) accessed MIDAS through the application server via an Internet
browser. There was one MIDAS server at the plant, which was accessed by the plant distribution
department for the detailing of urea orders to the truckers and for processing their invoices.
Key activities performed by different users through MIDAS at the head office were the following:

Master data (new-product setup, urea pricing);
Bank guarantee handling;
Management of dealers account;
Payroll allowance entry;
Product shipment from the port and Zarkhez plant;
Monthly closing.
All information entered in the head-office MIDAS server was automatically replicated to the plant MIDAS
server using a replication feature created by Oracle. Similarly, any information entered at the plant (such as
trucker detailing, etc.) was replicated to the head-office MIDAS database server automatically.
SAP Setup
SAP was being used by the finance and human resource (HR) sections at the head office and by the
Industrial Relations Department at the plant to facilitate their operational needs (see Exhibit 5). Only two
modules of SAP — namely HR and financial control (FICO) — were in use on the Red Hat Linux
Advanced Server operating system. The following key tasks were performed using SAP at head office:

Accounts payable (invoice processing, payments, vendor payment, cash receipts, cheque printing);
General ledger;
Financial control;
Asset management;
Payroll processing (all Engro employees);
Compensation and benefit administration (all Engro employees).
The applications installed on servers at the Daharki plant were accessed mainly by users at the plant,
consisting of the following systems:

MAXIMO computerized maintenance management system (CMMS), also used by the purchasing
section at the head office.
MIDAS sales and distribution system which was used to update the shipments of goods and other
related information.
E-mail systems.
MAXIMO was a state of the art CMMS software system used by various organizations worldwide for
computer-based maintenance management: this system was installed at the Engro plant. The main module …