Figure 4 (Farrell, 2003)
IT Risk Management
Risk management is an important organisational process that involves identifying and assessing risks and taking steps to reduce them to an acceptable level. It needs to be treated as an essential management function of the organisation, rather than just a technical function managed by IT experts. It also enables the organisation to accomplish its mission successfully by securing and accrediting its IT systems on the basis of documentation produced by the risk management process. The three major components of risk management are risk assessment, risk mitigation, and evaluation and assessment (Stoneburner, Goguen & Feringa, 2002).
The first component of risk management is risk assessment, which is used to determine the extent of the potential threat and the associated risk. The steps involved in risk assessment are system characterisation, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations and results documentation. The second component, risk mitigation, is the process of prioritising, evaluating and implementing the risk-reducing measures recommended by the risk assessment. Risk mitigation can be achieved through options such as risk limitation, risk assumption, risk planning, risk avoidance and risk transference. These options are usually selected by taking into consideration the goals and mission of the organisation. The last component of risk management is evaluation and assessment, which is done by providing cost-effective safeguards that meet the needs of the organisation, such as updating software applications with newer versions (Stoneburner, Goguen & Feringa, 2002).
Analysis of Risk Management Activities
Recommendations
The organisation is in a stable financial and operational position; however, there are always improvements which could bring higher levels of productivity and profitability if done correctly. Below are some recommendations that should be implemented in a timely manner to effect a positive change in the organisation, with consideration for the repercussions as well.
The biggest concern today is the potential failure of the hardware and software of the ERP system. It is running on older hardware and the software cannot be easily modified. An urgent review is required to deploy a new CRM/ERP system on a new software/hardware platform that can be outsourced beyond the IT Manager and the minimal resources available to maintain it. Relying on either the IT Manager or one programmer who is not always available is too commercially risky.
There should be an IT committee formed with the IT Manager as chairperson and a single representative from each department (i.e. customer services, sales, administration and warehouse) joining to put forward their concerns and concepts monthly. This allows for an open forum to discuss new approaches to operations relating to IT, as well as rectifying issues as they arise.
The IT manager should focus more on prioritised IT matters and employ a junior engineer to engage in day-to-day tasks to reduce low priority interruptions.
The marketing team and IT should deploy the integration between social media and sales promotions to capture a larger audience. This may not require using a modern CRM/ERP system straight away to plug into social networks, but it would make lead generation easier.
Some laptops are provided with administration privileges to allow flexibility for specialist software installations. It would be ideal to lock down the administration privileges on these laptops; if this is not possible, then at the very least encrypt the hardware in case the laptops are stolen or misplaced.
Data is backed up to magnetic tape once a week and the tape is taken off site. This is sufficient; however, off-site live and mirrored backups are essential when operations are centralised. In the event of failure, contingency plans to relocate and reopen operations within a short time frame are essential.
Lastly, and still very importantly, a quoting tool should be implemented for the resellers which includes their own logos, pricing margins and details. This “loyalty builder” minimises the risk of staff not knowing how to use the older ERP system to quote and instead quoting via email, which can be easily modified. Locking the quote in and recording the event assists in tracking and provides factual results that are time stamped.
Structure
Q: Can you please introduce Connector Systems Holdings Limited (CSH)?
A: Connector Systems is a distributor of technology within the NZ market and has been in business for 30 years. It was an early adopter of technology and created its own ERP system back in the 1980s. It gave a competitive advantage in its transactional and information offering services. As such, Connector Systems grew to well over 200 staff nationwide. However as the technology of competitors caught up to speed, CSL did not evolve and keep ahead of the game and in recent years there was no longer a competitive edge to offer its customers. The only advantage was through the offering of highly skilled staff and their knowledge as a service to obtain sales. In the last 14 months there has been a change in ownership in the direction towards modernising its IT Systems to take advantage of technology and to provide a competitive advantage. The new Managing Director Dale Smith is committed towards a Strategically IT focused approach to business in order to take the lead competition wise. This means a heavy investment in Technology as a whole to increase revenue.
