Archive by Author

A 3-Stage Business Continuity Framework

22 Feb

We have designed a framework that we believe companies could use when preparing a business continuity plan (BCP). This framework will be divided into three stages:

The first is the initiation phase, which generally encompasses all that will be completed when a BCP is first proposed. This involves defining the event for which we are preparing for, identifying the key players involved and the main aspects of the BCP.

The second is the continuous phase, which incorporates many activities that take part at inception of a BCP and also take place regularly during the lifespan of a BCP. This is carried out to prevent the BCP from becoming out of date. These activities include identifying threats, establishing a “whole business approach” and carrying out regular tests, reviews and updates.

The final phase is implementation, which involves putting the BCP into action and ensuring it is in place should a disaster ever affect the business.

Phase 1: Programme Initiation

Crisis Definition

Before an event can be addressed, one must first adequately define it. Is it simply an incident or a crisis “one that can interrupt anything that the organisation considers critical” This will be assessed accordingly by a crisis management team, who will be recruited to properly assess a situation.

Forming the BCP Team

As pointed out by the group the business continuity process should be an enterprise-wide activity rather than just an IT issue. Just viewing business continuity as an IT issue may lead to inadequate resource allocation for the business continuity plan. Therefore it is important to establish a programme which chooses key people within the entire organisation and not just within the IT department.

Choosing people from different departments to participate in the preparation of the business continuity plan (BCP Team) will increase the variety of skill available and also will act as a voice for their department when planning the contingency plan. The CIO can have a key role in identifying these key individuals. The business continuity plan should be the responsibility of a senior manager (business continuity manager) who will lead the development of the business continuity plan. Within this initial phase the programme roles, responsibilities and processes will be defined and agreed by the BCP team. Also the team should identify the key personnel, resources and suppliers needed in the event of a crisis and those identified should be assigned specific tasks in the event of a crisis. Once the BCP team is assembled they can go about discussing what should be included in the business continuity plan.

Aspects of BCP

These are the main areas of interest in relation to a forming a BCP.

1. BCP Governance

BCP Governance is concerned with how aware management are of their commitments and roles. This section needs to contain a structure, possibly in the form of a committee who are responsible for overseeing the plan as a whole.

2. Business Impact Analysis (BIA)

The importance of a BIA is in relation to identifying the main products/services that the company provides, while clarifying the impact a disruption may have on these. Another area that is looked at in this section is identifying areas that could potentially lead to revenue loss, additional expenses and intangible losses. At this phase it is important to identify the organisations insurance requirements and identify inter-dependencies that exist between a company’s products/services.

3. Plans, Measures and Arrangements for Business Continuity

This stage of the plan requires the company to prepare a detailed recovery/response arrangement to maintain business continuity. The aim of these arrangements is to provide the organisation with an idea of when they would be able to provide a minimum level of service during a time of disaster. BCPs need to be made specifically for each product/service that the company provides. They also need to ensure continuity within each business process of an organisation.

4. Readiness Procedures
These procedures ensure that all staff members are adequately briefed on the plans contents and the measures that will be going ahead in the event of a disaster. Everyone needs to be aware of their responsibilities while those staff members who have direct responsibility need to keep up to date on their role in the event of an incident.

5. Quality Assurance Techniques
This process is essential for helping companies evaluate what part of their plan needs to be updated and improved on. These techniques may include an internal review or an external audit, or possibly a combination of both methods.

Phase Two: Continuous

Internal and External Threats

There is a need for both a company’s internal and external threats to be explored at the outset of a BCP.

An internal threat is something that occurs within the company. Examples include interruption to supply chain, security breaches, and data loss. As a company evolves other internal threats may become a bigger risk to the company, for example if the company is customer orientated, a power outage could cause adverse effects. External threats are those that come from outside of the company, something the company cannot control, for example natural disaster and terrorism. Another example is hack attack on the company’s system. In order for a company to prepare for these attacks a stringent and well organised business continuity plan needs to be in place within to company.

