
RFID risk management: although there are many benefits to using the new RFID technology, careful thought must be given to the possible risks that come with it

Internal Auditor, April, 2005 by John Kopalchick, III, Christopher Monk

There are additional personnel risks with change management. These risks must be addressed through formal and proactive communication strategies and plans ensuring all stakeholders understand how they are impacted by RFID. Gillette and/or EPC Global initiatives are currently addressing many of these risks.

IT RISKS

Other key IT risks surfaced that have not been widely discussed in trade journals and among RFID participants. These include:

* Tasks associated with application control and IT change management, such as analyzing and addressing pilot results, system cutover, requirements management, program change control, configuration change control, process change control, and quality assurance processes, may not be adequate.

* Facilities used as backups may not have adequate RFID capabilities to serve customers (applies to a phased rollout by geography).

* Long-term disruptions in data processing or availability may occur. Support processes, including job scheduling, backup and recovery, continuity planning, and help desk services may not be adequate.

* The large volume of data collected may not be used effectively to create "information" relevant to managing and controlling the business, or may not be shared in an effective manner.

Data and comments received from the survey respondents, as well as the average risk scores, will provide key input for the generation of Gillette's audit plan in 2005 and beyond. In particular, internal auditing must monitor internal-based risks (versus external- or environmental-based risks) over data integrity, business interruption, and physical process changes to ensure the success of the auto-ID implementation, both initially and on an ongoing basis.

PROCESS RISKS

Few critical process risks surfaced from the survey. The primary concerns identified were the existence of adequate RFID-enabled backup facilities, business continuity planning, and the impact and integration of RFID-enabled processes with existing business processes. Generally speaking, Gillette, as a whole, focused on the broader post-implementation process risks. This is primarily attributed to the proactive nature with which Gillette is pursuing its RFID initiative. Gillette appears confident that it has the immediate risks contained, and is further along in its efforts on the broader, more long-term risks.

RELATED ARTICLE: Gillette Co. Risk Map

The average survey responses for likelihood and impact of each risk are plotted on a 2 X 2 risk matrix, with the upper-right quadrant representing the most significant or most critical risks--high likelihood and high impact. In this example, the graphical representation shows that 33 of the 46 total risks were scored as critical, or fourth-quadrant risks. Among those, 12 risks are process-related and 21 are technology-related. As a result, the top 10 risks--most critical--within the fourth quadrant were defined and further analysis was provided based upon the individual comments from the survey respondents. Identifying the most critical risks to the organization allows internal auditors to prioritize efforts related to further process assessment and testing to ensure appropriate plans are in place to effectively identify, manage, mitigate, and control each risk.


 


Content provided in partnership with Thompson Gale