Module 2: Information technology governance: Organization

and planning for IS

Overview
In the previous module, you learned about the importance of information systems (IS) to modern organizations
and of linking IT plans to business plans in order to get the most value out of investments in these tools. You
also learned about some of the ways to think about organizations and their environments (for example, the
value chain and Porters five forces).
In this module, you focus on how to ensure key decisions about IS (including authority, responsibility,
enablement, compliance, planning, structuring, and organizing) are effectively made to maximize business
value. IT governance is concerned with these issues at the broadest level. The module begins with an overview
of IT governance, outlines the key decisions to be made, and highlights key challenges of IS planning,
technology planning, data planning, IS economics, and developing a strategic plan.
You will develop your ability to advise on issues of corporate governance. You will learn how to identify, assess,
and advise on information required for management decision making, to evaluate the interrelationship of an
issue on different functions of the organization, and to apply concepts and approaches within and across
functional areas to develop integrative solutions, thus enabling you to evaluate implications and assess the
appropriateness of solutions beyond the immediate or short term.
The next three modules focus on the process of implementing a particular system. After identifying the types of
applications you wish to develop through strategic planning, you move into the process of managing IS
projects. Module 3 provides an overview of this process, while Modules 4 and 5 present more specific details
on the different activities involved in systems development.
2.1 IT governance
2.2 Short- and long-range technology planning
2.3 Data and information management issues
2.4 IS economics
2.5 Developing an IS strategic plan
Module summary
Print this module
Module scenario: Planning is a whole business
Your Wednesday morning managers session is over. You presented some good ideas, and explained IS
positions on a number of topics. Now the managers are all returning to their responsibilities. You hope some of
what you said will stick, and help them see where IS can work for them. But right now you have another
problem: your own department needs updating. Their technical skill set is excellent, but the kind of updating
they need is big picture, a strategic framework. You need them to understand the responsibilities of IS as a
whole, not just their own area of expertise. And you need their help.
Part of budgeting for IS requires input from the department. Strategy is driven from the senior level down to
the departments, and each department must decide how to best align itself. This takes time, planning, and a
Course Schedule Course Modules Review and Practice Exam Preparation Resources
lot of discussions. And with the economy in a downturn, both budget and capital dollars have been reduced,
and the competition for them will be fierce. In the past, IS automatically got a budget number equivalent to a
percentage of net profit. That is gone. IS must now understand the economics of its projects the same as
other departments do. To do this successfully, your department must understand the impact of short- and
long-range planning, of the data- and information-management issues within IS, and of developing an IS
strategy. However, surrounding these concepts is the topic of governance, and what your department needs to
do to ensure compliance with industry-recognized procedures.
Back in your office, you send a reminder to everyone that the IS strategy planning session is this Friday at 9:30
a.m.
2.1 IT governance
Learning objectives
Evaluate the critical decisions about IT that organizations make, and the different governance
arrangements for making those decisions. (Level 1)
Identify the roles of the financial manager and other stakeholders in IT governance. (Level 1)
Assess the challenges of taking an IS plan from theory to practice. (Level 1)
Required reading
Reading 2-1: Six IT Decisions Your IT People Shouldnt Make (This reading is included in the MS2
casebook.)
Chapter 5, Section 5.5, Management Issues
Chapter 10, Section 10.3, Selecting Projects
Review Chapter 9, Section 9.1, Systems as Planned Organizational Change
LEVEL 1
IT governance considers the key decisions that must be made in managing and aligning IT with an
organizations objectives, and the different ways in which those decisions can and should be made. Formally,
IT governance refers to the assignment of decision rights and an accountability framework for IT to encourage
desirable behaviour in the use of IT (Weill & Ross, 2004).
1
The structures and processes that are established
for making IT decisions should support the firms overall goals. Thus, for a firm pursuing a low cost strategy,
the governance model should encourage behaviours that lead to the lowest reasonable cost for IT. For a firm
pursuing a differentiated strategy, the framework would be designed to promote decisions supporting the basis
of differentiation.
Governance has become a key topic in information systems in recent years, for three significant reasons:
The continuing need to align IT and business and ensure that IT provides appropriate business
value.
The rise of concern over governance in general following the accounting scandals and collapse of
share prices for a number of major U.S. corporations.
Ethical considerations with respect to governance. (For example, Reading 2-1 Six IT Decisions
Your IT People Shouldnt Make mentions Princeton using applicant data to access the Yale
database on admissions. This raises an interesting issue about the ethics of Princeton admissions
personnel using data from applicants improperly, including the issue of intent and disclosure with
respect to data gathering.)
Legislation such as the Sarbanes-Oxley Act of 2002 and the Basel II Capital Accord require firms to be much
more accountable for their decision-making processes and for the risks they assume. Sarbanes-Oxley (SOX)
was enacted in the U.S. in response to a number of high profile corporate scandals that led to significant losses
for investors. The legislation applies to all publicly traded companies in the U.S. (including Canadian companies
that are listed on either the NYSE or the NASDAQ, as well as Canadian subsidiaries of U.S. public companies).
One of the key provisions is the requirement for the CEO and CFO to certify that all financial disclosures are
accurate (and holding them personally accountable for any errors or omissions). Basel II is a similar system for
corporate accountability that applies to financial institutions that operate internationally. While neither SOX nor
Basel II makes specific requirements about IT systems, IT systems provide much of the reporting data for
complying with these laws. Moreover, IT is a key source of operational risk in firms, and as such is subject to
Course Schedule Course Modules Review and Practice Exam Preparation Resources
reporting rules as well. As a result, significant IT process changes have been required in many companies to
support the reporting requirements of the legislation. For example, ensuring the security and auditability of
data has been a major task for many companies, often requiring the assistance of best practices or governance
frameworks.
Governance frameworks: COBIT and COSO
COBIT and COSO are two frameworks to assist organizations with the implementation of IT governance. Both
are supportive of one another as control frameworks, with COBIT taking more of an IT focus and COSO
addressing the controls needed for ensuring confident financial processes. Together, these frameworks help
verify the movement of data throughout an organization, through its initial stages of transaction entry to the
financial reports required by senior executives like the CEO and CFO. Data moves and transforms throughout
organizations: assuring regulatory agencies, investors, and customers that the information reported is sound
and verifiable is an ongoing concern of todays business.
COBIT
COBIT (Control Objectives for Information and Related Technology) is the framework developed by the
Information Systems Audit and Control Association (ISACA). COBIT is a series of components that assist
organizations to increase regulatory compliance and control over IT, integrate global IT standards, and reduce
business risks. First developed in 1996, COBIT 4.01 was published in 2007, and COBIT 5.0 is scheduled for
release in 2011. COBIT is composed of five key components:
A framework to organize IT governance practices by process and then link them to the actual
business needs of the organization
Mapping of business process descriptions and templates
Control objectives that support effective security and control over IT processes
Guidelines to maintain focus on objectives, performance measures, and the integration of IT
governance measures with other areas of governance
Maturity models to support process benchmarking and continuous improvement
COSO
COSO (The Committee of Sponsoring Organizations of the Treadway Commission) is a framework that provides
executive management the ability to assess and enhance internal controls in order to improve risk
management. IT governance is implied with the monitoring of internal control systems. The first publication of
the COSO framework was in 1992. Since then COSO has published improved guidance on monitoring internal
controls and enterprise risk management. COSO is composed of five key framework components:
The control environment that establishes the processes for managing and developing employees
in an organization.
The control activities that are directives to ensure management policies and procedures are
followed.
Information and communications policies developed to ensure governance compliance.
Risks assessments from both internal and external sources including objectives to manage the
risks.
The continuous monitoring of control systems to assess deficiencies and the need for
improvements.
ISO 38500
In 2008, the ISO (International Organization for Standardization) and the IEC (International Electrotechnical
Committee) created ISO 38500 a corporate IT governance standard that provides guidelines on the most
efficient, effective, and best use of an organizations information technologies.
Where COBIT can be categorized as a foundation for IT governance, ISO 38500 acts as a top-down
assessment of the IT governance structure. It does not replace the COBIT framework (which is usually an IS
directive); instead, its goal is to complement COBIT by bringing a senior-executive perspective to IT
governance. The aim of ISO 38500 is to provide the directors of an organization with a standard structure for
the six principles of good IT governance a standard that can be referred to when evaluating the use of IT in
an organization. The six principles are applicable to most organizations, and reflect the behaviour that should
be adopted to guide better decision making. These principles do not provide a how-to framework, but they do
provide guidance, so that each organization can adopt and apply the principles as they see fit.
Six principles of IT governance
Responsibility: Groups and individuals within an organization understand and accept their
responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for
actions also have the authority to perform those actions.
Strategy: The organizations business strategy takes into account the current and future
capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the
organizations business strategy.
Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing
analysis, with clear and transparent decision-making. There is appropriate balance between
benefits, opportunities, costs, and risks, in both the short term and the long term.
Performance: IT is fit for purpose in supporting the organization, providing the services, levels of
service and service quality required to meet current and future business requirements.
Conformance: IT complies with all mandatory legislation and regulations. Policies and practices
are clearly defined, implemented, and enforced.
Human Behaviour: IT policies, practices, and decisions demonstrate respect for human behaviour,
including the current and evolving needs of all the people involved the process.
Whereas the principles set the behaviour for decision making, the model for ISO 38500 states that directors
should govern IT through a focus on three tasks:
Evaluate the current and future use of IT. Directors should consider the external or internal
pressures acting upon the business, such as technological change, economic and social trends,
and political influences, and should view evaluation as a continual process.
Direct preparation and implementation of plans and policies to ensure that use of IT meets
business objectives. Directors should assign responsibility for the preparation and implementation
of plans and policies. Plans set the direction for investments in IT projects and IT operations, and
policies should establish the acceptable use of IT (which includes the timeliness of information,
and compliance with the six principles of IT governance: responsibility, strategy, acquisition,
performance, conformance, and human behaviour).
Monitor conformance to policies, and performance against the plans. The performance of IT
should be monitored through established and appropriate measurement systems. Directors should
reassure themselves that performance complies with approved plans and business objectives.
Source: www.ISO.org. Reproduced with permission. All rights reserved.
Once the IT governance structure is undertaken, the tactical structuring and requirements for meeting the
goals of the governance framework must be defined. The executive committee, created during the
implementation of ISO 38500, assumes the governance role and exercises input and decision rights across the
gamut of IT domains.
Governance map
In his 2004 article, Peter Weill outlined five broad classes of decisions about IT that are made in
organizations:
2
IT principles: decisions about the broad principles for applying IT in the firm (such as we will be
a fast follower or we will use only standard technologies)
IT architecture: decisions about the organizing logic for data, applications, and infrastructure
(process and data standardization)
IT infrastructure strategies: decisions about the main shared and enabling services used in the
firm (such as networks and data centres)
Business application needs: decisions that focus on specifying the business need for applications
IT investment: how much to spend and on what sorts of processes
Each of these decisions requires different sorts of information. For example, IT investment focuses on the
cost/benefit trade-offs of different approaches and the overall potential for business value creation, whereas IT
infrastructure strategies might be more concerned with the emergence of new standards and the risks of
obsolescence from aging technology. As such, they require involvement from different members of the
organization.
Weill also outlines different decision-making models that are commonly used in these situations. The six
dominant models are:
Business monarchy: Decisions are made by the executive committee. Organizations that have not
yet adopted a governance framework will rely on senior business leaders such as the CEO.
IT monarchy: Decisions are made by senior IT leaders such as the CIO, Director of IS, or the
systems manager depending on who is the most senior within an organization.
Duopoly: Decisions are made jointly by senior business and IT leaders.
Federal: Decisions are made jointly by central business leaders along with business leaders from
the different areas of the firm, such as strategic business units (SBU) or functional departments.
IT may or may not be represented in this model.
Feudal: Decisions are made locally by each SBU or functional unit.
Anarchy: Decisions are made in multiple locations, typically by individuals with little accountability.
This strategy is rarely seen, and unlikely to ever be considered effective.
Weill and Ross conducted a research study to examine these models in terms of both their prevalence and
effectiveness when used to make a variety of decision types (2004). The results can be expressed in terms of
the governance map shown in Exhibit 2.1-1. The map shows which styles were most commonly used for the
different decision types, and which governance mechanisms had input and influence on those decisions. The
map also indicates which styles were found to be most effective for a particular decision type. Note that results
on the effectiveness are not definitive, because the firms (that Weill and Ross studied) did not vary sufficiently
to let the researchers evaluate the effectiveness of the strategies, only how the strategies are made.
As the exhibit illustrates, decisions based on IT principles tend to be made by a combination of senior business
and IT leaders (duopoly). Such a structure ensures that the right information is brought to the table for
decision-making, and that the right considerations are included. The worst model for making IT principles
decisions is the federal model, typically because there are so many stakeholders that it becomes difficult to
make focused decisions.
Exhibit 2.1-1: Governance map
For IT infrastructure and architecture decisions, the most common decision model is the IT monarchy. These
decisions focus on the more technical elements of IT planning, and thus are most usefully located within the IT
domain. Here again, the federal model is the least effective approach.
For business application needs, either a federal or a feudal model is most common, and neither model is
universally more effective. Here it depends on the business needs of individual firms. For related business units
that need to share infrastructure, a more centralized model (such as the federal model) is helpful. But for
unrelated units where pooling of resources is not particularly helpful, a feudal model with local decision-making
can result in greater responsiveness and agility. In this decision-making area, the IT monarchy is the worst
approach, since this area is closest to the business needs and thus requires significant input from business
leaders. Locating the decision-making outside of the business units decreases both involvement and
accountability on the business side.
