Archive by Author

Surviving Disaster

7 Feb

Management may wonder what are the essential resources that the business needs to continue operations?

Five main types of resources necessary for the continuity of operations are identified by Duncan, Yeager, Rucks & Ginter 2011: facilities, communication, records and databases, supplies, and human resources.

Continuity of facilities:

As discussed in my second blog a second location for the conducting of business should be identified or else firms will feel the consequences of not being prepared as was the case with Caterpillar. When a tornado struck Oxford, Mississippi in 2008 and destroyed much of the Caterpillar operations there, it placed major hardships on the company and its employees. Caterpillar essentially put all its ‘eggs in one basket’ by locating the manufacturing facilities for all its high-pressure couplings–—used in bulldozers, dump trucks, and excavators–—in a single facility, which was rendered inoperable by the storm (‘‘Caterpillar and Disaster Preparedness,’’ 2008).

Continuity of Communication:

Communication is vital for a business to enable it to respond to, and recover from a crisis. Electronic, verbal, and written/paper are three components of essential communication. Electronic communication is likely to be the first to go with verbal communication also can decline in a crisis and so it is the written/paper communication channel that is the most reliable. Experts suggest experts suggest that all employees have a personal copy of the continuity of operations plan and the specific standard operating procedures for the positions they back up (Duncan, Yeager, Rucks & Ginter 2011).


Continuity of records and databases or (RIM):

“All records, information systems, and data management software required to support individuals accountable for accomplishing mission-critical functions must be identified, backed up, and safeguarded.” An example of safeguarding data is the First National Bank of Omaha when they decided to build its new operations facility partly below ground with reinforced walls designed to withstand winds of 260 miles per hour. In addition, the bank’s back office operations were powered completely by in-house, hydrogen-based fuel cell technology. As one bank spokesperson noted, ‘‘[even] if the whole city of Omaha loses power, [First National] won’t lose it’’ (Fest, 2009, p. 16).

Continuity of Suppliers:

Again a big issue as discussed in my third blog, when external services are required and materials are purchased, it is important to regularly review vendor and contractor agreements to ensure these firms also have continuity of operations plans in case of a disaster (Altman, 2006).

Continuity of Human Resources:

People have to be accounted for, and someone must be responsible for counting and reporting. Rally points need to be established, in the event that employees are separated or work at satellite locations. (Duncan, Yeager, Rucks & Ginter 2011)

These 5 resources would be identified in step 3 in my first blog in a business impact analysis.

Big Risks in 2013

6 Feb

Business interruption, natural catastrophes and fire represent the top three risks for companies in 2013, says a new global survey by Allianz.

Top 10 business risks for 2013

Business interruption and supply chain risk ranked as the top risk, with almost half (46%) of the responses ranking it as one of the three most important risks for their clients. With many businesses choosing to run lean supply chains to reduce costs, business interruption at a key supplier can cause a ripple effect felt across an entire industry. For example the flooding in Thailand in late 2011, caused a shortage of hard-drives impacting PC manufacturers globally, triggering contingent business interruption claims far outside the flood zone itself. “The flexibility that provides a modern supply chain with its cost advantages has also created its inherent vulnerability,” says Paul Carter, Global Head of Risk Consulting at AGCS. Today, companies are increasingly re-examining the trade-off between efficiency and operational redundancy (Allianz Risk Pulse 2013).

“To improve supply chain resilience many companies consider adding back some redundancy into lean supply chains, even if this reversal of widely used single-supplier sourcing incurs additional costs” (Paul Carter).

Checking a supplier’s own business continuity planning should also be embedded in the supplier selection process and ideally include even the suppliers of the primary suppliers. This would be good practice for business to incorporate this into their Business Continuity Management programmes. Not only should firms have a business continuity plan in place they should check the business continuity plans of those who they do essential business with.

The Article also revealed the breakdown of risks by large and small enterprises, by regions and by industry.