Identification of these threats will serve to increase the company’s resilience by being prepared for all eventualities. Flexibility needs to exist within the BCP to ensure all threats are prepared for. For example, the same action would not be taken for supply chain interruption as would be for the occurrence of an earthquake.

Whole Business Approach

As pointed out in the Initiation Phase of our framework, a Business Continuity Plan needs to be an enterprise-wide activity. There needs to be a whole business approach in adopting the BCP in order to gain full advantage of the plan when it is called upon.

The programme initiation phase of our framework and building the right team is crucial in making a BCP an enterprise-wide exercise. If the correct team is put in place, it will insure there is strong leadership (Business Continuity Manager from top management of the business) and an active involvement from all sectors of the business (BCP Team). By the importance of the BCP being recognised from the top down, the plan should become a crucial part of the business that is integrated into the everyday functioning of the company. If this ‘embedding’ of the plan into the company’s culture is successful, then each member of staff will be aware of the importance their role has in its success and pay due diligence to that role. For the recognition of this importance to continue into the future, beyond the initial setup stage, testing and reviewing will be crucial.

As part of an all-encompassing “whole business” approach, recognising the need for suitable secondary protocols are essential. We propose that this should involve an assessment of the company itself by professionals in the area of disaster recovery. This will provide the company with the necessary instructions to accommodate for financial strains that secondary protocols can cause.

Testing

A BCP is defunct unless it has been proven to be effective. In order to ensure this, companies perform full tests on their BCPs which are performed at initiation to ensure a new plan is effective, and at regular designated times until further changes have to be made. This is necessary in order to keep the plan up to date as the external environment and threats change constantly.

As discussed in a previous post there are three different types of tests:

1. A Plan Review
This is a theoretical review of all BCP documentation.

2. Table-top Test
All of those involved in the BCP gather together to discuss and examine the plan and how it would be implemented.

3. Simulation Test
This is a practical demonstration of the company’s procedure under particular circumstances or in an unexpected event. It is the most exhaustive of BCP tests, and will prove the best indicator of a plan’s effectiveness.

These tests are measured based on the following standards, which incorporate the main aspects of a BCP as discussed.

1. Participation
This refers to those taking part in the test.

2. Attendance
Were people present and prepared for the test?

3. Plans (Early and Later Stages)
How well did those involved react to the initial stages of the issue? How exhaustive were the plans drawn up for issues including the co-ordination and allocation of key resources?

4. Support and External Players
How helpful were the support groups? Who was needed the most?

5. Leadership
Did those in charge during the co-ordination of the plan during the test react well?

6. Information Flow
Were those in relevant positions kept well informed during the process?

7. Quality Assurance
Reviewing the test regularly will help to ensure quality and effectiveness.

Mistakes

Testing shouldn’t be about “ticking the boxes”. Companies must account for all exceptional circumstances, and place their business ahead of all else. In the case of an unexpected event that a BCP doesn’t specifically address, there are critical areas that must first be looked at. As already discussed “The testing should challenge and surprise the organisation and its stakeholders”. This of course means that tests should also accommodate for all business processes, not just IT and IS. By recognising these pitfalls, a company is ensuring the continued survival of their business in a thorough and comprehensive way.

Updates

Our framework also takes into consideration past mistakes that others have made with regards to BCP. Over-reliance is addressed through assessing all possible areas of concern. The scope of the BCP will cover all aspects of the company, not just IS and IT, as this has become an increasing issue recently. Other issues such as security, insurance and service evaluation will also be addressed. Regular assessments of the company’s BCP will be a part of the BCP tests that will be carried out.

Phase 3: Implementation

The implementation of the BCP is one of the most critical aspects of the project. The role of the BC Manager and the BC Team is crucial here, as is the “Whole Business Approach”.