In terms of IT investment, a great many models were followed. The best approach seems to be a duopoly,
with active involvement from both senior and IT leaders. As with IT principles, this allows for tightly focused
planning that takes into account the needs of the firm as a whole as well as the capabilities of the technology.
The worst model here was the federal model, because the combination of central decision makers and
decentralized decision makers often results in turf battles and political gamesmanship. The investment decision
is the responsibility of the executive committee and a subgroup of senior officers, including the CIO. It is
important to note the various decision models are more pervasive in an organization and drive all
decision-making, not just IT decisions. Corporate culture also often drives decision-making, at least as much as
decision type.
It is, however, significant that many IT decisions today (45%, as reported by Gartner
3
) are the responsibility of
the CFO and not the CIO. IT Governance principles are as much about leadership as control, and investment
decisions that apply a cost to a corporate direction are typically the domain of the CFO, regardless of whether
the responsibility is under IT or another department. Gartner also reports that 42% of IT organizations report
to the CFO.
Module scenario: Governance with hesitation
The first topic on the Friday meeting agenda with your team is IT governance. The team is receptive to the
idea in areas of strategy alignment, but fears the added work involved in proving accountability on the financial
side of information. One of your developers asks why it isnt accountings responsibility to prove financial
statements. He says, I mean, we use an ERP system with integrated financials, so how could they go wrong?
You explain that, Yes, the software is tightly integrated, but the point of governance is accountability. Can we
actually say that we know with 100% certainty who has access to which programs, and whose entry
contributes to the final statements? And with our CFO legally responsible for numbers, would you sign without
knowing how those numbers get generated?
Thats great, says your network analyst, but that doesnt help us connect our needs to the business. I need
new cabling in the warehouse and another length of fibre. What business objective does this satisfy? I dont
want some other manager saying what we do and dont need in IT based on some uninformed committee
recommendation.
So, you say, lets talk about how we can change our thinking about IT decisions to reflect a more business-
oriented approach, rather than a purely technological one. Some IT decisions are ours, but others should be
decided with input from other departments. Let me show you some slides of how this could work. You then
take your team through the decision-making models and structures of a well-governed company.
Implementing governance arrangements
A variety of different mechanisms are used to implement these different governance arrangements. These
include different decision-making structures, processes for aligning, measuring, and valuing IT decisions with
business needs, and communication strategies for ensuring that structures and policies are respected.
IT decision-making structures
Among the most common decision-making structures are:
executive or senior management committees which provide ongoing business leadership and
involvement in IT, often referred to as IT steering committees
IT leadership committees composed of senior IT leaders from different areas of IT, such as
infrastructure and development
process teams made up of IT members and business/IT relationship managers
IT councils composed of business and IT executives
architecture committees
capital approval committees
Of these, CIOs rate IT leadership committees and business/IT relationship managers as the most effective
means of ensuring adequate decision-making. In both cases, IT expertise is matched with business knowledge
so that decisions are more comprehensive than departmental.
IT decisions for process effectiveness, alignment, and value
An effective IT department is the first step towards alignment. This means measuring and valuing the success
factors on IT projects such as (i) completed on time and (ii) within budget. When IT is better able to account
for its own efficiencies, it is better able to approach alignment, and vice-versa through a reciprocal relationship.
Consistent project management success is the first step for IT towards understanding business priorities and
knowing there is adequate staff to respond to those needs.
To assist the organization in measuring its IT effectiveness, alignment, and value, these processes help track
IT decisions against business needs:
Various systems for tracking IT projects and resources consumed From Microsoft Project to
open-source web solutions like Redmine, Basecamp, and Huddle project management software is
mature and specific. Due dates, milestones, Gantt and Pert Charts, and resource tracking and
costing are all available. The framework Val-IT also provides project tracking.
Service level agreements SLAs help IT establish guidelines for its users on how quickly IT will
respond to a variety of service requests. Help desk and trouble ticket systems help IT create
these agreements, which can then be tracked and evaluated. Although SLAs technically measure
the effectiveness of IT to meet its service commitments, their introduction may signal an
alignment issue with an overall governance commitment to improve customer service.
Formally tracking the business value of IT The completion of projects requires an assessment
of the deliverables to see that the approved value that drove the project is realized upon project
completion. Some project software solutions can assist here, but so can project frameworks like
Val-IT from the IT Governance Institute, which aims to value IT initiatives through three
principles: portfolio, program, and project.
Chargeback arrangements Chargeback agreements are difficult agreements to manage;
however, they can be successful in reshaping the behaviour of departments that routinely rely on
IT project/infrastructure support. If IT is allowed to recoup costs by charging back departmental
projects responsible for large investments, then departments will better understand the business
value proposition before committing to IT resource. This usually means the project is better
understood.
Balanced scorecard The balanced scorecard is a type of performance measurement framework.
It drives strategy by using performance and follow-up measurables. It is best designed
simultaneously with the business case of a project, and may include visual devices such as
dashboards. The Balanced Scorecard Institute
4
provides comprehensive tools and information.
Systems for tracking IT projects and resources remain the most important as far as CIOs are concerned.
IT choices for communications vehicles
Any project can be hampered by poor communications. If people cant follow the progress or cant see the
problems and how they are being addressed, then there is little chance of getting the organizational support
that projects need to succeed. There are many ways to post information, which may be shared through the
following key communication vehicles:
senior management announcements
web-based portals, blogs, wikis, and social media
intranets for IT
informal communication
Having a CIO (or equivalent) as a member of senior management is also important in terms of communicating
the role and importance of IT. Without this, the responsibility falls on the IT manager, who is often immersed
in the day-to-day running of the department, and is not focused on the forward thinking CIO tasks outlined in
the six IT governance principles responsibility, strategy, acquisition, performance, conformance, and human
behaviour. However, as Gartner reported, CFOs are now taking a more active role in the decision making in IT,
providing a shift in the role and focus of IT.
Specific roles for business leaders
As a non-IS manager, you will be involved in IS decision making in a number of ways. First, you will suggest
needs for information and systems within your department that will drive the development agenda of IS.
Second, you will participate in determining the costs and benefits of the systems that will support your
department. Third, you may be asked to participate in priority setting committees to determine which of many
opportunities should be pursued. (There are usually more of these than it is possible to undertake, either
financially or operationally.) Finally, depending on the budgeting approach used in your organization, you may
be required to include the costs of IS projects in your departmental budget. To ensure you are making good
decisions for your department and your organization, you need to understand the issues involved in planning
and realizing the IS infrastructure, which is the relationship between how IS sees itself in the organization, and
its roles, responsibilities, and interactions towards other departments as it tries to enhance its value to the
company. Since more of these tasksmay continue to become the responsibility of the finance department, the
better accountants understand the methods employed in IT decision making the better they will be in assessing
the value of those decisions both from a business and financial perspective.
The IS plan
In theory, the IS plan begins with a consideration of the business strategic plan and compares this plan to the
current IS infrastructure. This comparison leads to the articulation of new systems development plans and
plans for overall management of the IS function, which in turn results in budget implications for the
organization. This top-down approach is illustrated in Table 10-1 of your textbook, which outlines what should
be included in an IS plan: the purpose of the plan, strategic business rationale for the plan, current system
inventory and documentation, new developments, management strategy, implementation plan, and budget
requirements.
Challenges of putting an IS plan into practice
The first challenge relates to the issue of strategic alignment (Module 1). If IS strategy is to be fully aligned
with business strategy, the implied sequence in the theoretical IS planning process described above business
strategy first, then IS strategy does not hold. Business strategy is not always determined first, followed by IS
strategy. Sometimes, particularly in times of great technological change, IS possibilities drive business strategy.
Thus, while the ideal view suggests that business plans come first, the organizational reality is more iterative
than this ideal suggests. As a manager, you need to learn to work in this iterative fashion, in partnership with
IS and IT specialists, to achieve an IS/IT strategy that is aligned with that of the organization as a whole. This
is not to say that business needs are secondary to the technology; business value still is the primary
determinant of the ultimate strategic choices. But from a process perspective, a less linear approach is quite
common and helpful, and for IS, almost a necessity.
The second challenge is in determining the time horizon for IS planning. Historically, organizations have
engaged in long planning cycles. Long-term plans might focus 10 years out, medium-term plans might focus
on three to five years, and short-term plans would focus on the next year. This planning horizon has been
challenged over the past 20 or so years, because the amount of change taking place in the business
environment makes looking this far ahead difficult.
Some argue that long-term planning is not possible, given this pace of change. But long-term plans are
necessary for outlining the broad strategic direction of the firm and the means to get there. Moreover, some
projects that IS undertakes would not be completed within a one-year cycle. Long-term plans simply cannot be
dismissed. Certain IT infrastructure projects continue to realize value years after the completion of the project.
Without a long-term plan, these could be dismissed as failed returns on investment for the short term, without
proper consideration of the longer term accumulative value.
In practice, few organizations look more than three to five years ahead when defining IS plans. This seems
reasonable, given the rate of both organizational and technological change. The three-to-five-year time horizon
forces a look beyond the immediate priorities of the organization and moves thinking into the sort of broad
strategic issues that must be considered to enable proactive, rather than simply reactive, strategic choices.
The final challenge to the theoretical view of the IS plan relates to its implementation. It is tempting to view
the IS plan as the blueprint for what is to happen in the organization. Once the planning document (assuming
there is a document) is complete, simply following the steps as outlined will assure success. But this view is
simplistic. It ignores both the need to adjust the plan as business realities change and the weaknesses inherent
in the assumptions on which these plans are often based. Therefore, you need to think of an IS plan as a
living document, one which will be adjusted over time as needs demand.
1
Weill, P. & Ross, J . (2004). IT Governance: How Top Performers Manage IT Decision Rights for Superior
Performance. Boston, MA: Harvard Business School Press.
2
Peter Weil, Dont J ust Lead, Govern: How Top-Performing Firms Govern IT, Massachusetts Institute of
Technology, Center for Information Systems Working Paper No. 341, March 2004.
3
Computerworld UK: CFOs making the IT decisions in nearly half of businesses Gartner. By Antony Savvas.
J une 11, 2012. http://www.computerworlduk.com/news/it-business/3283161/cfos-making-the-it-decisions-in-
nearly-half-of-businesses--gartner/
4
Balanced Scorecard Institute accessed April 18, 2013, http://www.balancedscorecard.org/.
2.2 Short- and long-range technology planning
Learning objectives
Assess the principal drivers of hardware and software decisions in organizations. (Level 1)
Identify the specific issues in hardware and software planning. (Level 1)
Evaluate the advantages and disadvantages of centrally determined technology standards.
(Level 1)
No required reading
LEVEL 1
At the heart of IT decision making are decisions about what technologies (hardware, software, networks, and
databases) will be used to support the information requirements of the firm. This topic examines the key
questions that should be asked in making decisions among competing technologies to support a given
requirement.
Why this matters to accountants
Advances in technology have two drivers; one is strategic, the other is cost. New technologies always carry a
premium price tag. Accountants need to know what new technologies are coming so they can assess the
financial and company risk of adopting a technology before it has matured or before market forces will bring
the cost down. Again, depending on the decision-making structure of the organization and its strategic
position, certain technologies, although attractive, may represent too big a risk despite ITs willingness to
adapt.
The drivers of technology decisions
Application demands
Technology decisions are often driven by application requirements. For example, suppose you are working for a
medium-sized public accounting firm. An analysis of business requirements suggests that building and
maintaining client relationships will be of increasing importance in the future. At present, however, the firm
maintains little computerized data on clients and has experienced problems ranging from keeping addresses
current to knowing what kinds of additional services might be useful to clients. To address these needs, the
organization decides to build a single, integrated client database.
The organization can implement this system in a number of ways:
It can purchase an off-the-shelf system for customer tracking.
It can build an in-house system.
It can use the offering of a SaaS provider.
Depending on how the firm decides to proceed, there may be requirements to upgrade existing computers.
Perhaps the preferred off-the-shelf system requires more powerful computers to run, more storage space, or
networks. If a local area network is not already in place, the goal of creating a single repository of client
information will demand networking. Even if a network is in place, it may not have the application-sharing
capabilities that this system would require, and will need improvements over and above the cost of the
software. With a SaaS provider, although upgrades to existing equipment may be minimal, a thorough analysis
of the service level agreement with the provider and a testing of security and privacy settings must be made.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Hardware lifecycles
Sometimes technology decisions are driven not by specific application requirements but rather by the need to
maintain an appropriate basic level of technology as a platform on which to build applications in general. Any
computer has a finite life, and upgrades must be undertaken before reliability and performance are
compromised. Networking equipment must similarly be replaced to avoid failures that will hurt the ability of the
business to communicate. The issue of locking into a particular hardware standard is something that IT must
assess. Desktop vendors provide compatible model numbers for IT departments to ensure processor and
chipset compatibility over a guaranteed timeframe. This way, IT departments can verify the workings of a
specific vendor model with their software, if compatibility is an issue, and then only order those specific
models. Networking hardware is equally compatible, in the sense that a particular vendor (Cisco, Dell, and so
on) has its own network OS that connects and controls its devices. The mixing and matching of network
equipment may save money, but provide a management nightmare for IT.