ICT risk

Another revealing issue of the survey was the underestimated business risks for 2013. One of which was Cyber Crime an area where the ICT industry does not underestimate as seen above. Another area of underestimated risk is power blackouts “Reliability of power supply will decrease in the future due to aging infrastructure and the lack of substantial investments,” (Michael Bruch, Head of R&D Risk at AGCS). A solution to this states Michael is to expand and to link decentralized sources of power generation, especially renewable energies, and to enable cross-border trading of power and grid services.

The BCM of a firm is now changing from merely planning a continuity plan for emergencies but it also has to be adaptable during a crisis if things don’t go to plan as discussed in my second blog and now to totally protect against disaster firms need to also check out the BCP’s of their suppliers.

Business Continuity in Action

5 Feb

Essential to the success of BCM is a thorough understanding of the wide range of threats (external and internal) and recognition that an effective response will be determined by employees’ behaviour during the business recovery process.

Morgan Stanley’s response to the September 11th attacks is an example of the benefits and limitations of business continuity planning.

Continuous training following the 1993 world trade centre bombing meant that most the company’s 3,700 employees survived the evacuation in 2001. The company then proceeded to re-establish contact with its dispersed employees using house calls, public broadcasts and one of its own call centres in Arizona. Simultaneously Morgan and Stanley set out to recover its operations at alternative facilities (but not those that were originally designated as they were in the inaccessible lower Manhattan area). A temporary recovery site was established in Brooklyn until the first recovery centre could be accessed.

Other firms such as Lehman Brothers, who also were affected by the denial of access to their recovery centre, drew on emerging processes in creative ways. Over half of Lehman Brothers staff worked from home in the immediate aftermath as a result of an extensive remote access programme. This shows that “crisis adaptability is the key to continuity” (Herbane, Elliot and Swartz (2004)). The actions that Morgan and Stanley had taken demonstrated both on-going organisational learning and adaptation before and during the crisis.

The Senior Vice president of the Federal Reserve Bank of New York commented that existing models of contingency planning in which single-site technical crises are considered should no longer exist. Instead priority should be the loss or lack of access to staff because without them nothing can be recovered, restored or retrieved. Business Continuity processes are more vital now than ever , the above organisations have showed that creative and flexible use of resources are required during a crisis and that can supersede the value gained from mimicking emergency plans. Such an approach requires on-going commitment and leadership, the foundations of which are provided by adopting a business continuity management approach as discussed in my last blog here.

Firms that recover quickly and thoroughly from crises will sustain little damage to their competitive position. However if a firm is unable to recover quickly, the effects on its reputation may outlast direct effects of the crisis.

The above blog and examples is based the paper: Herbane, Elliot and Swartz (2004) Business Continuity Management: time for a strategic role?

Framework for BCM

27 Jan

Business Continuity Management (BCM) is a tool to aid management in developing business continuity plans. It ensures greater confidence that the business will continue to operate in the face of risks. A framework by Gibb and Buchanan 2006 is proposed which draws on other authors work as well as experience in the field. The steps in the framework are as follows;

S1- Programme Initiation – BCM needs to be an enterprise-wide activity yet research shows that some 2/3 of enterprises view BCM as an IT issue. (Gibb & Buchanan 2006). A programme plan must be set out to identify when, what and how BCM projects will be initiated.

S2- Project Initiation – Goals of the project will define the expected outcomes of the project, objectives should be measured using SMART targets and project teams should contain a wide range of skills as BCM is a multi-disciplinary activity.

S3- Risk Analysis – Consists of 3 phases; risk identification, risk evaluation and business impact analysis (BIA) see diagram below. The team is required to identify events, the causes of these events and calculate the consequences of these events.



S4- Selecting Risk Mitigation Strategies – options are identified and evaluated for dealing with the identified risks in the previous phase. However for each risk there may be one or more solutions for mitigation. See diagram of proactive approaches below.



S5- Monitoring and control – the BCM strategy will require an effective communication and control structure to be in place to ensure success. E.g risk reduction measures are put in place.

S6- Implementation – improving operating procedures, infrastructures and security which can help to transfer, minimise or absorb the risks of processes and services being compromised.

S7- Testing – testing of the disaster recovery plans and risk mitigation strategies should be carried out regularly to see if they are still relevant and deliverable. Plans should be tested within 3 months of implementation and not more than 1 year there-after. A report should be created evaluating the effectiveness of the tested components, highlighting areas of concern.

S8- Education and training – Benefits and objectives of the BCM strategy must be communicated to the workforce to ensure that the objectives can and are being achieved. For critical processes self-assessment should be considered.

S9- Review – the BCM strategy must be responsive to changes in business requirements. New processes, technologies and personnel bring new risks and requirements so it is essential that the business does not become complacent and fails to update its BCM procedures. If the business is protecting non critical components etc

BCM is key to ensuring that a business can protect itself against the risks which are inherent in its environment.  “A lack of investment can result in loss of revenue at best and cessation of business activities at worst.” (Gibb & Buchanan 2006)

The above framework will aid management in preparing business continuity plans and the 9 steps can be discussed in more detail in future blogs as they do play a part in developing business continuity plans.

Implications of IS value

26 Nov

In my previous blog I stated that; it depends on how the company perceives the value of IT/IS that will determine the evaluation method to use. As Lucid21 points out in his last post one problem facing IS evaluation methods is defining the term “value”.

Cronk and Fitzgerald (2002) demonstrate how the many evaluation measures that have been employed stem from differing philosophical paradigms and interpretations of the term IS business value.

However what is the value of IT/IS? Bannister and Remenyi (2000) pointed out, to be able to assess value; one has to clearly define it. Parker and Benson (1988) stated that IT value is the ability of IT to enhance the business performance of the enterprise.

Brown (2005) stated that it is the benefits of an IS investment that constitute the business value that have proved the most challenging to assess. Organizations invest in and maintain ICT (information and communications technology) applications to create business value. They expect benefits like productivity gains or quality improvements that contribute to the organization’s strategic goals or operational performance. Evaluation exercises are concerned with the question of value. There has been comparatively little attention paid to the definition of IS business value (Cronk and Fitzgerald, 1997).

“Without a clear understanding of this concept estimation of benefits and hence evaluation are unlikely to contribute much to our understanding of the impact of ICT.” (Brown 2005)

Both the actual and potential value of each IS investment will vary from situation to situation and between stakeholders.

Orlikowski (1999) states that; “Technology is not valuable, meaningful or consequential by itself; it only becomes so when people use it.” Davenport (2001) uses examples of organizations that have installed advanced information systems to capture transaction data but have yet to make effective use of it.**

To investigate business value Orlikowski (1999) and Davenport (2001) focus on the specific information systems applications and the organizational context within which they are used. Business value is de facto considered a function of the individual information systems application and the particular context within which it is of applied.

To conclude IS evaluation exercises can also be viewed as projects that involve both the hard factors of evaluation of the technology and soft factors like evaluation of the organizational impact of the technology and organizational processes for decisions. People’s different take on the value of IS will lead to different evaluation methods, customized to capture the perceived value of the investment.

**Davenport Examples: Davenport T, Harris J, De Long D and Jacobson A (2001) ‘Data to Knowledge to Results: Building an analytic Capability’ California Management Review vol 41(2) p117-138

Different evaluation measure for different types of investments

19 Nov

In my last blog: I discussed how there is no one fit solution to evaluating an IS system. That it will depend on how the company perceives the value of the system that will determine the method of evaluation, i.e. if the company sees the benefit of a new system as increasing staff moral (intangible) then they will engage in using methods such as the balance scorecard. Mirra2, kechy4me and sully1210 have all elaborated on when quantitative and qualitative measures should be used.