Q: How is your company structured?
A: The company is rather flat in its management structure and is based on one lead and three general managers who lead the sales force. The IT manager is purely there to manage the services to cater for the company’s need to use IT as a tool. There is a shift which is being led by the new MD to make use of IT to provide more opportunities to capture more sales and to also provide new efficiencies within the internal business. The IT manager is on the same level as the three General Managers directly reporting to the MD.
Q: Please do tell us what your role is within the organisation?
A: I am officially the IT Manager for CSH and I take care of anything which has a relation to IT. This could also overflow into areas of Electrical and HVAC. I am currently looking at modernising the systems and creating new ways of using technology to improve processes. I hope to reduce IT frustrations which were prevalent as I entered the company.
Q: Where does IT play a part within the organisation?
A: It is currently a mission critical tool for CSH and runs the operation in terms of providing the ERP and this would entail invoicing, sales forecasting, tracking of goods, email and communications of Unified Communications in terms of a Voice over IP (VoIP) system over our LAN/WAN networks. I keep the place running in terms of information finding and providing functional efficiencies surrounding planning, transactions and communications internally and externally.
Q: What typical processes and procedures relate to IT and CSH?
A: I usually make the call and have to justify any major changes to the MD and at times if required to the General Managers. It is my role to provide conceptual changes and pitch a logical reason to make changes and spend resources on these changes. Once testing is applied and proved to work, we will roll out the changes gradually and this could be a day, week or months.
Q: Are there any areas for concern?
A: At this moment in time, there is no real redundancy in our ERP systems, backups are minimal and we are well behind our competitors with the use of technology to provide training, sell and maintain relationships. We are just not leveraging technology to capture a wider market of customers. Also we could reduce operational spend such as telephone toll calls. Similarly there is a concern over security of data on individual laptops.
Operations
Q: Are there any apparent risks and if so, what are they?
A: There are many risks as already mentioned. Reference to Appendix f. Risk Identification Map.
Q: How important is IT in your organisation?
A: IT can affect different levels, i.e. operations and strategic. We can sell more via website or speed up process in accounts or error correction prevention in warehouse for tracking purposes. We use IT technologies every time we quote, sell, freight out products and even plan in terms of management and pay the bills. It is very much so a technology which CSH is dependent on and requires it to function. It has to be reliable!
Q: What barriers can CSH put up to prevent your competitors imitating your IT innovations?
A: At this stage there is no need to apply for patents but in the future that could be an option if it was rather innovative. Security of our customer database and pipeline is rather important and we must do all we can to not allow information to leak out. Similarly our approaches to the use of IT, staff have been asked to be discreet about how we approach the market. Tell only ones that should know, such as our customers. In terms of our future web interface, only valid logins are allowed to see anything in terms of price and resources available to them. We plan to use YouTube videos to provide training but in the private domain and under secure logged in web interfaces. It is our hope that competitors do not have access to such resources.
Q: Can you instil high switching costs or even cause lock-in?
A: We are looking at doing so by creating an easy to use system for our customers to directly quote their customers from our systems. This type of quote would include their margins already calculated into the price as well as their own logos. Once they get used to it, they would always use it and better yet, always use us and our products! That’s what you call lock in. We do not believe anyone else in the industry has such a system. Perhaps we should patent this. Haha.
Q: Any thoughts on leveraging your networks and partnerships with your client base?
A: We discreetly use specialists and partner them up with other subject matter specialists to create synergetic teams to create solutions for end-users. What this means is that if both teams are loyal users of our products then as a team they will provide great solutions to the end-user and this means that we will sell more and the quality of the deployment will be of the highest level. There will be less likelihood of our customers using alternatives if both are our customers and both use different products of our offering. These partnerships are usually non-competitive situations and very much so synergetic.
Q: How complex is your industry and do you have anything unique to offer?
A: It is a complex industry requiring a rather highly skilled sales force but what is more important is the timely responses to enquiries. This would be pricing quotes, support from international resources, sales transactions and tracking but most importantly it has to be easy for staff and customers to use.
Q: In the workings of the operations, how is IT used to enhance performance?
A: We currently email promotions and sales discounts to our database. That is about as far as we can go with the use of IT. We need to progress this more towards social networking and marketing ourselves out there in this new age media. Web 2.0 is new but is something we need to get into fast.
Q: How often are IT audit processes carried out if any?
A: Not very often. We need to implement this. Clean up our ‘images’ and ensure backups are done for laptops. Loss of information protection is not high on the priority list and needs buy in from all stakeholders including staff and managers.
Q: Are risk assessment findings presented to the Board of Directors for review and acceptance?
A: Yes it is presented to the MD and recommendations are provided as a solution to a problem. Typically my word is taken as gospel.
Q: How often is this done?
A: It is casually done; the MD has an open door policy as he understands that there are problems and these problems will crop up over time and some issues are urgent, others not so. It is my decision to make this call and approach as needed. I have two years to turn the company around. To use technology as a strategic advantage.
Q: How often, if at all, do you ensure that Backup and Disaster Recovery plans are tested and kept up to date?
A: Backup is done continuously on our CDP systems (Continuous Data Protection) and versions of file changes are recorded and archived. As for how regularly full back ups are done, this is done every day and offsite backups done every week. We plan to change this by creating a mirror image offsite and backed up incrementally every day.
Q: ICT/ITS systems are vulnerable to risk and what are the potential impacts on the business?
A: As most of our systems are mission critical, it would instantly impact productivity and some technologies such as ERP systems would stop transactions! VoIP isn’t as critical as we all have mobile phones.
Q: Any Past experience good or bad?
A: We have had staff delete important files before but we had backups. Also we have had our ERP systems crash before. We now have a redundant system in place as a failover but it is running on an old PC which is 20 years old. We need to transfer this system to a modern, more available system. We risk not being able to source parts if issues arise.
Q: Is IT an operations or Strategic decision?
A: At this moment in time it is Operational. In the future, about 2 years, it will become strategic and advised decisions will come from the top.
Q: Is IT involved strategically?
A: It is becoming that way.
Q: How can IT affect the strategic competitive advantage?
A: As mentioned before, with a comprehensive web interface to our prices and quoting systems and integration into the social media, we can capture more customers and lock in our customers to our systems. It creates an artificial loyalty. Similarly if our systems are simple and not complicated now and fast, we will always be able to service effectively and provide minimal delays to our customers.
Q: Do you have a dynamic website with valuable content?
A: Currently a website to feed prices to reduce operational overheads without telephone sales staff. We need to expand this and reduce load on these staff as we grow and minimise frustrations.
Q: Can the org sell and market itself in other ways?
A: Yes, Social Media as well as provide great video tutorials/training online for our loyal customers for our products. It's free training provided to create value. We plan to create a neat knowledge base within time. We want to create value and not just be a box dropper.
Q: Online training knowledge base for approved resellers, do you have such a system?
A: No, not yet. We will, as it takes a fair amount of resources to create.
Q: How will this benefit you?
A: Well by providing such a catalogue of intellectual knowledge, we can leverage the technology to minimise overheads on staff and make training and knowledge transfer easier. There will of course be an element of human interface in our business. However it is the hope that simple enquiries will be minimised through the effective use of technology.
Q: Any future plans?
A: There are lots on the to-do list, some of which have already been identified. We are looking heavily into use of social media as another method of exposure for the breed of customers out there. Training via a knowledge base is also important and similarly modernising our ERP system will remove legacy issues inherent with systems of yester-year. We are busy enough as it is, we can only hope to reduce frustrations both internally and externally by creating transparency and partnerships.
Strategies
Q: What is your primary strategy for IT in your organisation?
A: We know we are behind the 8 ball. We are modernising the approach for 2011 and beyond. Strategically we haven’t had the chance to sit down and review such approaches for competitive advantages. We have spoken on a few occasions but these movements are rather ad hoc for the meantime and will morph into a strategic approach once operational issues are dampened. The strategic approach or focus for IT will come, just later on. Once set up operationally, the management of the organisation must have the following:
“Understanding Strategy of IT <-> Management <-> Services”
Management is in-between the Strategic approach and servicing these objectives.
Q: Are there any IT strategies at the board level within your organisation?
A: Besides modernising our infrastructure and using it for marketing in the traditional email sense, No.
Q: Any exploits to gain a competitive advantage?
A: Well the ERP system is a big one. Currently it is EAI rather than ERP. We have started to use SalesForce (SF) as a middleware between SQL and CRM (SF) and Accounts. The SF aspect is now not only a tool for CRM, but also encompasses Pricing tools, email broadcasting of marketing promotions and invitations to regular training. We hope to use these tools in the meantime to increase:
- Training,
- Uptimes of Systems and increased productivity,
- Integration between the functional parts of the business,
- Security Risks on information accessibility
- Flexibility
- Access to Reports and to provide automated reporting to identify commercial risks.
Q: How will you increase your market share and grow the business with the use of IT?
A: Again through the use of creative marketing via social media. RSS, Twitter, Facebook, Google Adwords, YouTube and the likes of such. Also as mentioned before, a customisation GUI for in system quoting will be of benefit and will provide a faux loyalty via lock-in.
Q: How has IT affected your customers?
A: Customers in recent years have had the ability to request pricing over email or over the ERP ecommerce site. Although ETA and stock information is lacking, the efficiencies wanted are minimised by the load towards the CSR team. It is almost an expectation by the emerging Generation Y to order via online systems and be notified instantly when an order should arrive if under normal circumstances. The expectation is more so an immediate need rather than a delayed want.
Q: How has IT affected your businesses?
A: The operation itself is in a hybrid mode trying to play catch-up with limited resources. It is not easy to integrate an old system which is 30 years old and proprietary. Steps are being taken to remove barriers to progress. Once done, the business will be streamlined. Similarly with systems so old, the hardware may be prone to fail soon. Well overdue replacement and platform migration is much needed. This will remove the risks of failures and downtime.
Q: How has IT affected the industry you reside in?
A: The industry is still in its infancy in terms of product distribution within NZ. Most organisations do not have a drive to fully develop such online systems because there is a perceived value placed onto the human interaction or email/human. Sites like Amazon and buy.com are fully automated and simple whereas distribution believes in human value add. Which is incorrect? Hard to say. We want to be innovative and proactive in our approach.
Q: Are you replacing or enhancing IT employees?
A: It is almost a corporate need to have good IT nowadays to provide a comfortable and less frustrating environment such as a CRM and processing software which is familiar to the users. As such when approaching staff, having IT knowhow is practically a must.
Reactive or Proactive
Q: What risk management strategies do you implement?
A: It is business as usual. In terms of the traditional proactive protection mechanisms, we have data backups regularly onsite, offsite and security on multiple levels. As for leaks, we implement software where appropriate to mitigate these. Financial movements are also signed off, process wise by multiple parties and audits carried out as required. Please refer to Appendix Risk Identification.
Q: What measures do you implement to minimise the risk of damage to the Company’s corporate image potentially arising from a compromise of Company information held by external agencies?
A: Without removing flexibility, it can be hard to protect data leakage. We hold every staff responsible personally for data leaks and remind them that data is confidential and for internal use only.
Q: Do you have procedures in place for when computer equipment or components are sent offsite for servicing? Are there appropriate confidentiality agreements in place, and how do you ensure that when hard disk units are replaced, that the old units are returned uncompromised for secure disposal?
A: At this moment in time, all servicing is done onsite. Hard drives are removed if service is done offsite. There are no agreements other than where offsite data is held in collocation spaces and they will have no legal access to it. I do think you have a good suggestion though.
Q: What critical steps do you take to improve individual and org information security?
A: All laptops which are mobile and servers have multiple security barriers to prevent unauthorised access. Encryption is also a must.
Business Continuity
Q: Do you have a formal Business Continuity Plan?
A: At this stage, most of our data is backed up and images for reimaging are in place. It is a matter of purchasing equipment as and when required to bring business back up and running. We can have the operations up and running fairly quick but it would be all at a cost which is accounted for.
Q: Do you have an organization-wide disaster recovery and business continuity program?
A: Not anything official, but it is in place in the event of a “worst case” scenario.
Q: Who is responsible for implementing this?
A: Myself with the approval of the Managing Director.
Q: Centralised or Decentralised? What is best for you?
A: We work on a centralised platform for core services and a slight decentralised network for services that cannot be provided for centrally, such as the CRM. This helps the organisation control flows inwards and outwards. We prefer this model for control and security of geographic diversity for backup. This is more so a preference by the MD.
Q: What is the probability of occurrence of any risk?
A: Relate to Risk chart
Evaluation & Procurement
Q: How do you prioritize risk?
A: We look at what could pose the most threat to the operations of the production line where financial impact is probable and take care of issues accordingly.
Q: How do you know what to replace or implement in terms of technology?
A: Most of our equipment has a 3 year life. If productivity is identified by staff as an impact negatively, then action is taken. Budgets are available but we have a policy to not replace unless necessary.
Q: How do you know what is best of breed vs what a salesperson says?
A: Research of reviews and case studies assists in sound decisions being made.
Q: What if you spend too much? Do you?
A: At times, certain technologies may be expensive and absolutely required. We always look at Return on Investments and Total cost of Ownerships. If the cost benefit is there, the spend must be had. We typically try not to spend too much and yes we can spend too much sometimes if it is justified.
TCO & ROI
Q: How do you know how much a system will cost over the lifetime of the system?
A: Power consumptions, support agreements, replacement costs, space constraints, training, scalability, upgrades, resources needed to operate and maintain, mobility and licensing are just a few examples of how we consider TCO. Again most systems have a life of 3-5 years. Larger implementations such as ERP/CRM systems have a longer term view of 5-10 years. Costs are usually estimated based on industry experience and chatter amongst the community.
Q: What are the typical measurements you look for to make such decision?
A: Plug in scalable, Maintenance, Training, Operational requirements, Licencing, Warranty / support
Q: How do you measure return?
A: Revenue increase, satisfaction surveys by staff, surveys to customers, cost savings, complaint reduction, and general estimations placed upon intangibles such as security increase to reduce data leakage. Audits are yet to be implemented but these will assist such measures.
Q: Any future strategies to increase the ROI?
A: Selecting value for money technologies which have a better fit for our medium sized organisation and effectively embracing technology to take full advantage of such technologies. This includes marketing such advances, measuring such changes and adjusting operations to increase returns.
Q: What do you expect the timeframes to be?
A: It depends on the technology. Returns could be 1 year and can be as long as 3-5 years.
Finance Options & Budget Cycles
Q: How often do you have budget forecast and funds provided if any cycles exists?
A: We review spend yearly but there is no formal plan in place. Most spend at this stage is done ad hoc with ROI taken into consideration. The budgeted spends are approved as they come up.
Q: How accurate are such forecasts?
A: N/A
Q: Can the organisation be flexible in adjusting these figures midyear?
A: Yes
Q: CapEx or OpEx, which do you prefer?
A: We prefer spending sub 10K with Cash and placed into CAP-EX. Where interest rates are reasonable, larger investments may be placed into OP-EX arrangements if ROI is dragged out over a longer than 2 year period.
Q: Are there risks with spending either way?
A: OpEx is more related to maintenance of systems and CapEx is more related to major infrastructure investments.
Competition Trends
Q: Are your competitors moving with the industry and doing what you are doing?
A: It is business as usual with them. A competitor by the name of Datastor have represented themselves as the local vendor by creating a datatorpromotions website which is appealing and links back to local representation. This is quite innovative and attracts local potential customers to the local distributors. However, most of the competitors are also not effectively marketing to the levels we plan to move ahead on in the next 2 years.
Q: What are you doing different from your competitors?
A: For the moment we are on par with them or even slightly behind. We hope to be streets ahead in the 2-3 years to come with our innovative social media, educative and partnered approach with IT as the main enhancing interface to customers all the while keeping our human interface lively with IT savvy staff.
Porter's 5 Forces Analysis
- Do new entrants get subsidies from government?
- Quality. Is substitute a better?
- The cost of switching to substitutes? Is it easy to change to another product?
- Relative price and performance of substitutes?
- Bargaining power of suppliers
- Profitability of suppliers – are they allowed to raise prices?
- Do brand manufacturers threaten to set up their own retail outlets?
- Switching costs - Is it easy for suppliers to find new customers?
- Bargaining power of buyers
- Are there few dominant buyers and many sellers in the industry?
- Differentiation – Are products standardized?
- Profitability of buyers - Are buyers forced to be tough?
- Switching costs - Is it easy for buyers to switch their suppliers?
- Rivalry among existing firms
SWOT Analysis
Value Chain Analysis
Just as indicated within this diagram, the function of the new company is to import products, add value either by advice or by modification to the products, and sell them on. The firm’s infrastructure is indicative of its building relationships with import agents and freight organisations. Similarly, HR, procurement and IT are merely support functions of the primary activities which actually add value. This is the present situation of the new company, but it is hoped that within a 2 year period it will change slightly, with procurement (forecasting) and IT becoming intertwined, more of a primary activity, and attached to every single activity. The IT systems should smartly forecast demand and automatically order products as they are predicted to be needed.
Most importantly, IT should be integrated into inbound activities and into operations (processing orders via the reseller interface), should notify users automatically via email once orders are outbound, reach out to new customers via social media and email marketing, and provide training resources in the service section. Through the use of IT, all these portions should generate efficiencies, loyalty and high profit margins. Without IT, the value chain would rely on more human resources and time to process information.
Risk Identification Map
References
- Porter, M. E. (1996). What is strategy? Harvard Business Review, November–December, 61-78. The value chain.
- Martin, James (1995). The Great Transition: Using the Seven Disciplines of Enterprise Engineering. New York: AMACOM. ISBN 978-0814403150. Particularly the Con Edison example.
- "The Horizontal Corporation". Business Week. 1993-12-20.
- Mitchell, J., Coles, C., and Keane, J. (2009). Upgrading along value chains: Strategies for poverty reduction in Latin America. London, UK: COPLA Global - Overseas Development Institute.
- Microlinks (2009). Value Chain Development. Washington, D.C.: USAID. http://apps.develebridge.net/amap/index.php/Value_Chain_Development
- http://www.brighthub.com/office/project-management/articles/51759.aspx
- Michael Porter in his 1985 best-seller, Competitive Advantage: Creating and Sustaining Superior Performance.
- Anderson, Chris. The Long Tail: How Endless Choice Is Creating Unlimited Demand. http://www.amazon.co.uk/Long-Tail-Endless-Creating-Unlimited/dp/184413850X
- Farrell, Diana (2003). Virtuous Cycle. http://www.ncbi.nlm.nih.gov/pubmed/14521102
- Lee, Jonathan (Assistant Professor, Kelley School of Business, Indiana University, Indianapolis, Indiana, USA), Lee, Janghyuk (Lecturer, Department of Economics, University of Reading, Reading, UK), and Feick, Lawrence (Professor of Business Administration, Joseph M. Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, USA). Switching costs: The impact of switching costs on the customer satisfaction-loyalty
- http://www.netmba.com/strategy/value-chain/