Other stages required in a successful implementation are;
• Actively encouraging employees to embrace the operation activity of the BCP by conducting internal discussions/study meetings etc. Encourage employees to gain knowledge themselves to enhance their skills with regards to disaster prevention and responses. This can be done by providing incentives for taking part in emergency-response courses and seminars related to BCP.

The BCM should also conduct their own training session on their BCP. Regular training sessions for the employees that focus on BCP-education will ensure if/when a disaster occurs that the organisation is adequately prepared. These sessions should involve the following aspects;
1. Evaluate and re-evaluate the effectiveness of the BCP
2. Help employees gain an understanding of the BCP and clearly identify their own roles
3. Actively promote cooperation and collaboration amongst employees in the case of a disaster.
It is the role of the manager to keep everyone informed and updated on the BCP.

The group also pointed out that even if a good continuity plan is implemented and tested regularly there is no guarantee of success, as the Lehman brothers showed during the 9/11 attacks when they were denied access to their recovery center, they had to draw on emerging processes in creative ways, showing that crisis adaptability is the key to continuity. Regular reviews of the BCP will be carried out to ensure that it remains accurate and up to date, depending on the external environment.

Figure 1.1 Proposed Framework

freamework

We believe that the above framework incorporates all aspects that are essential when it comes to business continuity planning. By assessing literature, previous successes and failures, we have feel that we have accounted for the obvious and the unexpected. As with every framework, there is room for interpretation, but it is our belief that it should prove successful.

Group 10

Tim Ahern
Briain Dollard
Ross Leahy
Cian O’Brien
Eileen O’Brien
Claire O’Sullivan

Advertisements

Business Continuity Planning: Common Mistakes

7 Feb

Before we present our framework, it is important to discuss the biggest mistakes that companies make when creating a BCP, as we wish to consider all previous findings in our final post(s).

As presented in this article by Dan Carson and Brian Zawada, the 10 most common mistakes where BCP is concerned are the following:

Over-reliance
This is essentially companies placing too much weight in the BCP they create. Without regular reviews and tests, they can easily become out-of-date, and employees must be constantly trained. It is not enough to simply rely on a plan in theory; it must work in practice also.

Scope
This is a problem that has become common in more recent times. It has become apparent that BCP must not only consider IT and IS, but also consider normal business practices as well. There is certainly a need for board-level involvement with regards to these business processes (Swartz et.al, 2003).

Prioritization
It’s important that all the aforementioned business processes are prioritized accordingly. It is senior management’s responsibility to ensure this is completed when putting together a BCP.

Plan Update
This is something I have already discussed in previous posts. It is essential to constantly retool and update BCP as they can become irrelevant as conditions change.

Ownership
This involves delegating responsibility of control of a BCP to a person who can correctly manage and control.

Communication
This is imperative, particularly during the recovery process, as those involved must be constantly updated as the process develops.

Security
Not taking security into account often leads to exposure to certain risks that could make the situation worse.

PR
The public reaction is often important, and they must be communicated with in an effective way so as to avoid developing a bad reputation.

Insurance
Some companies fail to accommodate accordingly for insurance needs, which is extremely important when considering possible disasters and incidents.

Service Evaluation
Without proper assessment of recovery products (such as software) a company may not be able to deal with the situation adequately.

Keeping all of these mistakes in mind, we must also consider all that has been previously discussed. Many of the above issues relate to the main areas of a BCP, something that has been posted by sully1210 previously. For example, leadership is a governance issue, and a standard by which BCP tests are measured. Over reliance also feeds into a post in which I mentioned a paper written by David Tickner, who highlights the pitfalls of over-relying on a BCP.

It is our intention to consider everything that has been discussed up to this point in our final post(s), and ensure that an adequate framework for analysing a BCP is created.