The search for one uniform evaluation method becomes unjustified, and a customized evaluation method should be designed for each IS investment. Bannister and Remenyi (1999) call it a “Meta approach‟ (as defined in last blog) and argue that this orientation is not structured and varies from case to case.

The selection of methods most appropriate for particular company’s circumstances is one of the biggest problems in IT/IS evaluation (Remenyi et. al., 2000). Remenyi puts forward a view of how different evaluation methods are chosen by relating the evaluation measure to the investment purpose. For example, if the purpose is to improve efficiency– a cost-benefit analysis should be performed, whilst for strategic investments – strategic analysis would be the suitable tool (Remenyi 2000). The relation of evaluation measure to the investment purpose determines the overall evaluation strategy, rather than the specific tools to be used (Lech 2005). Irani (2002) suggests that evaluation criteria should be dependent on the IT element (i.e an ERP system) that is implemented.

The first question that should be answered before the evaluation process begins is for what reason the IT/IS investment is being made. This is the purpose of implementation that determines general evaluation strategy. The relationship between the investment purpose and aspects that should be subject to evaluation can be seen in the below table. (Click to enlarge)

The Investment purpose first of all determines what should be measured (see above). If the investment is a “must-do” – which means that it is either required by law or is an industry standard, then the main benefit is staying on board. The optimizing criterion for such investment should be to obtain the desired goal at minimum costs (Lech 2005). However if the investment is for competitive advantage then a more strategic analysis is required.

I believe Lechs paper (2005) Evaluation Methods’ Matrix – A Tool for Customized IT Investment Evaluation, has contributed to outlining how companies determine what IS/IT evaluation methods to select when choosing an investment. By following the above figure one can see that an IS investment is split into 4 categories (investment purpose) which is linked to the evaluation aspect and methods used for evaluation. From this it can be concluded that the purpose of the investment will also be related to what evaluation method to use.

A one-size fits all approach does not exist

14 Nov

There is little doubt that information systems evaluation is problematical (Smithson & Hirscheim, 1988). Berghout and Renkama (1994) list 60 evaluation techniques, while Katz (1993) cites Wilson as having identified over 160. Renkema and Berghout (1997) considered over 65 methods for IT evaluation and conclude that the available non-financial evaluation methods are barely supported by theoretical foundations.

There is not one individual evaluation method that can be used for every company. With so many different evaluation measures, how will a company decide which one to use? When will a company use quantitative measures over qualitative measures or use both together? The answer lies in how the company perceive the value of IT.

Investment decisions are based on perceived value, however measured.  An understanding of how value translates to decisions can be aided by classifying approaches to evaluating IT decisions into three basic techniques that can be used in two different ways. (Bannister & Remenyi 1999)

The first level consists of the basic approaches to evaluation, which can be termed Fundamental, Composite and Meta methods.

Fundamental measures are metrics which attempt to assign parameters to some characteristic or closely related set of characteristics of the investment down to a single measure. These include IRR and ROI as discussed in previous blogs. Measures of this type are not confined to the purely financial, although financial measures are the most common.

Composite approaches combine several fundamental measures to get a ‘balanced’ overall picture of value/investment return. These include portfolio methods as lucid21 discussed  and the Balanced Scorecard of Kaplan and Norton (1996) which sully1210 talked about. There are few organisations that would try to evaluate their information systems activity today without using some variant of the composite approach.

Meta approaches (e.g. Farbey et al 1993; Peters, 1994) attempt to select the optimum set of measures for a context or set of circumstances.  This meta orientation is not usually structured and there is no question of the organisation wishing to use this approach for any sort of benchmarking other than for internal comparison between different projects and or over time when the same meta approach is being applied.

