Critical Success Factors (CSF)
June 28, 2008
If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting and have a nice day!
The technique suggests that strategic information requirements can be uncovered by a 3 stage process.
Firstly the identification of a number of critical success factors (CSF).
CSFs are a handful of things within someone’s job that must go right for the organization to flourish. They are the factors that the manager wishes to keep a constant eye on.
Secondly, they pinpoint critical decisions that need to be made.
The determination of the information required to support these decisions
Example:
CSF: Minimize length of time a part is kept in stock
KD: It might decide what quantities must be ordered
IR: it would need order on demand (rate of sale)
Meeting this CSF ensures that the investment in stock is kept low and that part reach dealers quickly. As this examples shows it is necessary to be clear about business objectives before embarking on CSF Analysis. The process of CSF Analysis allows managers, initially senior ones to articulate the needs in terms of their information management control that is absolutely essential to them.
These needs are influenced by factors such as:
- The industry within which the firm operates
- The environmental factors such as local politics and economic situations
- The firm’s industry position
- The Manager’s position in the management hierarchy.
Prior to the use of CSF there was a rift between the consumers of information i.e. user management and the providers of information i.e. information systems. So CSF can give some guidance on needs in such a way that the effect of the rift is minimized.
CSF must be:
- Intelligent to senior managers
- Intelligent to IS/IT Managers
- Possible to act on (capable of implementation)
CSF Analysis can be applied lower down in the management structure but it gets more and more difficult to articulate as we move down the hierarchy. However, it is generally useful to use several management levels in order to validate the CSF and get a broader picture. Below is an example of the tactical level.
CSF:
- Effective Management control of people/staff
KDs :
- Setting performance standards
- Specification of training needs
- Determination of whether or not to introduce overtime
IR
- Performance reporting
- Budget Allocation
- Exception reports
Challenges of CSF:
- The analysis needs very skilled and very perceptive interviewers to do the abstracting of CSF from senior manager.
- The more removed from the management apex a specific manager is the harder it is to apply CSF analysis. Many managers who are not already involved in strategic planning find CSF analysis too abstract.
- It is usually impossible to build a true picture of the organization’s information requirements using only CSFs.
- The decisions resulting from CSF analysis may ignore any resource constraints, surrounding their realization.
SWOT ANALYSIS and IT
June 28, 2008
b) Are there gaps/opportunities we can go for?
c) Are there dangers/threats we need protection from?
d) Are we strong in the right way to exploit the opportunity where one exists?
SWOT ANALYSIS AND INFORMATION SYSTEMS
With the particular reference to information systems a SWOT Analysis may address such issues as:
Approach to Information systems:
Whether the organization seeks to lead others or just float with the tide? Does the organization see its information systems as a necessary evil, a scarce resource or a transforming aid?
Use of Information Systems
Are there number of systems which are of poor quality i.e. not easy to use? Systems that are management oriented rather than task based?
Delivery of Information Services:
What is the role of users and user management systems development and operation? What proportion of corporate resources is tied in system maintenance? What system development tools and techniques are in use? What is the quality of technical support available?
Data availability and Management:
What is the degree of data redundancy in the application systems? Is there availability of common data across various processing applications? The quality of data management platform (DBMS)
Having become aware of the potential effect of information systems in an enterprise, we can make further use of SWOT techniques
Weigh up the risks associated with each possible decision
Possible Responses on the Basis of SWOT Analysis:
When both opportunities and strengths are present then the organization is in a position to attack its competitors through the use of information systems with a good prospect of success.
Conversely when threats are faced where there are weak capabilities then the organization must take steps to protect itself from its vulnerability to attacks from its competitors.
When there is value adding opportunities for information systems, but the organization finds itself with weak information systems capabilities then they should beware of following this up since they are less assured of success than others in their sector with more adequate information systems.
Should the organization find itself having strong information resources alongside threatening situations, it should explore avenues to both maintain that quality against the opening up of opportunities and to identify overlooked potential.
Strategic Information Systems Planning (SISP)
June 28, 2008
This is the process through which one enterprise conceptualize or formulates ideas for the development of strategic information systems i.e systems that affect the very fabric of the enterprise – the goals, the strategic processes and external relationships.
Importance of SISP
Planning also ensures that whenever new systems are build they can communicate or interface properly with pre-existing systems, thus avoiding the problem of “
SISP ensures that the IS/IT infrastructure is consistent with the strategic vision (business goals) of the enterprise. This is the modern view of SISP.
Who should be Responsible for SISP:
There are a number of ways in which the SISP role could be handled.
By an IT Director
The IT director knows a lot about current technology and technological trends and is very well placed to put that technology into business use. However the IT Director may not be very good in the area of business, and strategic planning. At worst, he might recommend systems with no strategic relevance from a business standpoint.
However these days we have people called Hybrid IT Managers who have formal training both in IT and business. Such managers might produce better planning results than the traditional IT Managers.
Except in firms that are small and use the full time services of hybrid IT Directors the SISP role is likely to be vested elsewhere.
Top management is especially aware of the strategic vision of the enterprise. Such management would also not find it difficult to identify the information needs to support the business goals.
On formulation of a strategic information system plan, the top management can leave the implementation work to the IT Director and his team. The IT Director can subsequently formulate an IT plan to set up the appropriate IT infrastructure.
However top management who are not technology aware i.e. do not understand the available technology and its potential applications may still be conservative in their planning.
Top management who are not technology aware also tends to be reluctant to participate in strategic information planning. There may be a temptation to delegate such planning to the IT Director who is more knowledgeable on matters of IT.
Use of IS Steering Committee
This is ideally a multi-disciplinary team bring together people with a variety of skills and experiences. The team would usually have representatives of top management, IT management and key departments. Use of committees is often an attractive option but there are several challenges involved:
The several challenges involved are:
- Setting up such a committee and keeping it running calls for a higher level of discipline and commitment.
- Planning through committees may be time consuming.
- The biggest mark to the use of information systems steering committee is that they reach decisions through consensus – basic democratic principle.
Use of outside planning consultants (outsourcing)
Outside consultancy may bring in a wealth of planning experience. Outsiders may also be more objective in that they have no pre-conceptions about the organization. However use of consultancy may be expensive and hence unaffordable.
The consultants may not have a proper awareness of the organization’s goals, culture and aspirations and may therefore recommend systems that are not sustainable in the enterprise. There is a temptation to recommend systems that have been observed to work well elsewhere, which does not mean they will work well in this particular organization. The organization’s own personnel e.g. IT manager, might detest the idea of using outsiders to plan the organization’s IS/IT affairs.
Competitive tactics-micheal potter
June 28, 2008
The Strategic Role of Information Systems.
Definition of Business Strategy
Strategy is a broad formula of how business is going to compete, what its goals should be, and what policies will be needed to carry out these goals. The essence of formulating a competitive strategy is relating to a company to its environment. (Michael Potter)
A strategy can therefore be viewed as a cohesive plan or a pattern of action that integrate an organization’s major goals and gives meaning to everything an organization does. This plan or pattern of action is intended to enable an organization meet its major goals within a competitive environment.
When something is said to have a strategic role in an enterprise it means that the thing has an important place in the firm’s major objectives both now and in the future. It is therefore a critical success factor. The strategic role of IS today is to assist in organizational effectiveness in the attainment of corporate goals within a competitive environment.
These are the Information Systems that fundamentally change a firm’s goals, her products, services or internal or external relationships. They are systems which contribute in a direct way to the organization’s strategic pursuits. Such systems assist the enterprise in the attainments of its strategic plans, or give it new strategic plans, or give it new strategic options that did not exist before.
Countering Competetive forces(Michael Potter’s Model)
Michael Potter argued that most of an org’s action are aimed at outdoing the competition. He looked at the competitive environment as follows
In response to the five competitive forces i.e substitute products, new entrant, suppliers, buyers, the following competitive tactics have been suggested.
Product Differentiation:
It aims to make goods or services appear different or better to the consumer than those offered by the competition. Common tactics used include Branding, Packaging, Competitive pricing, superior quality, advertising e.t.c.
Focused Differentiation
Aims to entice a select group of more profitable customers to remain loyal to the firm or perhaps bring along their friends. Focused differentiation depends on a colorful analysis of the market and the sales data to perceive trends or other peculiarities.