Dan Carson and Brian Zawada (1999) Ten Common Business Continuity Planning Mistakes The Trusted Professional http://www.prescientsolutions.com/2013/01/09/three-biggest-myths-about-business-continuity-planning/

David Tickner Test the organisation, not just the plan http://www.bcm2012.com/papers/StreamA/6TesttheorganisationDavidTickner.pdf

Ethne Swartz, Dominic Elliott and Brahim Herbane (2003) “Greater Than the Sum of it’s Parts: Business Continuity in the UK Fincance Sector” Risk Management: An International Journal

Business Continuity: Secondary Protocols

4 Feb

I have already covered the need for BCP tests to ensure their reliability. They are important to test all possible areas that could fail, and assign relevant responsibilities. However, testing is not 100% guaranteed to prevent disaster. In some cases, it can be important to ensure that there are procedures in place should failover systems (systems that are put in place when the general system is affected by disaster) not function in the way there were supposed to (Continuity Central).

It’s important to recognise the relevance of secondary protocols, and how these remain a fundamental part of any business continuity plan or framework. Some attribute the lack of attention given to these protocols to financial difficulties, as some companies’ budgets fall short in distributing enough funding to fulfil the requirements of a thorough and reliable BCP (Vizard, 2008).

However, it can also be argued that simple designated “back-ups” can become redundant themselves, and can prove an unnecessary expense. One company that has overcome such an issue is the Oklahoma division of US Company 7-Eleven. In order to control their inventory system, they have opted to use Aerozone’s wireless system which will allow all locations to become inter-dependent. If one were to fail, they could rely on one of the other functioning locations, and repairing the issue wouldn’t require a specialist to go to that specific branch. This has led to widespread savings across the company, meaning that any budgetary constraints would no longer become an issue (Aerohive).

Example: Blackberry

These secondary protocols are just another aspect of BCP that must be considered in order to ensure full confidence in business survival. RIM (Blackberry’s controlling company) poorly conceived secondary protocols caused huge amounts of downtime for Blackberry customers in October 2011. This caused a massive amount of back-data and cost the company a lot of time and funding (Continuity Central).

Similarly to testing, records information management, and crisis definition, secondary protocols will be an imperative aspect of our BCP framework.

http://www.continuitycentral.com/news05977.html

http://www.aerohive.com/company/press-releases/7-eleven-stores-deploys-aerohive-wireless-lan

Vizard, Michael (2008) “why there’s no business continuity” Baseline; Sep2008, Issue 88, p18-18, 1p

Business Continuity: Crisis Definition

1 Feb

Previous posts have detailed the various aspects of creating a business continuity plan based on certain events. One thing that becomes imperative in business continuity planning is the classification, or the definition, of the event or issue itself.

Classification is important in determining resource allocation, assigning relevant employee positions and successful implementation of objectives. There are many different ways that words such as “incident” and “crisis” can be interpreted, and it can lead to widespread confusion due to the lack of a concrete definition of each.

One author discusses the confusion related to the UK Cabinet Office’s attempts to classify both these terms separately, with incident management referring to common occurrences, and crises only referring to very rare and seldom once-off events. Though he argues that it is important to apply certain standards where definitions of this kind are concerned, he also discusses the varying ways in which the word “crisis” is defined. Perception is something that plays a huge role in this matter, as a situation that appears to some as a crisis, can appear to other eyes as something far less serious (Power, 2009).

Are there any common definitions?

In terms of BCP, any event that will cause unwanted disruption to a company’s processes is “an incident” (Lindstrom). It is only when these disruptions cause even more harm, and interrupt anything that the organization considers critical that it is determined to be a “crisis”, leading to the involvement of the crisis management team in attempting to restore normal operations. It is imperative that the word “crisis” is not used until it has been classified as such by the aforementioned crisis management team (Lindstrom, 2012).

Business Dictionary defines the two terms differently as well, describing an incident as something “discrete” or an event which may lead to further implications for the business. Crisis Management is defined as something “critical”, which if handled inappropriately, could lead to devastating consequences for the business or organisation. Subsequently, crisis management is further described as “procedures” which are used to resolve any “emergency” that may occur in a business’ processes (Business Dictionary).

The severity of the situation plays a major role in the way that a business continuity plan is created. It is these “crises” that require more extensive testing, such as simulation testing, which was discussed in a previous post. Based on the above discussion however, a more concrete method of definition will be necessary in order to correctly plan for the events in question, as perception and unique personal outlooks can seriously affect these assessments.

When we begin to discuss our framework, classification and determination of these terms will play a huge role in its success, and the involvement of the previously mentioned crisis management team could be pivotal in terms of BCP.

http://www.crisis-solutions.com/crisis-management-and-business-continuity-one-and-the-same/

Power, Peter 2009 Journal of Business Continuity & Emergency Planning; Aug2009, Vol. 3 Issue 4, p302-311, 10p

John Lindström, (2012) “A model to explain a business contingency process”, Disaster Prevention and Management, Vol. 21 Iss: 2, pp.269 – 281

Business Continuity Planning: Testing & Possible Issues

28 Jan

In my previous post I discussed a number of different aspects of a BCP. In this post I will look at the different types of tests that can be adopted to ensure a BCP is effective. This will in turn help to evaluate the framework that we will be discussing in the future. I will also discuss one of the biggest issues faced by organisations when testing their BCP.

As provided by Searchdisasterrecovery, three different types of BCP tests can be used:

  • The first, a plan review, involves a basic theoretical review of all BCP documentation. It is essentially a paper test. It looks for holes in the plan, and possible traps that the business could fall into. It involves only those who created the plan itself.
  • The second is a tabletop test, which essentially involves all of those involved gathering together to discuss in detail how the plan would be implemented. It is this step that helps to assign duties to the appropriate individuals. Without this type of test, the individuals would be unable to correctly implement the BCP, as they would be unsure of where their responsibility lies.
  • The third is a simulation test, which is the test that my previous post detailed. This involves the company undergoing a practical demonstration of the company’s procedure under particular circumstances or in an unexpected event. This is the best way to find any errors or inconsistencies in the plan itself, and iron out any other problems including governance and human error.

The various aspects that I previously discussed all come into play during simulation tests, such as readiness procedures and internal governance issues. However, there are also a number of other aspects of testing that need to be considered in order to avoid further problems later on.

A paper written by David Tickner highlights some of the indirect consequences of following BCPs too rigidly. A plan review, as already discussed, is all about documentation. However Tickner states that following basic documentation on business continuity, or even disaster recovery, too rigidly, can be a mistake. Those using them could simply try to replicate them step-by-step without every really using it in the context of the business itself. “The testing should challenge and surprise the organisation and its stakeholders.” (Tickner)

This paper also goes on to mention that business continuity plans are not just about “ticking the box”. They are about accounting for all the unknowns, the unexpected events. When we discuss our framework in the future, we will attempt to account for these unknowns, and attempt to provide a way for businesses to account for all exceptional circumstances, while also ensuring that the business is considered ahead of everything else. This is the only way to ensure a successful and strong BCP.

Searchdisasterrecovery http://searchdisasterrecovery.techtarget.com/feature/Business-continuity-and-disaster-recovery-testing-templates-A-free-download-and-guide

David Tickner Test the organisation, not just the plan http://www.bcm2012.com/papers/StreamA/6TesttheorganisationDavidTickner.pdf

Business Continuity Planning: Testing

14 Jan

As previously discussed, business continuity and disaster recovery, despite going hand in hand, are actually different functions. disaster recovery, as defined by CSO, is the process by which you resume business after a disruptive event, whereas business continuity refers to the plan by which companies will adhere to in the event of a disaster, which is drawn up before any such event occurs.

According to White (2006), the main purposes of a business continuity plan are:

  • To find any weaknesses and put into place a procedure for any unforeseen disaster;
  • To reduce the length of any consequences of such a disaster;
  • To ensure effective organisation of recovery activities and;
  • To eliminate any unnecessary work that may arise during disaster recovery.

By the above definition, it would appear that the performance of disaster recovery can only be calibrated as it is implemented. business continuity can be tested prior to such an event taking place. Sully1210 already discussed the 5 main sections of a BCP. In this post, using information provided by Goh Moh Heng (2006), I will discuss the various standards by which the success of a BCP is measured, which are based around some of the sections discussed by Sully1210.

Plans, measures and arrangements for business continuity/Readiness Procedures

As defined by business dictionary, business readiness is “the preparedness of persons, systems, or organizations to meet a situation and carry out a planned sequence of actions.” The plans, measures and arrangements are also what dictate the success of any business continuity plan.

Participation
How many can conceivably take part in the test? Were there an adequate number participating? Did the plan succeed with the number involved or will more be needed?

Attendance
Were people prepared for the test? Individuals’ preparation for a test of this nature can say a lot about the success of a plan. If they are unprepared, their reaction will differ wildly from those who were.

Business Impact Analysis
This would be the business’s level of sensitivity to any sort of disaster; essentially, the loss that would be incurred due to disasters or accidents (business dictionary).

Plans (Early Stages)
How well did those involved react to the initial stages of the issue? How quick were their response times? Did they react too slow, leading to a worsening of the situation? The test can be useful in determining the areas in which reaction is weak, and areas which reacted quickly. Extra attention can be devoted to those weaker areas.

Plans (Later Stages)
How exhaustive were the plans drawn up for issues including the co-ordination and allocation of key resources? In some cases they may require more attention and detailed preparation.

Governance
This can be any internal politics, and supervision tactics (business dictionary).

Support and External Players
In terms of the main support group, how helpful were they? Which were needed most, and how well did they perform during the test?

Leadership
Did those in charge during the co-ordination of the plan during the test react well? Did any pre-established chains of command play a role? In some cases they may not have been adhered to, which can be attributed to a failure on the part of those involved, or the design of the chain itself.

Information Flow
Were those in relevant positions kept well informed during the process?This is particularly important in the case of the above leaders, or players in important positions. If they are not kept well informed, it will inevitably lead to the failure of the business continuity plan.

Quality Assurance
As discussed by sully1210, this is all about reviewing. As such, the test itself is a quality assurance measure, and it is responsible for identifying areas in need of improvement.

As you can see, a business continuity plan can include a huge number of areas, and tests can be extremely comprehensive. In later blogs, we will discuss these areas in greater detail, as well as the various benefits of such tests.

CSO http://www.csoonline.com/article/204450/business-continuity-and-disaster-recovery-planning-the-basics

Moh Heng, Goh (2006), Testing & Exercising Your Business Continuity Plan (Second Edition)

White (2006) “Success or Failure?Your Keys to Business Continuity Planning” Ingenuity

Business Dictionary http://www.businessdictionary.com/definition/readiness.html

http://www.businessdictionary.com/definition/business-impact-analysis-BIA.html

http://www.businessdictionary.com/definition/governance.html

Looking Into the Future: Sustaining IS Alignment

26 Nov

Now that we are nearly finished with our investigation into strategic alignment, we have already discussed the topic from a number of different angles. We have covered the basics, how it works, where the challenges lie, and what are its advantages and disadvantages. To conclude my own posts, I would like to examine the process of maintaining IS Alignment, and sustaining it in the long term.

One of the major pitfalls of alignment is the inability of businesses to cope with change and adapt to the ever evolving external market. Henderson and Venkatraman (1993) define it as “not an event but a process of continuous adaptation and change”. It isn’t just a once-off event, and a simple process. Strategic Alignment is an on-going development that is constantly changing and adapting as the environment permits.

A major element of the external environment, and one that has adverse effects on a company’s internal dynamics, are other organisations or competitors. A paper written by Joe Peppard and Karin Breu (2003) uses “co-evolutionary theory” to describe the bigger picture of how organisations operate and change. While evolutionary theory described organisations as single actualities, co-evolution thinks of all organisations as inter-linked, whereby a single action can have rippling effects that force all organisations to constantly change and adapt.

Adapting to this way of thinking may make it easier for an organisation to accept that constant progression is imperative in maintain IS alignment. When it comes to something as comprehensive as IT and IS, businesses should not just react and counter-react to competitors’ actions, but constantly keep in mind the techniques necessary to achieve alignment, such as communication and prioritizing internal structure in order to maintain alignment as their company’s procedures and strategies change according to these external factors. Such actions will ensure alignment is sustained well into the future.

Research on the struggle to achieve optimal alignment still remains inconclusive. Based on my own investigation, and what I’ve learned from other user, it is something that, once achieved, can lead to an increased level of efficiency, and a strong foothold in the market. Two major advantages, but two advantages that companies will struggle to achieve. Most operate without a clear understanding of what IS alignment really is, where the challenges lie, and how to overcome these challenges, and for these companies IS alignment will remain impossible, and that “best fit” within the organisation will be unattainable.

Henderson, J. C., and Venkatraman, N. “Strategic Alignment: Leveraging Information Technology for Transforming Organizations,” IBM Systems Journal (32:1), 1993, pp. 4-16.

IS Alignment and Financial Concerns

22 Nov

In a recent post, d112221671 discussed the effect that the current economy has had on IS alignment, and alignment in general. In this post, I plan on examining the role of finance in IS alignment not just from an economic standing point but from an internal one as well.

This late in our investigation, the role of the CIO has been discussed on a number of occasions. For example, aidancrowley7 discussed the role of CIO the post “The Importance of Alignment and the Changing Role of the CIO”. More recently, posters have become concerned with the role of the CFO in relation to the CIO. In a paper published by The Center for Digital Strategies, entitled “Fuelling Business Strategy through IT/Finance Alignment” alignment in IT and IS is approached from a financial stance, and the role of the CFO in alignment is discussed.

The paper suggests that there is a lack of communication and business understanding in IT, and as a result it is creating a large roadblock towards realizing IT value. It attributes this to a lack of alignment to a clash of interests between the CIO and the CFO. This misalignment is something that a lot of us have already discussed. The paper makes a suggestion that the CIO and CFO should world together to determine optimal IT investment based on various measures of value.

In relation to alignment, finance plays a crucial role. Without agreeable methods on which to base IT investment, the “best fit” that many of us have referred to cannot be achieved. This issue of internal disagreement may in fact be a huge roadblock for IS alignment. If neither can agree which is the best way to measure the value of potential investments in IS, than they will never find a way to align their interests.

The paper does suggest that there should be some form of compromise on either side. For example, it advises CIOs to “try to think, and even act, like CFOs, because their investments are so inextricably linked with the company’s financial health”. It’s a compromise that can come with a lot of scrutiny, because such a method of thinking about IS can lead to certain factors, such as system integrity, being over looked in favour of a more tangible return on investment.

Personally, I think that there is a fine line between competent financial investment, and compromising IS consistency. When it comes to IT, and IS, one of the most important things to note is that even the little details matter. For example, just a few small cuts can lead to system inefficiency, which can be a lot more trouble than it’s worth, especially if it’s only cause is a need to reduce capital expenditure. Then again, in an economy like this one, learning to adapt to financial constraints can be extremely important.

Does anybody else have any opinions on this?

Strategic Alignment and the Role of Governance

11 Nov

A recent post by user 04ac listed Governance as one of the key factors involved in Alignment, which led me into finding an interesting article entitled “IT Alignment: Who is in Charge?” published by the IT Governance Institute.

It discusses issues that a few of us have already discussed previously in different posts such as co-ordination within an organisation. It states that “it is essential that employees in all elements that comprise the enterprise fully understand corporate objectives and work together in a properly controlled and coordinated way to ensure that those objectives are met”. This is something that user ctpk discussed in their post “The Strive for Strategic Alignment” when they mentioned that individuals who are given concise goals will contribute towards a well aligned organisation.