These three approaches may be applied in two different ways:

1. Positivist, where the decision-maker allows the methodology to make the decision.  In this approach the investment with the highest return or with the best overall score in some ranking is chosen.  The decision-maker establishes a series of mechanical operations which reduce the decision to a single score, either by using a preferred basic method, combining several such methods with a composite technique or using a meta approach to select a single method.  The latter two can be combined, ie. using a meta method to select an optimum set of techniques to be used and an ad hoc composite method to combine them.

2.  Hermeneutic, here defined as methods of interpretation of data which use non-structured approaches to both understanding and decision-making.  Here the decision-maker takes on board several different metrics directly and combines them in his or her mind in a manner that cannot be formally stated.  It is in this area that instinct and intuition plays the biggest role.

The concept is illustrated below: (click to enlarge)

If a company perceives the value of IT/IS as purely financial then quantitative measures will be used or if the company perceive the value of IT/IS as being more intangible then qualitative measures will be used. It depends on how the company perceives the value of IT/IS that will determine the evaluation method to use. For example, if the evaluation relates to IT/IS in services, one might need to assign more weight to intangibles, and if it is in manufacturing, one might need to assign higher weight to tangibles.

post-implementation evaluation matters too

5 Nov

“Generally speaking, most empirical and theoretical articles (with very few exceptions) tend to classify IT/IS evaluation as a planning activity or take a temporal view along the development life cycle only to stop short of the operational phase.” (H. Al-Yaseen , T. Eldabi , R. J. Paul and R. El Haddadeh 2008)

(Irani and Love 2008) discussed the evaluation process by extending the temporal view of the systems life cycle with more concentration put on the operational phase – in order to understand issues related to IT/IS evaluation after project completion.

“Evaluation is a process that takes place at different points in time, or continuously, explicitly searching for (quantitatively or qualitatively) the impact of IT/IS projects” ( Al Yaseen 2006 ). This definition recognizes the different stages in the full life cycle of an Information system in which evaluation is performed.

First view evaluation which can be referred to as ‘ex ante’, ‘formative evaluation’ or ‘prior operational use’ (POU) is used to gain direction in the IS project. Here quantitative techniques such as IRR and NPV can be used. This evaluation doesn’t provide feedback beyond design, implementation and delivery of the project outcomes.

Evaluation can also be considered in terms of the effectiveness of the IT/IS system. What a system actually accomplishes in relation to its stated goals (Eldabi 2003). This form of evaluation draws on real data rather than projected data, and can be used to justify adoption (Love and Irani, 2001). This type of evaluation should be performed during the operational phase of the project. This is referred to as ‘post-implementation’ evaluation (PIE).

The below diagram from (Irani & Love 2008) shows these forms of evaluation with respect to a systems life cycle.

Forms of evaluation with respect to a systems life cycle.

Results from (H. Al-Yaseen , T. Eldabi , R. J. Paul and R. El Haddadeh 2008) suggest that most decision-makers do not place much importance on PIE of their IT/IS systems. “Most managers tend to think of it only as a formality rather than a proper evaluation process. Among the 45 who considered adopting PIE, those companies who undertake it seriously tend to gain considerable benefits, including the validation of their original POU estimates. But more importantly PIE helps those organisations to better appreciate and capture the intangible benefits associated with IT.”

The results of the research indicated that all the participating organisations have carried out a formal POU evaluation, but that only 36.5% currently perform a formal PIE of their IT/IS systems. That suggests only 36.5% of the participating organisations justified their investment in IT/IS and if their IT/IS systems achieved the anticipated benefits. (Irani & Love 2008)

Evaluating an IS investment after the implementation stage makes sense to me as it can be seen how the new system is progressing and can give organisations a more comprehensive evaluation of the investment. After the implementation stage a system may act as an enabler into new products and services that may not have been taught of in the ‘prior operational use’ stage of evaluation.

Do people think that to evaluate the full benefits and cost of an information system investment that using both POU and PIE would be a more comprehensive method of evaluation?

Not just about the method

25 Oct

From my research into frameworks for evaluating Information systems investments such as the Delphi/VAHP/DEA model which I discussed in my previous blog and also from reading about the PENG model which sully1210 discussed, I agree that the evaluation methods are heavily dependent on personnel’s attitudes and those peoples resistance to change.

To place a monetary value on an intangible asset is subject to these personnel/line managers in an organization who place an estimated value on each intangible asset e.g. morale.  As Oliver 2007 pointed out by including intangible benefits of the project in the evaluation, a better understanding of the true value of the project will emerge. So to get a good evaluation we need people to place a high value on the intangible benefits associated with investment in information systems.

So therefore it is not just the method used to evaluate the investment but key organisational drivers that also affect the outcome of the IS/IT project evaluation. (See above figure)

The figure above which I got from Zahir Irani and Peter Love (2008) shows the eight characteristics of effective IT evaluation which include the six key organisational drivers. Irani and Love (2008) conducted interviews with 72 senior managers in 36 companies, “effective evaluation outcomes such as selection of the right projects, consistent and timely decision-making, corporate learning, and thus, improved IT/IS project outcomes, were found to be closely related to the six key drivers presented” above. which are :

1)      Accountability for results

2)      Top-leadership commitment

3)      Strong IT- business relationship

4)      Alignment to Strategy

5)      Effective Measurement regime

6)      Willingness to take action

Irani and Love (2008) findings show that effective evaluation outcomes are more closely related to evaluation behaviours in organisations than the use of specific methods and techniques. Simplicity and flexibility were also found to be key drivers for effective IT /IS evaluation practice.

Another interesting finding here was that companies who had the most successful practices came from the finance and insurance sector while the mining sector was found to have the least effective practices. Due to the mining sector considering IT as ‘a commodity’, “this resulted in greater challenges in terms of obtaining access and information from the business and had a serious negative impact on the effectiveness of IT project evaluation.”

Do people agree that it is not just the method used to assess the investment but there are also key organizational drivers which can determine the successful evaluation of an information system investment?

Framework for evaluating information systems investment

17 Oct

“IT/IS investment evaluation problem has special characteristics, which makes it more complex and challenging than conventional investment evaluation problems.” (Azadeh, Keramati, Jafary 2009)

I beleave that IS investments must be evaluated not just on there financial benefits but also on the value they add to a company. Helping a company to reach its long term goal and to gain a strategic advantage may not be financialy measurable but this must still be accounted as a benefit.

Gunasekaran & Love (2001) stated that existing methods for justifying the investment in IT projects are considered to be inadequate and so presented a conceptual model that places emphasis on evaluating the benefits of strategic, tactic, operational, financial, and intangible investment appraisal techniques.

Azadeh, Keramati & Jafary 2009 propose an integrated Delphi/VAHP/DEA framework for evaluation of information system investments. (illustrated below)

“Delphi is designed to overcome the interpersonal behavior problems of work groups. VAHP has been used for supplier selection problem, and DEA is a universally accepted non-parametric method that uses linear programming to calculate the efficiency of defined DMUs.” (Azadeh 2009)

The above framework was put into practice in a large multidisciplinary power holding organization in Tehran. The company used the above framework to test what IS investment to invest in and this resulted in the company investing in a ERP (A Meta system for organization’s resources planning at enterprise level) and a product development system. This validated the results of the framework which showed that both the ERP and the product development system were efficient investments.

The framework was also examined by ten IT/IS experts who had completed a questionaire on the framework marking it out of ten in certain areas. The framework scored high in Measuring Tangible & intangible benefits and costs. It also scored high in measuring risk and using both qualitative and quantities data.

Azadeh developed this framework to overcome some of the problems of traditional methods of evaluating information system investments such as quantifing intangible benefits. His paper was published in 2009 which makes me beleave that this is a relativly new framework. Perhaps there are older more proven frameworks for evaluating informations systems investments? Or does anyone have an opinion on how IS Investments should be evaluated?

%d bloggers like this: