



1.1 Background of the Study


Enterprise risk is a risk that encompasses all major risks faced by a business firm (COSO, 2004). This risk can be classified according to its nature and thus may include pure risk, speculative risk, strategic risk, reputation, legal, operational risk and financial risk. Enterprise risks can also be classified according to the source of the risk: internal, strategic and external risks. Internal risks are risks that are caused by factors within the organization that can be controlled, such as the risk of employee misconduct or systems and technology failures, while strategic risks are risks taken on by an organization in the pursuit of value (for instance, the risk associated with an investment in developing a new computerized production system), and external risks are largely beyond its control. An example is the risk of impact from a natural disaster like an earthquake, economic and political factors (Thuku, 2012).

These days a growing number of companies devote a significant portion of their management effort to discussing risk and risk management. However, a vast majority of organizations have made very little effort to ascertain the risk profile of their companies, and this in effect means that they have not put any structures in place to address the risks.


  • Operational and Database system Risk

Operational risk is part of enterprise risk and results from the firm’s business operations, such as from services offered using computer systems that hackers may break into (COSO, 2004). Shevchenko (2010) notes that in the 1990s there was no widely accepted definition of operational risk. Often, operational risk was defined as any risk not categorized as market or credit risk. Some defined it as the risk of loss arising from various types of human or technical error.


BBA, ISDA, RMA and PwC (1999) came up with the first universally accepted definition of operational risk, which was later affirmed by the BCBS (2004). They defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. It is the risk of loss arising from the potential that inadequate information systems, technology failures, breaches in internal controls, fraud, unforeseen catastrophes, or other operational problems may result in unexpected losses or reputation problems. The BCBS (2004) adds that such operational risk captures business continuity plans, environmental risk, crisis management, process systems, people related risks and health and safety, and IT risks. Abolhassani and Moghaddam (2008) (as cited in Akbari, 2012), while appreciating the definition of operational risk by BCBS (2004), opined that operational risk is the risk of failure and lack of efficiency in personnel, technology and working process. This appears to be in line with the definition used by Credit Suisse Group (as quoted by IIF and McKinsey & Co., 2011) that operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may tangibly manifest itself in the likes of business disruption, control failures, errors, misdeeds or external events. The BCBS (2004) definition of operational risk has been adopted or adapted by many firms, but it is just one of many possible definitions that can be used. This study adopts this definition.


The importance of operational risk has been highlighted recently with the spread of IT applications, which has brought about new problems for organizations. Any failure of the IT systems will give rise to a major element of operational risk known as IT risk, which includes such threats as business interruption, disaster recovery, business and information security, data backup and protection, business license compliance and social media use (Jammal, 2011). BCBS (2006) adds to this list human error, external fraud by intruders, obsolescence of applications and machines, availability, performance, reliability issues, mismanagement and natural disasters. Kitheka (2013) defines IT risk as the risk of failure or malfunction of the IT applications and infrastructure used to support a company. He goes on to identify the relevant elements of IT infrastructure as: network and user management, configuration management, system performance and capacity, IT service request, service level and helpdesk management. The study adopts this definition but also includes data backup and protection and disaster preparedness, license compliance and IT security.


  • Database system Operational Risk Minimization

By the very nature of project management there will always be uncertainty. Whether it’s small or large, complex or simple, every project has risk. It is the job of managers to do their best to minimize the risk in projects (Bogue, 2005). The first step to risk minimization is to identify all risks that are possible in the organization and consider all internal and external factors that could give rise to the risks. The next step is to evaluate the risk based on its probability and impact to the organization’s operations. The risks are then prioritized and managed by putting in place measures to control them and having mitigation strategies for those risks that can’t be controlled. During the implementation phase all risks must be constantly monitored in accordance with the risk assessments.


The greatest cost of an IT system implementation occurs long after the initial development and deployment is over, when the system enters the support and maintenance phase of its life cycle. Adopting good practices will therefore reduce the long term operational cost and associated risks (Murphy, 2010).


  • Database system Post Implementation Practices

Acquiring advanced technologies does not necessarily lead to success. A firm’s performance critically depends on how these technologies are implemented. Successful implementation of these technologies requires, among other things, a human resource strategy to develop the necessary worker skills and engage them in the process (Hornstein, 2008). Karimi (2006) argued that IT system implementation depends on many factors affecting the project’s pre-implementation, implementation and post implementation stages. He identified these factors as comprising four elements: data classification, management controls, operational controls and technical controls. During each implementation stage the organization is required to put in place practices that address these elements, and as a consequence there is minimal disruption of the IT systems. This study will concern itself with the practices adopted by organizations to guide IT implementation during the post implementation stage. For this study, post implementation is the stage after the project is handed over to the client by the vendor. Kimwele (2013) argues that there is evidence from his survey to suggest that despite numerous technical guides and principles there is no recognized, standard approach at an organization-wide level to help in addressing these IT challenges, and suggests that SMEs could develop and adopt appropriate IT security standards and policies, identify IT security roles and responsibilities, create IT security awareness, put in place data recovery measures, and protect organizational assets. He also suggests that lapses in practice account for the serious IT security challenges faced by SMEs in Nigeria.


Asangansi (2013) argues that the implementation of HMIS has become a major challenge for researchers and practitioners because of the significant proportion of failure of implementation efforts. He states that researchers have attributed this significant failure of HMIS implementation, in part, to the complexity of meeting with and satisfying multiple (poorly understood) logics in the implementation process. It is also possible that there could be a relationship between the failures and the implementation practices adopted.

The IT systems implementation process is complex and as such requires careful consideration of the organizational context (Gladwin et al, 2003). National policies and guidelines are expected to be reflected in the plans of the implementing institutions, but prioritized to reflect the context. The sad thing is that some of the government organizations examined are not aware of the national ICT policy and have continued to implement ICT systems without referring to the policy (KACCA, 2008).


New risk categories such as operational, strategy and reputational risk are highlighted as new critical focal areas for an organization by Deloitte (2012), and more importantly it was reported that risk management programs have not been quite effective in these areas. Implementing a successful operational risk discipline will require significant changes in corporate cultures, and senior management understanding of and commitment to a robust internal risk management structure (BITS, 2004).


  • Database system Post Implementation Practices and IT Operational Risks

Post implementation practices affect the risk levels of an organization. What the company does or does not do after an IT system is put in place greatly affects the success or failure of the system. Obviously, failure leads to IT risk from malicious actions, man-made and natural disasters, or inadvertent errors made by users and so forth. Over the past few decades, IT applications have become more susceptible to these risks because of the widespread usage of computers, the interconnectivity of these computers, and the rapid development of Internet applications (Badie, 2011). Risk is also fueled by the lack of appropriate practices that creates an enabling environment for implementing IT systems.


ISACA (2006) (as quoted by Önal, 2006) puts it that since IT is now central and widely used, organizations will continue to be exposed to operational risks related to the use of IT such as virus attacks, breakdown of infrastructure, unauthorized access to data, performance problems, system and infrastructure contingency. A survey carried out by Taub (2002) found that 81 percent of organizations feel they are vulnerable to a serious operational incident.


Without proper IT governance, IT systems can lose integrity with serious implications on performance and can also result in breach of client confidentiality (Makau, 2010 as quoted by Munene, 2009). Gladwin et al (2003) and KACCA (2008) noted that some organizations were implementing ICT systems without reference to any policy. As a consequence, organizations are exposed to serious vulnerability to information systems security violations.


Experience has shown that the IT operational risk exposure of an organization increases with the use of IT. The extent of the exposure depends on the post implementation practices adopted after the project is handed over by the vendor. Research shows that IT operational risk is fueled by lack of appropriate practices to guide IT implementations, and worse, by the fact that some organizations do not know what to do.


  • Public Hospitals in Nigeria


Nigerian hospitals can be divided into different facility types under public, faith based, private and non-governmental. Public hospitals can be distinguished from the rest of the facilities by having been officially gazetted and “taken-over” by the government and placed under the Ministry of Health (MOH), or are under the Prisons, local authorities, Armed Forces, academic, parastatal or the Constituency Development Fund. The hospitals under MOH are categorized into five levels with each level providing different services to the public. The five categories are: provincial general hospitals, district hospitals, sub-district hospitals, health centres and dispensaries. There are approximately 6,150 hospitals in Nigeria of which 41% are public.


The health sector in Nigeria has a multiplicity of health information systems – manual, computer and web-based. There is little co-ordination between systems and much duplication of data and effort. Yet according to the MOH these systems rarely yield the quality of information necessary for the planning, programme and resource monitoring, and performance-based review that the health managers require (MOH, 2010).


The key institutions that influence ICT policy formulation and implementation in Nigeria public institutions include the Ministry of Information and Communications; ICT Authority and Communications Commission of Nigeria. The ICT Authority is mandated with marketing Nigeria as an ICT market leader and coordinating the provision of public sector shared service.


1.2 Statement of the Problem

IT operational risks result from improperly performing ICT operations and lead to loss of computer assets, increased risk of fraud, loss or theft of data, privacy violations and business disruption (Straub & Welke, 1998). This risk implies that internal processes, people and systems are controlled inadequately (BCBS, 2004). These findings provoked interest to find out if hospitals in Nigeria are facing these risks and what internal and other controls are in place to minimize these types of risks.


Though the government develops ICT guidelines and policies for hospitals to follow, the guidelines are in general terms and do not prescribe the implementation details, which are left to the hospitals (Gladwin et al, 2003). Waema et al (2010) studied the key challenges facing the ICT sector in Nigeria and pointed out that there is poor implementation of these policies by government institutions. A study by Woods (2009) concluded that the central government and MOH policies are key variables in the management of IT implementations in public hospitals. This study intends to find out how the public hospitals adopt government guidelines for minimizing IT post implementation risks.


An Ernst & Young (2012) survey in the United States found that 65% of the surveyed organizations reported that they would have trouble recovering from system-wide computer failure before it caused significant disruption to their business. Since the study was in the USA, a study may be required to find out how organizations in Nigeria would recover from a serious computer failure and ensure the IT systems are restored to their original state.


Kimwele et al (2005) found evidence to suggest that IT security policies are not widely adopted by Nigerian SMEs and according to Makumbi et al (2012) small business owners in Nigeria are unclear on how to safeguard their businesses from IT risks that come with the increased reliance on IT. A gap exists for researchers to find out how hospitals in Nigeria protect their IT assets and what IT risks they face.


Kimwele (2005), Nicolaou (2008), Gladwin et al (2008) and Hughes (2006) focused on the IT implementation process itself and pre-implementation factors as well as the risk management process. They did not carry out a study on IT post implementation practices or IT operational risk. Research may be required to document the IT practices adopted by public hospitals during the IT post implementation period.


Research also shows that IT risk exists because internal processes, people and systems are controlled inadequately (Kimwele, 2013; Asangansi, 2013; KACCA, 2008; Deloitte, 2012; Taub, 2002; Munene, 2009 and Waema, 2010). This prompts the question: To what extent is this observation true for public hospitals in Nigeria?


The study sought to answer the following research question: What is the relationship between IT post implementation practices among public hospitals in Nigeria and IT operational risk minimization? This study endeavored to establish the relationship between IT post implementation practices and IT operational risk minimization among the public hospitals in Nigeria.


1.3 Research Objectives


The study’s main objective was to establish the relationship between IT post implementation practices and IT operational risks minimization in public hospitals in Nigeria. The specific objectives are:-


  1. To establish the IT post implementation practices in public hospitals in Nigeria.
  2. To identify the existing IT operational risks in public hospitals in Nigeria.
  3. To determine the relationship between IT post implementation practices and IT operational risks minimization among public hospitals in Nigeria.


1.4 Importance of the Study


The study results should inform the public hospitals of the IT operational risks most of them are exposed to and the relationship between the risks and the IT post implementation practices adopted by them. It is hoped that the hospitals will use this information as a guide in restructuring their organizations for the purpose of better managing IT operational risk with a view to minimizing IT operational risk.


It is hoped that the research findings will assist the government in stipulating policy actions necessary to spur the implementation of IT in the sector. More importantly, the government should use the results to evaluate the likelihood of success of its drive to create functioning IT systems in the public hospitals across the county with the aim of establishing a national health database.


This study seeks to contribute to the literature by broadening the understanding of the IT post implementation practices adopted and the IT operational risks experienced by public hospitals in Nigeria. The results could be important in understanding, improving or even developing theories relating to IT post implementation practices.


It is also hoped that IT professionals will learn from the findings and improve on the IT implementation process they use by selecting and improving on the best implementation models. The study also aims to inform IT professionals what happens long after they have handed over the project to a client.


