INFORMATION SYSTEMS AND E-BUSINESS Risc and Value of Applications to Organizations Jorge Pereira, José Martins, Vítor Santos, Ramiro Gonçalves University of Trás-os-Montes e Alto Douro, Vila Real, Portugal
[email protected],
[email protected],
[email protected],
[email protected]
Keywords:
e-business, management, decision support, business intelligence, information systems.
Abstract:
We aim to analyze the current problems and the main difficulties encountered by information systems and information technologies managers, featuring different actors and how they relate. This work introduces a design pattern, a fact table, for management and decision support, named CRUDI Table. The CRUDI Table is an abstraction idealized from the CRUD Matrix concept extended by an extra dimension: the importance dimension. The CRUDI example application presented in this paper generates relevant information regarding importance and priorities in information systems projects, to better align them with the business needs.
1
INTRODUCTION
Today, the information systems (IS) and information technologies (IT) managers have major challenges in characterizing the risk and the relative importance of each information system and each application to support the business processes of enterprises. The global economic difficulties have led companies and their managers to scenarios of major challenges, in need of constant change and evolution that require the continued investment, but with less budget and less time to implement them. Quite often, business managers in organizations have an opinion contrary to their information systems manager, regarding the importance of an information system and the priority of necessary investments in information systems to better support the business. It is also difficult to estimate the risk assigned to each information system and to define its need for complete replacement on certain types of disasters (natural or others) with larger impact. The strategic alignment between business and information systems is very important and is a continuous process, focused in change and the need for adaption. Henderson & Venkatraman (Henderson, J., Venkatraman, N., 1993) defined two main characteristics in this process: A direct relation between financial results and the ability of managers to create a strategic adjustment of the management team and
support services, positioning the organization in a leading and competitive position of their market with a specific product-market. A dynamic strategic adjustment, aligning business objectives with information systems objectives. We consider extremely important the creation of new methods and new tools to aid in the demanding job of information systems managers because technological development has introduced electronic components and software in the normal day-to-day of people and companies, even in those that traditionally haven’t had the need for it before. The rapid evolution of Internet and the emergence of Web 2.0 have also created new problems, new opportunities and new business models that imply new management models for technologies and information systems. The traditional models for information systems analysis and management already consider, for example, the use of CRUD tables for modeling business processes and their respective information entities. However, these same tables do not indicate which processes and which entities are most important to the company's business. They also don’t indicate what system or subsystem must be implemented first in order to have the greatest impact on business and in the organization's future. This study aims to analyze the current problems and main difficulties encountered by information systems managers, featuring different actors and
how they relate. We intend to create new tools and analysis models to better support the decision (making it faster), helping the information systems managers in their daily activity and in their strategic planning. This paper also presents an approach and a new method to better define business processes importance and their related support applications, based in a conventional CRUD matrix. We introduce a design pattern and a fact table for management and decision support, named CRUDI Table. The CRUDI Table is an abstraction idealized from the CRUD Matrix concept extended by an extra dimension: the importance dimension.
2
PROBLEM DEFINITION
In the last two decades of the twentieth century, Information and Communication Technologies – ICT – have contributed in a significant way to a profound change in economic and social activities. These changes include increases in quality of life, as well as in the competitiveness and productivity of enterprises (Sócrates, J., 2007).
2.1 Business and Companies needs The current era of Information and Communication Technologies ushered in the era of electronic commerce and information society, where traditional management paradigms are challenged and new business models are sought (Loebbecke, C., Wareham, J., 2003). It is important to align the business needs with the business processes of an enterprise, even if they are in continuous improvement. There should be a good fit between the tasks of business processes and information systems (Trkman, P., 2010). The society is changing. The high speed of this change is promoting new opportunities and new business models, as well as outdating old business models. According to other studies (Ramirez, R., et al, 2010), in the past years information technology has been promoted as a central tenet of process redesign that scopes the evolution of processes. This fact is enhancing the continuous call for IT investment in business process management. Additionally, the same author states that firms with higher levels of IT investment have been found to have a greater application of decentralized decision authority, use of self-managed teams, and cross functional units. These practices alongside with similar others, leverage the informing and
automating capabilities of technology to enable new forms and types of organizational structure, decision authority and human resource management.