Tight linkage with suppliers and customers
It entails setting up communication links with customers and suppliers which in effect lock-in these players, ensuring greater loyalty to the company. Such linkages also focus on increasing or sustaining costs e.g. SABRE reservation systems, Proprietary Computer technology by IBM which only runs on software and other hardware designed by IBM in the 70s and 80s (e.g. IBM AS400), Just in time systems i.e. stockless system.
Becoming the low cost producer (Cost Leadership)
Economies of sale can arise through mass production, low cost supplies of raw materials, containment of production overheads like labor e.t.c. IT can assist in this area in the following ways.
- Capital Intensive production i.e. increased use of IT in place of human labor e.g. Robots or use of CAD instead of many human designers.
- Use of IT to analyze supply and production costs with a view to optimize them as is often done using cost accounting system to identify those areas in which savings can be achieved.
This model looks at an enterprise as a series or chain of value-adding activities which together deliver goods and services to the market. The model distinguishes between a primary and secondary activities.
The primary activities involve actual operations (e.g. production), inbound logistics (e.g. warehousing), outbound logistics (transporting finished goods), sales and marketing and customer service.
The secondary activities involve Human Resource, Management, procurement, General administration and Product development i.e. research and development.
Analysis of the value chain statistics can give indications where saving can be achieved through more efficient operations, elimination of less essential activities e.t.c.
IS can make a contribution through:
- Allowing detailed analysis of the value chain figures
- Integration of specific value chain activities that add more value.
Sustainability of competitive Advantage
The trouble with competitive advantage is that it lasts only for a short time, after which the competitors catch up. What may be a strategic system today will almost certainly become a necessity tomorrow, a system which we must have for survival simply because everybody else has it.
The implications to the planners are clear:
- They can’t afford to be complacent; to stay ahead they must keep coming up with unique/new ideas of business value.
- To the extent possible, they should attempt to build strategic systems that are not easy to match e.g. high capital systems which weak competitors cannot afford to build.
- To come up with new or fresh ideas for competitive advantage, the planners need to call up their creative skills, observe the competitors, observe the technology trends e.t.c.
IS Audit Process
June 24, 2008
Audit Objectives:
The basic purpose of an IS Audit is to identify control objectives and the related controls that address the objective. Audit objectives refer to a specific goal of the audit and it centers around substantiating that internal controls exists to minimize business risks.
Audit process:
-
Plan: this involves assessing the risk, then developing an audit program i.e. objectives and procedures.
-
Obtain evidence:
-
Evaluate evidence: this involves evaluating the strength and weakness of controls.
-
Prepare and present report.
-
Follow up: this involves taking corrective action by management.
The basic steps followed in performing an audit include:
-
Obtaining and recording of an understanding of the audit area/subject.
-
Carrying out risk assessment and a general audit plan/schedule.
-
Carry out detailed audit planning.
-
Carry out preliminary review of the audit area/subject.
-
Evaluating audit areas/subject.
-
Compliance testing i.e. test of controls.
-
Substantive testing.
-
Reporting
-
Follow up
Procedures for testing and evaluating IS controls.
-
One can use generalized audit software to survey contents of data files.
-
Use of specialized software to assess as parameter files.
-
Use of flowcharting techniques for documenting automated applications.
-
Use of audit reports available
An audit program is a step by step audit procedures and instructions that should be performed to complete an audit. It is actually a guide to performing or documenting various audit steps performed, the type and extent of evidential matters to be reviewed.
An audit program provides the trail of the process used and provides accountability for performance.
Audit phases: There are various phases in an audit. these are:
-
Audit subject: identify the area to be audited.
-
Audit objective: identify purpose of audit.
-
Audit Scope
-
Pre-audit planning
-
Audit procedures and steps for data gathering.
-
Procedures for evaluating the tests or reviewing results (organization specific).
-
Procedures for communication with management (organization specific)
-
Audit report preparation.
Audit Objective
An audit objective is to identify the purpose of an audit e.g. determining that source code changes occur in a well defined and controlled manner.
Audit Scope:
An audit scope identifies the specific function, system or organizational unit to be included in the review e.g. in the above example, you can check that source code changes occur in a well defined and controlled manner in a single application or a limited period of time e.g.3 months.
Pre_audit planning
-
This involves identifying technical skills and resources required.
-
Identify sources of information for tests of review e.g. functional flowcharts, procedures, policies, standards, pros audit papers.
-
Identify locations and facilities to be audited.
Audit Planning
Obtain an understanding of the client by obtaining background information about the client, obtaining information about the client’s legal obligations and assess acceptability of audit risk and inherent risk.
Audit Procedures and steps for data gathering:
-
Identify and select audit approach to verify and test controls.
-
Identify individuals you want to interview.
-
Identify and obtain departmental policies, standards and guidelines for review.
-
Develop audit tools and methodology to test and verify control.
Audit report preparation:
-
Identify following review procedures.
-
Identify procedures to evaluate/test operational efficiency and effectiveness.
-
Identify procedures to test controls.
-
Review and evaluate the soundness of documents, policies and procedures.
Fraud Detection
It is management’s responsibility to establish, implement and maintain a framework and design of IT controls to meet internal control objectives. A well designed framework helps to deter fraud and it enables timely detection f frauds.
When it comes to fraud:
-
IS auditors should be alert to the possibilities of opportunities that allow a fraud to materialize and should observe and exercise professional care in all aspects of their work.
-
IS auditors should have knowledge of fraud indicators and during audit work, they should be alert to possibilities of fraud and errors.
-
In case an auditor identifies a major fraud, where the risk associated with the detection is high, they should consider communicating to the audit committee.
-
When an IS auditor comes across instances of fraud, or indicators of fraud he/she may carefully evaluate, communicate the need for a detailed investigation to appropriate authorities.
Audit Classification
June 24, 2008
The basic purpose of an IS Audit is to identify control objectives and the related controls that address the objective. Audit objectives refer to a specific goal of the audit and it centers around substantiating that internal controls exists to minimize business risks.
Performing IS Audit
Audit is the process by which an independent competent person obtains and evaluates evidence regarding an event or economic entity in conformance with identified set of standards.
Classification of Audits
Audits can be classified as:
Financial Audits: Relates to information reliability and integrity and it assess the correctness of financial statements. It involves detailed substantive testing.
Operational Audit is designed to evaluate internal controls like IS audit of application controls or logical security.
Integrated Audit: Includes doing both compliance and substantive testing i.e. data and controls. It assesses the overall objectives related to financial information, assets, safeguarding.
Administrative Audits: these audits assess issues related to efficiency and effectiveness of operational productivity within an organization.
IS Audit: This audit collects and evaluates evidence to determine if an IS and related resources safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively and efficiently.
Internal Controls provide reasonable assurance that operational and control objectives will be met.
Specialized Audits:
These are audits done to review services such as those offered by third parties. it defines professional standards used by service auditor to assess the internal control of service organizations.
Forensic Audits:
They are specialized in discovering, discussing and following up on fraud and crimes. Forensic audit tools such as data mapping for security and privacy, risk assessment and intellectual property for data protection are being used for prevention compliance and assurance.
Risk management
June 24, 2008
Provide Information Systems audit services in occurrence with IS audit standards guidelines and best processes to assist organization to know that their IT and business systems are protected and controlled.
Risk Management
A risk can be said to be the potential a given threat will exploit vulnerabilities of a given asset to cause loss or damage. It can also be said to be “uncertainty that surrounds future events and outcomes ”. Risk is anything that can impact on interest of stakeholders or achievement of organization’s objectives. The impact of risk is based on probabilities of threats (likelihood and frequency e.g occurrence). Threats can be in form of errors, malicious damage, malicious attack, fraud, theft, equipment failure, software failure.
Vulnerabilities can be lack of user knowledge, use of untested technology, weak passwords, transmission over unprotected communication.
Risk management therefore entails identifying risks to information resources and deciding on appropriate controls to reduce risk to an acceptable level based on the value of Information resources to the organization. There is also the management problem i.e. that of achieving effective balance between risks and controls.
Risk management process involves three steps i.e. identify risks, evaluate controls, and managing risks i.e. reduce likelihood/impact of risk, transfer risk, avoid risk or accept to live with it. Risk management is a systematic, logical process that allows the organization to take advantage of opportunities and minimize losses.
The steps involved in the risk management process include:
-
Identifying information resources.
-
Identify threats.
-
Evaluate vulnerabilities.
-
Identify consequential impacts.
-
Identify controls to Prevent or reduce likelihood problems, Detect problem and report occurrence or Minimize impact.
-
Evaluate controls.
-
Determine and evaluate new or additional controls to further minimize risk.
-
Prioritize risks.
-
Identify and implement controls that are most effective and efficient.
When doing risk management one should also check on risk in the audit process thus one should have a planning guide that makes an assessment of the risk so as to:
-
Provide reasonable assurance that material items will be adequately covered during the audit work.
-
Identify areas with relative high risk of existence of material problems.
Components of an enterprise risk management:
-
Internal Environment i.e. the tone, philosophy and risk appetite of the organization i.e. the risk they are willing to accept to live with.
-
Objective setting i.e. the objective of the ERM
-
Event identification i.e. internal and external
-
Risk assessment i.e. the likelihood and the impact of the risk.
-
Risk response i.e. reduce likelihood, transfer, avoid, treat.
-
Control activities i.e. policies and procedures to carry out risk responses.
-
Information and communication: Identifying the flow of information downwards and upwards and across.
-
Monitoring: ongoing management activities, modifications.
IT Governance
June 24, 2008
Corporate Governance can be defined as ethical corporate behavior by directors or others charged with governance in the creation and presentation of wealth.
Corporate Governance spells out the rules and procedures for making decisions on corporate affairs. This helps in providing a structure through which company objectives are set and means of attaining those objectives and monitoring performance.
IT Governance tries to ensure that the organization and related technology support its resources i.e. resources are used responsibly, and its risks are managed.
IT has long been considered as an integral part of the overall organization’s strategy. IT helps achieve this overall strategy by efficiently and effectively deploying secure and reliable technology. The intent of IT Governance is to ensure:
-
Integrity of IT systems.
-
Inclusion of independent audit.
-
Inclusion of appropriate controls for monitoring IT risks, controlling IT assets, compliance with laws and regulations and record management.
-
Enable the enterprise by exploiting opportunities and maximizing benefits of IT
-
Ensure IT resources are used responsibly.
Factors driving IT Governance are:
-
Expanding role of IT into corporate/enterprise governance support, strategy initiative, knowledge management, privacy/security/continuity.
-
Proliferation of technology solutions.
-
Increased emphasis on accountability
-
Need to manage the management process.
-
Focus on organizational capital, value and balance.
-
Rapid advance of technology.
The key elements driving IT Governance are:
-
IT strategic planning
-
IT control performance
-
IT project management
-
IT asset management
-
IT policies/standards/processes i.e corporate, business units, information services.
IT Governance is concerned with two issues i.e. IT delivers value to the business and that IT risks are mitigated. The first issue is driven by strategic alignment of IT with business this is driven by embedding accountability into enterprise.
IT governance is the responsibility of the Board and Executive management. It is an integral part of the enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.
A key goal of IT governance is aligning of business and IT to achieve business value.
This key goal is achieved by aligning IT governance frameworks with best practices. Such a framework should be composed of:
IT governance .
-
Structures, processes and relational mechanism.
-
The key governance practices are:
-
IT strategic committee.
-
Risk management
-
Standard IT balanced scorecard.
BEST PRACTISES FOR IT GOVERNANCE:
Corporate governance is a set of responsibility and practices used by an organization’s management to provide strategic direction thereby ensuring that goals are achievable, risks are properly addressed and organization’s resources are properly utilized. IT Governance is a structure of relationship and processes used to direct and control the enterprise towards achievement of its goals by adding value while balancing risk vs return over IT and the processes.
User Interface design: Summary
June 24, 2008
1) The interface should be easy to learn, transparent and obvious. It should not require the user to make undue effort to learn its operation.
2) Ideally there should be consistency between various parts of the interface and various interfaces to various applications.
3) The various methods used are not always interchangeable. It depends on the task being performed and the user.
4) Direct manipulation systems may be easy to learn, but have some drawbacks.
5) Command language systems can lack transparency, but can be very efficient and powerful once learned.
Attention
It is important to remember where systems do not take into consideration the users capabilities. Stress is likely to be the result. For the purposes of designing computer systems, it is important to take into consideration the following:
1) Reaction time
2) Movement time
3) Attention.
The following forms of attention need to be considered
a) Selected attention
b) Focused attention
c) Divided attention
d) Sustained attention (vigilance, monitoring)
Sustained Attention:
Design consideration and guidelines:
1) Work& rest schedules should be provided and different tasks done in order to reduce the amount of time spent on vigilance.
2) The signal should be as conspicuous as possible.
3) Uncertainty about where the signal is likely to occur should be reduced.
4) Artificial signals and feedback should be provided.
5) There should be adequate training and the skills acquired should be maintained.
6) Motivation is important.
7) Environmental distraction and stress should be minimized.
Selected Attention
This requires monitoring several channels in order to perform the task. As the number of channels increase, the individual performance decreases.
Guidelines:
1) The number of channels on display should be kept to a minimum.
2) The relative importance of the various channels should be made clear.
3) Environment should be as stress free as possible.
4) Information should be available as to where the next likely source of information will be.
5) Users should be trained to scan effectively.
6) Multiple channels should be as close together as possible.
Focused Attention
This is the ability to attend to one event from what amounts to a mass of competing stimuli in the environment. The problem in designing for focused attention is to maintain the single channel of information without distraction.
Guidelines:
1) Competing channels should be as far apart as possible.
2) Competing channels should be kept to a minimum.
3) The channel of interest should be bigger, brighter and more demanding of attention.
Divided Attention
1) Potential services of information should be limited as far as possible.
2) The user should be encouraged to priorities
3) The task should be as easy as possible.
4) The task should be dissimilar in terms of input, output and modality so as to reduce the likelihood of confusion between them.
Common Interface Interaction Styles
June 24, 2008
Command Driven
This was one of the earliest forms of communication with the computer. The command language system offers a prompt which can range from a .(dot) to a word or a short phrase. The drawback is that users have to remember the commands they want.
Menu
This is a set of options displayed on the screen. It has the advantage that the user does not have to remember anything, but merely to recognize it. Designers have to decide the best way of displaying menus so that they are comprehensible and natural to use.
There are 4 reasonable alternatives for ordering menu items.
- Alphabetical
- Categorical i.e. selection of suitable categories
- Conventional i.e. sticking to pre-ordained order.
- frequency of use.
Menus are supportive, but do not provide flexibility. The number of entries in a menu should not be too many. If too many, you should consider sub-categories.
Question and Answer dialogs
In such systems the system pauses a question to the user and the action carried out depends on the input. This type of systems are used in tasks where information is elicited from users in a prescribed and limited form such as ATM’s, catalog and scheduling applications.
They protect the user from any considerations of navigation and are suitable for novice users, thus they are supportive and offer flexibility.
Forms
The system decides the nature of a pre-determined sequence of inputs and displays simultaneous requests for a completed set of inputs.
There are two types of forms:
a) Those which are designed for transcription input i.e. the screen matches the document the user is working from.
b) Forms without corresponding documents
This input style is very supportive; error trapping should be possible in a carefully designed form.
Natural Language Dialog
This promises flexibility and naturalness of interaction, it is still not possible to have a system that fully understands natural language as it is typed.
Direct manipulation vs Linguistic Manipulation (command driven) using painting devices
Direct Manipulation
These type of interaction provides a continuous graphical representation of current objects of interest that are physically manipulated by some sort of pointing device. The advantage of this is:
a) Novices can learn the basic functionality quickly
b) Experienced users can work extremely fast to carry out a wide range of task.
c) There is reduced anxiety on the part of users.
d) Users gain confidence and mastery because they initiate action, feel in control and can predict system responses.
e) It leads to reduced memory load on the user since whenever a task needs to be performed an examination of the system will tell the user what needs to be done.
Linguistic Manipulation:
Linguistic manipulation system consists of issuing commands and providing labels for objects which those commands will operate on. Their major drawback is that they put considerable pattern on the user of the system since the commands have to be learned and cannot be deduced from interacting with the system. However, they can be very efficient and powerful once learned.