More specifically, however, this article focuses on Governance, and the role it plays in successful IT alignment. This is something that has come up in 04ac’s aforementioned post which lists governance as one of the main causes of misalignment, along with communication and planning. However, this article approaches Strategic Alignment in a different way than we have done previously. The author lists Strategic Alignment as a minor function of IT Governance. This definitely opens up our discussions to a different perspective on the matter.

It continues to discuss the main components of successful governance of strategic IT alignment. It mentions “leadership” and “commitment” as two necessary traits of a company looking to achieve peak alignment. One component it mentions in particular is the role of the Board in IT alignment. Naturally they would play one of the biggest roles in company-wide governance. It lists the following as the benchmarks against which they might achieve alignment:

• The first is to establish alignment with strategy, one of the core components that we’ve discussed numerous times;
• Making certain that IT functions in a way that allows this strategy to be realised and;
• Monitoring this IT strategy to ensure adequate financial benefits are derived from these systems.

It is important that the Board is kept constantly informed about potential new routes they could take in relation to alignment. The paper also highlights the importance of a strong IT representation in the Board itself, to ensure adequate communication between them and those who will carry out the implementation of alignment. Without a strong knowledge of IT and how IT and IS work, the Board will not fully understand the technicalities of implementation, leading to miscommunication, or worse, misalignment. It also suggests regular reporting to Boards on IT matters, so as to keep them regularly informed on the progress of alignment.

The role of the Board is just one factor of a greater list of tips for maximising alignment. One other key factor referred to is the resources available and adequate time frame, which are obvious requirements for actualising any plan or strategy. If you’re interested, you can follow the link to read the complete list.

Strategic Alignment Challenges: Complexity

5 Nov

In my previous post entitled Strategic Alignment Challenges: Communication, I discussed the importance of communication throughout the organisation when it comes to implementing strategic alignment, particularly in the case of IT and IS. In this post I plan on investigating this aspect of strategic alignment further, by taking into consideration a paper written by author White entitled The Case for Strategic Alignment. In this paper, the importance of strategic alignment in growing organisations is discussed, and it is concluded that strategic alignment is only successful if this alignment reaches “all stakeholders of the business”.

It mostly discusses the main issue surrounding strategic alignment: complexity. The reason why so many businesses can use financial plans and organisational charts so easliy is that they’ve been used for so long. But in the current IT and IS heavy business enviornment, such simplistic means of operating have become near redundant when they are usen in isolation. In the face of growing companies and more complex forms of conducting day-to-day business, these forms don’t hold much merit againts the large and highly efficient market leaders.

The White paper mentions the importance of the process view of the organisation, which is later stated to “enrich” and “augment” the traditional organisational and financial views of an organisation. This is something that ties in with my previous argument regarding communication throughout the organisation; in order for this “process” evaluation to take place, there needs to be excellent communication, more specifically, there needs to be excellent communication between all the stakeholders, particularly in a large and growing organisation.

White also discusses the motivations of these stakeholders, particularly managers who may misinterpret strategies and only focus on how these developments will affect them personally and not the organisation as a whole. This type of interpretation needs to be eradicated to ensure success on the strategic alignment front. I would like to tie this argument in with a previous post written by d12221671 that discusses an interdependence within IS and IT. Managers can no longer look simply at their own opinions and goals, but merge with all those involved in order to bring the company’s strategies to light.

To conclude, as companies are growing, they are becoming more and more complex, an issue I’ve discussed above, and as they grow alignment becomes more important. However, it also becomes more difficult as the level of complexity increases. Communication between all stakeholders on all processes is imperative, particularly to ensure all goals and objectives are in line with the company’s. Just as communication is important for the CIO in the world of IS, it is also important for all managers and stakeholders, especially considering the complicated nature of the issues arising in IS today, something I’m sure we’re all familiar with at this stage in our investigation.

%d bloggers like this: