Mohannad Maraqa, M.Sc., CAMP, PMD

This paper is intended as a helpful tool for creating a Quality Improvement Plan and a Risk Plan. The information in this document is therefore not real; it is the author's brainchild, provided for extra clarification.

QIP & Risk in Serigraph
By Mohannad Maraqa

Quality Improvement Plan

Activity to be considered: Implementation of a new project to reduce the office paper

Weakness: Uncontrolled office paper consumption leading to a high rate of paper waste and costly recycling in Serigraph company (usage of 53 tons of paper)

Impact Measures:
Financial Impact: 30% reduction cost (maintenance, energy cost etc.)
Environmental Impact: 28% reduction in office paper; 25% reduced energy consumption
Working Conditions/Office Productivity: 20-40% decrease of waste time searching for documents; 40% increase in the productivity; 50-70% saving space for documentation

Duration of the Project: 21 weeks (11th June-19th October)

Quality Improvement Plan and Risk Plan

Action 1: Trainer trains employees about the importance of reduction of office paper.
Outcome/Success Criteria: 90% of employee satisfaction. The staff understands the importance of the new project and participates in it.
Deadline: 15/06/2018
Resources: 1 week: Trainer. Training materials: a system of attendance, room for the training program, planning for training. Equipment: tablet or computer devices per every person.
Person Responsible: Lead trainer
Monitoring Arrangements: Attendance report, feedback after training, a 30-minute evaluation test of the staff.

Action 2: IT manager reduces printing devices and adopts a connected workplace.
Outcome/Success Criteria: 30% reduction of the printer devices.
Deadline: 22/06/2018
Resources: One week: Staff, electricians, technicians. Awareness about the exact amount of printing devices, awareness about the connected workplace. Equipment: computer devices.
Person Responsible: IT manager
Monitoring Arrangements: Report signed off.

Action 3: IT manager implements a new database management system (DBMS) which allows interchanging documents, saving the documentation of all departments and communicating with all of the employees.
Outcome/Success Criteria: 100% implementation of the new database management system (DBMS).
Deadline: 17/08/2018
Resources: 8 weeks: Program Developer, technicians. Knowledge about the development of a new simple software system. Equipment: computer devices. Investment of money.
Person Responsible: IT Manager
Monitoring Arrangements: Report signed off.

Action 4: Project Manager trains the entire staff for the new database system of communication and saving documentation and for the correct way of printing (format of the document, double-sided copies etc.).
Outcome/Success Criteria: 90% employee satisfaction. 70% improving staff knowledge skills.
Deadline: 24/08/2018
Resources: One week: Trainer. Training materials: a system of attendance, room for the training program, planning for training. Equipment: tablet or computer devices per every person.
Person Responsible: Project Manager
Monitoring Arrangements: Attendance report, feedback after training, 30-minute evaluation test of the staff.

Action 5: Environmental specialist implements a guideline for the decrease of office paper and informs the employees about the new environmental policy.
Outcome/Success Criteria: 100% environmental guidelines made accessible to staff.
Deadline: 28/09/2018
Resources: 3 weeks: Knowledge about the current environment situation. 2 weeks: Producing reports, information about new policy. 1 week: transportation of reports via new software system.
Person Responsible: Environmental specialist
Monitoring Arrangements: Confirmation reading by all employees. Reports signed off.

Action 6: Project Manager invents a marketing campaign (catchy slogans next to printing devices etc.) for the reduction of office paper.
Outcome/Success Criteria: 100% implementation of the new marketing campaign.
Deadline: 19/10/2018
Resources: 3 weeks: Stickers with slogans, posters. Staff.
Person Responsible: Project Manager
Monitoring Arrangements: Reports signed off.
Risk Specification

Risk Item Description: New database management system (DBMS) is not secure
Risk ID: SS01
Author: Mohannad Maraqa

Risk Statement Condition: If the new database management system (DBMS) is not secure,

Risk Statement Consequence(s): then the data is not protected; then the documentation, the personal emails and the confidential papers could be available on the internet; then people outside the company could have access to them, and the company has financial losses and decreased productivity.

Probability: High
Impact: Very High

Earliest the risk could have an effect: Starting from the design of the new database system.
Latest the risk could have an effect: Ending with the installation of the new database system.

Mitigation Plan(s):
1. Check the functionality of the database system before installation.
2. Adopt strong, multifactor access and data management controls to restrict uncontrolled access.
3. Restrict access by using an individual username and password for each user.
4. Determine who is responsible for having access to each category of documents (financial data, company's policy data etc.).
5. Monitor access to the Wi-Fi system by enforcing strong passwords, limiting the number of failed logins, etc.
6. Apply a maintenance strategy to all computers in use, ensuring their effective usage.
7. Create a well-configured firewall, together with anti-virus products, to control threats and prevent access by unknown users.
8. Remove unused applications and the oldest versions from the devices (laptops, tablets, mobile phones) to reduce the vulnerabilities of the new database management system.
9. Implement a robust backup strategy in order to eliminate the risk of data being lost or destroyed by malware.
10. Apply data encryption software to protect the database in case of data leakage.
11. Implement the Data Protection Act (DPA) to control the leakage of data and ensure data protection according to legislation.
12. Train the staff to build awareness of cybersecurity and to recognise threats involving malware and phishing emails.

Contingency Plan(s):
1. Provide IT technical emergency staff to turn off Wi-Fi access for all employees, limiting the breach of the data.
2. Provide IT technical emergency staff to detect the threat in the system, format all the computer devices and update their software.
3. Provide IT technical staff to control the applications and the versions of the installed programs on each device.
4. Provide a recovery plan, including procedures and a backup strategy, to reduce the damage of an unsuccessful security system.
5. Have the IT manager analyse and evaluate the impact of the breach, including financial loss, loss of competitive advantage etc.
6. Have the IT department investigate the causes of the unsatisfactory security system, such as uncontrolled access by employees, weak passwords etc.
7. Inform all the employees about the breach of the new database management system (DBMS) so that they do not use this database until it is fixed.
8. Inform the authorities (the police) and third parties, including banks, to reduce the financial loss.
9. Arrange legal action against competitors that use the company's data or against the hacker who accessed the database management system.

Quality Improvement Plan

Identification of the specific activity

Printing companies affect the environment directly due to the nature of the printing process and are willing to reduce their environmental footprint. At Serigraph Company, this is embedded in a philosophy of sustainability which gives equal weight to environmental policy, social responsibility and economic growth.
Having implemented this philosophy, Serigraph also considers minimizing its environmental footprint within the company (Leifeld, 2011). By implementing the new project to reduce office paper, a decrease in environmental damage is achievable (Siegel & Hatcher, 2012). Moreover, the impact of the cost and energy saving is noticeable (Calton, 2005). Finally, working conditions are improved, creating a comfortable environment and self-improvement of employees through the new knowledge and skills they obtain (Agencies, 2014).

The motivation for implementing a new office paper reduction project emerged from the adoption of such projects by other companies (Leifeld, 2011), as well as from environmental legislation and the campaigns carried out globally (McCool, 2007). Additionally, uncontrolled printing behaviour is the largest reason for consumption, and a cost saving could be achieved by implementing and supporting a new office paper reduction system (Chartered, 2010). Another motivation is that paper consumption has a visual impact and influences the employees' productivity (Agencies, 2014).

The implementation of a new project that minimizes office paper is the solution to the paper consumption. Firstly, this project includes the development of a new connected workplace and the reduction of printing devices (Cisco, 2007). Secondly, the application of a new database management system (DBMS) improves communication between employees and ensures that documentation is saved, while saving office space and raising employee satisfaction by reducing the time wasted searching for documents (Agencies, 2014). Thirdly, the organizational culture should be changed by inventing an environmental campaign and supporting the employees in reducing office paper (Cole & Fieselman, 2013).
Impacts and benefits of implementing the new project

The weakness of the old environmental policy is uncontrolled printing in offices, which leads to a costly recycling policy and a high rate of waste, creating the company's negative environmental impact.

Adopting a new project for the reduction of office paper brings many advantages, including environmental, economic and working productivity impacts. In the first place, the most important benefit is the financial impact. Indicatively, the firm will be able to achieve a 30% decrease in cost. The cost saving includes the maintenance cost and energy consumption, which is minimized by 25% (McCool, 2007). Apart from financial performance, environmental legislation for a sustainable and 'green' office supports companies in adopting a new policy and reducing the consumption of office paper by 28% (Siegel & Hatcher, 2012). By adopting the new project, a space saving of between 50% and 70% is possible. Additionally, the employees' productivity is increased by 40%, while the time wasted searching for documentation could decrease by 20% to 40% (Agencies, 2014).

Description of the actions of the Quality Improvement Plan (QIP)

Achieving the impacts described above can improve the company's performance in economic terms as well as its environmental footprint and employees' productivity. The guideline of the six developed actions is outlined in the Quality Improvement Plan (QIP) and is described below.

The implementation of the new environmental project for the reduction of office paper entails changes in the culture of the company and in the working environment.
Because of the different application and the newly emerged environmental culture, the employees need to be trained by the trainer to raise awareness of the importance of the new project (Moormann et al., 2011). It has been shown that, to implement a change in an organisation successfully, an appropriate training program is necessary, one that supports staff self-awareness and improves team effectiveness during the project's process (PaperLess, 2017). An effective training program enhances the motivation of the employees to comprehend and participate in the new project, consequently improving their productivity. The outcome is presented in the Quality Improvement Plan (QIP) and consists of 90% employee satisfaction. The training program is monitored by an attendance report, to be sure of the staff's involvement in training, as well as by an examination after the training program to evaluate the employees (Fretty, 2006).

Actions two and three are executed by the IT manager. In action two, the IT manager implements a connected workplace while reducing the unnecessary printing devices. The IT manager knows the exact number of printers needed and how this new system is applied (Agencies, 2014). Through the connected workplace, the visual impact is improved by the elimination of the documentation (Cisco, 2007). However, some organisations refuse to invest money and time in creating a connected workplace, preferring to adopt a payment system for printing. More specifically, each employee should pay for printing (PaperLess, 2017).

In action three, the newly adopted database management system (DBMS) allows the users to improve communication within the company by interchanging documents whilst saving a large amount of the documentation. Communication is improved by 20% and the 30% reduction of the printing devices is realised.
Apart from a well-skilled program developer, an investment of money is required for the development of the database. Reports on the usage of the software are submitted to the IT manager by the employees (McCool, 2007). However, adopting a new database management system containing the company's documentation and confidential papers carries a risk regarding system security as well as the ease of use of the system for the employees. The new system should be implemented by well-educated IT employees with regard to data security and control of the system, which is an essential element for the company's reputation (Dey et al., 2007).

Action four also involves a one-week staff training schedule on the usage of the new database management system (DBMS) and on a sustainable way of printing, which is monitored by attendance reports and an examination after training. The training program entails practice lessons using the new database system and the new way of printing. Sustainable printing consists of the format of the document, double-sided copies and the exclusive use of technology. It is very important to persuade the staff that the main objective of the system's implementation is the positive environmental impact. To create a sustainable office, the employees' involvement is necessary in order to embrace the new culture and implement other actions of the environmental policy, including waste reduction. The full implementation of the new system increases the employees' confidence and staff knowledge skills (Calton, 2005).

The fifth action is an adequate environmental policy based on ISO standards, which presents a guide for a 'green' office and is adopted by the environmental specialist. Additionally, the new policy is transmitted throughout the company by information reports about its impacts and benefits via the new software system.
The new system is accessible to the employees and therefore the staff's awareness of the new environmental policy is increased, as highlighted by McCool (2007). The adoption of the uploaded environmental policy through ISO standards is compulsory for all companies under the new strict legislation arising from emerging global environmental issues. To motivate organisations to implement the strict environmental legislation, many countries adopt a bonus system for the most sustainable organisations by reducing their taxes. On the contrary, a new sustainable system implies investment of funds (new equipment, training programs etc.) that some companies are not able to make.

The last action is executed by the project manager, who invents a campaign using stickers, posters and catchy slogans that are placed on the printing devices during the project. The successful implementation of the campaign is expected to provide a positive environmental impact. Finally, a control system is installed to manage the personnel's printing footprint (McCool, 2007).

Risk specification

Identify the specific risk

After analysing and evaluating the quality improvement plan for reducing office paper in Serigraph Company, risk management needs to be implemented through a detailed plan. Adopting risk management makes it possible to monitor the project's process by reducing the financial, social and environmental impact of emerging risks and to improve the project's quality and profitability (Meyer, 2015). In this report, three risk techniques are used to analyse and evaluate the risk management of the project: risk grid analysis, Riskit graph analysis and the Ishikawa diagram, as demonstrated in the Appendices.
In the first place, the risk identification, including the potential risks, their impacts and the possible consequences, is displayed in Appendix A of this report. The risk grid technique makes it possible to identify and map the rating of potential risks according to the described dimensions, avoiding the biggest damage to the project. As displayed in Appendix A, training failure due to non-attendance at the program is identified as a risk (T01, T02) in new software systems, as highlighted by Dey et al. (2007). Additionally, the failure of the connected workplace (CW01) is addressed as a risk that requires a mitigation and contingency plan and is highlighted in yellow (Appendix A) (Cisco, 2007). Because a database management system (DBMS) is newly implemented, the severity of the risks to the system's security (SS01) and of a crash (SS02) calls for direct control and reduction of their impact on the project (ICO, 2016; Dey et al., 2007). As a risk with very high impact and high probability, the insecure database system is presented in the risk specification sheet and is analysed and evaluated below.

Nowadays, with increased technology and the growing interest in IT projects supporting the management of companies, existing studies claim that the security of data in new database systems is the major issue and a trend in management (Dey et al., 2007; ICO, 2016; Dalal & Chhillar, 2012). According to the risk specification, if the new system is not secure, the data are not protected and the company suffers a big loss through the leakage of important documents regarding the company's financial performance as well as the supplier lists and its confidential papers. Thus, all documents could be available on the internet, and competitors may use them to take the company's competitive advantage.
These consequences have a very high impact on profitability, productivity and economic performance, as well as a high probability.

The Ishikawa or fishbone diagram (Appendix C) is a visualization tool for categorizing the causes of a problem by asking why, identifying the problem's roots. Before designing the fishbone diagram, a brainstorming session takes place on the potential causes of the problem, which are categorized by hierarchy level.

After the risk identification, the likelihood of the most damaging risk needs to be lowered in order to reduce its loss. To minimize the negative impact on the project produced by risk occurrences, a mitigation plan is created, which is the detailed determination of appropriate actions. A complete risk analysis also contains a contingency plan, in order to control the outcomes of risk occurrences. Contingency plans aim to prepare the company to respond to the emergency and monitor the consequences. The mitigation and contingency plans for the insecurity of the new database management system (DBMS) are presented in the risk specification sheet and evaluated in the next sections.

Mitigation Plan

The strong motivation for creating a Quality Improvement Plan is cost reduction, while the potential risk of an insecure database system has arisen. In designing the Ishikawa diagram, the roots of the problem are identified in four categories according to Appendix C. The mitigation plan is developed to decrease the impact and likelihood of this specific risk. In the first place, the leakage of confidential data is caused by uncontrolled access to the new system by the majority of staff, due to the lack of strong passwords and of control of the Wi-Fi system (Dalal & Chhillar, 2012).
The second cause of the system's insecurity concerns the firewall: a well-configured firewall needs to be created for the system's protection, in order to keep viruses from threatening the new database management system (DBMS) (ICO, 2016). In case of data leakage, the most effective solution is the installation of data encryption software, using an extra firewall to protect the data (MFT, 2008). Another possible failure of the system's security is a weak maintenance strategy for the electrical equipment (laptops, tablets and smartphones) (Dalal & Chhillar, 2012). Examples of improving the maintenance strategy are the removal of unused applications and their oldest versions to reduce vulnerabilities, and a backup plan to minimize the risk of data loss. In line with the relevant legislation on data security, the mitigation plan also involves implementing the Data Protection Act (DPA) to ensure data protection (ICO, 2013). Ensuring staff awareness of cybersecurity and recognition of threats involving malware and phishing emails is a milestone for a successful mitigation plan. The mitigation plan also contains checking the functionality of the database system before the system's installation.

Contingency plan

An essential element of risk management for the new software implementation is the conceptualization of potential risks during the project. If the mitigation plan fails or the risk occurs and turns into a problem, the risk is controlled by implementing the contingency plan. The Riskit Graph Analysis depicted in Appendix B visualizes and formalises the risks, their impact and their consequences. Starting with the first emerging event, when the IT manager perceives the leakage of data through threat detection in the security software, the company is required to take technical actions in order to avoid the total leakage of data.
Possible reactions, such as turning off the Wi-Fi to interrupt the internet connection and implementing the maintenance strategy using the backup plan and the Data Protection Act (DPA), can lead to the minimization of data leakage and the recovery of lost data. Interrupting the internet connection also interrupts working time, and the company needs to send the staff home until the system is fixed by the IT department. The Riskit Graph Analysis illustrates the effects of the developed actions in terms of cost and time loss as well as the company's reputation and productivity. When use of the company's documentation is recognised through unusual traffic activity on the company's bank accounts, it is necessary to be prepared and to inform the authorities (police and banks) as well as the company's employees about the leakage of data. These actions negatively affect the company's reputation by informing parties outside the company. Another alternative is to take legal action against hackers in order to restore the company's reputation. In every event, doing nothing is always an option, but it carries the highest negative impact on the company and is not preferable. Implementing the contingency plan is essential to limit the damage of the occurred risk and its consequences.

References

Agencies, C.D.&., 2014. Colorado Department of Public Health and Environment Print Optimization Business Case. [Online] Available at: https://www.colorado.gov/pacific/sites/default/files/Case%20Study%20%20Print%20Optimization_1.pdf [Accessed 2015].

Calton, R., 2005. Office Paper Waste Prevention Case Study. [Online] East Bay Regional Available at: http://www.stopwaste.org/sites/default/files/Documents/ebrp_final_101305.pdf [Accessed 2006].

Chartered, S., 2010. Reducing and Eliminating Paper Consumption. A best guide for Corporate Office.

Cisco, 2007. How Cisco Achieved Environmental Sustainability in the Connected Workplace. [Online] Available at: https://www.cisco.com/c/dam/en_us/about/ciscoitatwork/downloads/ciscoitatwork/pdf/Cisco_IT_Case_Study_Connected_Worplace_Summary.pdf.

Cole, E. & Fieselman, L., 2013. A community-based social marketing campaign at Pacific University Oregon: Recycling. International Journal of Sustainability in Higher Education, 14(2), pp.176-95.

Dalal, S. & Chhillar, R., 2012. Case Studies of the most common and severe types of software system failure. International Journal of Advanced Research in Computer Science and Software Engineering, 2(8).

Dey, P., Kinch, J. & Ogunlana, S., 2007. Managing risk in software development projects: a case study. Industrial Management & Data Systems, 107(2), pp.284-303.

Fretty, P., 2006. Training the troops. PM Network, 2(1), pp.4-8.

ICO, 2013. ICO. [Online] (2.0) Available at: https://ico.org.uk/media/about-the-ico/policies-and-procedures/1853/dataprotection-regulatory-action-policy.pdf [Accessed August 2013].

ICO, 2016. A practical guide to IT security. Ideal for the small business. [Online] Available at: https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf [Accessed 6 January 2016].

Leifeld, N., 2011. ASQ. [Online] Serigraph Available at: https://asq.org/quality-resources/social-responsibility-serigraph [Accessed 2 May 2011].

McCool, C., 2007. How to Reduce Printing Costs by 17%: A Guide to Doing Well and Doing Good by Printing Less. [Online] (1.1) Available at: http://www.printgreener.com [Accessed September 2008].

Meyer, W.G., 2015. Quantifying risk: measuring the invisible. In PMI® Global Congress. London, England, 2015. Project Management Institute.

MFT, G., 2008. Go Anywhere Managed File transfer. [Online] Available at: https://www.goanywhere.com/resource-center/case-studies/generalplastic-corp-sa [Accessed March 2009].

Moormann, J., Börner, R. & Wang, M., 2011. Advancing staff training: transforming a paper-based role play into a workflow management system. Development and Learning in Organizations: An International Journal, 25(6), pp.16-19.

PaperLess, 2017. PaperLess. [Online] Available at: http://paperlesseurope.com/wp-content/uploads/UK-Fast_CaseStudy_V4.pdf [Accessed 2016].

Siegel, D. & Hatcher, N., 2012. Case Study: Education and Outreach Campaign Reduces Paper Usage. [Online] Available at: https://www.epa.gov/sites/production/files/2015-05/documents/cs5-opmpaper-reduction.pdf [Accessed February 2014].

Appendix A

Risk Grid

Code: T01
Risk: Staff did not attend the environmental training program
Consequences: Not well-informed employees due to the absences in the training. Delays due to the need of retraining.
Impact: Very Low

Code: CW01
Risk: New connected workplace is not adopted successfully
Consequences: No reduction of office paper, high energy consumption, financial loss.
Impact: Medium

Code: T02
Risk: Staff did not attend the database management system (DBMS) program
Consequences: Not well-educated employees due to the absences in the training. Delays to customer's services create decreased productivity and failure to meet customer's requirements, financial loss.
Impact: Medium

Code: SS01
Risk: New database system is not secure
Consequences: Not protected data, financial loss, delays to customer's services create decreased productivity and failure to meet customer's requirements.
Impact: Very High

Code: SS02
Risk: New database system crashed
Consequences: Loss of data, delays to customer's services affect financial cost. Decreased productivity and failure to meet customer's requirements.
Impact: Very High

Code: MC01
Risk: New marketing campaign is not implemented
Consequences: Less energy saving, less financial loss.
Impact: Very Low

Code: T03
Risk: Staff fail to be informed about a new environmental guideline
Consequences: Not well-informed employees due to the unsuccessful communication in the company.
Impact: Low

Probability (values as listed, not aligned to rows): Medium, Very Low, Low, Low, High, Medium, Very Low

Risk Heat-map (axes: Impact and Probability, each rated Very Low, Low, Medium, High, Very High; risks plotted: MC01, T03, CW01, T01, T02, SS02, SS01)

Appendix B

Riskit Graph Analysis

Factor: New database management system is unsecure

Events:
Data are not protected due to the detected threats in the security system
Uncontrolled data access from hackers due to the unusual traffic activity to the company's bank accounts

Reactions:
Send employees home in order to fix the damage
Provide recovery plan for the lost data using the back-up plan
Implement maintenance strategy including implementation of the Data Protection Act (DPA)
Detect the threats in software system through the security system by the IT staff (e.g. malware, damaged files)
Evaluate the impact of the leakage of data by the IT manager financially
Emergency actions: Turn off Wi-Fi, update the system
Do nothing
Inform employees about the data leakage
Inform authorities (police, bank) about the data leakage
Arrange legal actions against hackers for data access
Do nothing

Effects:
Additional cost, time and resources loss due to extra working hours, no impact for company's reputation
Financial cost, time loss due to training, resources loss due to additional working hours, no impact for reputation
Work loss due to the unexpected holidays, additional cost for new equipment, time and resources loss for repairing the system
Resources loss for IT manager, time loss/increased working hours, no impact for company's reputation
Time loss and resources loss for IT department, financial cost
Time and resources loss, stoppage / low productivity, negative impact of company's reputation
Financial loss, time loss, stoppage, low productivity, decreased company's reputation
Time and resources loss, stoppage / low productivity, decreased reputation
Time and resources loss, reputation loss, negative impact for company's reputation
Time loss, financial and resources cost from law department, decreased company's reputation
Financial loss, time loss, stoppage, low productivity, decreased company's reputation

Appendix C

Ishikawa Diagram