IOSR Journal of Computer Engineering (IOSR-JCE), e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 16, Issue 2, Ver. IX (Mar-Apr. 2014), PP 85-98
An Assessment of Risk Management Strategies for Financial Information Systems by Financial Institutions in Kenya
Ann Kibe
 Prof Waweru Mwangi
Dr Stephen Kimani
School of Computing and IT, Jomo Kenyatta University of Agriculture and Technology, P O Box 62000-00200  Nairobi Kenya
Decision making is an important aspect of software process management. Most organizations allocate resources based on predictions. Improving the accuracy of such predictions reduces costs and helps in efficient resource management. Risk management is of vital importance for any financial institution (and any enterprise, for that matter) to keep its information systems secure at an acceptable level. The key issues are how to reduce the probability of risk occurrence and how to decrease the loss from risk consequences. The main tasks for implementing such requirements involve determining the causes of risks, estimating the probability of risk occurrence, and evaluating the severity of risk consequences, all of which are part of risk analysis. In the process of risk analysis for information systems, models are built in order to analyze and better understand the risk factors and their causal relationships in real-world information systems. Establishing an appropriate model suitable for the target risk problem is a crucial task that will ultimately influence the effectiveness of risk analysis results. In the existing literature, most of the approaches either assumed that the structure of the model was provided by domain expert experience and knowledge, or assumed that the structure was chosen from some general well-known class of model structures; thus, the results of risk analysis were relatively subjective. To overcome these drawbacks, not only should expert experience and knowledge be taken into account, but the database of observed cases from information systems should also be utilized in the process of modeling. With the growth of the dependency on IT, the impact of risk concerns on the development and exploitation of information systems has also increased exponentially.
The risk management system focuses on specific phases of the software life cycle, without recognizing that risks in one stage can have an impact on other stages. This paper explores the risk situation as it is in the financial institutions in Kenya and suggests ways through which risk management can be brought a notch higher in order to minimise the losses incurred when faced by these risk situations.
Keywords: Risks, risk analysis, risk management
The researcher has used a qualitative research approach. The qualitative research paradigm, also referred to as the “constructivist”, “naturalistic”, “interpretative”, “post-positivist” or “post-modern perspective” approach (Lincoln & Guba, 2011 and Smith, 2011), is an enquiry process of comprehending a social or human problem/phenomenon based on building a complex holistic picture formed with words, reporting detailed views of informants and conducted in a natural setting (Creswell, 2010). Qualitative research is multi-method in focus, involving an interpretive, naturalistic approach to its subject matter. This means that qualitative researchers study things in their natural settings, attempting to make sense of, or interpret, phenomena in terms of the meanings people bring to them (Newman & Benz, 2011). A qualitative approach is one in which the inquirer often makes knowledge claims based primarily on constructivist perspectives (i.e., the multiple meanings of individual experiences, meanings socially and historically constructed, with an intent of developing a theory or pattern) or advocacy/participatory perspectives (i.e., political, issue-oriented, collaborative or change-oriented) or both. It also uses strategies of inquiry such as narratives, phenomenology, ethnography, grounded theory studies or case studies.
1.1 Research Design
Creswell and Clark (2007) state that research designs are procedures for collecting, analysing, interpreting and reporting data in research studies. Rigorous research designs are important because they guide the methods and decisions that researchers must make during the study and set the logic by which interpretations are made at the end of the study. The exploratory research design used has outlined the situation with respect to the variable being investigated. This type of research design makes it possible for data to be collected effectively without any manipulation of the research context. The research design seeks to lay out the goals of the research by stipulating the practical issues that are the focus of this study (Saunders et al, 2009). Research can be classified in terms of its purpose. Accordingly, it is most often classified as exploratory, descriptive or explanatory (Saunders, Lewis & Thornhill 2003). The researcher has opted to use exploratory research. Exploratory research is used to develop a better understanding (Hair, Babin, Money & Samouel 2003). Exploratory studies are a valuable means of finding out what is happening, seeking new insight, asking questions and assessing phenomena in a new light. They are particularly useful if the researcher wishes to clarify the understanding of a problem. There are three principal ways of conducting exploratory research: a search of the literature, talking to experts in the subject, and conducting focus group interviews (Saunders, Lewis & Thornhill 2003).
1.2 Population of the Study
The target population consisted of employees of various financial institutions with background knowledge of FIS and risk management by virtue of their positions in their organizations, be it managerial or administrative. They include directors, managers, and unit and departmental heads.
1.2.1 Sampling Frame
To facilitate data collection, the study’s sampling frame constituted a listing of institutions from various sectors which include: banks, SACCOs and micro finance institutions. There were a total of 40 respondents from various financial institutions.
1.2.2 Sample and Sampling Technique
An adequate sample size should allow reliability of results so that the investigation can be repeated with consistent results. A sample is a small set of data drawn from a population; Leishman (2008) noted that the sample should be sufficiently and demonstrably representative of the population in order to allow analysis of the sample to be used. The sample size affects the confidence interval; thus one could, in principle, select the sample to yield any degree of confidence (Doodley, 1995). For this study, a stratified purposive sampling technique was adopted for data collection from the sampled institutions and key informants, since financial institutions are discrete and in an effort to maintain confidentiality of the respondents. This is normally done by dividing the population into different strata on the basis of some common characteristics.
Data Collection
Because surveys make it possible to study a population too large to observe directly, they present an excellent mechanism to collect original data. According to Babbie and Mouton (2001: 232), the careful selection of a probability sample will provide a group of respondents whose characteristics could mirror those of the larger population. The data gathered by studying the characteristics of the sample can then be generalised to the larger population. This data is then gathered by administering a questionnaire, otherwise known as a structured scheduled interview. Bradburn et al. (2004: 360) define a questionnaire as “the complete data collection instrument used by an interviewer or respondent (or both) during a survey”. Primary data was used for this study and the data was collected using questionnaires that were hand delivered and also sent by e-mail. A questionnaire was prepared to understand the perspective of various financial IS stakeholders on risk management, including the use of Bayesian networks. The questionnaire was designed as per the objectives of the study. Secondary data was also used. Information was obtained from various journals, publications, websites and reports. Secondary sources helped the researcher in explaining different conclusions based on previous studies that have been conducted and concluded, while the primary data sources were information collected by the researcher herself specifically for the study (Pervez & Kjell 2005).
Validity and Reliability of the Instrument
To reduce the possibility of getting the answer wrong, attention needs to be paid to two particular aspects of research design: reliability and validity (Saunders et al., 2003). Validity is concerned with whether the findings are really about what they appear to be about (Saunders et al., 2003). Validity is defined as the extent to which the data collection method or methods accurately measure what they were intended to measure (Saunders et al., 2003). Yin (2003) states, “no single source has a complete advantage over all others”. The different sources are highly complementary, and a good case study should use as many sources as possible. The validity of a scientific study increases by using various sources of evidence (Yin, 2003). For quality control, a pre-test of the research instruments to establish their validity was done. The instrument was given to individuals (who constitute the population of key informants) to give their opinion on the relevance of the questions using a 4-point scale of relevant, quite relevant, somewhat relevant, and not relevant. Data is measured in order to have relevance and validity for the issue that is examined. In this study, the researcher holds that the theoretical understanding of risk management of information systems is the same as in the operational sense; to that extent, there is a clear connection between the theoretical and practical notions of risk management of information systems, and for that reason the researcher can say that she had valid data. Additionally, numerous steps were taken to ensure the validity of the study:
Data was collected by in-depth questionnaires from reliable sources with knowledge of financial information systems risk management.
Questions in the questionnaire were made based on literature review and frame of reference to ensure the validity of the result.
Data was collected over a period of 4 weeks; within this short period of time no major event changed in relation to the topic.
According to Saunders et al. (2003), reliability refers to the degree to which the data collection method or methods will yield consistent findings, similar observations would be made or conclusions reached by other researchers, or there is transparency in how sense was made from the raw data. Reliability can be assessed by the following three questions (Easterby-Smith et al., 2002: p.53):
A number of different steps were taken to ensure the reliability of the study:
The same type of questions was used for all the respondents in order to increase the reliability.
The theories that were selected for the study were clearly described, and the research question was formulated based on the previous theory.
Data was collected based on the frame of reference that was drawn from the discussed theories. The objective is to make sure that if another investigator follows the same procedures and uses the same case study objects, the same conclusions will be reached.
2.2 Ethical Consideration
The goal of ethics in research is to ensure that no one is harmed or suffers adverse consequences from the research activities (Cooper and Schindler, 2001). The researcher has undertaken various measures to protect the rights of the respondents by:
Ensuring that none of the respondents was named during the research or subsequent report;
Selecting respondents to participate without compulsion;
Informing all respondents of the reason and purpose of the research; and
Seeking informed consent from the management of the selected company and the respondents before the commencement of this research initiative.
Data Processing and Analysis
As mentioned in the methodology, primary data was collected using questionnaires that were formulated based on the knowledge gathered from secondary sources to help attain the objectives of the research. This section states the objectives and how they were obtained in the research.
 Demographic factors
The survey setting was financial institutions, composed of a listing of various financial institutions in the industry.
Figure 1: In which financial industry sector is your company?
The survey sample was selected on the basis of their organizational position; by virtue of this they were better placed to have the knowledge and access needed to provide the accurate information required in this research.
Figure 2: Which of the following best describes your title?
 Financial Information Systems Acquisition
The researcher sought to find out how financial institutions acquired their Financial Information Systems.
Table 1: When in need of Financial Information systems, my company ……
Response | Frequency | Percent
Tailor makes the system (internally or outsources) | 24 | 60.0
Acquires already developed systems | 16 | 40.0
Total | 40 | 100.0
As shown in Table 1 above, 60% of financial institutions in Kenya develop their own tailor-made financial information systems; this is done by their employees or by outsourced developers, as opposed to 16% of the institutions which acquire already developed information systems.
Organizations’ involvement in Information System Development 
Organization’s involvement in Information systems development is vital not only to ensure successful implementation but also to manage risks. The respondents for organizations that tailor made their Financial Information systems were asked whether they were actively involved in every stage of their financial information system development.
Table 2: In the case of tailor made systems, is your organization actively involved in every stage of the information system development?
Response | Frequency | Percent
Yes | 14 | 58.33
No | 7 | 29.17
Don’t know | 3 | 12.50
Total | 24 | 100.0
More than half (58.33%) of these organizations were actively involved in their information systems development, a significant 29.17% of the organizations were not actively involved, while 12.5% of the respondents had no idea about their organizations’ involvement. Organizations that are not actively involved in their information systems development have a higher chance not only of being exposed to more risks that could have been well managed in the initial stages, but also of incurring more cost in mitigating the said risks.
Table 3: Do you agree that financial institutions are sufficiently actively involved in the development of their information systems?
Response | Frequency | Percent
Strongly agree | 10 | 25.0
Agree | 21 | 52.5
Neither Agree nor Disagree | 3 | 7.5
Disagree | 6 | 15.0
Total | 40 | 100.0
The survey indicated that the majority of the respondents (77.5%) felt that their organizations were sufficiently actively involved in the development of their information systems, while 22.5% were either not sure or felt that involvement was insufficient.
 Financial Information System Development Risks
Figure 3: Based on your experience and professional knowledge please indicate the risk levels in the following information systems development environments.
Development cycle risks
The majority of the respondents (70%) indicated that the implementation stage of the IS development cycle had the