2.2 Legislation and Regulators Financial authorities and financial industry participants have a common interest in promoting the resilience of the financial system to major operational disruptions (Basel Committee, 2006). The Regulatory Standard No. 14/2005-R of November 29, Instituto de Seguros de Portugal (ISP) has defined the general principles applicable to the development of risk management systems and internal control of insurance companies (ISP, 2009). Those principles are known as legislation key items. According to Lunsford (Lunsford, D., Collins, M., 2008), organizations need to ensure that each employee has the appropriate access to information, but does not have excessively powerful access rights. This author also describes the challenges faced by auditors and organizations when a company hires, fires, loses, or moves employees. At the same time, new laws such as Sarbanes-Oxley (SOX) Act place greater importance on this. Both international and national regulatory legal entities like the European Central Bank or the Portugal Central Bank, state the need to define and implement a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). Additionally, the web is revolutionizing the access to information and the opportunity for people who have disabilities to actively participate in society (Thatcher et al., 2006). If website accessibility and usability levels are high (enabling the perception and understanding, and the navigation and interaction with websites) then all sectors of society including groups such as children, seniors and people with disabilities can be more independent and lead more fulfilling lives. In many countries the law mandates web accessibility and consequently policies exist to that end, for example in the European Union, with the eGov Action Plan (EU, 2006) or in Portugal with the new law for the public procurement procedure based on Electronic Web Platforms (Silva, A., 2008).
2.3 Management and Processes Business management involves monitoring and controlling all forms of commercial transactions over the Internet and extranets, related technologies and communications services (Ray, P., Lewis, L., 2009).
Several methods have been defined and implemented to address management needs and control key points of production, starting in the marketing and sales cycle into the production, delivery and maintenance stages. Some of the good business practices are based in a good definition of processes, both for management and for business delivery (products or services), so they can be enforced and monitored by Key Process Indicators (KPIs). Those indicators are collected automatically and presented to management in a graphical way called Score Cards (Business or others like IT). They allow a permanent follow up of evolution (good or bad), allowing management to take updated decisions to change what is bad and enforce what is good. Usually the KPIs are presented together as Business Score Cards (BSC), to allow a permanent follow-up. This management process is also called business intelligence (BI), because it’s based in real business information. According to Barroero (Barroero, T., et al. 2010), business managers specify the business processes for delivering the business services and the related business performance relevant to each business services stakeholder. Additionally, they argue that in order to partnering IT service management and business service management, it is necessary that IT management decisions and actions consider business customer’s priorities and impacts. Thus, they foster the need of models and methods able to correlate business customer performances with IT services performances and management. They model the business process with a structural and flow diagram and identify KPIs according to the HIGO® grid. Business processes should be aligned with delivery and management processes in order to optimize business performance. The key achievement of the analysis model is the link between business and IT performances, and a systematic approach that enables to step from business value down to IT resources and IT management processes. This alignment could actually enable the continuous improvement cycle that is in the final stage of Capability Maturity Model Integration (CMMI). -With this, management can take good decisions that have direct impact in processes improvement and in business results. According to Ramirez (Ramirez, R., et al, 2010), process redesign is one of many activities that can produce positive organizational change. Other programs utilized by firms include employee involvement, total quality management (TQM), lean manufacturing, six sigma, and business process management.
2.4 Information Systems Management An important consideration in investment decisions is on the potential value of using a global Information Technology (IT) in order to solve a business need (Scheepers, H., Scheepers, R., 2008). There are several difficulties to define and to decide which the priority investments are. Usually business managers have a different opinion from CIO’s in what concerns information systems investments and value. Some business managers claim that technologies should be seen as a cost and that its usage should be as insignificant as possible. Others say that technologies are strategic to business development, to optimize delivery costs and creating new opportunities. Nevertheless, there’s a large consensus in the importance of technologies and information systems to present business models (Ramirez, R., et al., 2010). Additionally, managers should consider investment in IT and process redesign as a means for improving firm performance. According to Moura & Bartolini (Moura, A., Sauvé, J., Bartolini, C., 2007), the contribution of IT to business value creation is currently a hotly debated topic. IT is expected to bring value to the business, as is attested to by the introduction of Control Objectives for Information and Related Technologies (COBIT, 2007) and SOX Act compliance requirements. To meet such expectation, IT management methodologies, tools and processes have had to evolve in maturity. Evolution has been made possible with the IT Service Management (ITSM) practices recommended by the processoriented Information Technology Infrastructure Library (ITIL) framework (ITIL, 2007). Other IT management frameworks have been developed on the basis of ITIL by HP, IBM and Microsoft, among others, traditionally related to innovation. Moura & Bartolini also state that IT outsourcing is an international trend. The entire IT function of a client – including support to its strategic business processes – may be outsourced to one or more providers. A core ITIL (Menken, et al., 2009) instrument for managing IT outsourcing contracts is the Service Level Agreement (SLA) by which certain promises are made to clients about the quality or performance objectives of the service provided and now the provider is to be compensated / penalized. Information systems managers also have to define architectures to better support the business needs, like the Service Oriented Architecture (SOA). According to Jormakka & Lucenius (Jormakka, J.,
Lucenius, J., 2009) SOA is currently the way to design and integrate information services in enterprises. SOA is usually based on Web Services, originating from the eBusiness world, but SOA is not only technology, it is more of a philosophy. One of the central ideas in SOA is the flexibility to changes in business, like reorganization, changes in the way business is carried out, or changes among the business partners. Organizational business processes are realized as SOA Business Processes or high level services, some for end users inside the organization, and some to be used in a standardized way by business partners. Business processes are for example ordering and invoicing. The business processes invoke technical services, which may access the organization’s ERP (Enterprise Resource Planning), or CRM (Customer Relations Management) systems and databases. Implementation aspects, like protocols or data access technology are hidden from the business processes. The business processes may be further orchestrated in order to provide more intelligent, automated business flows.
3 3.1
INFORMATION SYSTEMS RISC AND VALUE The Problem
To measure the importance of a particular application or information system for the different business units of the company is, normally a very difficult task. It obligates to answer some others questions as: What is the relative importance of each system or application for company business? What is the system or application where to allocate more budget? What is the system or application where priority makes improvements to the business? What projects are to "move forward" with the budget? (limitations) These are the frequent questions that CIO’s have to answer and which promote big and frequent discussions with the business managers. The chain value that is perceived by each department is different and is based in different indicators. Nowadays, the aimed alignment between business and information systems is not a reality. It’s frequent to assist a business manager that refuses to talk to an information systems manager.
The ITIL and COBIT management are good practices and methods but they don’t solve these typical problems. According to the ITIL, COBIT and ISO 27002 alignment for business benefit (ITIL alignment, 2008) and Malta & Sousa (Malta, P., Sousa, R., 2009), the development of architectures has been a major issue for IS managers, both from a technological point of view and from an organizational way. It’s even more complex when it comes to Enterprise architecture (EA) that includes business strategies and processes, besides IS models that support them. This way, the CRUD matrix (Lunsford, D., Collins, M., 2008) is an excellent technique to model processes and data and how they interact with respect to creation, reading, updating, and deleting of data. In this paper, we extend the CRUD matrix to a CRUDI matrix, where we propose to incorporate a third dimension on the matrix, in order to include the relative importance of each node (pair process/data).