Why this matters to accountants
Understanding that price is not the only factor in IT is the first step toward assessing IT infrastructure costs.
Not all network hardware is interchangeable. IT is responsible for mapping the current and future state of a
network so that decision makers can understand how the future direction will support the future business.
However, purchase decisions must be flexible enough so that lowest price equipment is not the only deciding
factor. For example, future business plans may include shop floor automation, and IT has sourced the best
hardware for incorporating RFID. Or remote financial branches may require secured connections with
virtualization, requiring a hardware choice in future plans to accommodate this direction.
Customer and supplier demands and other external forces
Finally, some technology decisions are made in response to the demands of customers or suppliers. For
example, if your business partners make changes in their technology, you may need to make changes to
continue to communicate with them. Also, if technology suppliers stop supporting particular pieces of hardware
or software, you may need to upgrade, not because what you have no longer performs to specification, but
because you cannot obtain replacement parts or additional components or because they no longer interface
with other applications.
These changes often have no particular benefits in terms of improved information or business processes. They
are often frustrating for managers and users in organizations, who do not see the need for change, and who
find themselves forced to change their behaviours without reaping benefits from the extra work. To manage
these projects effectively, you need to communicate the reasons for the change and minimize the disruptions
at the user level.
For example, Walmart demands compliance with all its suppliers to their supply chain network, and this has
meant incurring costs sometimes for both hardware and software compatibility.
Software planning
Licenses and upgrading
When you purchase software (as opposed to building it in house), you purchase the right to use the software
under specific conditions, rather than owning the intellectual property of the software itself. In short, you are a
licensed user of the software rather than an owner.
In the past, many software agreements were for indefinite use and often included source code, so that
customers could modify the software to their own particular needs. This is no longer the case. Software
vendors are increasingly moving toward defined license periods. This is sometimes accomplished directly, in
that your license to use the software simply expires and you are no longer able to access it. At other times, it is
accomplished more indirectly. The vendor releases annual versions of the product, and while you are technically
still licensed to use the old version, upgrading to a current version requires going through intervening versions.
If you do not regularly upgrade, you will have to purchase new versions at the full cost rather than the upgrade
price, and the difference between these two costs is substantial. From a risk-management perspective, the
amount of savings over multiple years could outweigh purchasing a new version if the organization can take
the risk of running an older version for a longer period. This is one of the areas where the strategic value of IT
is able to help the business make that decision. This essentially forces organizations to upgrade their licenses
on a regular basis. Of course, the advantage of regular upgrading is that you get the latest functionality
available, both from a user perspective and in terms of performance, reliability, and security. Even if you
experienced a software version level that was complete and error free for your needs, you would not be
advised to remain at that level indefinitely. It is not practical given the pace of change in IT around your
company. Compatibility issues with suppliers and customers would eventually surface, and the cost then to
upgrade to a supported level would be prohibitive.
This move towards defined license periods reflects a broader trend in the industry toward SaaS. In the software
as a service model, applications are hosted remotely from the firm (typically by the software vendor) and the
firm pays a monthly fee for the use of the software sometimes including upfront license costs. SaaS models
have a number of benefits and limitations. In terms of benefits, SaaS requires less internal IT infrastructure
since the application is typically housed at an outside firm. It is typically accessed via the Internet. Version
upgrades are made by the vendor on a regular basis, so that users are always working in the most current
release (at least as far as incremental releases are concerned; major changes are a bit more complicated). This
can be a very cost-effective model for the firm. On the other hand, there is less control over the application
and as a result there is a higher degree of dependence on the outside vendor. With a highly qualified vendor
this may not represent a problem. (It may actually be a benefit, since the vendor specializes in the provision of
the software and may therefore be more capable than internal staff.) SaaS typically doesnt allow a lot of
customization, and thus can be somewhat inflexible. Many managers worry about the security risks of hosting
data remotely and accessing it via the public Internet. While not wanting to make light of these issues,
experience suggests that both risks can be adequately managed (as will be discussed in Module 9).
SaaS has been an important model for organizations to judge the effectiveness of critical data stored outside
the confines of the corporate network. It has opened the way for the newest metaphor of hosted processes:
cloud computing. Where SaaS was concerned with hosting specific business application software, cloud
computing extends the hosting to include desktop applications and backups, and treats services as licensed
utilities, where the web model of web services can be more vastly employed to all devices mobility and
flexibility define key characteristics of a cloud solution. Owned software may become less and less of a
business model, and be replaced with utility pay-per-use software services. On the other hand, in the cloud-
computing model, customization is typically not allowed and software upgrades take place at regular, pre-
determined times. J ust prior to the upgrades, an organization would review all its internal processes because
the organizations systems need to be in sync with the outsourced software. For example, suppose a small-to-
medium business uses CRM in a cloud-computing environment. The CRM hosting service announces a major
upgrade that requires synchronized upgrades to internal financial systems and office-productivity applications.
From this moment on, the business has a limited time to upgrade all additional systems; otherwise, it will be
left out from the cloud.
License considerations in an IS plan
An IS plan must consider the current state of software licenses and the requirements for license renewal, and
must make trade-offs between faster and slower upgrade cycles. To learn more about software licensing rules
for individuals and organizations for one vendor, visit the Volume Licensing page on the Microsoft website.
Many organizations license Microsoft applications through agreements like Open, Select, and Enterprise,
dependent on the number of licenses through the size of the organization. Plus, in keeping with other cloud-
based offerings like Google Docs, Microsoft offers Office 365 its own online cloud version of MS-Office,
closely tied to its Sky Drive cloud storage.
Furthermore, an IS plan must include a review of all software to ensure it is not pirated software. The use of
pirated software could be a very expensive problem for your company, not only in dollars and cents, but also in
reputation. You could end up paying for software you cannot update or software that lacks the security features
of legitimate software. It is good governance to ensure your company uses legitimate software. There are
many choices to assist companies in tracking their software licensing as part of a software audit. Lansweeper
(http://www.lansweeper.com) is one such licensed software application, and Spiceworks
(http://www.spiceworks.com) an open-source version. Both provide audits of licensed software so that IT
managers can verify both the legitimacy of their purchases and the numbers of licenses.
Custom-designed applications
The discussion of licenses applies to the situation where you are purchasing software components. However,
when you are working with custom-designed applications, there are different aspects of planning to be
considered. Essentially, you move from deciding whether or not to adopt an existing upgrade to focusing on
how much to include in an upgrade, how to build it, and how to implement it. An upgrade becomes yet
another systems development project.
You will learn more about these projects in Modules 3 to 5. What is important to learn here is that software
planning includes both plans for new systems ideas and for the maintenance of existing software and that the
need to upgrade exists whether you purchase applications or build your own.
Business process reengineering showed many organizations that their own custom developed software, over
time, was just as proprietary as purchased software. Upgrade compatibility issues, application lock-ins, poor
documentation and support all the reasons provided to avoid software vendors were inherent in custom-
built software solutions too.
Upgrading to support future business requirements
Perhaps the most important question to ask when examining existing applications and making decisions about
what to upgrade is: If we maintain the current versions of our information systems without upgrading, will this
produce a risk to our organization (risk in this case is financial, process, people, security, etc.)?
Suppose you operate a retail business selling craft supplies. Based on your analysis of the business
environment, you want to provide customer ordering on the Internet to expand your potential market. Your
current ordering software may or may not support this requirement. It may not be able to link with the kinds
of tools that would be needed to build the front-end interface, and it may not have sufficient error control to
be used by customers. Designing a system for a small set of highly trained users demands less software error
detection and correction than does designing software to be used by large numbers of global untrained users.
Even if your current ordering software works well today and your license is current, you should consider
upgrading this software now in preparation to support a future business requirement.
The open-source software movement
Most software on the market today follows proprietary standards. Packages are built and sold by a particular
vendor whose value proposition rests on providing capabilities that will be of benefit to adopters at a
reasonable cost. For example, Microsoft Office suites integrate with other Microsoft-based solutions like
SharePoint Portal. This way the benefit of adopting a Microsoft vision of computing ensures compatibility with
other Microsoft products in a sense reinforcing a proprietary model.
There are those who argue that the proprietary model is inappropriate. This model discourages information
sharing and application integration since different proprietary systems dont generally communicate with each
other. For the same reason, it makes it difficult for users to adopt the best software to meet specific needs.
Consider enterprise systems. These are large, integrated software packages designed to meet most of the
data-processing needs of the organization. They include modules for accounting, inventory, human resource
management (HRM), and so on.
Different vendors produce certain modules better than others. For example, PeopleSoft has long been a leader
on the HRM side of enterprise systems. An organization might want to purchase the PeopleSoft (Oracle) HRM
module along with the inventory and accounting modules of a different vendor (perhaps SAP). The trouble is
that the modules from different vendors (best-of-breed) are not designed to work seamlessly with each other.
Databases can also be incompatible. Because each vendor sells all of the modules, it is not in their interest to
make it easy for users to do this kind of mixing and matching.
Enter the open-source software movement. What if the software source code (the human readable program
instructions) was made available to developers who wanted to build related applications? What if developers all
over the world could look at software source code to find errors and security holes? The expected result would
be software that is cheaper, performs better, and can be tailored more precisely to the needs of individual
users. This does not necessarily make all open-source software free. For example, the Linux operating system
one of the better-known open-source products is typically purchased through one of a number of
vendors. Red Hat is one of the biggest vendors. Google offers Google Docs, once free but now at a nominal
cost to organizations. Cloud-based solutions extend the delivery of open-source software. Although cloud-based
storage solutions (such as Dropbox.com) offer a minimum amount of free storage to individuals, the business
community must pay for the service. Many users opt to buy the software rather than download it for free
because they can obtain support and documentation more easily through this route.
The open-source community, however, rejects this criticism of a lack of support. They provide support options
available 24/7, including bug tracking and fixes, how-to questions and answers, blogging, forums, and live
online support. Their view is there is little the proprietary software vendors can offer that they cant match.
Sustainability of open-source software
Some argue that open-source software cannot be sustained as a business model because you can receive the
software for free. Yet, the open-source movement has gained momentum in the past decade. Linux is now one
of the most commonly used operating systems in IT department servers, and Apache (an open-source web
server) is the most commonly used web server. Linux, however, has yet to replace the desktop operating
system, where the vast share is still supported by Microsoft or other corporate servers running financial, ERP,
and file-server applications.
But even Microsoft is releasing more of its source code to developers of applications, and is working toward
involving the developer community in the development of its .NET applications. Hardware companies see open-
source software as a way to increase revenue and market share. IBM and HP have very strong Linux programs,
and Apple has based its operating system on another open-source Unix variant, Darwin. The open-source
software movement may not be making money in the traditional sense, but it affects how companies use and
purchase hardware and software.
What open-source offers organizations today is choice. From operating systems (Ubuntu, openSUSE), to
browsers (Firefox), to business applications (SugarCRM, Compiere, Openbravo), open-source software solutions
are offering organizations more choice than just traditional vendors.
However, a threat to the immediacy of open-source solutions today are downloadable applications (apps).
These apps are portable, mobile, single solution, easy to install, and immediately accessible. Many are free, but
those that require payment are often less than $10. The success of the app solution to more traditional
application coding has been duplicated beyond Apples original App Store to now include Google Android
Market, Blackberry App World, and Windows Store. All sites offer apps for their own proprietary devices from
tablets to smartphones to mp3 players available instantaneously over WiFi. This change represents not only
a single-solution/single-licensed approach but also threatens the open-source market because proprietary
solutions, once the hallmark of what open-source fought to eliminate, is now back stronger than ever in app
stores.
Hardware planning
Keeping current
As explained earlier, changes in a firms hardware may be precipitated by application demands, hardware
lifecycles, or by external forces. Whatever the reason for the change, numerous factors have to be considered
in planning.
The issue of evergreening keeping hardware current with the latest developments is particularly relevant
to personal computing hardware. Knowledge workers demand up-to-date hardware to support their personal
computing. Often, this is driven by the pace of change in software. For example, upgrading from Office 2003 to
Office 2007 drives a need to upgrade the PC to meet the basic requirements of the application software.
However, cloud computing may offer a solution to the issues and cost of evergreening within IT. With cloud
computing, the push is away from locally installed applications on current hardware to browser-based
operations. If the browser becomes the de-facto application for hosted business applications, then the hardware
itself becomes secondary, or at least less important in terms of raw processing power and compatibility. The
compatibility will be in the browser software, potentially removing the need for certain evergreening operation
models in place in IT departments today.
Upgrading When and why?
What do you do when people demand faster, more powerful desktop computers? What do you do when the
business demands higher security or adherence to Green IT initiatives? How often do you upgrade these
machines, and how do you finance them? What do you do with the technology that you replace?
There are more choices today when it comes to information technology. Personal computer (PC) technologies
probably should be replaced on an ongoing basis, depending on the necessity of the applications they run
(CAD, engineering, large data set analysis) and not simply as a matter of course. Large organizations, however,
still replace PCs on a schedule, which makes sense when calculating the total cost of ownership (TCO) of PC
investments. But as SaaS makes gains in the hosting of enterprise software, the need for high-powered
desktop PCs will fade because the primary means of connectivity is an Internet browser. Companies are
increasingly opting for thin-client solutions (desktop virtualization) where the replacement cost is cheaper than
a new PC purchase and software version control is centralized. Plus, web-based cloud OS environments, such
as J olicloud, offer inexpensive netbook computing and extension into the traditional desktop by providing an OS
complete with common desktop apps. However, in organizations where replacement computers follow an
established schedule, upgrading can be accomplished in two basic ways.
The upgrading plan and cycle
The first basic approach to upgrading is to replace each computer every three years. During the upgrade year,
everyone gets a new computer. The advantage of this approach is having a common standard for machine
types (desktop, laptop, server, etc.), which makes supporting them much cheaper. The downside is that the
upgrading effort and cost is huge in the upgrade year and non-existent in other years. When you consider a
large organization such as Public Works and Government Services Canada, a department of the federal
government that has over 18,000 desktop computers in operation, this approach can become unwieldy.
Large organizations where hundreds of desktop computers may be replaced in a single upgrade often contract
the services of consulting firms to assist in the transition. These firms have vast work areas where multiple
computers can be connected and simultaneously tested and loaded with pre-authorized software and
networking scripts. This way, when the replacement weekend occurs, the transition can be made with
computers already loaded, tested, and configured for their intended user.
The second basic approach to upgrading is to develop a staggered upgrading plan ; this is the norm for most
organizations. If your goal is to replace your computers every three years, then on average, you need to
replace one-third of the computers each year. You generate a list of employees and upgrade one-third this
year, one-third next year, and one-third the year after. At any given time, the computers will be one and a half
years old on average, and as computers become truly problematic in their third year, they are ready to be
replaced. This approach makes financial sense, as it evens out the investment over time. It is also operationally
easier, because now you can devote a certain portion of the IS organization to maintaining and upgrading the
PC infrastructure, and this group will have a relatively stable demand for service rather than huge peaks and
valleys.
The disadvantage of this approach is that you end up with multiple hardware and operating system
configurations that must be supported. Some computer manufacturers, like Dell, offer business lines that
guarantee a hardware/software lock-in for at least a year to help businesses maintain consistency across their
upgrade cycles. Another issue is that not all users require upgrades quite as often. Users whose tasks demand
greater computer usage, with applications that are more taxing on the hardware (that is, more memory
intensive, requiring more storage or speed, and so on), will need upgrades more often to support their work. A
financial analyst who spends six hours each day working on complex spreadsheets and building financial
models will notice performance degradations from older hardware sooner, for example, than a manager who
uses a computer only for e-mail and basic word processing.
Within the upgrading cycle, then, it is possible, and even desirable, to have different rules for different parts of
the organization, driven by the nature of the job tasks being supported by the technology and their importance
to the organization overall. Again, IS plans today must be flexible and more fluid with the culture of the
organization than overly governed by hard rules.
Hardware purchase options
The preceding discussion leads to an interesting side issue. Often, as users of technology, we see the hardware
as a commodity, and in some ways it is. The features provided to us as users are similar (for example, all Intel-
based machines of a particular era can run the same OS and applications). However, from a technical
perspective, there are differences in quality and reliability that make hardware not truly a commodity product.
Brand name or white box systems
One critical choice you (or at least your organization) will make around hardware is whether or not to buy
brand name machines (such as Dell, Toshiba, HP, or Apple). Many smaller vendors build their own systems,
mixing and matching components and producing white box systems. These systems are often cheaper than
brand name computers (by as much as 20%), so there are significant cost advantages to purchasing them as
opposed to brand name machines.
If you decide to purchase a white box system, you need to have someone you trust who understands the
components fairly well and can decide whether a machine with a particular brand of hard drive (such as
Western Digital or Seagate) combined with a particular motherboard (such as, Asus, Intel, or IBM) is a good
combination. This person may be an internal employee, the vendor, or a consultant, but the key is whether you
can trust the persons judgment.
Many users have experienced the frustration of buying a new machine and finding it to be unstable it
crashes often, it runs slowly, or it just doesnt seem quite right. Sometimes this is a configuration issue that can
be resolved with good technical support. Often, the problem goes back to a conflict between elements of the
PC that just dont work and play well together. These problems are slightly more common with white box
systems than with brand names, and are sometimes difficult to resolve. Brand name machines tend to use
fewer different component configurations, and vendors and technical support personnel have worked out the
possible conflicts. That is the trade-off for a lower price.
Hardware technical support
A related issue is what kind of support you will get for your hardware purchases. What warranty is available
with the machine, and how do you access warranty service? Some companies find it easier to simply replace a
poorly functioning machine while others will try to repair them. Some warranties provide on-site service, while
others require you to take the machine to a dealer. It is important to consider these warranty and service
issues when you are buying hardware, over and above the cost of support.
Users who come to rely on the technology in performing their work need to get problems dealt with quickly
and efficiently, with minimal disruption of their work. If a machine is cheaper at the outset but has limited
warranty coverage or poor service options, it may end up being more expensive in the long term.
Depending on your organizations model of IT governance, these decisions may fall to IT alone to decide on
the companys behalf. The user community will quickly inform IT if the decision is an incorrect one, and needs
to be adjusted.
The role of standards
Organizations tend to diverge between the need for centrally controlled standards for hardware and software
(where all employees are supplied with the same tools) and the need for local managers to make decisions to
accommodate particular requirements. A user might want a different laptop than the standard machine or a
whole division might want a different PC than the standard. In the advertising industry, for example, the
creative teams prefer to work on Apple computers while the administrative applications are usually on
Windows-based PCs. Whatever the reason, there is a tension between meeting local needs and providing
centralized control. This often comes across as a variation on Henry Fords marketing message from years ago.
You can have any colour, as long as its black has now become you can run any word processor you want as
long as it is Microsoft Word, or you can have any laptop you want as long as its a Dell and so on. This is
frustrating for users and managers who feel that their needs are not driving technology decisions. In an
environment directed more through a governance framework, business users express business needs. IT
solves the problems with technology.
Reasons for standards
Standards limit the range of technologies in use in an organization and can result in lower costs to the
organization, better integration of applications, and fewer problems in ensuring adequate performance.
Standards reduce variability and are backed by industry best practices.
Imagine, for example, a help desk that had to support every possible word-processing technology that users
wanted. In a large organization you would have to support everything from Word 2003 to Word 2010 for PC,
Word for Mac, OpenOffice (an open-source application), Google Docs, and probably a few others, because
some users will be reluctant to upgrade no matter what. The cost of training staff to support these applications
would far outweigh the benefits to the local users of being able to match their needs precisely.
Even if you consider the idea of supporting two different word processors (Pages and Word), each of which is
better for some tasks than the other, the costs are likely to be high. Also imagine that users need to exchange
files and work on documents together. It is problematic to try to go back and forth between different
applications, with different formats and features. Even if both software packages have the capability to read
files from the other, the formatting may not translate well.
Business considerations
With regard to business requirements, it is important to consider not just the information or processing
requirements of individuals or groups, but the overall cost and performance trade-offs at the firm level. At the
end of the day, organizations typically find that having the same applications or hardware technologies across
the board (or at least a very limited number of choices) is better than having the best applications in each
area. Keep in mind, however, that there could be valid reasons for supporting several different technologies.
For example, does the software allow for efficiencies or support a competitive advantage? This must be a
conscious decision based on business needs, though. If the benefits outweigh the costs, then the decision is
sound.
However, business reasons for limiting application support may outweigh cost alone. Many organizations
standardize on a single browser version, such as Microsofts Internet Explorer. Users want choice, with either
Firefox or Googles Chrome available to them also. But IS, in securing the network with anti-virus and intrusion
software, is aware of Internet Explorers particular vulnerabilities, and constantly scans for breached activity
before it becomes widespread. Introducing a new browser with new security concerns now doubles the work of
IS, and makes it more vulnerable to browser security issues because now they have to support different vendor
instances. Users may see the request for more choice as an innocent one, whereas it is really much more
complex.
Technology scanning
This topic has presented some of the current issues and challenges in planning for technology. But now that it
has been written, it will quickly become out of date. New issues will arise that have not been considered or
discussed. While understanding the issues involved in technology planning in a broad sense is important, you
must also have a plan in place to engage in continuous technology scanning, looking at emerging technologies
and trends that are not relevant today but may be important later on.
Why organizations need constant technology scanning
Organizations easily become too focused on what they are doing today and ignore emerging technologies and
trends that, although not particularly relevant today, may someday be critical. Today, organizations are
wrestling with how to use a variety of cloud-based Web 2.0 technologies, in particular the social networking
sites such as Facebook and Twitter, and mobility applications, such as Foursquare and Skype, available through
different vendor app stores. Many managers argue such technologies have no place in the world of business,
but they may be too quick in their judgment. One of the keys to technology scanning is not to be always
correct, but to quickly recognize when you are wrong and to take the appropriate steps to remedy the situation.
Technology scanning as part of the process
Technology scanning is sometimes done by a separate group within the IS organization, but often is not
managed formally. The reason is that the direct benefits of technology scanning are hard to measure and may
not be realized for years. However, increasing the formality of this process may make it easier to achieve good
results, by making someone or some group directly responsible for the activity. Without accountability, it is too
easy for such a future-focused activity to be pushed to the bottom of everyones to do list, as current
problems exert more immediate pressure for action.
Caution in technology scanning
The need to remain competitive in IS through assessing the impact of emerging technologies comes with a
caution. One danger of technology scanning is that vendors often publicize new technologies well before they
are able to deliver the products. Similarly, when a new technology is released, there are often multiple
standards for how it can work. For example, HD DVD and Blu-ray Disc emerged as competing standards for
high-definition DVDs, and yet only one format (Blu-ray) survived. Also, there are different standards today for
cellular telephones, wireless networking, and a host of other technologies. It is unlikely that all will survive.
Technology planners need to be careful that they are not jumping too quickly onto a new technology. There is
a fine line between being on the "leading edge" and being on the bleeding edge of technology. One may
provide a temporary competitive advantage, while the other may put your company at a disadvantage
similar to the risk in using beta software before a stable release is available.
2.3 Data and information management issues
Learning objective
Relate the issues of data integrity, security, and integration as they apply to IS planning.
(Level 2)
Required reading
Chapter 6, Databases and Information Management
Module scenario: Tell me what I want to hear
Tuesday afternoon, when you return from lunch, the controller is waiting in your office. You exchange
pleasantries. Look, she says. I need your help understanding something. If we were to integrate a
competitive division, could we not just hook our systems together or pull their data into ours? There is not a lot
of margin in this purchase so we cant afford to waste everything on making systems work. Well, you say
after removing your coat, do you know what software theyre using? I dont know, replies the controller,
but they have a server room that looks like ours. You dont like your department being portrayed as the bad
guy when there is no information available for you to make an assessment. More time and study are needed.
You need to know what software they use, what database management system, the structure of the data, how
data are used, updated, and maintained, and many other questions. And you need this information to help the
finance department understand how complex their simple question may be. J enny, you say after a moments
quiet, I cant answer your question right now, but what I will do is write down the things you need to find out
for me so I can better understand what they have. Then we can talk about the tasks I will have to do to
ensure data compatibility, and how we may be able to converge our systems, if at all. Fair?
LEVEL 2
So far, you have learned about the hardware and software components of an information system and the
issues involved in planning for these components. This topic turns to the data and information within the
system and considers the planning issues with respect to data management.
Data
Chapter 6 in the textbook reviews the nature of data and the advantages of database management systems
(DBMSs) for providing good access to data. These notes focus on the management of information and data
beyond the basics.
Information is the lifeblood of organizations. Without information, managers are unable to review the
performance of their organizations or make decisions about what to do in the future. Data give value to our
inventory, and meaning to our decisions. Of course, information does not have to be computerized, and
managers may have enough information in their memories or in paper records to make these decisions without
using computer-based tools; however, the size of most organizations soon outstrips the human capacity to
integrate and manage data.
IS planning is not just about what systems to build or buy and which hardware configuration to install. At the
heart of an information system is data. IS plans that do not recognize the specific challenges of data
management data integrity, data security, and data integration are likely to omit important aspects of the
IS management task.
Data integrity
Course Schedule Course Modules Review and Practice Exam Preparation Resources
To be useful to organizations, the information in computer-based systems must be:
Presented in a meaningful format
Available to the people who will need it
At the appropriate level of detail for the decision at hand
On whichever device they have available
Correct (most importantly)
This is what is meant by data integrity. When data can be used in many formats, and many functions can be
performed with the data in such a way that the characteristics (type, size, usage, metadata, ownership) are
maintained, then you have data integrity. Its not just about information being correct; for IS it is more a
forensic challenge to prove the soundness of the collection, storage, and relatedness of the data that become
information.
Challenges in data integrity
Hundreds of thousands of transactions are processed every day by companies using computer systems. Even if
people are accurate 99.9% of the time, 100 errors are introduced into the system in each 100,000
transactions. Most of us can recall incidents where data in computer systems was incorrect. Perhaps it was a
grade recorded incorrectly in a professor's grading system. Perhaps it was a company who spelled your name
wrong or had the wrong address. All of these errors cause problems for organizations. They are costly to find
and correct, and more costly (in terms of customer goodwill) to ignore. An extra zero in an inventory count
could have dramatic effects on value, scheduling, and purchasing, and could be material to the financial
statements: 100 errors could be anywhere.
The problem has gotten worse with the advent of Internet commerce. Can you guess the most common name
in website registration databases? J ohn Smith, perhaps? Actually, the most common name is Mickey Mouse.
Web users who don't want to provide personal information frequently make up information to fill in required
fields. This kind of data can cause significant problems. For example, suppose you want to sell advertising
space on your website. One of the things you would need to tell prospective advertisers is the number of
regular users of your site. If you use data that have not been properly cleaned up, you are overselling your
product. While you may want to report a larger number of users, you do not want to be accused of providing
fraudulent information, and you want to have enough credibility with buyers that they will want to do business
with you.
Even when giving accurate information, customers may give different variations at different times. Pat McGinnis
may be P. McGinnis, P Mc Ginnis (with a space), Patricia McGinnis, P.R. McGinnis, and so on. If you cannot
address these issues, you will have incomplete and conflicting information about your customers that may
result in poor customer service and, ultimately, loss of business.
It is tempting to think about technological solutions to this problem. For example, you can build software to
look at similar names and merge those listed at the same address, reasoning that they are likely to be the
same person. However, what do you do about people who are named for their parent and still live at home?
The answer is you look for other characteristics to distinguish them (for example, age information), but this
only works if customers are willing to provide this information.
Even with internal corporate information, such as inventory, there are errors. A shipment may be ordered but
never picked up. If the inventory system records the reduction in inventory at the time of order, it will appear
as if the inventory on-hand is less than it actually is. Or inventory may be lost or damaged, but not removed
from the database, resulting in an overstatement of available inventory.
Maintaining data integrity is challenging and costly. Technological solutions (such as the program to locate
duplicate records) are not sufficient to address the problem. The more we rely on computer-based systems to
support our organizations, the greater the problem of data integrity becomes both because there is more
data to control and because its importance to us to be correct is greater.
Data security
While data integrity ensures that the data we record and use are accurate, data security is concerned with
protecting the confidentiality of the data. Organizations that store detailed information about their clients
(especially sensitive information such as salary, debt, and medical information) have a responsibility to protect
the privacy of these clients by ensuring that the data are not released outside of the authority given by the
customer.
For example, if you provide your bank with information about your current debt, the bank needs to ensure that
this information is not released to other customers, other organizations (other than credit bureaus or other
organizations to which you authorize the bank to grant information), or to employees whose job does not
require the information. Similarly, organizations need to protect the information they maintain about their
employees, their suppliers, and any other stakeholder about whom they maintain information.
Cloud computing, and the storage of sensitive company information, will be seen as a test for both the Internet
and browser security. In 2009, Gartner predicted an increase in security spending for IS that includes security
information and event management (SIEM), e-mail security, URL filtering, and user provisioning.
1
Although
these areas are not directly cloud related, they do show a trend towards data protection. By 2015, Gartner
predicts that 10% of overall IT security enterprise product capabilities will be delivered in the cloud : Growth
rates for cloud-based security services are set to overtake those of traditional on-premises.
2
Customer privacy
Customer privacy issues have become increasingly important in recent years, as more people transact business
over the web and more customer information is stored electronically. Many times a year, the media reports the
inadvertent disclosure of customer information from some organization. In 2007, TJ X Corporation announced a
security breach that had involved more than 3 million customers credit card information. Lawsuits from
financial institutions were unresolved as of March 2008. Also, in December 2010, the popular technology group
Gawker announced that the source code to its website had been compromised, and that passwords were
obtained. In total, 1.3 million commenter accounts were taken, and over 50% of them were cracked. Gawker
media issued apologies, suggesting that users change any web accounts they have using the same passwords.
On February, 1, 2013, Wired.com reported that social media giant Twitter had been hacked, affecting as many
as 250,000 users.
Such reports are damaging to the trust that organizations seek to build with customers and can be harmful to
the individuals whose information is released. This harm may be to the individual's reputation, livelihood, or
even physical safety.
For example, suppose a pharmacy inadvertently releases the names of individuals who take prescription
medication for depression or another mental illness. Such information will, at a minimum, be a source of
embarrassment to the individual, but might also result in the loss of employment. How would you feel to learn
your child's kindergarten teacher or your physician was taking medication for severe depression? How would
others react?
In Canada, privacy of personal information (including customer information) is governed by two statutes the
Privacy Act, which regulates government agencies, and the Personal Information Protection and Electronic
Documents Act (PIPEDA), which governs the collection and use of personal information by organizations.
PIPEDA sets the standard by which the protection of customer information will be assessed. Effective J anuary
2004, all companies in Canada are governed by PIPEDA.
At the heart of PIPEDA are 10 fair information principles that govern the rules with which organizations must
comply. Broadly, the Act requires that Organizations covered by the Act must obtain an individuals consent
when they collect, use or disclose the individual's personal information. The individual has a right to access
personal information held by an organization and to challenge its accuracy, if need be. Personal information
can only be used for the purposes for which it was collected. If an organization is going to use it for another
purpose, consent must be obtained again. Individuals should also be assured that their information will be
protected by specific safeguards, including measures such as locked cabinets, computer passwords or
encryption.
3
As Web users, the guidelines of PIPEDA apply every time we enter personal information into a Web form for
the purpose of obtaining information, trial software, documents, and so on. In daily use, this means that a
Canada-based website must comply, as described in the scrolling agreement window and box that we all check
as read (without reading), so that we can get the goods that the site is offering in exchange for our personal
information.
In addition to PIPEDA, it is worth noting many provinces have provincial-privacy legislation that applies to
provincial-government agencies. Some examples of provincial privacy legislation are outlined on the
PrivacyInfo.ca website.
Activity 2.3-1: Privacy quiz
Review the 10 fair-information principles on the Privacy Commissioner of Canada website, and take the privacy
quiz.
Since the collection, storage, and use of personal information involves information systems in most
organizations, the introduction of PIPEDA has important implications for information systems. Organizations
need to ensure that the data collected and maintained in their systems are consistent with the fair information
principles and that organizational processes comply with the Act. This applies to both existing systems, which
may require modification, and to new systems, for which the design will have to reflect the new rules. Also,
some organizations have internal policies to collect information about their employees, which raises issues
around privacy and data security. Topic 9.5 deals further with the challenges of privacy and other ethical
implications of information systems.
Discussion Topic
A local automotive parts supply company has decided to go global with its products. As a result it will be
dealing with suppliers and customers in many different countries and languages. With a culturally diverse
workforce already within the company, senior management asks HR to create an employee survey to collect
which languages its employees speak fluently. Management intends to use this information to help the
company branch into global markets. Once collected, the data will be entered in the employees profile, and will
be accessible only to senior managers.
1. Is this a legitimate request by senior management? Why or why not?
2. Should employees be allowed to opt-in or opt-out of the collection process?
3. Under PIPEDA guidelines, is the company breaching employee privacy?
Data integration
It is often argued that the power of computers and networks derives at least in part from the ability to pool
data from different sources, thus building more complex views of organizations or people. For example,
enterprise systems are highly valued, in part, for their ability to quickly produce financial statements for large
organizations by combining data from disparate divisions far more quickly than was possible before their
adoption. Customer data warehouses are most valuable when they combine basic customer demographic
information with purchase behaviour, or Web surfing behaviour. Many companies track your click patterns
through their websites (and to and from their websites) and link these patterns with your registration. It allows
them to customize the sites to your taste.
For example, if you frequent the online bookstore Amazon.com and always go looking for information on
mystery novels, the site will begin to put new release information about mysteries on the home page whenever
you log in. This is, in theory, useful to you because it provides you with what you want most. But it is also
beneficial to the organization, which hopes to sell more books that way.
Challenges in data integration
In many organizations, data integration is the number one challenge for information systems. Legacy software,
still in use and still valuable, needs to be integrated to newer enterprise systems, but offers no easy
programming means to do this. Often the database, structure, and format of the data are incompatible with
more current systems. Middleware applications can be purchased or built to solve the issue; however, this
increases the complexity of the architecture and creates another potential area of failure. Furthermore, there is
the issue of integrating front-end systems like web servers with back-end enterprise systems which in
todays environment often refers to systems decentralized, dispersed, and housed outside the direct control of
traditional IS departments.
The idea behind data integration, then, is simple and powerful. Yet the reality remains difficult and costly to
achieve. In large organizations, especially those that are geographically dispersed or those where growth has
been through acquisition, the biggest challenge is the lack of commonly accepted definitions of data elements.
For example, a data field such as "sales" could mean either gross or net sales, and, if neither is specified, you
simply would not know. If two applications were developed at different points in time, in different languages,
by different developers, they could easily have adopted different meanings for the term sales, and integration
would not be so simple.
And the famous CIO piece on Nestls aborted first attempt to leverage SAP (Nestls ERP Odyssey, CIO
Magazine, May 15, 2002) wherein it was revealed that the multinational conglomerate had 29 different price
quotes for vanilla, all from the same vendor but referenced by different codes in different systems at different
locations.
Similarly, a part number might be a five-digit alphanumeric code in one plant, but a 27-digit numeric code in
another. Here the integration problem is not that the same field refers to different things, because in both
cases it refers to a part number. But in any programs that use these codes, error-checking routines are
necessary to protect the data integrity. The rules for error-checking will be quite different though, and
integrating the data from these two systems will require much more complex programming to provide adequate
error correction.
The main challenge here is one of scale. It is conceptually simple to look at these examples and see solutions
for fixing them. But in most organizations, there are thousands (or even hundreds of thousands) of data
elements and hundreds of thousands of records described using these elements. Dealing with the problems of
integration is much harder than it looks. For example, some organizations simply do not bother to bring their
legacy data forward when they make major changes to enterprise systems. The costs of converting and
integrating all of the existing data and then of ensuring its integrity outweighs the benefits of having it.
So, minimal data are brought forward, and programs are written to provide access to the old data on an as-
needed basis. In these cases, data integration is something that happens after the fact, often in supporting
applications such as Excel, Access, or Crystal Reports.
Ethics and data integration
Information contained in separate databases may be useful but non-identifying. Database integration can raise
privacy concerns. This is an issue frequently encountered in research contexts. For instance, a hospital might
provide non-identifying patient information to health researchers, but if one of the researchers is a clinician
with access to identifying information in a patient database, the clinician can link the information, thereby
raising privacy concerns.
Similarly, customers might provide seemingly non-identifying information to a survey company, not realizing
third parties can easily link this to identifying information through publicly available databases. Should the
company have warned customers of the potential breach of privacy? An interesting example is Statistics
Canada, which takes very seriously its role as a reliable data custodian.
Databases are no longer centrally located. And their content has changed from clearly identifiable, single
content data elements (such as name, address, and phone) to more open text-based repositories. Big data
offers a view of internal and external data sets connected to solve problems, but the underlying issue of
integration remains, no matter how big the data is. From an ethical perspective, issues around who owns your
online data are beginning to come to the forefront. On February 7, 2013, a U.S. court declared that photos of
the aftermath of the 2010 Haitian earthquake that were posted on Twitter remain the property of the
photographer and not Twitter.
4
Improving data integrity, security, and integration
If data integrity, data security, and data integration are important, what can you do about these issues? How
do you plan for them? Are new resources available to address these recurring problems?
A number of approaches, both technological and human, can be used to improve data quality and usefulness.
Technological solutions
IT security, which includes data security, is covered in detail in Module 9. Again, in IT security, a combination
of technological (passwords and system privileges) and human (training and education) approaches are needed
to ensure that private data are not accessed by unauthorized individuals.
IS design has an enormous impact on data integrity and integration. The textbook reviews the file-oriented
approach to IS, where data are not integrated across applications. This approach is one of the chief culprits of
poor data integrity because the lack of integration across applications means that the same information is
stored in multiple places (uncontrolled data redundancy) and needs to be updated in multiple places. Moving
toward more integrated views of organizational data and using a database management system to create more
integrated systems will help immensely.
Chapter 5, section 5.4 in the textbook deals with contemporary software platform trends. An important trend
for dealing with data inconsistencies is XML, which is discussed under the subheading Web Services and
Service-Oriented Architecture. As a method of data integration, XML shows great promise but requires a more
novel approach to process integration through SOA (service-oriented architecture), which uses Web services to
build solutions across platforms.
Another technological approach has to do with the design of user-input programs. Consider the example of
names that are entered differently at different points in time. If data-entry programs are designed to look up
existing records for matches to the newly entered record (perhaps matching on surname, street address, and
gender, or some similar combination of elements), the user can be prompted to confirm whether the new
record truly is new or whether it is a duplicate.
Human solutions
Technological solutions, while helpful, are only part of the picture. It is impossible, for example, to anticipate all
of the possible mistakes that users can make in data entry or all of the ways that customer information can be
presented. Human solutions, mostly involving training and education, are an essential part of any plan to
improve data quality. Educating users about the importance of data quality, and the meaning of data quality, is
an essential first step. Getting users, especially knowledge workers, to recognize the potential of integrated
information and to cease hoarding information is also important to improving data integration. Finally, training
in how to use applications and how to maintain integrity of data are also critical factors. Many organizations
often neglect the training and education components of a well-designed IS plan. Large multi-million dollar
implementations have failed in part due to the lack of technical training of staff, resulting in their inability to
adapt to a new system. One such public example is Lumber Liquidators. You can read an analysis of its story.
1
Gartner Survey Shows Security Software and Services Budgets to Increase 4 Per Cent in 2010, accessed
May 29, 2013. http://www.gartner.com/newsroom/id/1167612
2
Gartner Predicts Cloud as a Delivery Model to Shape Buying and Prioritization of Security, accessed Feb 13,
2013. http://www.gartner.com/newsroom/id/2311015
3
Privacy Commissioner of Canada, Your Privacy Responsibilities: A Guide for Businesses and Organizations to
Canadas Personal Information Protection and Electronic Documents Act. Accessed December 29, 2010.
4
Lexology.com, Its my moment, not yours U.S. Court decision clarifies who owns photos on Twitter.
Accessed February 13, 2013. http://www.lexology.com/library/detail.aspx?g=99b227f9-b432-43a1-8c73-
ba15083c52d7
2.4 IS economics
Learning objectives
Assess the business value of an information system from a financial perspective. (Level 1)
Identify the four elements that make up the total cost of ownership of IS, and defend the
importance of considering non-capital costs when evaluating IS acquisitions. (Level 2)
Relate the relevance of Moore's Law and Metcalfe's Law to IS management. (Level 2)
Required reading
Chapter 10, Section 10.4, Establishing the Business Value of Information Systems
Chapter 5, Section 5.1, IT Infrastructure (subsection on Technology Drivers of Infrastructure
Evolution)
LEVEL 1
Information systems add value to organizations in multiple ways. As you learned in Module 1, organizations
can use information systems to reduce costs, differentiate their products or services, lock in suppliers or
customers, create new products or services, and create and sustain alliances with other organizations. IS
investments can support the various elements on an organization's value chain, and the links between value
chain activities.
IS investments are by their nature different than other business investments, and sometimes more difficult to
quantify. One criticism is that IS investments are open-ended. Also, many IS investments are not readily
noticeable by the users of IS. An investment in data security offers no tangible benefit to the user community,
but helps ensure data integrity both in structure and reporting. And many users have a limited knowledge of
what IS is and what it can do for them, adding to the difficulty of delivering meaningful solutions when users
themselves struggle to articulate their needs.
Regardless, investment in IS must be categorized in terms of cost reduction, increased income, benefits
directly to the structure of IS, or quality improvements such as customer satisfaction. This is the first step in
assessing value.
Business value and valuation
Although it is clear that information systems add value to organizations through their many applications, this
course has not yet looked at how much the systems are worth. It is challenging to assess the business value of
IS from a financial perspective. However, given the rates of spending that are necessary to sustain a sound
and flexible IS infrastructure and the difficulties firms have in realizing the benefits of their IS investments, it is
essential to consider this perspective.
Section 10.4 outlines the different financial approaches to evaluating IS investments. All are variants of a cost-
benefit analysis, where you begin by determining the costs associated with a particular IS and then determine
the benefits against which these costs are compared. Payback methods, return-on-investment (ROI) and net-
present-value (NPV) calculations, cost-benefit analysis, profitability indexes, and internal rates of return are all
techniques that can be used to compare benefits realized from an IS investment to the costs in relation to
the benefits projected from other kinds of investments. You may be familiar with these approaches from
previous finance and accounting courses.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Value of intangible benefits
For the sake of historical comparison, Table 10-3 (page 326) provides a useful list of the different cost and
benefit items to consider in making an IS investment. The challenge comes in considering the value of the
intangible benefits. It is one thing to evaluate a system that is designed to reduce direct costs. For example,
Dirt Bikes Canada management believed that after valuing the benefits of a new employee skill tracking system,
there would be a savings of two hours of HR staff time per week, which could translate into headcount
reduction or hiring avoidance, and that recruiting costs would decrease by $11,000 annually. But not all
systems have cost reduction or avoidance as their goal. What about an organization whose fundamental
problem is the lack of timely information for management decision-making?
In many organizations, there is a patchwork of unconnected information systems that have proliferated over
time, making the creation of integrated financial statements tedious and time consuming, and making real-time
progress tracking impossible. What is the value of more timely information? Given a need to react to changing
markets and respond to customer demands, the value of timeliness might be seen in higher sales or in lower
costs of servicing unhappy customers (or both). But by how much would sales increase? How confident do you
think you would be in predicting such a figure with the kind of precision that capital budgeting requires?
Although the assessment of intangible benefits is difficult, there are a variety of tools that you can use to
facilitate this activity. Often such tools involve analyzing specific decisions and scenarios to see how the
intangible benefit might be connected to other, more tangible outcomes. For example, employee satisfaction
(which might be improved by introducing a new system to replace an unpleasant task or a cumbersome
process) has been shown to be related to outcomes such as absenteeism, turnover, and productivity. The costs
of absenteeism can typically be estimated by a firm, as can the costs of turnover and productivity. Thus, to the
extent that improved employee satisfaction results in lower absenteeism and turnover, or higher productivity, it
will result in a reduction of costs to the firm. However, converting intangible to tangle benefits for the sake of
calculating value is not as simple as it may seem.
Two challenges remain: The first is measuring the amount of improvement in satisfaction that will occur.
Gathering data from employees about their current level of satisfaction and how they perceive it would change
with a new system would be one way to get at least some sense of the likely influence. The second challenge
is measuring the changes in absenteeism, turnover, and productivity that are likely to result from the expected
change in satisfaction. Again, data will be needed to support this estimate. Some companies conduct exit
interviews with employees who quit, and such interviews might give a clue as to the amount of turnover that is
related to the process in question. Absenteeism rates (or turnover) could be compared between employee
groups that are affected by the unpleasant task and those that are not; if the task is the driver of absenteeism
or turnover, then you might expect rates to become more similar after the change.
Example 2.4-1: Job satisfaction and productivity
How would you estimate the influence of this improved satisfaction on productivity? What kinds of data could
you use to draw your conclusions? What challenges would you foresee?
If the organization, like some, collects information on employee satisfaction, then such information could be
related to organizational performance data. However, it is unlikely that this depth of information would exist in
most companies. Other things you could do include the following:
Do a comparison between groups who are affected and groups who are unaffected by the
unpleasant task. You would need to find groups where the work tasks are sufficiently similar in
order to make a comparison of productivity meaningful.
Compare the current situation to some prior point in history when the situation was different (if
the data exist to do so).
Guess. This is, of course, what many organizations do. The secret to effective guessing is to have
multiple people involved in determining whether the guess looks reasonable, and to conduct
sufficient sensitivity analysis to see how differences in the estimate would influence the outcome
of the system. For example, if the only way a system is valuable is if it triples productivity due to
increased employee satisfaction, then it is unlikely to be valuable. But if a 5 or 10% increase in
productivity would make the system worthwhile, then that seems more reasonable. In
organizations, where you use the special talents of people to help solve problems, Six Sigma
black belts are trained in statistical analysis and could be a valuable resource in testing the
sensitivity of various options.
Influence of IS
The second challenge stems from the role of IS as an enabler of organizational objectives. As noted in Module
1, IT alone is unlikely to be a source of sustainable competitive advantage, since it is not typically rare or
inimitable. This is particularly true as we move toward more purchased (rather than custom-developed) IS
solutions and hosted solutions, which are even less customizable. The advantage comes from what you do with
the systems and technology that you have. As such, the influence of IS on benefits is somewhat indirect, and
simply part of the day-to-day functioning of a business.
Consider, for example, benefits such as improved decision making and increased organizational learning. By
providing timely access to relevant information for decision-making, IS can provide stronger support for making
decisions and provide the opportunity to learn from past activities. But whether this opportunity actually results
in better decision-making (which, like all intangibles, needs to be made tangible for valuing) or learning
depends on the ability of the people involved to use the information in these ways. This is why the training and
education of employees is so important. Employees bring their own particular skills to the organization, which
must be combined and tempered with the goals of the business to maximize opportunities. Asking for the right
information, and being able to interpret it, are issues where IS can assist an organization and its people.
As such, it is important to recognize the limits of financial models for assessing IS value and to work with these
models within their limits to build at least partial pictures that will better inform IS decision making. Otherwise,
IS managers end up making large financial requests with little more than "trust me" as the justification. As you
will see in Module 3, past experience with IS projects does not exactly engender this level of trust.
LEVEL 2
IS costs
Table 10-3 (page 326) identifies IS costs, which consist of hardware, telecommunications, software, services,
and personnel. The first three are relatively straightforward, but the last two are more problematic and often
underestimated. The Gartner Group, a world-renowned research firm focusing on the management of IS, was
among the first to recognize the more hidden costs of IS. In 1987, Bill Kirwin, a Gartner analyst, developed the
"total cost of ownership (TCO)" model to assess the true costs of computers, and to use as a measure of that
cost, to be reduced over time. In 1996, Gartner computed that the total cost of owning a personal computer
was about $13,000 per year, or about five times the cost of purchasing the equipment! In 2008, and again in
2011, Gartner updated its TCO model to current specifications, revising the model to separate managed and
unmanaged installations.
The cost breakdown from the 2011 update is shown in Exhibit 2.4-1.
Exhibit 2.4-1:
Source: Desktop Total Cost of Ownership: 2011 Update, November 16, 2010. For a more detailed discussion of
Gartners TCO strategy, follow the source link above.
Providing technical support to users, including training and administering systems (for example, assigning
passwords, tracking inventory, and so on), were also significant costs that had to be considered. But the most
surprising finding was that nearly half the cost of PC ownership in unmanaged desktop installations was hidden
in end-user costs, which included items such as training, fixing, and downtime issues. Downtime issues could
be further broken down to secondary elements such as end-user salaries.
The total cost of ownership of a PC today is lower than it was in both 1996 and 2008. Locked and well-
managed systems (those where IT prevents users tampering with the setup) provide the lowest TCO. Gartner
reports that TCO continues to decline gradually: 0.7% to 3% depending on the scenario over 2008 numbers.
The basic ideas behind the TCO model remain important : hardware and software are not the main costs
associated with owning and operating IT.
End-user costs
The end-user costs of IT are a source of great concern to management. In particular, the notion of the non-
work time spent by users with their PCs is something most managers wish they could better control. If a typical
user spends, for example, 10% of the day playing on the computer, then theoretically, if we can control that
time, we could improve productivity by 10% across the board. The assumption behind this thinking is that the
unproductive time would be turned into work-related activities and would not be replaced by equally
unproductive activities such as chatting by the water cooler or making personal telephone calls. While some
time may be re-channelled into productive work, it seems unlikely that employees will ever spend 100% of
their time at work focused solely on work (and they are unlikely to spend 100% of their time at home focused
solely on non-work activities).
As a manager, you can address this problem by developing policies on what you consider to be a reasonable
amount of personal use and communicating your expectations to employees. But remember, the notion of what
is reasonable is likely to be perceived differently by different people, and trying to enforce standards that are
perceived as unreasonable will create a backlash. You can also create technological solutions, like removing
game software from machines and limiting access to websites with games (although many employees will be
able to circumvent such mechanisms). Clearly communicating expectations, and the reasons for those
expectations, will still be necessary.
Situational ethics
The logistics manager has approached you about three of his employees. They work the night shift, from 11
p.m. to 7 a.m., and he has noticed a steady decrease in the amount of work they produce. He has shown up
unannounced twice, just to see that everything is running fine. He has not witnessed anything out of the
ordinary. He knows you have software that restricts viewing certain websites, and that the software also can
be used to track the browsing habits of users (spyware). He wants you to track the Web usage of his three
employees so that he can better see what they are doing through the night when they are not working. He will
use this information to discipline or replace them if necessary.
As the IS manager, and through the governance of HR, how should you ethically approach this request? Do
you foresee any negative consequences to his request? Is there another way to address his concern?
Moores Law
You were introduced to the concept of Moores Law in Module 1. Moores Law shows how rapidly prices decline
in computer hardware, in comparison to the steady increase in power/function. Thus, it relates to the
economics of IT. If the power of a computer doubles every 18 months for the same price, then what does this
mean to the cost of technology?
Moores Law is one of the key drivers behind the problem of evergreening PCs, and one of the key drivers for
IT change in general. With more computing power available for lower cost every day, the possibilities for what
can be automated are virtually limitless at least from a purely technological perspective. Moreover, it drives
the demand for regular upgrades of hardware and software, as users see ever more powerful equipment
available and as new software versions demand more of the equipment.
However, the desktop as the standard of web-based computing is quickly giving way to mobility. Gartner
predicted that by 2013, mobile phones would overtake desktops as the most common web access device.
1
Though this has yet to be proven, significant growth in this new channel not only affects IS planning, but it will
also affect Moores Law. If consumer connectivity through mobile devices surpasses that through PC-based
computing, then the need for evergreening may diminish, or simply switch platforms.
Impact of Moore's Law on computing prices
Two graphs, developed by the National Science Board, show the impact of Moore's Law on computing prices.
Exhibit 2.4-2 shows the cost per gigabyte of stored information, which has decreased by a factor of
approximately 2,000 between 1988 and 2002.
Exhibit 2.4-2
In a blog by Matthew Komorowski, a mathematician and software engineer, the history of storage prices has
been detailed to show the steady decline through 2010, as predicted by Moores Law. Exhibit 2.4-3 shows the
greatest concentration of storage size/price occurs through the mid-1990s to the early 2000s in line with the
rise of the Internet and e-commerce.
Exhibit 2.4-3
Source: mkomo.com, personal blog, A History of Storage Cost, accessed on May 29, 2013.
http://www.mkomo.com/cost-per-gigabyte
Exhibit 2.4-4 shows the cost of computers themselves, with a similar rate of decline. The graphs use a
logarithmic scale and show the decline as a straight line, when in fact it is an exponential decrease.
Exhibit 2.4-4
However, in a Wall Street J ournal study conducted in 2010,
2
a similar decline in PC prices was charted, except
for an increase in 2010. The increase does not debunk Moores Law; instead, the article attributes the increase
to the willingness of consumers to pay more money for higher-end models.
These examples of declining computing prices are meant to highlight the impact of advancing technology on
pricing. To fully understand the economics of IT requires an understanding of Moores Law and its impacts on
the technology environment.
Metcalfe's Law
One final law relates to the economics of IT Metcalfe's Law. Robert Metcalfe, founder of 3Com Corporation,
stated that the usefulness, or utility, of a network equals the square of the number of users.
The idea here is a simple one. Consider the prospect of having the first and only telephone. What value would
it have to you? Perhaps there would be some symbolic value associated with having something nobody else
had, but in terms of functional utility or being able to do anything with it having the only telephone would
be pretty useless. Having one of two telephones is more useful. At least you have one other person with whom
you can communicate. But having one of one million telephones is even more useful as it increases the
chances that you can communicate with anyone using the device, including telemarketers during the dinner
hour. By now you should realize that nothing is simple within IS.
This mass adoption is the essence of Metcalfes Law. Networks in business organizations are meant to
interconnect people and computers, to enable communication and integration of value-producing activities. The
more people who are part of the network, the higher the potential for integration and communication and the
greater the value of the network. For example, the value of a Facebook, Twitter, or Linked In network is
directly attributable to the number of users registered and using the service. The more users, the more
benefits on two fronts: first, easier communication with friends because they are all on a shared, networked
service (Facebook), and second, the greater the potential advertising revenue for Facebook because of the
number of active users.
Metcalfes Law also demonstrates why the most popular technology can be more beneficial than the best
technology. Throughout the history of modern technology there are instances where a technologically superior
alternative was beaten out by its inferior rival for example, Betamax lost to VHS video cassette recorders,
and Macintosh computers gained only a fraction of the market share of Windows-based PCs. In most cases,
the winning alternative was able to capture market share more quickly and establish a critical mass of users.
Having created these networks of users, the options for related products (in the two examples of videotapes
and software) are greater with the more widely adopted technology, and this becomes a self-reinforcing
phenomenon. A contrary example is Blu-ray versus HD -DVD, where the superior technology did win out, but
once again the battle was ultimately won or lost on the basis of market support rather than technology.
Network effects in IS decision making
There are several other reasons why network effects are so powerful in IS decision making:
You dont want to be out of step with competitors.
There is a risk associated with being out there on your own, and it is often safer to stick with
what everybody else is doing (even though that goes against principles of differentiation).
Think about the prospect of a bank deciding to deploy a system to allow customers to access
their account information. Even if the bank could do a better job of adding value to the system
by developing a proprietary network, perhaps using the electrical power grid as the data
transmission medium, the fact that everybody else can support Internet transactions is a pretty
compelling reason to use that approach. How would the bank convince its customers to use this
new network? How would consumers hook into the network? Would they require different
network connections for their online banking and their online bill presentment?
Similarly, you don't want a proprietary technology to lock you out of markets or opportunities.
Being stuck with a technology developed only for you, and one that is not compatible with other
systems (for example, that of your customers and suppliers), creates the risk that you will not be
able to adapt to new opportunities as quickly as those who have adopted more widely known and
used systems.
Finally, if you have a different technology, you may find it difficult to get support.
IT professionals tend to gravitate toward the most widely accepted (and thus marketable)
technologies when developing their skills. So if you adopt a niche technology it may be difficult
(and expensive) to find the qualified people you need to support your operations.
Metcalfes Law is one of the reasons why Netscape gave away copies of its browser and why Microsoft fought
to have its browser included in the Windows operating system. By getting the browser onto more desktops, the
vendors hoped to create networks of committed users and to become the de facto standard for products in the
browser class. This would then drive sales of server-side products and generate substantial revenues. Microsoft
was right.
1
Gartner Highlights Key Predictions for IT Organizations and Users in 2010 and Beyond, Gartner Newsroom,
accessed 15 J uly 2011. http://www.gartner.com/it/page.jsp?id=1278413.
2
Ben Worthen, Rising Computer Prices Buck the Trend, The Wall Street J ournal, December 13, 2010,
accessed April 9, 2013: http://online.wsj.com/article/SB10001424052748704681804576017883787191962.html
2.5 Developing an IS strategic plan
Learning objectives
Evaluate the issues associated with IS planning and developing an IS strategic plan. (Level 1)
Compare the scenario planning approach to more traditional approaches of structuring the
planning process. (Level 1)
Required reading
Reading 2-2: Strategic Planning Donts (and Dos)
Review Chapter 10, Section 10.3, Selecting Projects
LEVEL 1
The issues associated with IS planning can be broadly grouped as five questions:
Why do it?
What is the content of the plan?
Who is involved?
How is planning done?
When is planning done?
Module 1 presented the strategic motivations for IS planning and the business context in which IS planning
must take place, which answers the first question. The content of the plan was discussed in Topic 2.1, which
answers the second question. Here you will examine the planning process, which addresses the final three
questions.
Who needs to be involved?
IS planning needs to involve a range of stakeholders from around the firm, including IS staff, users, and
managers. In some cases, IS planning may also include consultation with customers, suppliers, and other
external stakeholders. Depending on the governance model, different levels of involvement will occur for
different units regarding different decisions. Departmental needs can best be articulated by people from within
those departments. Users and managers from finance to production to marketing need to be consulted, and
their input must be included in the planning process. This consultation may be formal or informal and focused
at one point in time or ongoing. A combination is likely the most effective. Informal, ongoing relationships allow
for easier communication, but formal and more intense consultations may bring to the surface issues that
would otherwise get lost in the minutiae of day-to-day conversation.
Senior management
Senior management plays a role in the planning process by providing broad strategic direction and support to
the planning effort. Planning for the future takes time away from the pressures of current work. Therefore,
without senior management commitment to the planning process, it is likely that insufficient attention will be
given to the process often by the most important stakeholders. A primary tenet of project management
success is to obtain senior management support. It is no different with IS planning.
Financial management
Financial management plays at least two roles in this process. First, the finance team is an important consumer
Course Schedule Course Modules Review and Practice Exam Preparation Resources
of IS products and services. Financial managers also play a role in determining the costs and likely benefits of
an IS opportunity, and identifying where the funds to undertake different projects will be found.
Senior IS management
Senior IS management, along with senior business leadership, must take the lead in this planning process.
Other IS staff may be involved as facilitators of the process, gathering information (working with departmental
management and users to determine priorities), researching new technologies and their potential applications,
and preparing cost-benefit analyses (with help from the financial team and the departmental representatives)
for different proposals. It is important that all IS staff have a role in planning. This helps with department buy-
in when the approved plan is presented to the staff, because the whole department feels included in the
process.
How is planning done?
Various tools and methodologies are used to structure the planning process. Two techniques are outlined in the
textbook: portfolio analysis and strategic analysis (or critical success factors). Both approaches are useful in
organizations. The combination of a top-down (strategic analysis) and risk/benefit evaluation of IS projects
results in complementary information that may yield superior plans by highlighting any strategic disconnects
within the company. To focus on one or the other risks missing important opportunities.
Strategic analysis
Strategic analysis, using critical success factors, takes a top-down approach. Using tools such as Porters five
forces model or the value chain, managers determine the most important processes in the organization and the
opportunities to use IS to support these processes. They then become the priorities for systems development.
Strategic analysis focuses directly on achieving alignment between IS and the business by bringing IS in line
with both the market and the organization.
Limitation of approaches
One limitation to both approaches is that they do not do well at addressing the potential for substantial change.
Both are focused on the present, particularly portfolio analysis where all that can be assessed are the current
projects and current costs. While the strategic analysis perspective aims to look forward, most managers find it
less than ideal when trying to foresee the importance of new developments and their implications for IS plans.
Flexibility and agility are expected from many plans today, and IS cannot afford to be too locked into any one
strategy at the expense of change. Although no organization wants a plan that changes every month, changes
to a business plan can happen quickly, and that speed must also be adopted by the IS plan.
The conflicting forces are consistency and flexibility. IS uses standards to mitigate risk, to streamline costs, and
to avoid variation all to provide a consistent user experience and a supportable IT environment. Standards
work, but often at the cost of flexibility. To remain flexible to change in IT, the department must use less
standard approaches, which increase the reaction time to change, but maintain a risky environment with much
variability.
Scenario planning
An alternative approach called scenario planning, involves looking at a small number of future possibilities and
examining their implications for the current IS plan. An organization called IDEO provides a website that
describes design thinking, an innovative scenario-planning approach across numerous industry sectors.
Scenario planning makes use of open creative thinking around the possibilities of future business, by
challenging assumptions that restrict thinking to the present. This is not an easy thing to do.
When is planning done?
As you learned in the first part of this module, timing in IS planning is not easy. Long-range planning is difficult
in times of great change. It is important to keep plans flexible and open to change as business and technology
realities shift.
IS planning occurs at multiple points in time, driven by the needs of strategic planning, budgeting, and specific
project requests. A clear IS strategy, articulated to define the broad goals of IS within the organization and
how they relate to business strategy, facilitates both regular annual planning and ad hoc planning by providing
a framework within which to make choices and trade-offs. This is a key concept to address with management.
The IS plan is a boat that has a restriction on how many passengers it can hold. Remove some, and you can
add others. You cannot keep adding passengers without sinking the boat. Through governance, management
must decide who stays on the boat now, and who has to wait until it returns to dock.
Long-range planning
Long-range planning would likely have cycles of three to five years, probably closer to three in most
organizations. In the long-range plan, the broad strategic emphasis is developed and large projects are
considered. For example, the Li & Fung Trading Company, a global sourcing company that supplies such retail
customers as Abercrombie and Fitch, The Limited, and American Eagle, maintains a rolling three-year strategic
plan that includes IT plans as a key part. This forces the company to focus on the broad strategic challenges
and to have a set of coherent goals that drive its operational activities.
Budgeting cycle
In most organizations, much of the tactical IS planning is conducted as part of the annual budgeting cycle. As
with other departments, the IS department must specify its financial needs for the coming year. This budgeting
cycle serves as a catalyst to focus on possible projects and milestones to achieve them. It also helps to
prioritize projects and spending over a relatively manageable cycle.
Further planning takes place on an ad hoc basis, as projects are proposed for consideration by various
stakeholders. New opportunities may emerge outside of the normal budgeting cycle. Mechanisms are put in
place to consider these opportunities as they emerge. This is often part of the role of an IS steering committee.
Not only does the steering committee protect the company by maintaining the focus on key projects, but it also
helps protect IS from appearing inflexible.
Module 2 self-test
1. Define a database and a database management system and describe how it solves the problems
of a traditional file environment.
Source: Kenneth C. Laudon, J ane P. Laudon, and Mary Elizabeth Brabston, Management
Information Systems: Managing the Digital Firm, Fifth Canadian Edition (Toronto: Pearson
Canada, 2011), page 195. Reproduced with permission from Pearson Canada.
Solution
2. Identify and describe the elements of the hierarchy of data.
Solution
3. Using Table 5.4, Total Cost of Ownership (TCO) Cost Components, from the textbook, calculate
your TCO for any computers you have at home. Use Excel and create a spreadsheet that you can
fill out.
Solution
4. You are working as a business risk analyst for a mid-sized payroll services company. Over the
past week you have attended several seminars on information systems planning portfolio
analysis, strategic analysis (or CSFs), and scenario analysis. The director of your department was
unable to attend these sessions and has asked you to prepare a memo summarizing what you
learned.
Required
Write a memo to Melodie Anderchuk, Director, Operations Management, in which you compare
and contrast the three approaches for information systems planning. Include in your memo a
description of how they are conducted, their strengths and weaknesses, and when you would
advocate using each.
Solution
5. Using the table below, identify which governance archetype exists in your organization. Is it a
good fit? Why or why not?
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Solution
6. Explain the concept of data integration and the challenges involved in ensuring it is achieved for
an organization.
Solution
7. Explain how legislation, industry self-regulation, and technology tools help protect the individual
privacy of Internet users.
Source: Kenneth C. Laudon, J ane P. Laudon, and Mary Elizabeth Brabston, Management
Information Systems: Managing the Digital Firm, Fifth Canadian Edition (Toronto: Pearson
Canada, 2011), page 124. Reproduced with permission from Pearson Canada.
Solution
Module 2 self-test solution
Question 1 solution
A database management system (DBMS) is software that permits an organization to create, store, centralize
data, manage it efficiently, and provide access to the stored data by application programs.
Some of the benefits of a DMBS are:
The value of an information system can be increased through the ability to link data files, and
provide real-time information.
Data redundancy and inconsistency can be reduced, increasing data integrity.
Data confusion can be eliminated through the commitment to one database.
Program-development and maintenance costs can be radically reduced.
Flexibility of information systems can be greatly enhanced.
Access and availability of information can be increased.
Allow for the centralized management of date, their use, and security.
Source: Adapted from Dale Foster, Instructors Manual to accompany Management Information Systems:
Managing the Digital Firm, Fifth Canadian edition, Pearson Canada, 2011, Chapter 6, pages 202-203.
Reproduced with the permission of Pearson Canada.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Module 2 self-test solution
Question 2 solution
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Module 2 self-test solution
Question 3 solution
This question requires you to think about all of the elements that make up TCO. The table shows an example
for a Mac user.
Components/items Cost
Hardware acquisition iMac $1,246.00
Software acquisition MS Office for Mac $199.95
Installation Nerds on site $100.00
Training N/A ???
Support Apple support $139.00
Maintenance ???
Infrastructure Back-up/network $400.00
Downtime ???
Space and Energy In a year $10.00
Total $2,094.95 + ???
The hardware and software costs, and the Apple support costs are relatively easy to estimate. They are likely
to be fairly accessible on company websites. But other costs are harder to estimate. How much is installation?
You may be able to find this directly from a company like "Nerds on Site" but you may have to guess. And
what about training, maintenance, and downtime? Macs are supposedly easy to use, but does that make their
costs zero? Likely not.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Module 2 self-test solution
Question 4 solution
MEMORANDUM
Date: May 6, 20XX
To: Melodie Anderchuk
Director, Operations Management
From: Pat Student
Business Risk Analyst
Subject: Summary of information systems planning seminars
As per our discussion, I have summarized the highlights of the three information systems planning seminars
that I attended last week. I have included a brief description of how each is conducted, their strengths and
weaknesses, and some thoughts on when each might be used.
Portfolio analysis
Portfolio analysis begins with a consideration of the organization in terms of the investment in IT projects, and
their risks and benefits to the organization. It is a cumulative planning method that involves scoring each of the
existing cost investments of IT (licenses, contracts, projects, consulting agreements, etc.) as to their cost and
potential risk/benefit. The key strength of this approach is that it results in better use of existing systems and
in more feasible solutions since it is rooted in closer alignment between IT and company goals. The main
weakness of this approach is that it requires constant attention to maintain the portfolio. Missing or out of date
information will weaken its effectiveness as both a planning and alignment tool.
Strategic analysis
Strategic analysis begins with a consideration of the external environment and the critical activities that the firm
must succeed at to survive in that environment (critical success factors, CSFs). It is a top-down approach that
involves a small number of senior managers who articulate the CSFs as they see them. These are then
aggregated and used as a basis to set IS priorities. Strategic analysis is very good at producing systems that
are tied to business strategy. However, its limitations include involving multiple stakeholders with different
views of the firm and producing ideas that are difficult to implement. This method is thus most useful when
there is a consistent strategy that needs to be leveraged/supported by technology and when there are not
multiple competing views.
Scenario planning
Scenario planning is the process of looking into the future at widely different scenarios that anticipate possible
business realities. The goal is to identify the fundamental assumptions or factors that will influence how the
business would operate under different conditions. Unlike the previous two methods, scenario planning
addresses the needs of planning in times of rapid change. Its weakness is that the specific scenarios identified
are probably unlikely to occur. If those involved do not understand the purpose of developing the scenarios (to
surface assumptions, constraints, and so on), this approach can create problems in implementation. Scenario
planning is most useful in situations of rapid and extensive change.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Module 2 self-test solution
Question 5 solution
Your answer will be partly dictated by the type of organization you work in. The key issue is whether it works
or not. For the most part, good governance is associated with whether or not people understand the process
for decision-making and get the support that is required to do their jobs.
Your answer should focus on one of the following governance styles and should describe it correctly:
1. Business monarchy Decisions are made by senior business leaders, such as the CEO.
2. IT monarchy Decisions are made by senior IT leaders such as the CIO.
3. Duopoly Decisions are made jointly by senior business and IT leaders.
4. Federal Decisions are made jointly by central business leaders along with business leaders from
the different areas of the firm, such as strategic business units or functional departments. IT may
or may not be represented in this model.
5. Feudal Decisions are made locally by each SBU or functional unit.
6. Anarchy Decisions are made in multiple locations, typically by individuals with little
accountability. This strategy is rarely seen, and unlikely to ever be considered as effective.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Module 2 self-test solution
Question 6 solution
Data integration refers to the ability of systems within an organization to share data and to aggregate it
without a lot of manual intervention. Enterprise systems have a high degree of data integration because they
are built on enterprise-wide data models that show the linkages between functions in terms of the data they
use. They are often modular, and integrate through a core set of rules and functions.
Because IS developments often arise from departmental requests, it is not unusual to see a firm with
unintegrated systems. This is also the case in firms that have grown by acquisition, where the acquired
companies have systems that have been maintained even after the merger.
Two examples of integration problems are given in the module one relating to different definitions of data,
the other relating to different formats of data. Both lead to problems in combining information from different
sources.
The main problem in data integration is one of scale. It is easy to see conceptually what needs to be done, but
the rules for combining information must be extremely precise (in order to be automated), and it is difficult to
determine all of the exceptions and variants on a rule that exist within a large system.
Two current methods being explored to help with data integration involve cloud computing, where systems and
their associated data are stored by third-party affiliates, and SOA (service oriented architecture), where Web
based service models are being adopted by organizations to take advantage of the Webs cross platform
architecture.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Module 2 self-test solution
Question 7 solution
In Canada, as legislated by PIPEDA, individuals must opt in to allow their information to be shared by
organizations. The federal legislation that applies to private-sector organizations is mirrored by public-sector
legislation at most provincial levels, and at the federal level. Industry must comply with PIPEDA legislation that
dictates the level of responsibility for privacy and protection of data. Some industries professional
organizations, such as accountants, engineers, and information systems professionals, have adopted codes of
ethics to help regulate what their professionals do. Businesses have taken some steps, including publishing
statements about how this information will be used.
Technology tools can be used on individual computers to protect against viruses, spyware, and block certain
sites. Technical solutions also enable e-mail encryption, anonymous emailing and surfing, and cookie rejection.
Of particular interest is the P3P standard that allows the user to have more control over personal information
that is gathered on the Web sites visited, although the adoption of P3P throughout the Web server community
has been slow and questionable.
Source: Adapted from Dale Foster, Instructors Manual to accompany Management Information Systems:
Managing the Digital Firm, Fifth Canadian edition, Pearson Canada, 2011, Chapter 4, pages 126-127.
Reproduced with the permission of Pearson Canada.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
Module 2 summary
Information technology governance: Organization and planning for IS
Evaluate the critical decisions about IT that organizations make, and the different governance
arrangements for making those decisions.
IT governance is the assignment of decision rights and the development of an accountability framework for
IS/IT decision making.
Different forms of governance are recommended for different IT decisions, and for firms pursuing
different strategic objectives.
Organizations make five key decisions, covering
IT infrastructure
IT principles
IT architecture
business application needs
IT investment
Governance frameworks
COBIT:
A framework to organize IT governance practices by
process and then link them to the actual business needs
of the organization.
Mapping of business process descriptions and templates.
Control objectives that support effective security and
control over IT processes.
Guidelines for management to focus on objectives,
performance measures, and the integration of IT
governance measures with other areas of governance.
Maturity models support process benchmarking and
continuous improvement.
COSO:
The control environment that establishes the processes
for managing and developing employees in an
organization.
The control activities that are directives to ensure
management policies and procedures are followed.
Information and communications polices developed to
ensure governance compliance.
Risks assessments from both internal and external
sources including objectives to manage those risks.
The continuous monitoring of control systems to assess
deficiencies and the need for improvements.
Six decision-making frameworks are commonly used in these situations:
business monarchy
IT monarchy
duopoly
federal
feudal
anarchy
Effective governance involves both identifying appropriate decision-making models and designing
the structures and processes to support those models.
Identify the roles of the financial manager and other stakeholders in IT governance.
Course Schedule Course Modules Review and Practice Exam Preparation Resources
The financial managers role will be to identify what kinds of information and broad systems are needed to help
meet the companys objectives. In todays business environment, no strategy will succeed if it ignores the
challenges and rewards that IT offers.
The financial manager may also be required to
identify multiple opportunities
prioritize needs or opportunities
include the cost of systems in the budget
Assess the challenges of taking an IS plan from theory to practice.
You need to compare the business strategic plan with the current IS infrastructure and look for
alignment and mismatches.
Business strategy is not always determined before IS strategy, especially during times of large-
scale technological change.
Sometimes technology drives business strategy.
Traditional time horizons (perhaps 5-10 years) dont translate well to technology planning.
Implementation of any plan is difficult, given that the technology landscape is constantly
changing. IS plans should undergo constant revision and updating.
Assess the principal drivers of hardware and software decisions in organizations.
The type of business that you have and the kinds of processes that support that business will
dictate the types of software applications you need.
You will then decide how you will implement that application (off-the-shelf or custom
programming).
The kinds of applications that you require will in turn determine the type of hardware and
network infrastructure that you need.
The relatively short lifespan of hardware and software will also drive change in organizations.
Some computers have a much shorter lifespan than more traditional capital equipment, and as a
rule, hardware becomes obsolete before it is worn out.
Customers or suppliers may demand newer or different technologies, especially ones that make
transactions more efficient or that contribute to lower costs.
Identify the specific issues in hardware and software planning.
When you purchase software, you dont own it. You just have a license to use it, subject to a
large number of conditions. The same applies when you subscribe to hosted SaaS.
Most licenses are based upon the number of users of the software. If you are planning to
increase the number of people that work in your organization, you need to plan to spend more
money just to maintain your existing infrastructure.
Software companies constantly release newer versions of existing software, requiring customers
to upgrade to the newer versions, for example by ending support for older versions.
Sometimes the current software in use will not support the goals of the future IS plan so you
start to upgrade the software sooner to meet the future demands.
Open-source software changes the dynamic of forced upgrades. Since improvements and patches
are done by the user community, you can always upgrade the software without purchasing a new
license. There are no additional fees if you increase the number of users.
The upgrading cycle must be planned. You need to make trade-offs between types of users, the
risks of supporting multiple systems, and the costs involved in upgrading computers.
When you are making hardware purchases you must make decisions about the type of vendor,
cost, and the kind of technical support that you need and are willing to pay for.
Evaluate the advantages and disadvantages of centrally determined technology standards.
Standards limit the range of technologies that can be used in an organization, making it easier to
support and control.
Standards can allow for lower costs and better utilization of resources.
Standards limit the choices that business units have in terms of technology. The choices set out
by the central standards may not be the best choice for an individual business unit.
Relate the issues of data integrity, security, and integration as they apply to IS planning.
Data are some of the most important elements in any information system.
In order for data to be useful for an organization it must
be presented in a meaningful format
be available to the people who need it
have the right amount of detail required
be correct
Maintaining data integrity is difficult, challenging, and costly.
There are a number of issues that need to be addressed around how information is recorded and
how it is used in the various business processes.
Data must be secured.
Security not only protects confidential information about clients, but also ensures the
confidentiality of an organizations information.
Security must also ensure that data are incorruptible.
Security protects customer privacy.
Data integration allows organizations to combine the data from different sources in order to
create a more complete picture about a customer or product.
There are issues around scale; the more sources you are using the more complex the job.
Different databases may use different terms to describe the same data or use the same term to
describe different data.
You can improve data integrity and security with a combination of technology (passwords and
data entry rules) and training for the users and developers of systems.
Assess the business value of an information system from a financial perspective.
You can use standard cost-benefit analysis to establish the business value of an IS.
ROI, NPV calculations, and profitability indexes can all define a tangible cost benefit for an IS,
especially in systems that improve or streamline business process.
The intangible benefits from IS are harder to quantify.
IS enables the organization to conduct business.
Some information systems are not designed to reduce head count or reduce cost, but to improve
"decision making" or manage "organizational knowledge."
Financial models have their place and should be used, but will only provide part of the picture.
Identify the four elements that make up the total cost of ownership of IS, and defend the
importance of considering non-capital costs when evaluating IS acquisitions.
Total cost of ownership (TCO) of IS includes not only the cost of hardware, software, and
telecommunications, but also the cost of service and personnel.
Service and personnel costs include
the cost of technical support and administration
the cost of consumables
end-user operations (formal and informal learning, down-time, non-productive
activities)
Organizations try to reduce the total cost of ownership by developing and implementing hardware
and software standards.
Moving towards a more centralized model of computing puts less responsibility on the end user of
computing.
Relate the relevance of Moores Law and Metcalfes Law to IS management.
Because computing power doubles every 18 months, the demand for new computers is constant
and unending.
In order to maximize your investment in hardware and software, it is important that you increase
the size and scope of your network and increase the number of networks with which you
connect.
Evaluate the issues associated with IS planning and developing an IS strategic plan.
IS planning involves a wide range of groups and stakeholders: senior management, financial
management, senior IS management, customers, suppliers, and other external stakeholders.
IS planning can occur at various times, driven by events such as project requests or strategic
planning.
While long-range planning can be problematic, some organizations will review long-range plans
on a regular basis (every 3 to 4 years).
IS planning also occurs during the annual budget cycle.
Compare the scenario planning approach to more traditional approaches of structuring the
planning process.
Scenario planning
involves looking at a future situation and then examining the possible effects on the current IS
plan
doesnt predict the future but helps to anticipate the possible outcomes
is more of a big picture approach
Portfolio analysis
looks at the current projects and recurring IS costs in the organization
looks for strategic alignment with the stated business goals
is a risk/benefit analysis of the dollar and resource investments within IS
attempts to maximize the value of existing projects/expenditures through low risk/high return IS
investments.
Strategic analysis
uses critical success factors, value chain, or Porters five forces to determine the key processes
and then identifies how IS can support these processes
uses a top-down approach
focuses on achieving IS and business alignment