3.2
CRUDI Approach
The need for new tools and methods implies the search for new approaches. This way, we intend to define a new method supported in new tools like the CRUDI matrix, to help information systems managers to better decide the investments and their related priorities, aligned with the business needs. The first difficulty will be to define the CRUDI matrix to the first level of abstraction, with a CEO of a company, thus adding the relative importance of each business process with each information entity. The second problem, certainly more complex than its predecessor, will repeat the previous procedure, iteratively, obtaining the same information but now with a greater level of detail going into each sub-process. Achieved the previous two objectives, then we can obtain the clusters of entities-processes, necessary for the characterization of information systems and enterprise applications. At this point, it will be possible to assess the indicators achieved and we can correlate the relative importance of each information system and each sub-system. With this new information, and the creation of new indicators for decision support, managers of information systems and business managers now have a consistent and coherent view on the relative importance of each investment in information systems to achieve the business objectives. Definition and specification for a process change:
a)
b)
c)
d)
e)
Definition of the CRUD matrix for the processes and systems that support the business; Add the relative importance of each node in the CRUD Matrix (New Dimension), of each feature and each process, in a relative scale, creating a CRUDI matrix; you can get an array with nodes with information about the alignment and the importance for business, for each node of the array, for Level 1 – Business Process and Entities. Observe Figure 1 below. Add the relative importance of each link between nodes in the CRUDI matrix, reflecting a relative scale and thus the value of integration between IS for business; Determine the relative importance of each application subsystem based on information gathered in the CRUDI matrix; Implementation of a New Information System and Technology (IST) Management Process for determining and simulating the relative importance of each system and application to business, in a simple and intuitive way; i. Introduce procedures to specify and update the CRUDI matrix, for processes and features associated with its importance; ii. Determination and simulation of the relative importance of each system and application based on CRUDI Matrix; INCOME
Business ScoreCard
IT ScoreCard
Service Level Corrective Maintenance
Availability of Applications and IT Systems
Monitoring Systems and Applications
Business Indicators (Proposals, Policies, Claims)
Projects Performance
Datawarehouse KPI
Probes and Monitoring ETL Engines
Central System
Application servers
Databases
Communications Servers
Web Servers
Figure 2: Hierarchy of KPI’s and Score Cards.
iv. Ensuring a Decision Support System to ensure the introduction, measurement and monitoring (evolution) of new indicators; v. Analysis and Strategic Decision-making based on the CRUDI matrix and new KPIs; it also allows an assessment on the business impact (financial and strategic).
IMAGE AND BRAND RECOGNITION EMPLOYEE SATISFACTION
Sup-Process
Sup-Process
Service Level Evolutive Maintenance
IT Team
CUSTOMER SATISFACTION
COSTS
BUSINESS PROCESSES
Management and Decision Makers
RESULTS
BUSINESS PERFORMANCE
Sup-Process
iii. Create Indicators (KPI's) based on the new CRUDI matrix for measuring progress;
Sup-Process
Stage 1
Stage 3
Stage 1
Stage 3
Stage 2
Stage 4
Stage 2
Stage 4
KPI
Impact
KPI
Impact SERVICES / APPLICATIONS IT
KPI Service/Application1
Service/Application 2
Service/Application 3
Service/Application 4
Impact
INFRASTRUCTURE IT
KPI MainFrame
Database Servers
Application Servers
Communications
Figure 1: Relation between business processes and support applications.
3.3
Challenges and Conclusions
With the presented example we aim to demonstrate that the use of a CRUDI matrix can be a viable approach and that CIO’s and business managers can have new information to better decide new investments. This new approach has, in our opinion, a big potential to define investment priorities in information systems, which are perfectly aligned to business needs. This way we can reduce the abysm between business and technology, steel present in several business sectors. This method also allows a better alignment between business and information systems. The present work is a starting point to a more detailed evaluation of possible scenarios, to assure the complete assessment of a company need, starting with an insurance company or a bank. We will continue this task, trying to work closely with real entities in the future year, to define and describe the new method and to create real CRUDI matrix samples, which describe the real problems and business needs. We will present those CRUDI matrix samples to CIO’s and to business managers in the way they can evaluate the information and comment if it’s useful or not and if there is any gap we must still solve. Then we intend to provide new articles with a more detailed work and the achieved results (case studies).
4
REFERENCES
Barroero, T., et al., (2010), “Aligning IT service levels and business performance: a case study”, IEEE conference on Services Computing, DOI 10.1109/SCC.2010.88 Basel Committee (2006), “The Joint Forum: High-level principles for business continuity”, Basel Committee on Banking Supervision, Bank For International Settlements, August 2006 COBIT, (2007), “COBIT® 4.1. Framework, Control Objectives, Management Guidelines, Maturity Models”, IT Governance Institute, ISBN 1-933284-722 2007. EU, (2006), “i2010 eGovernment Action Plan: Accelerating eGovernment in Europe for the Benefit of All.” [accessed 15th August 2010]. Available at: http://ec.europa.eu/idabc/servlets/Doc?id=25286. Henderson, J., Venkatraman, N., (1993), Strategic Alignment: Leveraging Information Technology for Transforming Organizations, IBM Systems Journal 32(1): 4-16.
ISP, (2009), “Orientação Técnica – Desenvolvimento dos sistemas de gestão de riscos e de controlo interno das empresas de seguros”, Circular N.º 7/2009, de 23 de Abril, Instituto de Seguros de Portugal (ISP), 2009. ITIL, (2007). “ITIL v3 - Introduction to ITIL Service Lifecycle”, Office of Government Commerce, 2007. ISBN: 9780113310616 ITIL alignment, (2008). “Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit”, ITGI, ISACA, OGC and TSO - IT Governance Institute. Jormakka, J., Lucenius, J., (2009), “Possibilities for improving dependability of C4I2SR systems based on Service Oriented Architecture”, IEEE, 2009 Computation World, DOI 10.1109. Loebbecke, C., Wareham, J., (2003), “The Impact of eBusiness and the Information Society on ‘STRATEGY’ and ‘STRATEGIC PLANNING’: An Assessment of New Concepts and Challenges”. 165– 182, 2003 Lunsford, D., Collins, M., (2008), The CRUD Security Matrix: A technique for Documenting Access Rights, 7th Annual Security Conference, June 2-4, 2008. Malta, P., Sousa, R., (2009). “Looking for Efective Ways of Achieving and Sustaining Business-IT Alignment”. Menken, I., Blokdijk, G., Malone, T., (2009), “ITIL V3 MALC-Managing Across the Lifecycle of IT Services Best Practices Study and Implementation Guide, 2009, Emereo Pty Ltd London, UK Moura, A., Sauvé, J., Bartolini, C., (2007), “BusinessDriven IT Management Upping the Ante of IT: Exploring the Linkage between IT Business to Improve Both IT and Business Results”, communications Magazine, vol. 46, issue 10, October 2008. Ray, P., Lewis, L., (2009), “Managing cooperation in ebusiness systems”. DOI 10.1007/s10796-008-9095-2, Springer 2009 Ramirez, R., et al. (2010), Decision Support Systems 49 – 417-429, Elsevier, 2010. Scheepers, H., Scheepers, R., (2008), “A process-focused decision framework for analyzing the business value potential of IT investments”. DOI 10.1007/s10796008-9076-5, Springer 2008. Silva, A., (2008). Law 18/2008. Portuguese Republic Diary, 1st Series – Nº20 of 29th of January 2008. Sócrates, J., (2007), Portuguese Ministers Council Resolution N.155/2007, Portuguese Republic Diary. Thatcher, J., et al., (2006), “Web accessibility: Web standards and regulatory compliance”. friends of ED. Trkman, P., (2010), “The critical success factors of business process management’: An Assessment of New Concepts and Challenges”. International Journal of Information Management 30 (2010) 125–134.