7-pages writing work
John.Quality
folder-1.zipcourse-text-books/Keri E. Pearlson_ Carol S. Saunders - Managing and Using Information Systems_ A Strategic Approach-Wiley (2016).pdf.pdf
bgloss.indd 312 11/26/2015 7:40:39 PM
Managing and Using Information Systems
A STRATEGIC APPROACH
Sixth Edition
Keri E. Pearlson KP Partners
Carol S. Saunders W.A. Franke College of Business
Northern Arizona University
Dr. Theo and Friedl Schoeller Research Center for Business and Society
Dennis F. Galletta Katz Graduate School of Business
University of Pittsburgh, Pittsburgh, PA
ffirs.indd 1 12/1/2015 12:34:39 PM
VICE PRESIDENT & DIRECTOR George Hoffman
EXECUTIVE EDITOR Lise Johnson
DEVELOPMENT EDITOR Jennifer Manias
ASSOCIATE DEVELOPMENT EDITOR Kyla Buckingham
SENIOR PRODUCT DESIGNER Allison Morris
MARKET SOLUTIONS ASSISTANT Amanda Dallas
SENIOR DIRECTOR Don Fowley
PROJECT MANAGER Gladys Soto
PROJECT SPECIALIST Nichole Urban
PROJECT ASSISTANT Anna Melhorn
EXECUTIVE MARKETING MANAGER Christopher DeJohn
ASSISTANT MARKETING MANAGER Puja Katariwala
ASSOCIATE DIRECTOR Kevin Holm
SENIOR CONTENT SPECIALIST Nicole Repasky
PRODUCTION EDITOR Loganathan Kandan
This book was set in 10/12 Times Roman by SPi Global and printed and bound by Courier Kendallville.
This book is printed on acid free paper.
Founded in 1807, John Wiley & Sons, Inc. has been a valued source of knowledge and understanding for more than 200 years, helping people
around the world meet their needs and fulfill their aspirations. Our company is built on a foundation of principles that include responsibility to
the communities we serve and where we live and work. In 2008, we launched a Corporate Citizenship Initiative, a global effort to address the
environmental, social, economic, and ethical challenges we face in our business. Among the issues we are addressing are carbon impact, paper
specifications and procurement, ethical conduct within our business and among our vendors, and community and charitable support. For more
information, please visit our website: www.wiley.com/go/citizenship.
Copyright © 2016, 2013, 2010, 2006, 2004, 2001 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be repro-
duced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission
of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood
Drive, Danvers, MA 01923 (Web site: www.copyright.com). Requests to the Publisher for permission should be addressed to the Permissions
Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030‐5774, (201) 748‐6011, fax (201) 748‐6008, or online at: www.
wiley.com/go/permissions.
Evaluation copies are provided to qualified academics and professionals for review purposes only, for use in their courses during the next
academic year. These copies are licensed and may not be sold or transferred to a third party. Upon completion of the review period, please
return the evaluation copy to Wiley. Return instructions and a free of charge return shipping label are available at: www.wiley.com/go/
returnlabel. If you have chosen to adopt this textbook for use in your course, please accept this book as your complimentary desk copy.
Outside of the United States, please contact your local sales representative.
ISBN: 978-1-119-24428-8 (BRV)
ISBN: 978-1-119-24807-1 (EVALC)
Library of Congress Cataloging-in-Publication Data Names: Pearlson, Keri E. | Saunders, Carol S. | Galletta, Dennis F.
Title: Managing and using information systems: a strategic approach / Keri
E. Pearlson, Carol S. Saunders, Dennis F. Galletta.
Description: 6th edition. | Hoboken, NJ : John Wiley & Sons, Inc., [2015] |
Includes index.
Identifiers: LCCN 2015041210 (print) | LCCN 2015041579 (ebook) | ISBN 9781119244288 (loose-leaf : alk. paper) |
ISBN 9781119255208 (pdf) | ISBN 9781119255246 (epub)
Subjects: LCSH: Knowledge management. | Information technology—Management. |
Management information systems. | Electronic commerce.
Classification: LCC HD30.2 .P4 2015 (print) | LCC HD30.2 (ebook) | DDC 658.4/038011—dc23
LC record available at http://lccn.loc.gov/2015041210
Printing identification and country of origin will either be included on this page and/or the end of the book. In addition, if the ISBN on this
page and the back cover do not match, the ISBN on the back cover should be considered the correct ISBN.
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
ffirs.indd 2 12/1/2015 12:34:39 PM
To Yale & Hana
To Rusty, Russell, Janel & Kristin
To Carole, Christy, Lauren, Matt, Gracie, and Jacob
ffirs.indd 3 12/1/2015 12:34:39 PM
iv
Information technology and business are becoming inextricably interwoven. I don ’ t think anybody can talk meaningfully about one without the talking about the other.
Bill Gates
Microsoft 1
I ’ m not hiring MBA students for the technology you learn while in school, but for your ability to learn about, use and subsequently manage new technologies when you get out .
IT Executive
Federal Express 2
Give me a fi sh and I eat for a day; teach me to fi sh and I eat for a lifetime .
Proverb
Managers do not have the luxury of abdicating participation in decisions regarding information systems (IS).
Managers who choose to do so risk limiting their future business options. IS are at the heart of virtually every
business interaction, process, and decision, especially when the vast penetration of the Web over the last 20 years
is considered. Mobile and social technologies have brought IS to an entirely new level within fi rms and between
individuals in their personal lives. Managers who let someone else make decisions about their IS are letting
someone else make decisions about the very foundation of their business. This is a textbook about managing and
using information written for current and future managers as a way to introduce the broader implications of the
impact of IS.
The goal of this book is to assist managers in becoming knowledgeable participants in IS decisions. Becoming
a knowledgeable participant means learning the basics and feeling comfortable enough to ask questions. It does
not mean having all the answers or having a deep understanding of all the technologies out in the world today. No
text will provide managers everything they need to know to make important IS decisions. Some texts instruct on
the basic technical background of IS. Others discuss applications and their life cycles. Some take a comprehensive
view of the management information systems (MIS) fi eld and offer readers snapshots of current systems along with
chapters describing how those technologies are designed, used, and integrated into business life.
This book takes a different approach. It is intended to provide the reader a foundation of basic concepts relevant
to using and managing information. This text is not intended to provide a comprehensive treatment on any one
aspect of MIS, for certainly each aspect is itself a topic of many books. This text is not intended to provide readers
enough technological knowledge to make them MIS experts. It is not intended to be a source of discussion of any
particular technology. This text is written to help managers begin to form a point of view of how IS will help or
hinder their organizations and create opportunities for them.
The idea for this text grew out of discussions with colleagues in the MIS area. Many faculties use a series of
case studies, trade and popular press readings, and Web sites to teach their MIS courses. Others simply rely on one
of the classic texts, which include dozens of pages of diagrams, frameworks, and technologies. The initial idea for
this text emerged from a core MIS course taught at the business school at the University of Texas at Austin. That
course was considered an “appetizer” course—a brief introduction into the world of MIS for MBA students. The
course had two main topics: using information and managing information. At the time, there was no text like this
Preface
1 Bill Gates, Business @ the Speed of Thought. New York: Warner Books, Inc. 1999. 2 Source: Private conversation with one of the authors.
fpref.indd 4 11/27/2015 4:21:12 PM
vPreface
one; hence, students had to purchase thick reading packets made up of articles and case studies to provide them the
basic concepts. The course was structured to provide general MBA students enough knowledge of the MIS field so
that they could recognize opportunities to use the rapidly changing technologies available to them. The course was
an appetizer to the menu of specialty courses, each of which went much more deeply into the various topics. But
completion of the appetizer course meant that students were able to feel comfortable listening to, contributing to,
and ultimately participating in IS decisions.
Today, many students are digital natives—people who have grown up using information technologies (IT) all
of their lives. That means that students come to their courses with significantly more knowledge about things such
as tablets, apps, personal computers, smartphones, texting, the Web, social networking, file downloading, online
purchasing, and social media than their counterparts in school just a few years ago. This is a significant trend
that is projected to continue; students will be increasingly knowledgeable the personal use of technologies. That
knowledge has begun to change the corporate environment. Today’s digital natives expect to find in corporations
IS that provide at least the functionality they have at home. At the same time, these users expect to be able to work
in ways that take advantage of the technologies they have grown to depend on for social interaction, collaboration,
and innovation. We believe that the basic foundation is still needed for managing and using IS, but we understand
that the assumptions and knowledge base of today’s students is significantly different.
Also different today is the vast amount of information amassed by firms, sometimes called the “big data” prob-
lem. Organizations have figured out that there is an enormous amount of data around their processes, their interac-
tions with customers, their products, and their suppliers. These organizations also recognize that with the increase
in communities and social interactions on the Web, there is additional pressure to collect and analyze vast amounts
of unstructured information contained in these conversations to identify trends, needs, and projections. We believe
that today’s managers face an increasing amount of pressure to understand what is being said by those inside and
outside their corporations and to join those conversations reasonably and responsibly. That is significantly different
from just a few years ago.
This book includes an introduction, 13 chapters of text and mini cases, and a set of case studies, supplemental
readings, and teaching support on a community hub at http://pearlsonandsaunders.com. The Hub provides faculty
members who adopt the text additional resources organized by chapter, including recent news items with teaching
suggestions, videos with usage suggestions, blog posts and discussions from the community, class activities, addi-
tional cases, cartoons, and more. Supplemental materials, including longer cases from all over the globe, can be
found on the Web. Please visit http://www.wiley.com/college/pearlson or the Hub for more information.
The introduction to this text defends the argument presented in this preface that managers must be knowledge-
able participants in making IS decisions. The first few chapters build a basic framework of relationships among
business strategy, IS strategy, and organizational strategy and explore the links among them. The strategy chapters
are followed by ones on work design and business processes that discuss the use of IS. General managers also need
some foundation on how IT is managed if they are to successfully discuss their next business needs with IT pro-
fessionals who can help them. Therefore, the remaining chapters describe the basics of information architecture
and infrastructure, IT security, the business of IT, the governance of the IS organization, IS sourcing, project
management, business analytics, and relevant ethical issues.
Given the acceleration of security breaches, readers will find a new chapter on IS security in this sixth edition of
the text. Also, the material on analytics and “big data” has been extensively updated to reflect the growing impor-
tance of the topic. Further, the chapter on work design has been reorganized and extensively revised. Each of the
other chapters has been revised with newer concepts added, discussions of more current topics fleshed out, and old,
outdated topics removed or at least their discussion shortened.
Similar to the fifth edition, every chapter begins with a navigation “box” to help the reader understand the flow
and key topics of the chapter. Further, most chapters continue to have a Social Business Lens or a Geographic Lens
feature. The Social Business Lens feature reflects on an issue related to the chapter’s main topic but is enabled by or
fundamental to using social technologies in the enterprise. The Geographic Lens feature offers a single idea about
a global issue related to the chapter’s main topic.
No text in the field of MIS is completely current. The process of writing the text coupled with the publication
process makes a book somewhat out‐of‐date prior to delivery to its audience. With that in mind, this text is written
fpref.indd 5 11/27/2015 4:21:12 PM
vi Preface
to summarize the “timeless” elements of using and managing information. Although this text is complete in and
of itself, learning is enhanced by combining the chapters with the most current readings and cases. Faculty are
encouraged to read the news items on the faculty Hub before each class in case one might be relevant to the topic of
the day. Students are encouraged to search the Web for examples related to topics and current events and bring them
into the discussions of the issues at hand. The format of each chapter begins with a navigational guide, a short case
study, and the basic language for a set of important management issues. These are followed by a set of managerial
concerns related to the topic. The chapter concludes with a summary, key terms, a set of discussion questions, and
case studies.
Who should read this book? General managers interested in participating in IS decisions will find this a good
reference resource for the language and concepts of IS. Managers in the IS field will find the book a good resource
for beginning to understand the general manager’s view of how IS affect business decisions. And IS students will
be able to use the book’s readings and concepts as the beginning in their journey to become informed and success-
ful businesspeople.
The information revolution is here. Where do you fit in?
Keri E. Pearlson, Carol S. Saunders, and Dennis F. Galletta
fpref.indd 6 11/27/2015 4:21:12 PM
vii
Books of this nature are written only with the support of many individuals. We would like to personally thank
several individuals who helped with this text. Although we ’ ve made every attempt to include everyone who helped
make this book a reality, there is always the possibility of unintentionally leaving some out. We apologize in
advance if that is the case here.
Thank you goes to Dr. William Turner of LeftFour , in Austin, Texas, for help with the infrastructure and
architecture concepts and to Alan Shimel, Editor‐in‐Chief at DevOps.com for initial ideas for the new security
chapter.
We also want to acknowledge and thank pbwiki.com. Without its incredible and free wiki, we would have been
relegated to e‐mailing drafts of chapters back and forth, or saving countless fi les in an external drop box without
any opportunity to include explanations or status messages. For this edition, as with earlier editions, we wanted to
use Web 2.0 tools as we wrote about them. We found that having used the wiki for our previous editions, we were
able to get up and running much faster than if we had to start over without the platform.
We have been blessed with the help of our colleagues in this and in previous editions of the book. They
helped us by writing cases and reviewing the text. Our thanks continue to go out to Jonathan Trower, Espen
Andersen, Janis Gogan, Ashok Rho, Yvonne Lederer Antonucci, E. Jose Proenca, Bruce Rollier, Dave Oliver, Celia
Romm, Ed Watson, D. Guiter, S. Vaught, Kala Saravanamuthu, Ron Murch, John Greenwod, Tom Rohleder, Sam
Lubbe, Thomas Kern, Mark Dekker, Anne Rutkowski, Kathy Hurtt, Kay Nelson, Janice Sipior, Craig Tidwell, and
John Butler. Although we cannot thank them by name, we also greatly appreciate the comments of the anonymous
reviewers who have made a mark on this edition.
The book would not have been started were it not for the initial suggestion of a wonderful editor in 1999 at John
Wiley & Sons, Beth Lang Golub. Her persistence and patience helped shepherd this book through many previous
editions. We also appreciate the help of our current editor, Lise Johnson. Special thanks go to Jane Miller, Gladys
Soto, Loganathan Kandan, and the conscientious JaNoel Lowe who very patiently helped us through the revision
process. We also appreciate the help of all the staff at Wiley who have made this edition a reality.
We would be remiss if we did not also thank Lars Linden for the work he has done on the Pearlson and Saunders
Faculty Hub for this book. Our vision included a Web‐based community for discussing teaching ideas and post-
ing current articles that supplement this text. Lars made that vision into a reality starting with the last edition and
continuing through the present. Thank you, Lars!
From Keri: Thank you to my husband, Yale, and my daughter, Hana, a business and computer science student at
Tulane University. Writing a book like this happens in the white space of our lives—the time in between everything
else going on. This edition came due at a particularly frenetic time, but they listened to ideas, made suggestions, and
celebrated the book ’ s completion with us. I know how lucky I am to have this family. I love you guys!
From Carol: I would like to thank the Dr. Theo and Friedl Schoeller Research Center of Business and Society for
their generous support of my research. Rusty, thank you for being my compass and my release valve. I couldn ’ t do
it without you. Paraphrasing the words of an Alan Jackson song (“Work in Progress”): I may not be what you want
me to be, but I ’ m trying really hard. Just be patient because I ’ m a work in progress. I love you, Kristin, Russell,
and Janel very much!
From Dennis: Thanks to my terrifi c family: my wife Carole, my daughters Christy and Lauren, and my grand-
daughter Gracie. Also thanks to Matt and Jacob, two lovable guys who take wonderful care of my daughters. Finally,
thanks to our parents and sisters ’ families. We are also blessed with a large number of great, caring neighbors whom
we see quite often. I love you all, and you make it all worthwhile!
Acknowledgments
fack.indd 7 11/27/2015 4:24:53 PM
viii
Dr. Keri E. Pearlson is President of KP Partners , an advisory services fi rm working with business leaders on issues
related to the strategic use of information systems (IS) and organizational design. She is an entrepreneur, teacher,
researcher, consultant, and thought leader. Dr. Pearlson has held various positions in academia and industry. She
has been a member of the faculty at the Graduate School of Business at the University of Texas at Austin where she
taught management IS courses to MBAs and executives and at Babson College where she helped design the popular
IS course for the Fast Track MBA program. Dr. Pearlson has held positions at the Harvard Business School, CSC,
nGenera (formerly the Concours Group), AT&T , and Hughes Aircraft Company . While writing this edition, she was
the Research Director for the Analytics Leadership Consortium at the International Institute of Analytics and was
named the Leader of the Year by the national Society of Information Management (SIM) 2014.
Dr. Pearlson is coauthor of Zero Time: Providing Instant Customer Value—Every Time, All the Time (John Wiley, 2000). Her work has been published in numerous places including Sloan Management Review, Academy of Management Executive, and Information Resources Management Journal . Many of her case studies have been published by Harvard Business Publishing and are used all over the world. She currently writes a blog on issues at
the intersection of IT and business strategy. It ’ s available at www.kppartners.com.
Dr. Pearlson holds a Doctorate in Business Administration (DBA) in Management Information Systems from
the Harvard Business School and both a Master ’ s Degree in Industrial Engineering Management and a Bachelor ’ s
Degree in Applied Mathematics from Stanford University.
Dr. Carol S. Saunders is Research Professor at the W. A. Franke College of Business, Northern Arizona
University in Flagstaff, Arizona, and is a Schoeller Senior Fellow at the Friedrich‐Alexander University of
Erlangen‐Nuremberg, Germany. She served as General Conference Chair of the International Conference on
Information Systems (ICIS) in 1999 and as Program Co‐Chair of the Americas Conference of Information
Systems (AMCIS) in 2015. Dr. Saunders was the Chair of the ICIS Executive Committee in 2000. For three
years, she served as Editor‐in‐Chief of MIS Quarterly . She is currently on the editorial boards of Journal of Strategic Information Systems and Organization Science and serves on the advisory board of Business & Information Systems Engineering. Dr. Saunders has been recognized for her lifetime achievements by the Association of Information Systems (AIS) with a LEO award and by the Organizational Communication and
Information Systems Division of the Academy of Management. She is a Fellow of the AIS.
Dr. Saunders ’ current research interests include the impact of IS on power and communication, overload,
virtual teams, time, sourcing, and interorganizational linkages. Her research is published in a number of journals
including MIS Quarterly, Information Systems Research, Journal of MIS, Communications of the ACM, Journal of Strategic Information Systems, Journal of the AIS, Academy of Management Journal, Academy of Management Review, Communications Research , and Organization Science .
Dr. Dennis F. Galletta is Professor of Business Administration at the Katz Graduate School of Business,
University of Pittsburgh in Pennsylvania. He is also the Director of the Katz School ’ s doctoral program and has
taught IS Management graduate courses in Harvard ’ s summer program each year since 2009. He obtained his
doctorate from the University of Minnesota in 1985 and is a Certifi ed Public Accountant. Dr. Galletta served as
President of the Association of Information Systems (AIS) in 2007. Like Dr. Saunders, he is both a Fellow of
the AIS and has won a LEO lifetime achievement award. He was a member of the AIS Council for fi ve years.
He also served in leadership roles for the International Conference on Information Systems (ICIS): Program
Co‐Chair in 2005 (Las Vegas) and Conference Co‐Chair in 2011 (Shanghai); as Program Co‐Chair for the
About the Authors
fabout.indd 8 11/27/2015 4:25:42 PM
ixAbout the Authors
Americas Conference on Information Systems (AMCIS) in 2003 (Tampa, Florida) and Inaugural Conference
Chair in 1995 (Pittsburgh). The Pittsburgh conference had several “firsts” for an IS conference, including the first
on‐line submissions, reviews, conference registration and payment, placement service, and storage of all papers
in advance on a website. Dr. Galletta served as ICIS Treasurer from 1994 to 1998 and Chair of the ICIS Execu-
tive Committee in 2012. He taught IS courses on the Fall 1999 Semester at Sea voyage (Institute for Shipboard
Education) and established the concept of Special Interest Groups in AIS in 2000. In 2014, he won an Emerald
Citation of Excellence for a co‐authored article that reached the top 50 in citations and ratings from the fields of
management, business, and economics.
Dr. Galletta’s current research addresses online and mobile usability and behavioral security issues such as
phishing, protection motivation, and antecedents of security‐related decision making. He has published his research
in journals such as Management Science; MIS Quarterly; Information Systems Research; Journal of MIS; European Journal of Information Systems; Journal of the AIS; Communications of the ACM; Accounting, Management, and Information Technologies; Data Base; and Decision Sciences and in proceedings of conferences such as ICIS, AMCIS, and the Hawaii International Conference on Systems Sciences. Dr. Galletta’s editorship includes working as current and founding Coeditor in Chief for AIS Transactions on Human‐Computer Interaction and on editorial boards at journals such as MIS Quarterly, Information Systems Research, Journal of MIS, and Journal of the AIS. He is currently on the Pre‐eminent Scholars Board of Data Base. He won a Developmental Associate Editor Award at the MIS Quarterly in 2006. And during the off‐hours, Dr. Galletta’s fervent hobby and obsession is digital pho- tography, often squinting through his eyepiece to make portrait, macro, Milky Way, and lightning photos when he
should be writing.
fabout.indd 9 11/27/2015 4:25:42 PM
x
Contents
Preface iv
Acknowledgments vii
About the Authors viii
Introduction 1
The Case for Participating in Decisions about Information Systems 2 What If a Manager Doesn’t Participate? 5 Skills Needed to Participate Effectively in Information Technology Decisions 6 Basic Assumptions 8 Economics of Information versus Economics of Things 12 Social Business Lens 14
Summary 15
Key Terms 16
1 The Information Systems Strategy Triangle 17
Brief Overview of Business Strategy Frameworks 19
Business Models versus Business Strategy 21
Brief Overview of Organizational Strategies 25
Brief Overview of Information Systems Strategy 26
Social Business Lens: Building a Social Business Strategy 27
Summary 28
Key Terms 29
Discussion Questions 29
Case Study 1‐1 Lego 30
Case Study 1‐2 Google 31
2 Strategic Use of Information Resources 33
Evolution of Information Resources 34
Information Resources as Strategic Tools 36
How Can Information Resources Be Used Strategically? 37
Sustaining Competitive Advantage 43
Social Business Lens: Social Capital 47
Strategic Alliances 47
Risks 49
Geographic Box: Mobile‐Only Internet Users Dominate Emerging Countries 50
Co‐Creating IT and Business Strategy 50
ftoc.indd 10 11/27/2015 8:36:37 PM
xiContents
Summary 51
Key Terms 51
Discussion Questions 51
Case Study 2‐1 Groupon 52
Case Study 2‐2 Zipcar 53
3 Organizational Strategy and Information Systems 55
Information Systems and Organizational Design 58
Social Business Lens: Social Networks 63
Information Systems and Management Control Systems 63
Information Systems and Culture 66
Geographic Lens: Does National Culture Affect Firm Investment in IS Training? 70
Summary 71
Key Terms 71
Discussion Questions 71
Case Study 3‐1 The Merger of Airtran by Southwest Airlines: Will the Organizational Cultures Merge? 72
Case Study 3‐2 The FBI 73
4 Digital Systems and the Design of Work 75
Work Design Framework 77
How Information Technology Changes the Nature of Work 78
Social Business Lens: Activity Streams 84
Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements 86
Geographic Lens: How Do People Around the World Feel About Working Remotely? 88
Geographic Lens: Who Telecommutes? A Look at Global Telecommuting Habits 89
Gaining Acceptance for IT‐Induced Change 94
Summary 96
Key Terms 97
Discussion Questions 97
Case Study 4‐1 Trash and Waste Pickup Services, Inc. 97
Case Study 4‐2 Social Networking: How Does IBM Do It? 98
5 Information Systems and Business Transformation 99
Silo Perspective versus Business Process Perspective 100
Building Agile and Dynamic Business Processes 104
Changing Business Processes 105
Workflow and Mapping Processes 107
Integration versus Standardization 109
Enterprise Systems 110
Geographic Lens: Global vs. Local ERPs 113
Social Business Lens: Crowdsourcing Changes Innovation Processes 118
Summary 119
Key Terms 120
ftoc.indd 11 11/27/2015 8:36:37 PM
xii Contents
Discussion Questions 120
Case Study 5‐1 Santa Cruz Bicycles 121
Case Study 5‐2 Boeing 787 Dreamliner 122
6 Architecture and Infrastructure 124
From Vision to Implementation 125
The Leap from Strategy to Architecture to Infrastructure 126
From Strategy to Architecture to Infrastructure: An Example 133
Architectural Principles 135
Enterprise Architecture 136
Virtualization and Cloud Computing 137
Other Managerial Considerations 139
Social Business Lens: Building Social Mobile Applications 143
Summary 144
Key Terms 144
Discussion Questions 145
Case Study 6‐1 Enterprise Architecture at American Express 145
Case Study 6‐2 The Case of Extreme Scientists 146
7 Security 147
IT Security Decision Framework 149
Breaches and How They Occurred 151
The Impossibility of 100% Security 154
What Should Management Do? 155
Summary 162
Key Terms 163
Discussion Questions 163
Case Study 7-1 The Aircraft Communications Addressing and Reporting System (ACARS) 163
Case Study 7-2 Sony Pictures: The Criminals Won 164
8 The Business of Information Technology 165
Organizing to Respond to Business: A Maturity Model 167
Understanding the IT Organization 168
What a Manager Can Expect from the IT Organization 168
What the IT Organization Does Not Do 170
Chief Information Officer 171
Building a Business Case 173
IT Portfolio Management 175
Valuing IT Investments 176
Monitoring IT Investments 177
Funding IT Resources 182
How Much Does IT Cost? 184
Summary 187
ftoc.indd 12 11/30/2015 7:27:16 PM
xiiiContents
Key Terms 188
Discussion Questions 188
Case Study 8‐1 KLM Airlines 189
Case Study 8‐2 Balanced Scorecards at BIOCO 190
9 Governance of the Information Systems Organization 191
IT Governance 192
Decision‐Making Mechanisms 199
Governance Frameworks for Control Decisions 200
Social Business Lens: Governing the Content 204
Summary 205
Key Terms 205
Discussion Questions 205
Case Study 9‐1 IT Governance at University of the Southeast 205
Case Study 9‐2 The “MyJohnDeere” Platform 207
10 Information Systems Sourcing 208
Sourcing Decision Cycle Framework 209
Social Business Lens: Crowdsourcing 214
Geographic Lens: Corporate Social Responsibility 220
Outsourcing in the Broader Context 224
Summary 225
Key Terms 225
Discussion Questions 225
Case Study 10‐1 Crowdsourcing at AOL 225
Case Study 10‐2 Altia Business Park 226
11 Managing IT Projects 228
What Defines a Project? 230
What Is Project Management? 231
Organizing for Project Management 232
Project Elements 233
IT Projects 239
IT Project Development Methodologies and Approaches 240
Social Business Lens: Mashups 247
Managing IT Project Risk 247
Summary 253
Key Terms 254
Discussion Questions 254
Case Study 11‐1 Implementing Enterprise Change Management at Southern Company 254
Case Study 11‐2 Dealing with Traffic Jams in London 255
ftoc.indd 13 11/27/2015 8:36:37 PM
xiv Contents
12 Business Intelligence, Knowledge Management, and Analytics 258
Competing with Business Analytics 259
Knowledge Management, Business Intelligence, and Business Analytics 260
Data, Information, and Knowledge 261
Knowledge Management Processes 264
Business Intelligence 264
Components of Business Analytics 265
Big Data 268
Social Media Analytics 269
Social Business Lens: Personalization and Real‐Time Data Streams 271
Geographic Lens: When Two National Views of Intellectual Property Collide 272
Caveats for Managing Knowledge and Business Intelligence 274
Summary 274
Key Terms 275
Discussion Questions 275
Case Study 12‐1 Stop & Shop’s Scan It! App 275
Case Study 12‐2 Business Intelligence at CKE Restaurants 276
13 Privacy and Ethical Considerations in Information Management 278
Responsible Computing 280
Corporate Social Responsibility 283
PAPA: Privacy, Accuracy, Property, and Accessibility 284
Social Business Lens: Personal Data 289
Geographic Lens: Should Subcultures Be Taken into Account When Trying to Understand National
Attitudes Toward Information Ethics? 292
Green Computing 292
Summary 293
Key Terms 294
Discussion Questions 294
Case Study 13‐1 Ethical Decision Making 295
Case Study 13‐2 Midwest Family Mutual Goes Green 297
Glossary 299 Index 313
ftoc.indd 14 11/27/2015 8:36:37 PM
1
Introduction
Why do managers need to understand and participate in the information systems decisions of their
organizations? After all, most corporations maintain entire departments dedicated to the management
of information systems (IS). These departments are staffed with highly skilled professionals devoted
to the fi eld of technology. Shouldn’t managers rely on experts to analyze all the aspects of IS and
to make the best decisions for the organization? The answer to that question is an emphatic “no.”
Managing information is a critical skill for success in today ’ s business environment. All decisions
made by companies involve, at some level, the management and use of IS and the interpretation of
data from the business and its environment. Managers today need to know about their organization ’ s
capabilities and uses of information as much as they need to understand how to obtain and budget
fi nancial resources. The ubiquity of personal devices such as smart phones, laptops, and tablets and
of access to apps within corporations and externally over the Internet, highlights this fact. Today ’ s
technologies form the backbone for virtually all business models. This backbone easily crosses
oceans, adding the need for a global competency to the manager ’ s skill set. Further, the proliferation
of supply chain partnerships and the vast amount of technology available to individuals outside of
the corporation have extended the urgent need for business managers to be involved in information
systems decisions. In addition, the availability of seemingly free (or at least very inexpensive) appli-
cations, collaboration tools, and innovation engines in the consumer arena has put powerful tools in
everyone ’ s hands, increasing the diffi culty of ensuring that corporate systems are robust, secure, and
protected. A manager who doesn ’ t understand the basics of managing and using information can ’ t
be successful in this business environment.
The majority of U.S. adults own a smart phone and access online apps. According to the Pew
Research Center , in 2014, 90% of U.S. adults had a cell phone of some kind, and 87% of American
adults used the Internet. 1 Essentially the use of these types of devices implies that individuals now
manage a “personal IS” and make decisions about usage, data, and applications. Doesn ’ t that give
them insight into managing information systems in corporations? Students often think they are
experts in corporate IS because of their personal experience with technology. Although there is some
truth in that perspective, it ’ s a very dangerous perspective for managers to take. Certainly knowing
about interesting apps, being able to use a variety of technologies for different personal purposes,
and being familiar with the ups and downs of networking for their personal information systems pro-
vide some experience that is useful in the corporate setting. But in a corporate setting, information
systems must be enterprise‐ready. They must be scalable for a large number of employees; they
must be delivered in an appropriate manner for the enterprise; they must be managed with corpo-
rate guidelines and appropriate governmental regulations in mind. Issues like security, privacy, risk,
support, and architecture take on a new meaning within an enterprise, and someone has to manage
them. Enterprise‐level management and use of information systems require a unique perspective and
a different skill set.
1 Internet Use and Cell Phone Demographics, http://www.pewinternet.org/data‐trend/internet‐use/internet‐use‐over‐time (accessed
August 18, 2015).
cintro.indd 1 11/26/2015 7:38:29 PM
2 Introduction
Consider the now‐historic rise of companies such as Amazon.com, Google, and Zappos. Amazon.com began as
an online bookseller and rapidly outpaced traditional brick‐and‐mortar businesses like Barnes and Noble, Borders,
and Waterstones. Management at the traditional companies responded by having their IS support personnel build
Web sites to compete. But upstart Amazon.com moved ahead, keeping its leadership position on the Web by lever-
aging its business model into other marketplaces, such as music, electronics, health and beauty products, lawn and
garden products, auctions, tools and hardware, and more. It cleared the profitability hurdle by achieving a good
mix of IS and business basics: capitalizing on operational efficiencies derived from inventory software and smarter
storage, cost cutting, and effectively partnering with such companies as Toys “R” Us Inc. and Target Corporation.2
More recently, Amazon.com changed the basis of competition in another market, but this time it was the Web ser-
vices business. Amazon.com Web services offers clients the extensive technology platform used for Amazon.com
but in an on‐demand fashion for developing and running the client’s own applications. Shoe retailer Zappos.com
challenged Amazon’s business model, in part by coupling a social business strategy with exemplary service and
sales. It was so successful that Amazon.com bought Zappos.
Likewise, Google built a business that is revolutionizing the way information is found. Google began in 1999
as a basic search company but its managers quickly learned that its unique business model could be leveraged
for future success in seemingly unrelated areas. The company changed the way people think about Web content
by making it available in a searchable format with an incredibly fast response time and in a host of languages.
Further, Google’s keyword‐targeted advertising program revolutionized the way companies advertise. Then Google
expanded, offering a suite of Web‐based applications, such as calendaring, office tools, e‐mail, collaboration,
shopping, and maps and then enhanced the applications further by combining them with social tools to increase
collaboration. Google Drive is one of the most popular file‐sharing tools and Gmail one of the most popular email
apps. In 2015, Google’s mission was to “organize the world’s information and make it universally accessible and
useful.” It is offering its customers very inexpensive fiber connections. In so doing, Google further expanded into
infrastructure and on‐demand services.3
These and other online businesses are able to succeed where traditional companies have not, in part because their
management understood the power of information, IS, and the Web. These exemplary online businesses aren’t suc-
ceeding because their managers could build Web pages or assemble an IS network. Rather, the executives in these
new businesses understand the fundamentals of managing and using information and can marry that knowledge
with a sound, unique business vision to dominate their intended market spaces.
The goal of this book is to provide the foundation to help the general business manager become a knowledge-
able participant in IS decisions because any IS decision in which the manager doesn’t participate can greatly affect
the organization’s ability to succeed in the future. This introduction outlines the fundamental reasons for taking the
initiative to participate in IS decisions. Moreover, because effective participation requires a unique set of manage-
rial skills, this introduction identifies the most important ones. These skills are helpful for making both IS decisions
and all business decisions. We describe how managers should participate in the decision‐making process. Finally,
this introduction presents relevant models for understanding the nature of business and information systems. These
models provide a framework for the discussions that follow in subsequent chapters.
The Case for Participating in Decisions about Information Systems In today’s business environment, maintaining a back‐office view of technology is certain to cost market share and
could ultimately lead to the failure of the organization. Managers who claim ignorance of IS can damage their
reputation. Technology has become entwined with all the classic functions of business—operations, marketing,
accounting, finance—to such an extent that understanding its role is necessary for making intelligent and effec-
tive decisions about any of them. Furthermore, a general understanding of key IS concepts is possible without the
extensive technological knowledge required just a few years ago. Most managers today have personal technology
2 Robert Hof, “How Amazon Cleared the Profitability Hurdle” (February 4, 2002), http://www.bloomberg.com/bw/stories/2002-02-03/how-amazon-
cleared-the-profitability-hurdle (accessed on October 29, 2015). 3 For more information on the latest services by these two companies, see http://aws.amazon.com/ec2 and http://www.google.com/enterprise/cloud/.
cintro.indd 2 11/26/2015 7:38:29 PM
3The Case for Participating in Decisions about Information Systems
such as a smart phone or tablet that is more functional than many corporate‐supported personal computers provided
by enterprises just a few years ago. In fact, the proliferation of personal technologies makes everyone a “pseudo‐
expert.” Each individual must manage applications on smart phones, make decisions about applications to purchase,
and procure technical support when the systems fail. Finally, with the robust number of consumer applications
available on the Web, many decisions historically made by the IS group are increasingly being made by individuals
outside that group, sometimes to the detriment of corporate objectives.
Therefore, understanding basic fundamentals about using and managing information is worth the investment of
time. The reasons for this investment are summarized in Figure I-1 and are discussed next.
A Business View of Critical Resources
Information technology (IT) is a critical resource for today’s businesses. It both supports and consumes a significant
amount of an organization’s resources. Just like the other three major types of business resources—people, money,
and machines—it needs to be managed wisely.
IT spending represents a significant portion of corporate budgets. Worldwide IT spending topped $3.7 trillion in
2014. It is projected to continue to increase.4 A Gartner study of where this money goes groups spending into five
categories including devices (e.g., PCs, tablets, and mobile phones), data center systems (e.g., network equipment,
servers, and storage equipment), enterprise software and apps (e.g., companywide software applications), IT ser-
vices (e.g., support and consulting services), and telecommunications (e.g., the expenses paid to vendors for voice
and data services).
Resources must return value, or they will be invested elsewhere. The business manager, not the IS specialist,
decides which activities receive funding, estimates the risk associated with the investment, and develops metrics
for evaluating the investment’s performance. Therefore, the business manager needs a basic grounding in managing
and using information. On the flip side, IS managers need a business view to be able to explain how technology
impacts the business and what its trade‐offs are.
People and Technology Work Together
In addition to financial issues, managers must know how to mesh technology and people to create effective work
processes. Collaboration is increasingly common, especially with the rise of social networking. Companies are
reaching out to individual customers using social technologies such as Facebook, Twitter, Reddit, Renren, YouTube,
and numerous other tools. In fact, Web 2.0 describes the use of the World Wide Web applications that incorporate information sharing, user‐centered design, interoperability, and collaboration among users. Technology facilitates
FIGURE I-1 Reasons why business managers should participate in information systems decisions.
Reasons
IS must be managed as a critical resource since it permeates almost every aspect of business.
IS enable change in the way people work both inside and outside of the enterprise.
IS are at the heart of integrated Internet‐based solutions that are replacing standard business processes.
IS enable or inhibit business opportunities and new strategies.
IS can be used to combat business challenges from competitors.
IS enable customers to have greater pull on businesses and communities by giving them new options for voicing their concerns and opinions using social media.
IS can support data‐driven decision making.
IS can help ensure the security of key assets.
4 http://www.gartner.com/newsroom/id/2959717/ (accessed March 5, 2015).
cintro.indd 3 11/26/2015 7:38:29 PM
4 Introduction
the work that people do and the way they interact with each other. Appropriately incorporating IS into the design
of a business model enables managers to focus their time and resources on issues that bear directly on customer
satisfaction and other revenue‐ and profit‐generating activities.
Adding a new IS to an existing organization, however, requires the ability to manage change. Skilled business
managers must balance the benefits of introducing new technology with the costs associated with changing the
existing behaviors of people in the workplace. There are many choices of technology solutions, each with a different
impact. Managers’ decisions must incorporate a clear understanding of the consequences. Making this assessment
doesn’t require detailed technical knowledge. It does require an understanding of short‐term and long‐term con-
sequences risk mitigation, and why adopting new technology may be more appropriate in some instances than in
others. Understanding these issues also helps managers know when it may prove effective to replace people with
technology at certain steps in a process.
Integrating Business with Information Systems
IS are integrated with almost every aspect of business and have been for quite some time. For example, the CTO of
@WalmartLabs, Jeremy King, wrote in a blog,
There used to be a big distinction between tech companies: those that develop enterprise technology for businesses,
and the global companies that depend on those products. But that distinction is now diminishing for this simple reason:
every global company is becoming a tech company. . . . we’re seeing technology as a critical component for business
success.5
Walmart built platforms to support all of its ecommerce and digital shopping experiences around the world.
Walmart’s teams created a new search engine to enable engaging and efficient ways for on‐line customers to find
items in inventory. IS placed information in the hands of Walmart associates so that decisions could be made closer
to the customer. IS simplified organizational activities and processes such as moving goods, stocking shelves, and
communicating with suppliers. For example, handheld scanners provide floor associates with immediate and real‐
time access to inventory in their store and the ability to locate items in surrounding stores, if necessary.
Opportunities and New Strategies Derived from Rapid Changes in Technology
The proliferation of new technologies creates a business environment filled with opportunities. The rate of adop-
tion of these new technologies has increased due in part to the changing demographics of the workforce and the
integration of “digital natives,” individuals whose entire lives have been lived in an era with Internet availability. Therefore digital natives are completely fluent in the use of personal technologies and the Web. Even today, inno-
vative uses of the Internet produce new types of online businesses that keep every manager and executive on alert.
New business opportunities spring up with little advance warning. The manager’s role is to frame these oppor-
tunities so that others can understand them, evaluate them against existing business needs and choices, and then
pursue those that fit with an articulated business strategy. The quality of the information at hand affects the quality
of both decisions and their implementation. Managers must develop an understanding of what information is cru-
cial to the decisions, how to get it, and how to use it. They must lead the changes driven by IS.
Competitive Challenges
Competitors come from both expected and unexpected places. General managers are in the best position to see the
emerging threats and utilize IS effectively to combat ever‐changing competitive challenges. Further, general man-
agers are often called on to demonstrate a clear understanding of how their own technology programs and products
5 Jeremy King, “Why Every Company Is a Tech Company” (November 21, 2013), http://www.walmartlabs.com/2013/11/21/why‐every‐company‐is‐a‐
tech‐company‐by‐jeremy‐king‐cto‐of‐walmartlabs (accessed August 18, 2015).
cintro.indd 4 11/26/2015 7:38:29 PM
5What If a Manager Doesn’t Participate?
compare with those of their competitors. A deep understanding of the capabilities of the organization coupled with
existing IS can create competitive advantages and change the competitive landscape for the entire industry.
Customer Pull
With the emergence of social networks like Facebook, microblogs like Twitter, and other Web applications like
Yelp, businesses have had to redesign their existing business models to account for the change in power now
wielded by customers and others in their communities. Social media and other web apps have given powerful
voices to customers and communities, and businesses must listen. Redesigning the customer experience when inter-
acting with a company is paramount for many managers and the key driver is IS. Social IT enables new and often
deeper relationships with a large number of customers, and companies are learning how to integrate and leverage
this capability into existing and new business models.
Data‐Driven Decision Making
Managers are increasingly using evidence‐based management to make decisions based on data gathered from
experiments, internal files, and other relevant sources. Data‐driven decision making, based on new techniques for
analytics, data management, and business intelligence, has taken on increased importance. Social media have cre-
ated a rich stream of real‐time data that gives managers increased insights to the impact of decisions much faster
than traditional systems. Mid‐course corrections are much easier to make. Predictive and prescriptive analytics give
suggestions that are eerily close to what happens. Big data stores can be mined for insights that were unavailable
with traditional IS, creating competitive advantage for companies with the right tools and techniques.
Securing Key Assets
As the use of the Internet grows, so does the opportunity for new and unforeseen threats to company assets. Taking
measures to ensure the security of these assets is increasingly important. But decisions about security measures
also impact the way IS can be used. It’s possible to put so much security around IT assets that they are locked down
in a manner that gets in the way of business. At the same time, too little security opens up the possibility of theft,
hacking, phishing, and other Web‐based mischief that can disrupt business. Managers must be involved in decisions
about risk and security to ensure that business operations are in sync with the resulting security measures.
What If a Manager Doesn’t Participate? Decisions about IS directly affect the profits of a business. The basic formula Profit = Revenue − Expenses can
be used to evaluate the impact of these decisions. Adopting the wrong technologies can cause a company to miss
business opportunities and any revenues those opportunities would generate. For example, inadequate IS can cause
a breakdown in servicing customers, which hurts sales. Poorly deployed social IT resources can badly damage
the reputation of a strong brand. On the expense side, a miscalculated investment in technology can lead to over-
spending and excess capacity or underspending and restricted opportunity. Inefficient business processes sustained
by ill‐fitting IS also increase expenses. Lags in implementation or poor process adaptation reduces profits and there-
fore growth. IS decisions can dramatically affect the bottom line.
Failure to consider IS strategy when planning business strategy and organizational strategy leads to one of three
business consequences: (1) IS that fail to support business goals, (2) IS that fail to support organizational systems,
and (3) a misalignment between business goals and organizational capabilities. These consequences are discussed
briefly in the following section and in more detail in later chapters. The driving questions to consider are the poten-
tial effects on an organization’s ability to achieve its business goals. How will the consequences impact the way
people work? Will the organization still be able to implement its business strategy?
cintro.indd 5 11/26/2015 7:38:29 PM
6 Introduction
Information Systems Must Support Business Goals
IS represent a major investment for any firm in today’s business environment. Yet poorly chosen IS can actually
become an obstacle to achieving business goals. The results can be disastrous if the systems do not allow the orga-
nization to realize its goals. When IS lack the capacity needed to collect, store, and transfer critical information for
the business, decisions can be impacted and options limited. Customers will be dissatisfied or even lost. Production
costs may be excessive. Worst of all, management may not be able to pursue desired business directions that are
blocked by inappropriate IS. Victoria’s Secret experienced this problem when a Superbowl ad promoting an online
fashion show generated so many inquiries to its Web site that the Web site crashed. Spending large amounts of
money on the advertisement was wasted when potential customers could not access the site. Likewise, Toys “R”
Us experienced a similar calamity when its well‐publicized Web site was unable to process and fulfill orders fast
enough one holiday season. It not only lost those customers, but it also had a major customer‐relations issue to
manage as a result.
Information Systems Must Support Organizational Systems
Organizational systems represent the fundamental elements of a business—its people, work processes, tasks, struc-
ture, and control systems—and the plan that enables them to work efficiently to achieve business goals. If the
company’s IS fail to support its organizational systems, the result is a misalignment of the resources needed to
achieve its goals. For example, it seems odd to think that a manager might add functionality to a corporate Web
site without providing the training the employees need to use the tool effectively. Yet, this mistake—and many
more costly ones—occurs in businesses every day. Managers make major IS decisions without informing all the
staff of resulting changes in their daily work. For example, an enterprise resource planning (ERP) system often
dictates how many business processes are executed and the organizational systems must change to reflect the new
processes. Deploying technology without thinking through how it actually will be used in the organization—who
will use it, how they will use it, and how to make sure the applications chosen will actually accomplish what is
intended—results in significant expense. In another example, a company may decide to block access to the Internet,
thinking that it is prohibiting employees from accessing offensive or unsecure sites. But that decision also means
that employees can’t access social networking sites that may be useful for collaboration or other Web‐based appli-
cations that may offer functionality to make the business more efficient.
The general manager, who, after all, is charged with ensuring that company resources are used effectively,
must guarantee that the company’s IS support its organizational systems and that changes made in one system are
reflected in the other. For example, a company that plans to allow employees to work remotely needs an information
system strategy compatible with its organizational strategy. Desktop PCs located within the corporate office aren’t
the right solution for a telecommuting organization. Instead, laptop computers or tablets with applications that are
accessible online anywhere and anytime and networks that facilitate information sharing are needed. Employees
may want to use tablets or smart phones remotely, too, and those entail a different set of IS processes. If the orga-
nization allows the purchase of only desktop PCs and builds systems accessible from desks within the office, the
telecommuting program is doomed to failure.
Skills Needed to Participate Effectively in Information Technology Decisions Participating in IT decisions means bringing a clear set of skills to the table. All managers are asked to take on
tasks that require different skills at different times. Those tasks can be divided into three types: visionary tasks, or
those that provide leadership and direction for the group; informational/interpersonal tasks, or those that provide
information and knowledge the group needs to be successful; and structural tasks, those that organize the group.
Figure I-2 lists basic skills required of managers who wish to participate successfully in key IT decisions. Not only
does this list emphasize understanding, organizing, planning, and solving the business needs of the organization,
but also it is an excellent checklist for all managers’ professional growth.
cintro.indd 6 11/26/2015 7:38:29 PM
7Skills Needed to Participate Effectively in Information Technology Decisions
These skills may not look much different from those required of any successful manager, which is the main
point of this book: General managers can be successful participants in IS decisions without an extensive technical
background. General managers who understand a basic set of IS concepts and who have outstanding managerial
skills, such as those listed in Figure I-2, are ready for the digital economy.
How to Participate in Information Systems Decisions
Technical wizardry isn’t required to become a knowledgeable participant in the IS decisions of a business. Man-
agers need curiosity, creativity, and the confidence to ask questions in order to learn and understand. A solid frame-
work that identifies key management issues and relates them to aspects of IS provides the background needed to
participate in business IS decisions.
The goal of this book is to provide that framework. The way in which managers use and manage information is
directly linked to business goals and the business strategy driving both organizational and IS decisions. Aligning
business and IS decisions is critical. Business, organizational, and information strategies are fundamentally linked
in what is called the Information Systems Strategy Triangle, discussed in the next chapter. Failing to understand this relationship is detrimental to a business. Failing to plan for the consequences in all three areas can cost a manager
his or her job. This book provides a foundation for understanding business issues related to IS from a managerial
perspective.
Organization of the Book
To be knowledgeable participants, managers must know about both using and managing information. The first
five chapters offer basic frameworks to make this understanding easier. Chapter 1 uses the Information Systems
Strategy Triangle framework to discuss alignment of IS and the business. This chapter also provides a brief over-
view of relevant frameworks for business strategy and organizational strategy. It is provided as background for
those who have not formally studied organization theory or business strategy. For those who have studied these
areas, this chapter is a brief refresher of major concepts used throughout the remaining chapters of the book.
FIGURE I-2 Skills for successful IT use by managerial role.
Managerial Role Skills
Visionary Creativity
Curiosity
Confidence
Focus on business solutions
Flexibility
Informational and Interpersonal Communication
Listening
Information gathering
Interpersonal skills
Structural Project management
Analytical
Organizational
Planning
Leading
Controlling
cintro.indd 7 11/26/2015 7:38:30 PM
8 Introduction
Subsequent chapters provide frameworks and sets of examples for understanding the links between IS and business
strategy (Chapter 2), links between IS and organizational strategy (Chapter 3), collaboration and individual work
(Chapter 4), and business processes (Chapter 5).
The rest of the text covers issues related to the business manager’s role in managing IS itself. These chapters
are the building blocks of an IS strategy. Chapter 6 provides a framework for understanding the four components
of IS architecture: hardware, software, networks, and data. Chapter 7 discusses how managers might participate in
decisions about IS security. Chapter 8 focuses on the business of IT with a look at IS organization, funding models,
portfolios, and monitoring options. Chapter 9 describes the governance of IS resources. Chapter 10 explores sourc-
ing and how companies provision IS resources. Chapter 11 focuses on project and change management. Chapter 12
concerns business intelligence, knowledge management, and analytics and provides an overview of how companies
manage knowledge and create a competitive advantage using business analytics. And finally, Chapter 13 discusses
the ethical use of information and privacy.
Basic Assumptions Every book is based on certain assumptions, and understanding those assumptions makes a difference in interpret-
ing the text. The first assumption made by this text is that managers must be knowledgeable participants in the IS
decisions made within and affecting their organizations. That means that the general manager must develop a basic
understanding of the business and technology issues related to IS. Because technology changes rapidly, this text
also assumes that today’s technology is different from yesterday’s technology. In fact, the technology available
to readers of this text today might even differ significantly from that available when the text was being written.
Therefore, this text focuses on generic concepts that are, to the extent possible, technology independent. It provides
frameworks on which to hang more up‐to‐the‐minute technological evolutions and revolutions, such as new uses of
the Web, new social tools, or new cloud‐based services. We assume that the reader will supplement the discussions
of this text with current case studies and up‐to‐date information about the latest technology.
A second, perhaps controversial, assumption is that the roles of a general manager and of an IS manager require
different skill sets and levels of technical competency. General managers must have a basic understanding of IS in
order to be a knowledgeable participant in business decisions. Without that level of understanding, their decisions
may have serious negative implications for the business. On the other hand, IS managers must have more in‐depth
knowledge of technology so they can partner with general managers who will use the IS. As digital natives take on
increasingly more managerial roles in corporations, this second assumption may change—all managers may need
deeper technical understanding. But for this text, we assume a different, more technical skill set for the IS manager
and we do not attempt to provide that here.
Assumptions about Management
Although many books have been written describing the activities of managers, organizational theorist Henry
Mintzberg offers a view that works especially well with a perspective relevant to IS management. Mintzberg’s
model describes management in behavioral terms by categorizing the three major roles a manager fills: interper-
sonal, informational, and decisional (see Figure I-3). This model is useful because it considers the chaotic nature of
the environment in which managers actually work. Managers rarely have time to be reflective in their approaches
to problems. They work at an unrelenting pace, and their activities are brief and often interrupted. Thus, quality
information becomes even more crucial to effective decision making. The classic view is often seen as a tactical
approach to management, whereas some describe Mintzberg’s view as more strategic.
Assumptions about Business
Everyone has an internal understanding of what constitutes a business, which is based on readings and experi-
ences with different firms. This understanding forms a model that provides the basis for comprehending actions,
interpreting decisions, and communicating ideas. Managers use their internal model to make sense of otherwise
cintro.indd 8 11/26/2015 7:38:30 PM
9Basic Assumptions
FIGURE I-3 Managers’ roles. Source: Adapted from H. Mintzberg, The Nature of Managerial Work (New York: Harper & Row, 1973).
Type of Roles Manager’s Roles IS Examples
Interpersonal Figurehead CIO greets touring dignitaries.
Leader IS manager puts in long hours to help motivate project team to complete project on schedule in an environment of heavy budget cuts.
Liaison CIO works with the marketing and human resource vice presidents to make sure that the reward and compensation system is changed to encourage use of the new IS supporting sales.
Informational Monitor Division manager compares progress on IS project for the division with milestones developed during the project’s initiation and feasibility phase.
Disseminator CIO conveys organization’s business strategy to IS department and demonstrates how IS strategy supports the business strategy.
Spokesperson IS manager represents IS department at organization’s recruiting fair.
Decisional Entrepreneur IS division manager suggests an application of a new technology that improves the division’s operational efficiency.
Disturbance handler IS division manager, as project team leader, helps resolve design disagreements between division personnel who will be using the system and systems analysts who are designing it.
Resource allocator CIO allocates additional personnel positions to various departments based upon the business strategy.
Negotiator IS manager negotiates for additional personnel needed to respond to recent user requests for enhanced functionality in a system that is being implemented.
chaotic and random activities. This book uses several conceptual models of business. Some take a functional view
and others take a process view.
Functional View
The classical view of a business is based on the functions that people perform, such as accounting, finance,
marketing, operations, and human resources. The business organizes around these functions to coordinate them and
to gain economies of scale within specialized sets of tasks. Information first flows vertically up and down between
line positions and management; after analysis, it may be transmitted across other functions for use elsewhere in the
company (see Figure I-4).
Process View
Michael Porter of Harvard Business School describes a business in terms of the primary and support activities that
are performed to create, deliver, and support a product or service. The primary activities are not limited to specific
functions, but rather are cross‐functional processes (see Figure I-5). For example, an accounts payable process
O p e ra
ti o n s
A c c o u n ti n g
S a
le s
Executive Management
M a rk
e ti n g
S u p p o rt
In fo
rm a ti o n f lo
w s
FIGURE I-4 Hierarchical view of the firm.
cintro.indd 9 11/26/2015 7:38:30 PM
10 Introduction
might involve steps taken by other departments that generate obligations, which the accounting department pays.
Likewise, the product creation process might begin with an idea from R&D, which is transferred to an operations
organization that builds the actual product and involves marketing to get the word out, sales to sell and deliver the
product, and support to provide customer assistance as needed. This view takes into account the activities in each
functional area that are needed to complete a process, and any organization can be described by the processes it
performs. Improving coordination among activities increases business profit. Organizations that effectively manage
core processes across functional boundaries are often the industry leaders because they have made efficiencies that
are not visible from the functional viewpoint. IS are often the key to process improvement and cross‐functional
coordination.
Both the process and functional views are important to understanding IS. The functional view is useful when sim-
ilar activities must be explained, coordinated, executed, or communicated. For example, understanding a marketing
information system means understanding the functional approach to business in general and the marketing function
in particular. The process view, on the other hand, is useful when examining the flow of information throughout a
business. For example, understanding the information associated with order fulfillment, product development, or
customer service means taking a process view of the business. This text assumes that both views are important for
participating in IS decisions.
Assumptions about Information Systems
Consider the components of an information system from the manager’s viewpoint rather than from the technolo-
gist’s viewpoint. Both the nature of information (hierarchy and economics) and the context of an information
system must be examined to understand the basic assumptions of this text.
Information Hierarchy
The terms data, information, and knowledge are often used interchangeably, but have significant and discrete mean- ings within the knowledge management domain (and are more fully explored in Chapter 12). Tom Davenport, in his
book Information Ecology, pointed out that getting everyone in any given organization to agree on common defi- nitions is difficult. However, his work (summarized in Figure I-6) provides a nice starting point for understanding
the subtle but important differences.
The information hierarchy begins with data, or simple observations; data are sets of specific, objective facts or observations, such as “inventory contains 45 units.” Standing alone, such facts have no intrinsic meaning but can be
easily captured, transmitted, and stored electronically.
A c c o u n ti n g
O p e ra
ti o n s
M a rk
e ti n g
S a le
s
S u p p o rt
Executive Management
Accounts Payable Process
Product Development Process
Order Fulfillment Process
Information Flows
FIGURE I-5 Process view of the firm: Cross‐functional processes.
cintro.indd 10 11/26/2015 7:38:30 PM
11Basic Assumptions
Information is data endowed with relevance and purpose.6 People turn data into information by organizing data into some unit of analysis (e.g., dollars, dates, or customers). For example, a mashup of location data and housing
prices adds something beyond what the data provide individually, and that makes it information. A mashup is the term used for applications that combine data from different sources to create a new application on the Web.
To be relevant and have a purpose, information must be considered within the context in which it is received
and used. Because of differences in context, information needs vary across functions and hierarchical levels. For
example, when considering functional differences related to a sales transaction, a marketing department manager
may be interested in the demographic characteristics of buyers, such as their age, gender, and home address. A man-
ager in the accounting department probably won’t be interested in any of these details, but instead wants to know
details about the transaction itself, such as method of payment and date of payment.
Similarly, information needs may vary across hierarchical levels. These needs are summarized in Figure I-7
and reflect the different activities performed at each level. At the supervisory level, activities are narrow in scope
and focused on the production or the execution of the business’s basic transactions. At this level, information is
focused on day‐to‐day activities that are internally oriented and accurately defined in a detailed manner. The activ-
ities of senior management are much broader in scope. Senior management performs long‐term planning and needs
FIGURE I-6 Comparison of data, information, and knowledge. Source: Adapted from Thomas Davenport, Information Ecology (New York: Oxford University Press, 1997).
Data Information Knowledge
Definition Simple observations of the state of the world
Data endowed with relevance and purpose
Information from the human mind (includes reflection, synthesis, context)
Characteristics • Easily structured • Easily captured on machines • Often quantified • Easily transferred • Mere facts
• Requires unit of analysis • Data that have been
processed • Human mediation
necessary
• Hard to structure • Difficult to capture on machines • Often tacit • Hard to transfer
Example Daily inventory report of all inventory items sent to the CEO of a large manufacturing company
Daily inventory report of items that are below economic order quantity levels sent to inventory manager
Inventory manager’s knowledge of which items need to be reordered in light of daily inventory report, anticipated labor strikes, and a flood in Brazil that affects the supply of a major component
6 Peter F. Drucker, “The Coming of the New Organization,” Harvard Business Review (January–February 1988), 45–53.
Top Management Middle Management Supervisory and Lower‐Level Management
Time Horizon Long: years Medium: weeks, months, years Short: day to day
Level of Detail Highly aggregated Less accurate More predictive
Summarized Integrated Often financial
Very detailed Very accurate Often nonfinancial
Source Primarily external Primarily internal with limited external
Internal
Decision Extremely judgmental Uses creativity and analytical skills
Relatively judgmental Heavily reliant on rules
FIGURE I-7 Information characteristics across hierarchical levels. Source: G. Adapted from Anthony Gorry and Michael S. Scott Morton, “A Framework for Management Information Systems,” Sloan Management Review 13, no. 1, 55–70.
cintro.indd 11 11/26/2015 7:38:30 PM
12 Introduction
information that is aggregated, externally oriented, and more subjective than supervisors require. The information
needs of middle managers in terms of these characteristics fall between the needs of supervisors and of senior
management. Because information needs vary across levels, a daily inventory report of a large manufacturing firm
may serve as information for a low‐level inventory manager whereas the CEO would consider such a report to be
merely data. The context in which the report is used must be considered in determining whether it is information.
Knowledge is information that is synthesized and contextualized to provide value. It is information with the most value. Knowledge consists of a mix of contextual information, values, experiences, and rules. For example,
the mashup of locations and housing prices means one thing to a real estate agent, another thing to a potential buyer,
and yet something else to an economist. It is richer and deeper than information and more valuable because someone
thought deeply about that information and added his or her own unique experience and judgment. Knowledge also
involves the synthesis of multiple sources of information over time.7 The amount of human contribution increases
along the continuum from data to information to knowledge. Computers work well for managing data but are less
efficient at managing information and knowledge.
Some people think there is a fourth level in the information hierarchy: wisdom. Wisdom is knowledge fused with intuition and judgment that facilitates the ability to make decisions. Wisdom is that level of the information
hierarchy used by subject matter experts, gurus, and individuals with a high degree of experience who seem to “just
know” what to do and how to apply the knowledge they gain. This is consistent with Aristotle’s view of wisdom as
the ability to balance different and conflicting elements together in ways that are only learned through experience.
Economics of Information versus Economics of Things In their groundbreaking book, Blown to Bits, Evans and Wurster argued that every business is in the information business.8 Even those businesses not typically considered information businesses have business strategies in which
information plays a critical role. The physical world of manufacturing is shaped by information that dominates
products as well as processes. For example, an automobile contains as much computing power as a personal com-
puter. Information‐intensive processes in the manufacturing and marketing of the automobile include design,
market research, logistics, advertising, and inventory management. The automobile itself, with its millions of lines
of code, has become a computer on wheels with specialized computers and sensors alerting the driver of its health
and road conditions. When taken in for service, maintenance crews simply plug an electronic monitor into the auto-
mobile to analyze and identify worn parts or other areas in need of upgrades and repair.
As our world is reshaped by information‐intensive industries, it becomes even more important for business strat-
egies to differentiate the timeworn economics of things from the evolving economics of information. Things wear
out; things can be replicated at the expense of the manufacturer; things exist in a tangible location. When sold, the
seller no longer owns the thing. The price of a thing is typically based on production costs. In contrast, information
never wears out, although it can become obsolete or untrue. Information can be replicated at virtually no cost
without limit; information exists in the ether. When sold, the seller still retains the information, but this ownership
provides little value if the ability of others to copy it is not limited. Finally, information is often costly to produce
but cheap to reproduce. Rather than pricing it to recover the sunk cost of its initial production, its price is typically
based on its value to the consumer. Figure I-8 summarizes the major differences between the economics of goods
and the economics of information.
Evans and Wurster suggest that traditionally the economics of information has been bundled with the economics
of things. However, in this Information Age, firms are vulnerable if they do not separate the two. The Encyclopedia
Britannica story serves as an example. Bundling the economics of things with the economics of information made
it difficult for Encyclopedia Britannica to gauge two serious threats. The first threat was posed by Encarta, an entire
encyclopedia on a CD‐ROM that was given away to promote the sale of computers and peripherals. The second
was Wikipedia, which is freely available to all and updated on a nearly real‐time basis continuously by thousands of
7 Thomas H. Davenport, Information Ecology (New York: Oxford University Press, 1997), 9–10. 8 Philip Evans and Thomas Wurster, Blown to Bits (Boston: Harvard Business School Press, 2000).
cintro.indd 12 11/26/2015 7:38:30 PM
13Economics of Information versus Economics of Things
volunteers; currently Wikipedia reports that it holds over 4.9 million articles, receives 10 edits per second globally,
and boasts 750 new pages added each day.9 In contrast, Encyclopedia Britannica published volumes every several
years and the price was between $1,500 and $2,200, covering printing and binding ($250) and sales commissions
($500 to $600).10
Britannica focused on its centuries‐old tradition of providing information in richly bound tomes sold to the public
through a well‐trained sales force. Only when it was threatened with its very survival did Encyclopedia Britannica
grasp the need to separate the economics of information from economics of things and sell bits of information
online. Clearly, Encyclopedia Britannica’s business strategy, like that of many other companies, needed to reflect
the difference between the economics of things from the economics of information.
Internet of Things
More recently, a new concept has emerged to describe the explosive growth in the data generated by sensors
traveling over the Web. The Internet of things (IoT) is the term used to refer to machines and sensors talking to each other over the network, taking Evans and Wurster’s concepts even further. Although the term IoT was coined
in1999,11 it was not widely discussed until the current decade. The earliest example of its functions was reported
before the Internet even existed—in a Coke machine at Carnegie Mellon University in the mid‐1970s. Staff mem-
bers and students in the Computer Science Department were able to use a network connecting a minicomputer
and sensors in the machine to monitor not only the machine’s inventory but even which button to push for the
coldest bottles.12
A more broadly used early application of IoT was provided by Otis Elevator in the late 1980s and later copied
by most other elevator companies.13 Sensors in elevators send alerts over a network to a service center’s computer
when parts need replacing, and service technicians arrive without the builder owner knowing about the potential
problem. Extending IoT even further, today’s elevator systems alert handheld devices of nearby repair technicians
who then visit the elevator to make the repair. Devices may connect to the Internet over a wireless connection or
through a hard‐wired connection.
Many say that we are on the brink of a new revolution that will be as impactful as the popularization of the
World‐Wide Web. The IoT has already been applied to large number of “things”—extending to home appliances,
automobiles, thermostats, lighting, pets, and even people.14 Many people can already perform futuristic functions
using smartphone apps. They can remotely check the status of their heart monitor, tire pressure, or subway train’s
location. They can locate a lost pet or valuable object. They can reset their thermostat, turn off lights, and record a
program on their DVR even after having left for vacation.
9 Wikipedia Statistics, http://en.wikipedia.org/wiki/Wikipedia:Statistics (accessed August 18, 2015). 10 Evans and Wurster, Blown to Bits. 11 K. Ashton, “That ‘Internet of Things’ Thing,” RFID Journal (June 22, 2009), http://www.rfidjournal.com/articles/view?4986 (accessed May 26, 2015). 12 Attributed to The Carnegie Mellon University Computer Science Department Coke Machine, “The ‘Only’ Coke Machine on the Internet,” https://www.
cs.cmu.edu/~coke/history_long.txt (accessed May 26, 2015). 13 D. Freedman, “The Myth of Strategic IS,” CIO Magazine (July 1991), 42–48. 14 Internet of Things, Whatis.com, http://whatis.techtarget.com/definition/Internet‐of‐Things (accessed May 26, 2015).
FIGURE I-8 Comparison of the economics of things with the economics of information.
Things Information
Wear out Doesn’t wear out but can become obsolete or untrue
Are replicated at the expense of the manufacturer Is replicated at almost zero cost without limit
Exist in a tangible location Does not physically exist
When sold, possession changes hands When sold, seller may still possess and sell again
Price based on production costs Price based on value to consumer
cintro.indd 13 11/26/2015 7:38:30 PM
14 Introduction
Management
Information Systems
People Technology Process
FIGURE I-9 System hierarchy.
Social Business Lens
The explosion of consumer‐based technologies, coupled with applications such as Facebook, Renren, Sina
Weibo, Twitter, LinkedIn, YouTube, Foursquare, Skype, Pinterest, and more have brought into focus the concept of
a social business. Some call this trend the consumerization of technology . Consumerization means that technol-
ogies such as social tools, mobile phones, and Web applications targeted at individual, personal users are cre-
ating pressures for companies in new and unexpected ways. At the same time, technologies initially intended for
the corporation, like cloud computing, are being retooled and “consumerized” to appeal to individuals outside
the corporation.
In this text, we use the term social business to refer to an enterprise using social IT for business applications,
activities and processes. We sometimes say that a social business has infused social capabilities into business
processes.
Social business is permeating every facet of business. There are new business models based on a social IT
platform that offer new ways of connecting with stakeholders in functions such as governing, collaborating, doing
work, and measuring results. In this book, we are particular about the terminology we use. Social IT is the term we
use for all technologies in this space. We defi ne social IT as the technologies used for people to collaborate, net-
work, and interact over the Web. These include social networks and other applications that provide for interaction
between people.
Many use the term social media as an overarching term for this space, but increasingly, social media refers to
the marketing and sales applications of social IT, and we use it that way. Social networks are a specifi c type of tool,
like Facebook, Ning, and similar tools. Social networking is the use of these types of social IT tools in a community.
As of the writing of this text, the social space is still like the Wild West; there are no widely accepted conventions
about the terms and their meanings or the uses and their impacts. But we have enough experience with social
IT that we know it ’ s a major force bursting on to the enterprise scene and it must be addressed in discussions of
managing and using information systems.
Look in chapters for the feature “Social Business Lens” where we explore one topic related to that chapter from
a social business perspective.
The reader might already be using the IoT with one or more of these apps. However, vendors tell us we “ain ’ t
seen nothing yet.” The potential impact of IoT is limited by the number of objects connected and apps available to
monitor and control them. As the number of devices directly connected to the Internet increases, researchers and IT
cintro.indd 14 11/26/2015 7:38:31 PM
15Summary
professionals expect an exponential increase in IoT functionality and usage.15 In the coming years, Internet traffic
will dramatically increase along with an explosion in the amount of information generated by these devices.
System Hierarchy
Information systems are composed of three main elements: technology, people, and process (see Figure I-9). When
most people use the term information system, they actually refer only to the technology element as defined by the organization’s infrastructure. In this text, the term infrastructure refers to everything that supports the flow and processing of information in an organization, including hardware, software, data, and network components whereas
architecture refers to the blueprint that reflects strategy implicit in combining these components. Information sys- tems (IS) are defined more broadly as the combination of technology (the “what”), people (the “who”), and process (the “how”) that an organization uses to produce and manage information. In contrast, information technology (IT)
focuses only on the technical devices and tools used in the system. We define information technology as all forms of technology used to create, store, exchange, and use information. Many people use the terms IS and IT inter-
changeably. In recent years, “IT” has been more fashionable, but that changes as fashions change.
S U M M A R Y
Aligning information systems and business decisions is no longer an option; it’s an imperative for business. Every business oper-
ates as an information‐based enterprise. In addition, the explosive growth of smart phones, tablets, social tools, and Web‐based
businesses provides all managers with some experience in information systems and some idea of the complexity involved in
providing enterprise‐level systems. This highlights the need for all managers to be skilled in managing and using IS.
It is no longer acceptable to delegate IS decisions to the management information systems (MIS) department alone. The
general manager must be involved to both execute business plans and protect options for future business vision. IS and business
maturity must be aligned to provide the right level of information resources to the business.
This chapter makes the case for general managers’ full participation in strategic business decisions concerning IS. It out-
lines the skills required for such participation, and it makes explicit certain key assumptions about the nature of business,
management, and IS that will underlie the remaining discussions. Subsequent chapters are designed to build on these concepts
by addressing the following questions.
Frameworks and Foundations
• How should information strategy be aligned with business and organizational strategies? (Chapter 1)
• How can a business achieve competitive advantages using its IS? (Chapter 2)
• How do organizational decisions impact IS decisions? (Chapter 3)
• How is the work of the individual in an organization affected by decisions concerning IS? (Chapter 4)
• How are information systems integrated with business processes? (Chapter 5)
IS Management Issues
• What are the components of an IS architecture? (Chapter 6)
• How are IS kept secure? (Chapter 7)
• How is the IT organization managed and funded? (Chapter 8)
• How are IS decisions made? (Chapter 9)
• What source should provide IS services and how and where should they be provided? (Chapter 10)
15 Jared Newman, “Right Now, the Internet of Things Is Like the Internet of the 1990s,” Fast Company (March 27, 2015I, http://www.fastcompany. com/3044375/sector‐forecasting/the‐future‐of‐the‐internet‐of‐things‐is‐like‐the‐internet‐of‐the‐1990s (last accessed May 26, 2015).
cintro.indd 15 11/26/2015 7:38:31 PM
16 Introduction
• How are IS projects managed and risks from change management mitigated? (Chapter 11)
• How is business intelligence managed within an organization? (Chapter 12)
• What ethical and moral considerations bind the uses of information in business? (Chapter 13)
K E Y T E R M S
architecture (p. 14)
data (p. 10)
digital natives (p. 4)
information (p. 11)
information system (p. 14)
information technology (p. 14)
infrastructure (p. 14)
internet of things (p. 13)
knowledge (p. 12)
mashup (p. 11)
social business (p. 15)
social IT (p. 15)
social media (p. 15)
social networking (p. 15)
Web 2.0 (p. 3)
wisdom (p. 12)
cintro.indd 16 11/26/2015 7:38:31 PM
17
1 chapter
The Information Systems Strategy Triangle
In February 2015, 1 health care giant Kaiser Permanente named Dick Daniels to the CIO position and
the leadership team for the next stage of the company ’ s business strategy: to provide better health care
at lower costs. To achieve those goals, Kaiser Permanente, one of the nation ’ s largest not‐for‐profi t
health care systems with over 9.5 million members and 2014 operating revenue of $56.4 billion,
invested in numerous information systems projects aimed at streamlining operations, offering new
services, and meeting government obligations. For example, in 2014, 13% of all the medical appoint-
ments were fulfi lled digitally—through e‐mail—to the delight of patients who did not have to make
a trip to the doctor ’ s offi ce and to the delight of doctors who were able to check in on their patients,
particularly those with chronic conditions, more frequently. Doctors particularly liked this because
their annual bonuses were based, in part, on improvements in patient health metrics such as lower
blood pressure, reduced blood sugar levels if at risk for diabetes, and improvement in cholesterol
scores rather than on the number of tests they ordered or the total billing they brought in. The organi-
zation invested heavily in video conferencing technology, mobile apps, and analytics as they fi nished
implementing a $4 billion electronic health records system, KP HealthConnect.
KP HealthConnect began in 2003, but by 2008, all members had online access to their health
records; by 2010, all system services were available at all medical offi ces and hospitals in the system;
and by 2012, all members had access to their health records on mobile devices. Kaiser Permanente
has been a regular innovator in the use of technologies, being one of the fi rst health care organiza-
tions to experiment with chat rooms, secure messaging, and private e‐mail correspondence between
patients, physicians, and care providers. The new system connects each member to all caregivers and
services available at Kaiser Permanente. Further, it enabled patients to participate in the health care
they received at a new level and access information directly from the system.
The organizational design supported the business strategy of better health care at lower costs. 2
At the core of this strategy was a shift from a “fi x‐me system” with which patients seek health care
when something is broken and needs repair to a system that was truly proactive and focused on pro-
moting health. Under the “fi x‐me system,” health care was expensive and often sought too late to
The Information Systems Strategy Triangle highlights the alignment necessary between decisions regarding business strategy, information systems, and organizational design. This chapter reviews models of business strategy, organizational strategy and design, and information systems strategy. It concludes with a simple framework for creating a social business strategy.
1 http://blogs.wsj.com/cio/2015/02/09/kaiser‐permanente‐names‐richard‐dick‐daniels‐cio/; http://fortune.com/2015/04/29/kaiser‐
ceo‐on‐healthcare/; http://fortune.com/2014/07/24/a‐health‐care‐model‐thats‐working/; Paul Gray , Omar Sawy , Guillermo Asper ,
and Magnus Thordarson , “ Realizing Strategic Value Through Center‐Edge Digital Transformation in Consumer‐Centric Industries ,”
MIS Quarterly Executive 12 , no. 1 ( March 2013 ) . 2 Note that the organizational design puts the organizational strategy into practice. For instance, rewarding billings, sharing little
information, and late involvement with patients are organizational design elements of a “fix‐me” organizational strategy.
c01.indd 17 11/26/2015 6:19:39 PM
18 The Information Systems Strategy Triangle
fix the problem. Instead, the Kaiser Permanente strategy focused on promoting health, enabling identification of
problems before they became serious issues. For example, those in need of more exercise may receive a prescription
to take a walk and an e‐mail reminder from health care providers to reinforce the new behavior. Staff incentive
systems were aligned with this behavior, too. Physicians were all paid a flat salary and end‐of‐year bonuses if their
patients achieved better health. All caregivers were rewarded for guiding people into making behavioral choices
that were likely to keep them well.
The success at Kaiser Permanente was achieved in part because of the alignment between its business strategy, its
information systems strategy, and its organization design. Physicians were part of the decision‐making processes.
Managers were involved in the design and implementation of the information systems. The decision to move from
a “fix‐me system” to a “proactive health system” was not made in isolation from the organization or the information
systems.
The information systems (IS) department is not an island within a firm. Rather, IS manages an infrastructure
that is essential to the firm’s functioning. Further, the Kaiser Permanente case illustrates that a firm’s IS must be
aligned with the way it manages its employees and processes. For Kaiser Permanente, it was clear that not only did
the physicians need a fast, inexpensive, and useful way to communicate with patients outside of regular in‐person
appointments but also incentive systems and patient service processes had to be updated. Information systems
provided a solution in conjunction with new operational and control processes.
This chapter introduces a simple framework for describing the alignment necessary with business systems and
for understanding the impact of IS on organizations. This framework is called the Information Systems Strategy Triangle because it relates business strategy with IS strategy and organizational strategy. This chapter also presents key frameworks from organization theory that describe the context in which IS operates as well as the business
imperatives that IS support. The Information Systems Strategy Triangle presented in Figure 1.1 suggests three key
points about strategy.
1. Successful firms have an overriding business strategy that drives both organizational strategy and IS strat- egy. The decisions made regarding the structure, hiring practices, vendor policies, and other components of
the organizational design, as well as decisions regarding applications, hardware, and other IS components,
are all driven by the firm’s business objectives, strategies, and tactics. Successful firms carefully balance
these three strategies—they purposely design their organization and their IS strategies to complement their
business strategy.
2. IS strategy can itself affect and is affected by changes in a firm’s business and organizational design. To perpetuate the balance needed for successful operation, changes in the IS strategy must be accompanied by
changes in the organizational strategy and must accommodate the overall business strategy. If a firm designs
its business strategy to use IS to gain strategic advantage, the leadership position in IS can be sustained only
by constant innovation. The business, IS, and organizational strategies must constantly be adjusted.
3. IS strategy always involves consequences—intended or not—within business and organizational strategies. Avoiding harmful unintended consequences means remembering to consider business and organizational
strategies when designing IS implementation. For example, deploying tablets to employees without an
accompanying set of changes to job expectations, process design, compensation plans, and business tac-
tics will fail to achieve expected productivity improvements. Success can be achieved only by specifically
designing all three components of the strategy triangle so they properly complement each other.
Business Strategy
Organizational Strategy Information Strategy
FIGURE 1.1 The Information Systems Strategy Triangle.
c01.indd 18 11/26/2015 6:19:39 PM
19Brief Overview of Business Strategy Frameworks
Before the changes at Kaiser Permanente, incentives for doctors were misaligned with the goals of better health
care. Its IS Strategy Triangle was out of alignment at that time. Its organizational strategy (e.g., a “fix‐me” system)
was not supported by the IS strategy (e.g., tracking and reporting billable procedures). Neither the organizational
strategy nor the IS strategy adequately supported their purported business strategy (helping patients at lower cost).
For Kaiser Permanente, success could be achieved only by specifically designing all three components of the
strategy triangle to work together.
Of course, once a firm is out of alignment, it does not mean that it has to stay that way. To correct the misalign-
ment described earlier, Kaiser Permanente used on‐line services to enable quick communications between patients,
physicians, and care providers. Further, it changed its bonus structure to focus on health rather than billing amounts.
The new systems realign people, process, and technology to provide better service, save time, and save money.
What does alignment mean? The book Winning the 3‐Legged Race defines alignment as the situation in which a company’s current and emerging business strategy is enabled and supported yet unconstrained by technology. The
authors suggest that although alignment is good, there are higher states, namely synchronization and convergence,
toward which companies should strive. With synchronization, technology not only enables current business strategy
but also anticipates and shapes future business strategy. Convergence goes one step further by exhibiting a state in
which business strategy and technology strategy are intertwined and the leadership team members operate almost
interchangeably. Although we appreciate the distinction and agree that firms should strive for synchronization and
convergence, alignment in this text means any of these states, and it pertains to the balance between organizational strategy, IS strategy, and business strategy.3
A word of explanation is needed here. Studying IS alone does not provide general managers with the appropriate
perspective. This chapter and subsequent chapters address questions of IS strategy squarely within the context of
business strategy. Although this is not a textbook of business strategy, a foundation for IS discussions is built on
some basic business strategy frameworks and organizational theories presented in this and the next chapter. To be
effective, managers need a solid sense of how IS are used and managed within the organization. Studying details
of technologies is also outside the scope of this text. Details of the technologies are relevant, of course, and it is
important that any organization maintain a sufficient knowledge base to plan for and adequately align with business
priorities. However, because technologies change so rapidly, keeping a textbook current is impossible. Instead, this
text takes the perspective that understanding what questions to ask and having a framework for interpreting the
answers are skills more fundamental to the general manager than understanding any particular technology. That
understanding must be constantly refreshed using the most current articles and information from experts. This text
provides readers with an appreciation of the need to ask questions, a framework from which to derive the ques-
tions to ask, and a foundation sufficient to understand the answers received. The remaining chapters build on the
foundation provided in the Information Systems Strategy Triangle.
Brief Overview of Business Strategy Frameworks A strategy is a coordinated set of actions to fulfill objectives, purposes, and goals. The essence of a strategy is setting limits on what the business will seek to accomplish. Strategy starts with a mission. A mission is a clear and compelling statement that unifies an organization’s effort and describes what the firm is all about (i.e., its purpose).
Mark Zuckerberg’s reflection on the mission of Facebook provides an interesting example. Originally conceived as
a product rather than a service, the CEO of Facebook commented, “after we started hiring more people and building
out the team, I began to get an appreciation that a company is a great way to get a lot of people involved in a mission
you’re trying to push forward. Our mission is getting people to connect.”4
In a few words, the mission statement sums up what is unique about the firm. The information in Figure 1.2 indi-
cates that even though Zappos, Amazon, and L.L. Bean are all in the retail industry, they view their missions quite
differently. For example, Zappos’ focus is on customer service, Amazon is about customer sets, and L.L. Bean is
3 F. Hogue, V. Sambamurthy, R. Zmud, T. Trainer, and C. Wilson, Winning the 3‐Legged Race (Upper Saddle River, NJ: Prentice Hall, 2005). 4 Shayndi Raice, “Is Facebook Ready for the Big Time?” The Wall Street Journal (January 14–15, 2012), B1.
c01.indd 19 11/26/2015 6:19:39 PM
20 The Information Systems Strategy Triangle
about the merchandise and treating people the right way. It’s interesting to note that although Amazon purchased
Zappos in 2009, the acquisition agreement specified that Zappos would continue to run independently of its new
parent. Today, Zappos continues to remain both culturally and physically separate from Amazon. Zappos is located
near Las Vegas, Nevada, and Amazon is in Seattle, Washington.
A business strategy is a plan articulating where a business seeks to go and how it expects to get there. It is the means by which a business communicates its goals. Management constructs this plan in response to market
forces, customer demands, and organizational capabilities. Market forces create the competitive context for the
business. Some markets, such as those faced by package delivery firms, laptop computer manufacturers, and credit
card issuers, face many competitors and a high level of competition, such that product differentiation becomes
increasingly difficult. Other markets, such as those for airlines and automobiles, are similarly characterized by
high competition, but product differentiation is better established. Customer demands comprise the wants and
needs of the individuals and companies who purchase the products and services available in the marketplace.
Organizational capabilities include the skills and experience that give the corporation a currency that can add value
in the marketplace.
Consider Dell, originally a personal computer company. Initially Dell’s business strategy was to sell personal
computers directly to the customer without going through an intermediary. Reaching customers in this way was
less expensive and more responsive than selling the computers in retail stores. The Internet, combined with Dell’s
well‐designed IS infrastructure, allowed customers to electronically contact Dell, which then designed a PC for a
customer’s specific needs. Dell’s ordering system was integrated with its production system and shared information
automatically with each supplier of PC components. This IS enabled the assembly of the most current computers
without the expense of storing large inventories, and inventory uncertainties were pushed back to the vendors. Cost
savings were passed on to the customer, and the direct‐to‐customer model allowed Dell to focus its production
capacity on building only the most current products. With small profit margins and new products quickly able to
replace existing products, IS aligned with Dell’s business strategy to provide low‐cost PCs. The cost savings from
the IS was reflected in the price of systems. In addition, Dell executives achieved a strategic advantage in reducing
response time, building custom computers that had one of the industry’s lowest costs, and eliminating inventories
that could become obsolete before they are sold. Thus, this business strategy was consistent with Dell’s mission of
delivering the best customer experience in the markets it serves.
But things aren’t always as they seem. If the direct‐to‐customer strategy was so effective, why is Dell now
also selling its computers at major retail outlets such as Walmart, Staples, and Best Buy? It is likely that the sales
figures and profit margins were not measuring up to Dell’s stated objectives and performance targets. And Dell
has branched out to other hardware, such as printers and servers, and more recently, providing IT services. Con-
sequently, Dell adjusted its business strategy, and we can expect to see changes in its organizational design and
information systems to reflect its altered direction.
Now consider your favorite dot‐com company. Every dot‐com company has a business strategy of delivering
its products or services over the Internet. To do so, the dot‐coms need organizations filled with individuals and
processes that support this business strategy. Their employees must be Internet savvy; that is, they must have
FIGURE 1.2 Mission statements of three retail businesses.
Company Mission Statement
Zappos To provide the best customer service possible. Internally we call this our WOW philosophy.a
Amazon We seek to be Earth’s most customer‐centric company for three primary customer sets: consumer customers, seller customers and developer customers.b
L.L. Bean Sell good merchandise at a reasonable profit, treat your customers like human beings and they will always come back for more.c
a http://about.zappos.com (accessed March 19, 2015). b http://www.amazon.com Mission Statement on Amazon Investor Relations page (accessed March 19, 2015). c http://www.llbean.com/customerService/aboutLLBean/company_values.html (accessed March 19, 2015).
c01.indd 20 11/26/2015 6:19:40 PM
21Brief Overview of Business Strategy Frameworks
Business Models versus Business Strategy
Some new managers confuse the concept of a business model with the concept of a business strategy. The
business strategy , as discussed in this chapter, is the coordinated set of actions used to meet the business goals
and objectives. It ’ s the path a company takes to achieve its goals. One of the components of the business strategy
is the business model, the design of how the business will make money and how customers will get value from its
products and services. Some might argue that a business model is the outcome of strategy. *
Some examples of business models commonly seen in the digital world include † :
• Subscription: Customers pay a recurring fee for the product or service.
• Advertising: Customers access the product or service for “free,” and sponsors or vendors pay fees for
advertising that goes with the product or service.
• Cost plus: Somewhat like a traditional retailer, customers purchase the product or service for a specific price
that is usually the cost plus some markup for profit.
• Renting/Licensing: Customers pay a fee to use the product or service for a specified period of time.
• All‐you‐can‐Eat: Customers pay one fee for access to as much of the product or service as they want to
consume, usually over a specific period of time.
• Freemium: Customers get something for “free,” and the company makes money from selling customers
something after they get the giveaway. This is similar to a business model used in brick‐and‐mortar busi-
nesses that give away something or sell something for a very low price, but the customer has to pay for
refills or upgrades such as giving razors away but making money from selling razor blades.
* For a more detailed treatment of the concepts of business models, strategy, and tactics, see Ramon Casadesus‐Masanell and Joan Ricart, “From Strategy to Business Models and to Tactics,” Harvard Business School working paper 10‐036, http://www.hbs.edu/ faculty/Publication%20Files/10‐036.pdf (accessed August 21, 2015). † For a list of 15 different business models, see http://www.digitalbusinessmodelguru.com/2012/12/15‐business‐models‐complete‐ list.html (accessed August 21, 2015).
skills and knowledge that are relevant to the dot‐com business. Their processes must support the dot‐com strategy.
Imagine what would happen if the order process for their services was not Internet based. It seems silly to even
consider a dot‐com that would insist that orders be placed in person or even by telephone. The dot‐com processes
are aligned with companies ’ on‐line‐based business strategy. Further, their IS strategy must also be aligned with
their processes. It would be equally silly to expect information to be based on paper fi les rather than electronic fi les.
A classic, widely used model developed by Michael Porter still frames most discussions of business strategy. In
the next section, we review Porter ’ s generic strategies framework as well as dynamic environment strategies. 5 We
then share questions that a general manager must answer to understand the business ’ strategy.
The Generic Strategies Framework
Companies sell their products and services in a marketplace populated with competitors. Michael Porter ’ s frame-
work helps managers understand the strategies they may choose to build a competitive advantage. In his book
Competitive Advantage , Porter claims that the “fundamental basis of above‐average performance in the long run is sustainable competitive advantage.” 6 Porter identifi ed three primary strategies for achieving competitive advantage:
(1) cost leadership, (2) differentiation, and (3) focus. These advantages derive from the company ’ s relative position
5 Another popular model by Michael Porter, the value chain, provides a useful model for discussing internal operations of an organization. Some find it a
useful model for understanding how to link two firms. This framework is used in Chapter 5 to examine business process design. For further information,
see M. Porter , Competitive Advantage , 1st ed. ( New York : The Free Press , 1985 ) . 6 M. Porter , Competitive Advantage: Creating and Sustaining Superior Performance , 2nd ed. ( New York : The Free Press , 1998 ) .
c01.indd 21 11/26/2015 6:19:40 PM
22 The Information Systems Strategy Triangle
in the marketplace, and they depend on the strategies and tactics used by competitors. See Figure 1.3 for a summary
of these three strategies for achieving competitive advantage.
Cost leadership results when the organization aims to be the lowest‐cost producer in the marketplace. The organization enjoys above‐average performance by minimizing costs. The product or service offered must be
comparable in quality to those offered by others in the industry so that customers perceive its relative value. Typ-
ically, only one cost leader exists within an industry. If more than one organization seeks an advantage with this
strategy, a price war ensues, which eventually may drive the organization with the higher cost structure out of the
marketplace. Through mass distribution, economies of scale, and IS to generate operating efficiencies, Walmart
epitomizes the cost‐leadership strategy.
Through differentiation, the organization offers its product or service in a way that appears unique in the mar- ketplace. The organization identifies which qualitative dimensions are most important to its customers and then
finds ways to add value along one or more of those dimensions. For this strategy to work, the price charged cus-
tomers for the differentiator must seem fair relative to the price charged by competitors. Typically, multiple firms
in any given market employ this strategy. Progressive Insurance is able to differentiate itself from other automobile
insurance companies.
In its earlier days, Progressive Insurance’s service was unique. Representatives responded to accident claims
24‐7, arriving at the scene of the accident with powerful laptops and software that enabled them to settle claims and
cut a check on the spot. More recently, Progressive was the first to offer a usage‐based insurance product, called
Snapshot, that bases insurance rates on the miles driven by customers. These innovations enabled a strategy that
spurred Progressive’s growth and widened its profit margins. Apple Inc. is another example of a company that com-
petes in its markets on its ability to differentiate its products. Apple’s various innovations in its operating system,
laptop design, iPads, iPhones, iPods, iTunes and iWatches have created a strategy based on the uniqueness of its
products and services.
Focus allows an organization to limit its scope to a narrower segment of the market and tailor its offerings to that group of customers. This strategy has two variants: (1) cost focus, in which the organization seeks a cost advantage within its segment and (2) differentiation focus, in which it seeks to distinguish its products or services within the segment. This strategy allows the organization to achieve a local competitive advantage even if it does
not achieve competitive advantage in the marketplace overall. Porter explains how the focuser can achieve compet-
itive advantage by focusing exclusively on certain market segments:
Breadth of target is clearly a matter of degree, but the essence of focus is the exploitation of a narrow target’s differ-
ences from the balance of the industry. Narrow focus in and of itself is not sufficient for above‐average performance.7
Marriott International demonstrates both types of focus with two of its hotel chains: Marriott has a cost focus,
and Ritz‐Carlton has a differentiation focus. To better serve its business travelers and cut operational expenses,
Marriott properties have check‐in kiosks that interface with their Marriott Rewards loyalty program. A guest can
swipe a credit card or Marriott Rewards card at the kiosk in the lobby and receive a room assignment and keycard
Strategic Advantage
S tr
a te
g ic
T a
rg e
t
Uniqueness perceived by customer Low-cost position
Industrywide Differentiation Cost leadership
Particular segment only Focus
Source: Adapted from M. Porter, Competitive Advantage, 1st ed. (New York: The Free Press, 1985) and Competitive Advantage: Creating and Sustaining Superior Performance, 2nd ed. (New York: The Free Press, 1998).
FIGURE 1.3 Three strategies for achieving competitive advantage.
7 Porter, Competitive Advantage: Creating and Sustaining.
c01.indd 22 11/26/2015 6:19:40 PM
23Brief Overview of Business Strategy Frameworks
from the machine. She can also print airline boarding passes at the kiosks. Further, the kiosks help the Marriott
chain implement its cost focus by cutting down on the personnel needed in at the front desk. The kiosk system is
integrated with other systems such as billing and customer relationship management (CRM) to generate operating
efficiencies and enhanced corporate standardization.
In contrast, stand‐alone kiosks in the lobby would destroy the feeling that the Ritz‐Carlton chain, acquired by
Marriott in 1995, creates. To the Ritz‐Carlton chain, CRM means capturing and using information about guests,
such as their preference for wines, a hometown newspaper, or a sunny room. Each Ritz‐Carlton employee is
expected to promote personalized service by identifying and recording individual guest preferences. To demon-
strate how this rule could be implemented, a waiter, after hearing a guest exclaim that she loves tulips, could log the
guest’s comments into the Ritz‐Carlton CRM system called “Class.” On her next visit to a Ritz‐Carlton hotel, tulips
could be placed in the guest’s room after querying Class to learn more about her as her visit approaches. The CRM
is instrumental in implementing the differentiation‐focus strategy of the Ritz‐Carlton chain.8 Its strategy allows the
Ritz‐Carlton chain to live up to its unique motto which emphasizes that its staff members are distinguished people
with distinguished customers.
Airline JetBlue adopted a differentiation strategy based on low costs coupled with unique customer experience.
It might be called a “value‐based strategy.” It is not the lowest cost carrier in the airline industry; at 12.3 cents per
passenger seat mile, JetBlue has one of the lowest costs, but Virgin America, Spirit, and Allegiant had even lower
per seat mile costs in 2013. But JetBlue manages its operational costs carefully, making decisions that keep its per
passenger costs among the lowest in the business, such as a limited number of airplane models in its fleet, gates at
less congested airports, paperless cockpit and many other operations, and snacks instead of meals on flights. Jet-
Blue has one of the longest stage length averages (the length of the average flight) in the industry, and the longer
the flight, the lower the unit costs. Competing network carriers, who are more well known and established, may
have different pay scales because they’ve been in the business longer and have a different composition of staff.
These carriers also have higher maintenance costs for their older, more diverse fleets. If it could realize its plans for
growth while maintaining its low cost structure, JetBlue could move from its cost focus based on serving a limited,
but growing, number of market segments to a cost leadership strategy.9
While sustaining a cost focus, JetBlue’s chairman believes that JetBlue can compete on more than price, which
is part of its unique differentiation strategy. It is why the airline continually strives to keep customers satisfied with
frills such as extra leg room, leather seats, prompt baggage delivery, DirectTV, and movies. It has been recognized
with many awards for customer satisfaction in the North American airline industry.
Dynamic Environment Strategies
Porter’s generic strategies model is useful for diagnostics, for understanding how a business seeks to profit in
its chosen marketplace, and for prescriptions, or building new opportunities for advantage. It reflects a careful
balancing of countervailing competitive forces posed by buyers, suppliers, competitors, new entrants, and substitute
products and services within an industry. As is the case with many models, dynamic environment strategies offer
managers useful tools for thinking about strategy.
However, the Porter model was developed at a time when competitive advantage was sustainable because the
rate of change in any given industry was relatively slow and manageable. Since the late 1980s, when this frame-
work was at the height of its popularity, newer models have been developed to take into account the increasing
turbulence and velocity of the marketplace. Organizations need to be able to respond instantly and change rapidly,
which requires dynamic structures and processes. One example of this type of approach is the hypercompetition
framework. Discussions of hypercompetition take a perspective different from that of the previous framework. Por-
ter’s framework focuses on creating competitive advantage in relatively stable markets, whereas hypercompetition frameworks suggest that the speed and aggressiveness of the moves and countermoves in a highly competitive and
8 Scott Berinato, “Room for Two,” CIO.com (May 15, 2002), http://www.cio.com/archive/051502/two_content.html. 9 http://www.oliverwyman.com/content/dam/oliver‐wyman/global/en/2014/nov/Airline_Economic_Analysis_Screen_OW_Nov_2014.pdf (accessed
March 23, 2015).
c01.indd 23 11/26/2015 6:19:40 PM
24 The Information Systems Strategy Triangle
turbulent market create an environment in which advantages are rapidly created and eroded. In a hypercompetitive
market, trying to sustain a specific competitive advantage can be a deadly distraction because the environment and
the marketplace change rapidly. To manage the rapid speed of change, firms value agility and focus on quickly
adjusting their organizational resources to gain competitive advantage. Successful concepts in hypercompetitive
markets include dynamic capabilities, creative destruction, and blue ocean strategy.10
Dynamic capabilities are means of orchestrating a firm’s resources in the face of turbulent environments. In particular, the dynamic capabilities framework focuses on the ways a firm can integrate, build, and reconfigure
internal and external capabilities, or abilities, to address rapidly changing environments. These capabilities are
built rather than bought. They are embedded in firm‐specific routines, processes, and asset positions. Thus,
they are difficult for rivals to imitate. In sum, they help determine the speed and degree to which the firm can
marshal and align its resources and competences to match the opportunities and requirements of the business
environment.11
Since the 1990s, a competitive practice, called creative destruction, has emerged. First predicted over 60 years ago by the economist Joseph Schumpeter, it was made popular more recently by Harvard Professor Clay Christensen.
Coincidentally (or maybe not), the accelerated competition has occurred concomitantly with sharp increases in the
quality and quantity of information technology (IT) investment. The changes in competitive dynamics are particu-
larly striking in sectors that spend the most on IT.12
One example of using dynamic models was implemented by leadership guru Jack Welch at General Electric
(GE). Often nicknamed “Neutron Jack” because of the way businesses were radically changed, Welch’s approach
to creative destruction was termed destroy your business (DYB). Welch recognized that GE could sustain its com- petitive advantage only for a limited time as competitors attempted to outmaneuver the company. He knew that
if GE did not identify its weaknesses, its competitors would relish doing so. DYB is an approach that places GE
employees in the shoes of their competitors.13 Through the DYB lenses, GE employees develop strategies to destroy
the company’s competitive advantage. Then, in light of their revelations, they apply the grow your business (GYB)
strategy to find fresh ways to reach new customers and better serve existing ones. This allows GE to protect its
business from its competitors and sustain its position in the marketplace over the long run.
A similar strategy of cannibalizing its own products was used by Apple. Steve Jobs, Apple’s founder and former
CEO, felt strongly that if a company was not willing to cannibalize its own products, someone else would come
along and do it for them. That was evident in the way Apple introduced the iPhone while iPod sales were brisk and
the iPad while its Macintosh sales were strong.14 Apple continues to exhibit this strategy with subsequent releases
of new models of all of its products.
Most discussions of strategy focus on gaining competitive advantage in currently existing industries and mar-
ketplaces, which are referred to by Kim and Mauborgne as red ocean strategy. Using a red ocean strategy, firms fiercely compete to earn a larger share of existing demand. Kim and Mauborgne recommend a better approach:
Firms adopt a blue ocean strategy in which they create new demand in untapped marketspaces where they have the “water” to themselves. When applying the blue ocean strategy, the goal is not to beat the competition but to make
it irrelevant. This is what Dell did when it challenged current industry logic by changing the computer purchasing
and delivery experiences of its customers. “With its direct sales to customers, Dell was able to sell its PCs for
40 percent less than IBM dealers while still making money.”15 Dell also introduced into unchartered seas an unprec-
edented delivery process that allowed buyers to receive their new computers within four days of ordering them as
compared to the red ocean process, which typically required 10 weeks.
10 For more information, please see Don Goeltz, “Hypercompetition,” vol. 1 of The Encyclopedia of Management Theory, ed. Eric Kessler (Los Angeles: Sage, 2013), 359–60. 11 D. J. Teece, G. Pisano, and A. Shuen, “Dynamic Capabilities and Strategic Management,” Strategic Management Journal 18 (1997), 509–33; David Teece, “Dynamic Capabilities,” vol. 1 of The Encyclopedia of Management Theory, ed. Eric Kessler (Los Angeles: Sage, 2013), 221–24. 12 Andrew McAfee and Erik Brynjolfsson, “Investing in the IT That Makes a Competitive Difference,” Harvard Business Review (July–August 2008), 98–107. 13 M. Levinson, “GE Uses the Internet to Grow Business,” CIO (October 15, 2001), http://www.cio.com/article/30624/HOT_TOPIC_E_BUSINESS_ GE_Uses_the_Internet_to_Grow_Business_ (accessed May 5, 2012). 14 Walter Isaacson, Steve Jobs (New York: Simon and Shuster, 2011). 15 W. Chan Kim and Renee Mauborgne, Blue Ocean Strategy (Cambridge, MA: Harvard Business School, 2005), 202.
c01.indd 24 11/26/2015 6:19:40 PM
25Brief Overview of Organizational Strategies
Why Are Strategic Advantage Models Essential to Planning for Information Systems?
A general manager who relies solely on IS personnel to make IS decisions may not only give up any authority over
IS strategy but also hamper crucial future business decisions. In fact, business strategy should drive IS decision
making, and changes in business strategy should entail reassessments of IS. Moreover, changes in IS potential
should trigger reassessments of business strategy—as in the case of the Internet when companies that understood
or even considered its implications for the marketplace quickly outpaced their competitors who failed to do so.
For the purposes of our model, the Information Systems Strategy Triangle, understanding business strategy means
answering the following questions:
1. What is the business goal or objective?
2. What is the plan for achieving it? What is the role of IS in this plan?
3. Who are the crucial competitors and partners, and what is required of a successful player in this marketplace?
4. What are the industry forces in this marketplace?
Porter’s generic strategies framework and the dynamic frameworks (summarized in Figure 1.4) are revisited in
the next few chapters. They are especially helpful in discussing the role of IS in building and sustaining competitive
advantages (Chapter 2) and for incorporating IS into business strategy. The next section of this chapter establishes
a foundation for understanding organizational strategies.
Brief Overview of Organizational Strategies Organizational strategy includes the organization’s design as well as the choices it makes to define, set up, coor- dinate, and control its work processes. How a manager designs the organization impacts every aspect of opera-
tions from dealing with innovation to relationships with customers, suppliers, and employees. The organizational
strategy is a plan that answers the question: “How will the company organize to achieve its goals and implement
its business strategy?”
A useful framework for organizational design can be found in the book Building the Information Age Orga- nization by Cash, Eccles, Nohria, and Nolan.16 This framework (Figure 1.5) suggests that the successful execu- tion of a company’s organizational strategy comprises the best combination of organizational, control, and cultural
variables. Organizational variables include decision rights, business processes, formal reporting relationships, and
informal networks. Control variables include the availability of data, nature and quality of planning, effectiveness
of performance measurement and evaluation systems, and incentives to do good work. Cultural variables comprise
the values of the organization. These organizational, control, and cultural variables are managerial levers used by decision makers to effect changes in their organizations. These managerial levers are discussed in detail in Chapter 3.
FIGURE 1.4 Summary of strategic approaches and IT applications.
Strategic Approach Key Idea Application to Information Systems
Porter’s generic strategies Firms achieve competitive advantage through cost leadership, differentiation, or focus.
Understanding which strategy is chosen by a firm is critical to choosing IS to complement the strategy.
Dynamic environment strategies Speed, agility, and aggressive moves and countermoves by a firm create competitive advantage.
The speed of change is too fast for manual response, making IS critical to achieving business goals.
16 James I. Cash, Robert G. Eccles, Nitin Nohria, and Richard L. Nolan, Building the Information Age Organization (Homewood, IL: Richard D. Irwin, 1994).
c01.indd 25 11/26/2015 6:19:40 PM
26 The Information Systems Strategy Triangle
Our objective is to give the manager a framework to use in evaluating various aspects of organizational design.
In this way, the manager can review the current organization and assess which components may be missing and
what future options are available. Understanding organizational design means answering the following questions:
1. What are the important structures and reporting relationships within the organization?
2. Who holds the decision rights to critical decisions?
3. What are the important people‐based networks (social and informational), and how can we use them to get work done better?
4. What are the characteristics, experiences, and skill levels of the people within the organization?
5. What are the key business processes?
6. What control systems (management and measurement systems) are in place?
7. What are the culture, values, and beliefs of the organization?
The answers to these questions inform the assessment of the organization’s use of IS. Chapters 3, 4, and 5 use
the Managerial Levers model to assess the impact of information systems (IS) on the firm. Chapters 8 and 9 use this
same list to understand the business and governance of the IS organization.
Brief Overview of Information Systems Strategy IS strategy is the plan an organization uses to provide information services. IS allow a company to implement its business strategy. JetBlue’s former Vice President for People explains it nicely: “We define what the business needs
and then go find the technology to support that.”17
Business strategy is a function of competition (What does the customer want and what does the competition
do?), positioning (In what way does the firm want to compete?), and capabilities (What can the firm do?). IS help
Organizational effectiveness
Strategy
Organization Control
Culture
Performance measurement
and evaluation
Incentives and rewards
Values
Formal reporting
relationships Planning
Business processes
Decision rights
Data
Informal networks
People, Information, and
Technology
Execution
FIGURE 1.5 Managerial Levers model. Source: J. Cash, R. G. Eccles, N. Nohria, and R. L. Nolan, Building the Information Age Organization (Homewood, IL: Richard D. Irwin, 1994).
17 Hogue et al., Winning the 3‐Legged Race, 111.
c01.indd 26 11/26/2015 6:19:40 PM
27Brief Overview of Information Systems Strategy
determine the company ’ s capabilities. An entire chapter is devoted to understanding key issues facing general man-
agers concerning IT architecture, but for now a more basic framework is used to understand the decisions related
to IS that an organization must make.
The purpose of the matrix in Figure 1.6 is to give the manager a high‐level view of the relation between the
four IS infrastructure components and the other resource considerations that are keys to IS strategy. Infrastructure
FIGURE 1.6 IS strategy matrix.
What Who Where
Hardware The physical devices of the system System users and managers Physical location of devices (cloud, data center, etc.)
Software The programs, applications, and utilities
System users and managers The hardware it resides on and physical location of that hardware
Networking The way hardware is connected to other hardware, to the Internet, and to other outside networks
System users and managers; company that provides the service
Where the nodes, the wires, and other transport media are located
Data Bits of information stored in the system
Owners of data; data administrators
Where the information resides
Social Business Lens: Building a Social Business Strategy
Some companies use social IT as point solutions for business opportunities, but others build a social business
strategy that considers the application of social IT tools and capabilities to solve business opportunities holisti-
cally. A social business strategy is a plan of how the fi rm will use social IT that is aligned with its organizational strat-
egy and IS strategy. Social business strategy includes a vision of how the business would operate if it seamlessly
and thoroughly incorporated social and collaborative capabilities throughout the business model. It answers the
same type of questions of what, how, and who, as do many other business strategies.
Social businesses infuse social capabilities into their business processes. Most of the social business opportu-
nities fall into one of three categories:
Collaboration —using social IT to extend the reach of stakeholders, both employees and those outside the
enterprise walls. Social IT such as social networks enable individuals to find and connect with each other to
share ideas, information, and expertise.
Engagement —using social IT to involve stakeholders in the traditional business of the enterprise. Social IT such as
communities and blogs provide a platform for individuals to join in conversations, create new conversations,
and offer support to each other and other activities that create a deeper feeling of connection to the company,
brand, or enterprise.
Innovation —using social IT to identify, describe, prioritize, and create new ideas for the enterprise. Social IT offers
community members a “super idea box” where individuals suggest new ideas, comment on other ideas, and
vote for their favorite idea, giving managers a new way to generate and decide on products and services.
National Instruments (ni.com) is an example of a company that has embraced social IT and created a social
business strategy. Managers developed a branded community consisting of a number of social IT tools like Face-
book, Twitter, blogs, forums, and more. By thinking holistically about all the ways that customers and employees
might interact with one another, the branded community has become the hub of collaboration, engagement, and
idea generation.
Source: Adapted from Keri Pearlson , “ Killer Apps for a Social Business ” (February 17, 2011 ) , http://instantlyresponsive.wordpress. com/2011/02/27/killer‐apps‐for‐a‐social‐business/ (accessed March 19, 2015). For more information on National Instruments, see Harvard Business school case study 813001, “National Instruments” by Lynda Applegate, Keri Pearlson, and Natalie Kindred.
c01.indd 27 11/26/2015 6:19:40 PM
28 The Information Systems Strategy Triangle
includes hardware, such as desktop units and servers. It also includes software, such as the programs used to do
business, to manage the computer itself and to communicate between systems. The third component of IS infra-
structure is the network, which is the physical means by which information is exchanged among hardware com-
ponents. Examples include fiber networks such as Google Fiber, cable networks such as those provided by Time
Warner, AT&T, and Comcast, WiFi provided by many local services, and 3G/4G/WiMax technologies (which are
actually Internet communication standards, but some phone companies adopt those terms as the name of networks
they offer). Some communications are conducted through a private digital network, managed by an internal unit).
Finally, the fourth part of the infrastructure is the data. The data include the bits and bytes stored in the system.
In current systems, data are not necessarily stored alongside the programs that use them; hence, it is important to
understand what data are in the system and where they are stored. Many more detailed models of IS infrastructure
exist, and interested readers may refer to any of the dozens of books that describe them. For the purposes of this
text, the IS strategy matrix provides sufficient information to allow the general manager to assess the critical issues
in information management.
Because of the advanced state of technology, many managers are more familiar with the use of platforms and
applications, or apps. Platforms are technically any set of technologies upon which other technologies or appli-
cations run. Often they are a combination of hardware and operating system software. Microsoft Windows and
Apple’s Macintosh with its latest operating system are two examples of platforms. Also common are mobile plat-
forms such as the iPhone and Samsung/Android phone. Applications or apps, on the other hand, are self‐contained software programs that fulfill a specific purpose and run on a platform. The term “apps” became popular from the
smart phone industry, beginning when Apple offered an online marketplace for customers to download small pro-
grams to run on their devices. But more recently, because all platforms have applications that run on them, the term
apps has taken on a broader meaning.
S U M M A R Y
The Information Systems Strategy Triangle represents a simple framework for understanding the impact of IS on businesses. It
relates business strategy with IS strategy and organizational strategy and implies the balance that must be maintained in business
planning. The Information Systems Strategy Triangle suggests the following management principles.
Business Strategy
Business strategy drives organizational strategy and IS strategy. The organization and its IS should clearly support defined
business goals and objectives.
• Definition: A well‐articulated vision of where a business seeks to go and how it expects to get there
• Example Models: Porter’s generic strategies model; dynamic environment models
Organizational Strategy
Organizational strategy must complement business strategy. The way a business is organized either supports the implementation
of its business strategy or it gets in the way.
• Definition: The organization’s design, as well as the choices it makes to define, set up, coordinate, and control its work processes
• Example Model: managerial levers
IS Strategy
IS strategy must complement business strategy. When IS support business goals, the business appears to be working well. IS
strategy can itself affect and is affected by changes in a firm’s business and organizational strategies. Moreover, IS strategy
always has consequences—intended or not—on business and organizational strategies.
c01.indd 28 11/26/2015 6:19:40 PM
29Discussion Questions
• Definition: The plan the organization uses in providing information systems and services
• Models: A basic framework for understanding IS decisions for platform, applications, network and data‐relating architecture (the “what”), and the other resource considerations (“who” and “where”) that represent important planning
constraints
Strategic Relationships
Organizational strategy and information strategy must complement each other. They must be designed so that they support,
rather than hinder, each other. If a decision is made to change one corner of the triangle, it is necessary to evaluate the other two
corners to ensure that balance is preserved. Changing business strategy without thinking through the effects on the organization
and IS strategies will cause the business to struggle until balance is restored. Likewise, changing IS or the organization alone
will cause an imbalance.
D I S C U S S I O N Q U E S T I O N S
1. Why is it important for business strategy to drive organizational strategy and IS strategy? What might happen if the business strategy was not the driver?
2. In 2015, the NFL decided to hand out Microsoft Surface tablets to all coaches for use during games, and there are reports that in the future, they will add HoloLens devices to provide augmented reality.18 A HoloLens device is a high‐definition,
head‐mounted display that allows coaches to see the plays with text and animation superimposed right on the live images. If
the NFL simply handed them out without making any other formal changes in organizational strategy or business strategy,
what might be the outcome? What unintended consequences might occur?
3. Consider a traditional manufacturing company that wants to build a social business strategy. What might be a reasonable business strategy, and how would organization and IS strategy need to change? How would this differ for a restaurant chain?
A consumer products company? A nonprofit?
4. This chapter describes key components of an IS strategy. Describe the IS strategy of a consulting firm using the matrix framework.
5. What does this tip from Fast Company mean: “The job of the CIO is to provide organizational and strategic flexibility”?19
K E Y T E R M S
apps (p. 27)
blue ocean strategy (p. 24)
business model (p. 20)
business strategy (p. 21)
collaboration (p. 28)
cost leadership (p. 22)
creative destruction (p. 24)
differentiation (p. 22)
dynamic capabilities (p. 24)
engagement (p. 28)
focus (p. 22)
hypercompetition (p. 23)
Information Systems Strategy
Triangle (p. 18)
innovation (p. 28)
IS strategy (p. 26)
managerial levers (p. 25)
mission (p. 19)
organizational strategy (p. 25)
red ocean strategy (p. 24)
social business strategy (p. 27)
strategy (p. 19)
18 Sean Michael, “NFL Teams Will Use Surface Pro 3s in 2015 and May Use HoloLens in the Future,” WinBeta (August 7, 2015), http://www.winbeta.
org/news/nfl‐teams‐will‐use‐surface‐pro‐3s‐2015‐and‐may‐use‐hololens‐future (accessed August 21, 2015). 19 “Technology: How much? How fast? How revolutionary? How expensive?” Fast Company (March 2002), http://www.fastcompany.com/44651/ technology‐how‐much‐how‐fast‐how‐revolutionary‐how‐expensive (accessed August 21, 2015).
c01.indd 29 11/26/2015 6:19:40 PM
30 The Information Systems Strategy Triangle
Lego has long been an industry leader in children ’ s toys with its simple yet unique building block‐style products. A Danish
carpenter whose family still owns Lego today founded the privately held company in 1932. But by 2004, the company found
itself close to extinction, losing $1 million a day. A new CEO was brought in, and within fi ve years sales were strong, profi ts
were up, and naysayers who felt the new strategy was going to fail were proved wrong. In fact, sales, revenues and profi ts
continued to be strong. Revenues grew from 16 billion Danish krone (DKK) in 2010 to over 28 billion DKK in 2014, and in
the same period, profi t almost doubled from 3.7 billion DKK to 7 billion DKK.
With the advent of high‐tech forms of entertainment, such as the iPod and PlayStation, Lego found itself more antique
than cutting edge in the toy world. When new CEO Jorgen Vig Knudstorp, a father and former McKinsey consultant, took
over, the company was struggling with poor performance, missed deadlines, long development times, and a poor delivery
record. The most popular toys frequently would be out of stock, and the company was unable to ship enough products or
manage the production of its more complicated sets. Retail stores were frustrated, and that translated into reduced shelf
space and ultimately to business losses.
Knudstorp changed all of that. He reached out to top retailers, cut costs, and added missing links to the supply chain. For
example, prior to the new strategy, 90% of the components were used in just one design. Designers were encouraged to reuse
components in their new products, which resulted in a reduction from about 13,000 different Lego components to 7,000.
Because each component ’ s mold could cost up to 50,000 euros on average to create, this reduction saved signifi cant expense.
Lego was known for its traditional blocks and components that would allow children to build just about anything their
imagination could create. The new strategy broadened the products, targeting new customer segments. Lego managers cre-
ated products based on themes of popular movies, such as Star Wars and the Indiana Jones series. The company moved into video games, which featured animated Lego characters sometimes based on movies. The company created a product
strategy for adults and engaged the communities who had already set up thousands of Web sites and blogs featuring Lego
creations. It embraced the community who thought of Lego as a way to create art rather than simply as a building toy. And
the company designed a line of Legos aimed at girls because the majority of its products had primarily targeted boys.
The culture of Lego changed to one that refused to accept nonperformance. The company ’ s past showed a tendency to
focus on innovation and creativity, often at the expense of profi ts. But that changed. “Knudstorp . . . made it clear that results,
not simply feeling good about making the best toys, would be essential if Lego was to succeed. . . . Its business may still be
fun and games, but working here isn ’ t,” 20 describes the current culture at Lego .
Some of the most drastic changes came from within the Lego organization structure. After its massive losses in 2004,
Lego switched its employee pay structure, offering incentives for appropriate product innovation and sales. Key performance
indicators encourage product innovation that catalyzes sales while decreasing costs. Development time dropped by 50%, and
some manufacturing and distribution functions were moved to less expensive locations, but the focus on quality remained.
The creation of reusable parts alleviated some of the strain on Lego ’ s supply chain, which in turn helped its bottom line.
Lego also expanded into the virtual world, extending into video gaming and virtual‐interaction games on the Internet.
Thinking outside the company ’ s previous product concepts cut costs while encouraging real‐time feedback from customers
across a global market. Additionally, Lego created brand ambassadors who organized conventions across the world to dis-
cuss product innovation and to build communities of fellow customers. With increased revenue, Lego managers considered
entering the movie‐making business—a risky proposition for a toy company. However, Lego ’ s success with Hollywood‐type
action fi gures fueled its interest in a movie‐making endeavor.
The growth put strains on the IS supporting the business. Order management and fulfi llment were particularly affected,
resulting in the inability to meet customer demand. Employee management systems were stretched as new employees were
added to support the growth and additional locations. Product design and development, especially the virtual and video
games, required new technology, too.
To solve some of these problems, Lego managers used the same approach they used for their blocks. They created a
modularized and standardized architecture for their IS, making it possible to expand more quickly and add capacity and
functionality as it was needed. They implemented an integrated enterprise system that gave them new applications for
human capital management, operations support, product life cycle management, and data management. The new systems
and services, purchased from vendors such as SAP and IBM , simplifi ed the IT architecture and the management processes
needed to oversee the IS.
■ CASE STUDY 1‐1 Lego
20 Nelson D. Schwartz , “ Turning to Tie‐Ins, Lego Thinks Beyond the Brick ,” The New York Times , September 5, 2009 , http://www.nytimes. com/2009/09/06/business/global/06lego.html?pagewanted=all&_r=0 (accessed August 21, 2015) .
c01.indd 30 11/26/2015 6:19:41 PM
31Case Study
One manager at Lego summed it up nicely, “The toy world moves onwards constantly, and Lego needs to re‐invent itself
continuously. Signifi cant corporate re‐shaping introduced new energy to the company.” 21 He went on to say that simplifying
Lego ’ s IT systems and implementing an effi cient product development process that was able to maintain quality and cost
favorably positioned Lego to respond to the fast changing pace of the toy industry.
Discussion Questions
1. How did the information systems and the organization design changes implemented by Knudstorp align with the changes
in business strategy?
2. Which of the generic strategies does Lego appear to be using based on this case? Provide support for your choice.
3. Are the changes implemented by Knudstorp an indication of hypercompetition? Defend your position.
4. What advice would you give Knudstorp to keep Lego competitive, growing, and relevant?
Sources: Adapted from http://www.nytimes.com/2009/09/06/business/global/06lego.html (accessed August 21, 2015) ; Brad Wieners , “ Lego Is for Girls ” (December 19, 2011 ), 68 – 73 ; information from Lego ’ s 2012 annual report, http://www.lego.com/en‐us/aboutus/news‐ room/2013/february/annual‐result‐2012 (accessed March 29, 2015); and “Lego Case Study,” http://thelegocasestudy.com (accessed March 29, 2015).
Started in the late 1990s, Google grew rapidly to become one of the leading companies in the world. Its mission is “to
organize the world ’ s information and make it universally accessible and useful.” It is operating on a simple but innovative
business model of attracting Internet users to its free search services and earning revenue from targeted advertising. In the
winner‐takes‐all business of Internet search, Google has captured considerably more market share than its next highest rival,
Yahoo . This has turned Google ’ s Web pages into the Web ’ s most valuable real (virtual) estate. Through its two fl agship pro-
grams, AdWords and AdSense, Google has capitalized on this leadership position in searching to capture the lion ’ s share in
advertisement spending. AdWords enables businesses to place ads on Google and its network of publishing partners using
an auction‐engine algorithm to decide which ad will appear on a given page. On the other hand, Google uses AdSense to
push advertisements on publishing partners ’ Web sites targeting a specifi c audience and share ad revenue with the publishing
partner. This creates a win–win situation for both advertisers and publishers; Google makes more than 90% of its revenue
from ads.
Even as a large company, Google continues to take risks and expand into new markets. Innovation is at the core of their
enterprise. Sergey Brin and Larry Page, the founders, declared in Google ’ s IPO prospectus, “We would fund projects that
have a 10% chance of earning a billion dollars over the long term. . . We place smaller bets in areas that seem very specula-
tive or even strange. As the ratio of reward to risk increases, we will accept projects further outside our normal areas.” They
add that they are especially likely to fund new types of projects when the initial investment is small.
Google promotes a culture of creativity and innovation in a number of ways. It encourages innovation in all employees
by allowing them to spend 20% of their time on a project of their own choosing. In addition, the company offers benefi ts
such as free meals, on‐site gym, on‐site dentist, and even washing machines at the company for busy employees.
Despite an open and free work culture, a rigid and procedure‐fi lled structure is imposed for making timely decisions and
executing plans. For example, when designing new features, the team and senior managers meet in a large conference room.
They use the right side of the conference room walls to digitally project new features and the left side to project any tran-
scribed critique with a timer clock giving everyone 10 minutes to lay out ideas and fi nalize features. Thus, Google utilizes
rigorous, data‐driven procedures for evaluating new ideas in the midst of a chaotic innovation process.
Nine notions of innovations are embedded in the organizational culture, processes, and structure of Google: 22
1. “Innovation Comes from Anywhere”: All Google employees can innovate.
2. “Focus on the User”: When focus is on the user, the money and all else will follow.
■ CASE STUDY 1‐2 Google
21 https://www.vmware.com/files/pdf/partners/sap/sap‐vmware‐lego‐cs‐en.pdf (accessed September 11, 2015). 22 Kathy Chin Long , “ Google Reveals its Nine Principles of Innovations ,” Fast Company , http://www.fastcompany.com/3021956/how‐to‐be‐a‐success‐ at‐everything/googles‐nine‐principles‐of‐innovation (accessed March 30, 2015 ) .
c01.indd 31 11/26/2015 6:19:41 PM
32 The Information Systems Strategy Triangle
3. “Aim to be Ten Times Better”: To get radical and revolutionary innovation, think 10 times improvement to force
out‐of‐the‐box thinking.
4. “Bet on Technical Insights”: Trust your organization ’ s unique insights and bet on them for major innovation.
5. “Ship and Iterate”: Do not wait for perfection; let users help you to “iterate.”
6. “Give Employees 20 Percent Time”: Employees will delight you with their creative thinking. Give them 20 percent
of their work time to pursue projects they are passionate about.
7. “Default to Open Processes”: Make processes open to all to tap into the collective energy of the user base to find
great ideas.
8. “Fail Well”: Do not attach stigma to failure. If you do not fail often, you are not trying hard enough. Let people and
projects fail with pride.
9. “Have a Mission That Matters”: Google believes that its work has a positive impact on millions of people and that
this is motivating its people every day.
Keeping up with the organizational strategy of Google , its IT department provides free and open access to IT for all
employees. Rather than keeping tight control, Google allows employees to choose from several options for computer and
operating systems, download software themselves, and maintain offi cial and unoffi cial blog sites. Google ’ s intranet provides
employees information about every piece of work at any part of the company. In this way, employees can fi nd and join hands
with others working on similar technologies or features.
In building the necessary IT infrastructure, Google ’ s IT department balances buying and making its own software depend-
ing on its needs and off‐the‐shelf availability. Google thinks of every IT decision “at Web Scale” to make sure its technology
works well for its customers. Given the nature of business, security of information resources is critical for Google . For
instance, its master search algorithm is considered a more valuable secret formula than Coca‐Cola ’ s. However, rather than
improving IT security by stifl ing freedom through preventive policy controls, Google puts security in the infrastructure and
focuses more on detective and corrective controls. Its network management software tools combined with a team of security
engineers constantly look for viruses and spyware as well as strange network traffi c patterns associated with intrusion.
Discussion Questions
1. How is Google ’ s mission statement related to its business strategy?
2. How does Google ’ s information systems strategy support its business strategy?
3. How does Google ’ s organizational strategy support its business strategy?
4. Which of Porter ’ s three generic strategies does Google appear to be using based on this case? Provide a rationale for
your response.
5. Analyze Google ’ s strategy and the type of market disruption it has created using a dynamic environment perspective.
Sources: Adapted from Michelle Colin , “ Champions of Innovation ,” Businessweek 3989 (June 1 8 , 2006 ), 18–26 , http://www.bloomberg. com/bw/stories/2006‐06‐18/champions‐of‐innovation; Vauhini Vara , “ Pleasing Google ’ s Tech‐Savvy Staff ” (March 18, 2008 ) , B6; Jason Bloomberg , “ Google ’ s Three‐Pronged Enterprise Strategy ,” Forbes Online (December 12, 2014 ) ; and Connor Forrest , “ Four Ways Google Makes Money ,” TechRepublic (January 16, 2015 ) , http://www.techrepublic.com/article/four‐ways‐google‐makes‐money‐ outside‐of‐advertising/ (accessed August 21, 2015 ).
c01.indd 32 11/26/2015 6:19:41 PM
33
2 chapter
This chapter introduces the concept of building competitive advantage using information systems‐based applications. It begins with a discussion of a set of eras that describe the use of information resources historically. It then presents information resources as strategic tools, discussing information technology ( IT ) assets and IT capabilities. Michael Porter ’ s Five Com- petitive Forces model then provides a framework for discussing strategic advantage, and his Value Chain model addresses tactical ways organizations link their business processes to create strategic partnerships. We then introduce the Piccoli and Ive ’ s model to show how strategic advantage may be sustained in light of competitive barriers while the Resource‐ Based View focuses on gaining and maintaining strategic advantage through information and other resources of the fi rm. The chapter concludes with a brief discussion of strategic alliances, co‐opetition, risks of strategic use of IT, and cocreating IT and business strategy. Just as a note: this chapter uses the terms competitive advantage and strategic advantage interchangeably.
1 Inditex Web site, http://www.inditex.com/en/who_we_are/concepts/zara (accessed February 20, 2012); http://www.marinabaysands.
com/shopping/zara.html (accessed May 2, 2015).
Strategic Use of Information Resources
Zara , a global retail and apparel manufacturer based in Arteixo, Spain, needed a dynamic business
model to keep up with the ever‐changing demands of its customers and industry. At the heart of its
model was a set of business processes and an information system that linked demand to manufactur-
ing and manufacturing to distribution. The strategy at Zara stores was simply to have a continuous
fl ow of new products that were typically in limited supply. As a result, regular customers visited
their stores often—an average of 17 times a year whereas many retail stores averaged only four
times a year. When customers saw something they liked, they bought it on the spot because they
knew it would probably be gone the next time they visited the store. The result was a very loyal and
satisfi ed customer base and a wildly profi table business model.
How did Zara do it? It was possible in part because the company aligned its information system
strategy with its business strategy. Its corporate Web site gave some insight:
Zara ’ s approach to design is closely linked to our customers. A non‐stop fl ow of information from
stores conveys shoppers ’ desires and demands, inspiring our 200‐person strong creative team. 1
The entire process from factory to shop fl oor is coordinated from Zara ’ s headquarters by using
information systems. The point‐of‐sale (POS) system on the shop fl oor records the information from
each sale, and the information is transmitted to headquarters at the end of each business day. Using
a handheld device, the Zara shop managers also report daily to the designers at headquarters to let
them know what has sold and what the customers wanted but couldn ’ t fi nd. The information is used
to determine which product lines and colors should be kept and which should be altered or dropped.
c02.indd 33 11/26/2015 6:20:48 PM
34 Strategic Use of Information Resources
The designers communicate directly with the production staff to plan for the incredible number of designs—more
than 30,000—that will be manufactured every year.2
The shop managers have the option to order new designs twice a week using handheld computers. Before order-
ing, they can use these devices to check out the new designs. Once an order is received at the manufacturing plant at
headquarters, a large computer‐controlled piece of equipment calculates how to position patterns to minimize scrap
and cut up to 100 layers of fabric at a time. The cut fabric is then sent from Zara factories to external workshops for
sewing. The completed products are sent to distribution centers where miles of automated conveyor belts are used
to sort the garments and recombine them into shipments for each store. Zara’s Information Systems (IS) department
wrote the applications controlling the conveyors, often in collaboration with vendors of the conveyor equipment.
As the Zara example illustrates, innovative use of a firm’s information resources can provide it substantial
and sustainable advantages over competitors. Every business depends on IS, making its use a necessary resource
every manager must consider. IS also can create a strategic advantage for firms who bring creativity, vision, and
innovation to their IS use. The Zara case is an example. This chapter uses the business strategy foundation from
Chapter 1 to help general managers visualize how to use information resources for competitive advantage. This
chapter highlights the difference between simply using IS and using IS strategically. It also explores the use of
information resources to support the strategic goals of an organization.
The material in this chapter can enable a general manager to understand the linkages between business strategy
and information strategy on the Information Systems Strategy Triangle. General managers want to find answers to
questions such as: Does using information resources provide a sustainable and defendable competitive advantage?
What tools are available to help shape strategic use of information? What are the risks of using information resources
to gain strategic advantage?
Evolution of Information Resources The Eras model (Figure 2.1) summarizes the evolution of information resources over the past six decades. To think
strategically about how to use information resources now and in the future within the firm, a manager must under-
stand how the company arrived at where it is today. This model provides a good overview of trends and uses that
have gotten the company from simple automation of tasks to extending relationships and managing their business
ecosystems to where it is today.
IS strategy from the 1960s to the 1990s was driven by internal organizational needs. First came the need to
lower existing transaction costs. Next was the need to provide support for managers by collecting and distributing
information followed by the need to redesign business processes. As competitors built similar systems, organi-
zations lost any advantages they had derived from their IS, and competition within a given industry once again
was driven by forces that existed prior to the new technology. Most recently, enterprises have found that social IT
platforms and capabilities drive a new evolution of applications, processes, and strategic opportunities that often
involve an ecosystems of partners rather than a list of suppliers. Business ecosystems are collections of interacting participants, including vendors, customers, and other related parties, acting in concert to do business.3
In Eras I through III, the value of information was tied to physical delivery mechanisms. In these eras, value was
derived from scarcity reflected in the cost to produce the information. Information, like diamonds, gold, and MBA
degrees, was more valuable because it was found in limited quantities. However, the networked economy beginning
in Era IV drove a new model of value—value from plenitude. Network effects offered a reason for value derived from plenitude; the value of a network node to a person or organization in the network increased when others joined
the network. For example, an e‐mail account has no value without at least one other e‐mail account with which to
communicate. As e‐mail accounts become relatively ubiquitous, the value of having an e‐mail account increases
as its potential for use increases. Further, copying additional people on an e‐mail is done at a very low cost (virtu-
ally zero), and the information does not wear out (although it can become obsolete). As the cost of producing an
2 Shenay Kentish, Zara (October 18, 2011), http://unilifemagazine.com.au/special‐interest/zara/ (accessed April 10, 2012). 3 For further discussion of business ecosystems, please refer to Nicholas Vitalari and Hayden Shaughnessy, The Elastic Enterprise (Longboat Key, FL: Telemachus Press, 2012).
c02.indd 34 11/26/2015 6:20:48 PM
35Evolution of Information Resources
additional copy of an information product within a network becomes trivial, the value of that network increases.
Therefore, rather than using production costs to guide the determination of price, information products might be priced to reflect their value to the buyer.4
As each era begins, organizations adopt a strategic role for IS to address not only the firm’s internal circum-
stances but also its external circumstances. Thus, in the value‐creation era (Era V), companies seek those appli-
cations that again provide them an advantage over their competition and keep them from being outgunned by
start‐ups with innovative business models or traditional companies entering new markets. For example, companies
like Microsoft, Google, Apple, and Facebook have created and maintained a competitive advantage by building
technical platforms and organizational competencies that allow them to bring in partners as necessary to create
new products and services for their customers. Their business ecosystems give them agility as well as access to
talent and knowledge, extending the capabilities of their internal staff. Other firms simply try to solve all customer
requests themselves.
Era VI has brought another paradigm shift in the use of information with an era of hyperplenitude: seem-
ingly unlimited availability of information resources such as the Internet and processing and storage through
FIGURE 2.1 Eras of information usage in organizations.
Era I 1960s Era II 1970s Era III 1980s Era IV 1990s Era V 2000s Era VI 2010+
Primary Role of IT
Efficiency Effectiveness Strategy Strategy Value creation
Value extension
Automate existing paper‐based processes
Solve problems and create opportunities
Increase individual and group effectiveness
Transform industry/ organization
Create collaborative partnerships
Create community and social business
Connecting intelligent devices
Justify IT Expenditures
Return on investment
Increase in productivity and better decision quality
Competitive position
Competitive position
Added value Creation of relationships
Automated information exchange
Target of Systems
Organization Organization/ Group
Individual manager/ Group
Business processes
Customer/ Supplier relationships
Customer/ Employee/ supplier ecosystem
Intelligent devices
Information Models
Application specific
Data driven User driven Business driven
Knowledge driven
People driven (or relationship driven)
Data exchange driven
Dominant Technology
Mainframe, “centralized intelligence”
Minicomputer, mostly “centralized intelligence”
Microcomputer, “decentralized intelligence”
Client server, “distributed intelligence”
Internet, global “ubiquitous intelligence”
Social platforms, social networks, mobile, cloud
Intelligent devices, sensors, electronics
Basis of Value
Scarcity Scarcity Scarcity Plenitude Plenitude Hyperplenitude
Underlying Economics
Economics of information bundled with economics of things
Economics of information bundled with economics of things
Economics of information bundled with economics of things
Economics of information separated from economics of things
Economics of information separated from economics of things
Economics of relationships bundled with economics of information
Economics of informa tion bundled with economics of things
4 Adapted from M. Broadbent, P. Weill, and D. Clair. “The Implications of Information Technology Infrastructure for Business Process Redesign,” MIS Quarterly 23, no. 2 (1999), 163.
c02.indd 35 11/26/2015 6:20:48 PM
36 Strategic Use of Information Resources
cloud computing sparked new value sources such as community and social business and the Internet of Things
(connecting intelligent devices, sensors, and other electronics).
The Information System Strategy Triangle introduced in Chapter 1 reflects the linkages between a firm’s IS strat-
egy, organizational strategy, and business strategy. A link between IS strategy and business strategy focuses on the
firm’s external requirements whereas a link between IS strategy and organizational strategy fulfills and enhances
internal requirements of the firm. Maximizing the effectiveness of the firm’s business strategy requires that the
general manager be able both to identify and use information resources. This chapter describes how information
resources can be used strategically by general managers.
Information Resources as Strategic Tools Crafting a strategic advantage requires the general manager to cleverly combine all the firm’s resources, includ-
ing financial, production, human, and information, and to consider external resources such as the Internet and
opportunities in the global arena. Information resources are more than just the infrastructure. This generic term,
information resources, is defined as the available data, technology, people, and processes within an organization to be used by the manager to perform business processes and tasks. Information resources can either be assets or
capabilities. An IT asset is any thing, tangible or intangible, that can be used by a firm to create, produce, and/or offer its products (goods or services). Examples of IT assets include a firm’s Web site, data files, or computer equip-
ment. An IT capability is something that is learned or developed over time for the firm to create, produce, or offer its products. An IT capability makes it possible for a firm to use its IT assets effectively.5 The ability and knowledge
to create a Web site, work with data files, and take advantage of IT equipment are examples of capabilities.
An IS infrastructure (a concept that is discussed in detail in Chapter 6) is an IT asset. It includes each of an information resource’s constituent components (i.e., data, technology, people, and processes). The infrastructure
provides the foundation for the delivery of a firm’s products or services. Another IT asset is an information repos- itory, which is logically related data captured, organized, and retrieved by the firm. Some information repositories are filled with internally oriented information designed to improve the firm’s efficiency. Other repositories tap the
external environment and contain significant knowledge about the industry, the competitors, and the customers.
Although most firms have these types of information repositories, not all firms use them effectively.
In the continually expanding Web space, the view of IT assets is broadening to include potential resources that
are available to the firm but that are not necessarily owned by it. These additional information resources are often
available as a service rather than as a system to be procured and implemented internally. For example, Internet‐
based software (also called software as a service, or SAAS), such as SalesForce.com, offers managers the opportu- nity to find new ways to manage their customer information with an externally based IT resource. Social networking
systems such as Facebook and LinkedIn offer managers the opportunity to find expertise or an entire network of
individuals ready to participate in the corporate innovation processes using relatively little capital or expense.
The three major categories of IT capabilities are technical skills, IT management skills, and relationship skills.
Technical skills are applied to designing, developing, and implementing information systems. IT management skills are critical for managing the IS department and IS projects. They include an understanding of business processes,
the ability to oversee the development and maintenance of systems to support these processes effectively, and the
ability to plan and work with the business units in undertaking change. Relationship skills can be focused either externally or internally. An externally focused relationship skill includes the ability to respond to the firm’s market
and to work with customers and suppliers. The internal relationship between a firm’s IS managers and its business
managers is a spanning relationship skill and includes the ability of IS to manage partnerships with the business
units. Even though it focuses on relationships in the firm, it requires spanning beyond the IS department. Rela-
tionship skills develop over time and require mutual respect and trust. They, like the other information resources,
can create a unique advantage for a firm. Figure 2.2 summarizes the different types of information resources and
provides examples of each.
5 G. Piccoli and B. Ives, “IT‐Dependent Strategic Initiatives and Sustained Competitive Advantage: A Review and Synthesis of the Literature,” MIS Quarterly 29, no. 4 (2003), 747–76.
c02.indd 36 11/26/2015 6:20:48 PM
37How Can Information Resources Be Used Strategically?
Information resources exist in a company alongside other resources. The general manager is responsible for
organizing all resources so that business goals are met. Understanding the nature of the resources at hand is a pre-
requisite to using them effectively. By aligning IS strategy with business strategy, the general manager maximizes
the company’s profit potential. To ensure that information resources being deployed for strategic advantage are used
wisely, the general manager must identify what makes the information resource valuable (and the Eras model may
provide some direction) and sustainable. Meanwhile, the firm’s competitors are working to do the same. In this
competitive environment, how should the information resources be organized and applied to enable the organiza-
tion to compete most effectively?
How Can Information Resources Be Used Strategically? The general manager confronts many elements that influence the competitive environment of his or her enterprise.
Overlooking a single element can bring about disastrous results for the firm. This slim tolerance for error requires
the manager to take multiple views of the strategic landscape. Three such views can help a general manager align
IS strategy with business strategy. The first view uses the five competitive forces model by Michael Porter to look at the major influences on a firm’s competitive environment. Information resources should be directed strategically
to alter the competitive forces to benefit the firm’s position in the industry. The second view uses Porter’s value chain model to assess the internal operations of the organization and partners in its supply chain. Information resources should be directed at altering the value‐creating or value‐supporting activities of the firm. We extend this
view further to consider the value chain of an entire industry to identify opportunities for the organization to gain
competitive advantage. The third view specifically focuses on the types of IS resources needed to gain and sustain competitive advantage. These three views provide a general manager with varied perspectives from which to iden-
tify strategic opportunities to apply the firm’s information resources.
Using Information Resources to Influence Competitive Forces
Porter provides the general manager a classic view of the major forces that shape the competitive environment of an
industry, which affects firms within the industry. These five competitive forces are shown in Figure 2.3 along with
some examples of how information resources can be applied to influence each force. This view reminds the general
FIGURE 2.2 Information resources. Source: Adapted from G. Piccoli and B. Ives, “IT‐Dependent Strategic Initiatives and Sustained Competitive Advantage: A Review and Synthesis of the Literature,” MIS Quarterly 29, no. 4 (2005), 755.
IT Assets IT Capabilities
IT Infrastructure
• Hardware • Software and company apps • Network • Data • Web site
Information Repository
• Customer information • Employee information • Marketplace information • Vendor information
Technical Skills
• Proficiency in systems analysis • Programming and Web design skills • Data analysis/data scientist skills • Network design and implementation skills
IT Management Skills
• Business process knowledge • Ability to evaluate technology options • Project management skills • Envisioning innovative IT solutions
Relationship Skills
• Spanning skills such as business‐IT relationship management
• External skills such as vendor management
c02.indd 37 11/26/2015 6:20:48 PM
38 Strategic Use of Information Resources
manager that competitive forces result from more than just the actions of direct competitors. We explore each force
in detail from an IS perspective.
Potential Threat of New Entrants
Existing firms within an industry often try to reduce the threat of new entrants to the marketplace by erecting bar-
riers to entry. New entrants seem to come out of nowhere; established firms can diversify their business models and
begin to compete in the space occupied by existing firms, or an enterprising entrepreneur can create a new business
that changes the game for existing firms. Barriers to entry— including a firm’s controlled access to limited distribu-
tion channels, public image of a firm, unique relationships with customers, and an understanding of their industry’s
government regulations—help the firm create a stronghold by offering products or services that are difficult to dis-
place in the eyes of customers based on apparently unique features. Information resources also can be used to build
barriers that discourage competitors from entering an industry. For example, Google’s search algorithm is a source
of competitive advantage for the search company, and it’s a barrier of entry for new entrants that would have to cre-
ate something better to compete against Google. New entrants have failed to erode Google’s market share, which
holds fast at 65% in the United States and at over 90% in Europe.6 Walmart, another example, effectively blocks
competition with its inventory control system, which helps it drive down expenses and ultimately offer lower costs
to customers. Any company entering Walmart’s marketplace would have to spend millions of dollars to build the
inventory control system and IS required to provide its operations with the same capabilities. Therefore, the system
at Walmart may be a barrier to entry for new companies.
Search engine optimization (actions that a firm can take to improve its prominence in search results) has served
as a barrier to entry for some businesses. Consider the Web site that has the number one position in a user’s search.
There is only one number one position, making it an advantage for the company enjoying that position and a barrier
for all other Web sites seeking that position.
Bargaining Power of Suppliers
3
Bargaining Power of Buyers
2
Strategic use • Cost effectiveness • Market access • Differentiation of product or service
Strategic use • Switching costs • Access to distribution channels • Economies of scale
Strategic use • Selection of supplier • Threat of backward integration
Strategic use • Buyer selection • Switching costs • Differentiation
Strategic use • Redefine products and services • Improve price/performance
Potential Threat of New Entrants
1
Threat of Substitute Products
4
Industry Competitors
5
FIGURE 2.3 Five competitive forces with potential strategic use of information resources. Sources: Adapted from M. Porter, Competitive Strategy (New York: The Free Press, 1998); and Lynda M. Applegate, F. Warren McFarlan, and James L. McKenney, Corporate Information Systems Management : The Issues Facing Senior Executives, 4th ed. (Homewood, IL: Irwin, 1996).
6 “Viewed as a Monopoly in Europe, Google Takes on Role as a Wireless Trust‐Buster in U.S.,” New York Times (May 8, 2015), B1, B6.
c02.indd 38 11/26/2015 6:20:49 PM
39How Can Information Resources Be Used Strategically?
Bargaining Power of Buyers
Customers often have substantial power to affect the competitive environment. This power can take the form of
easy consumer access to several retail outlets to purchase the same product or the opportunity to purchase in large
volumes at superstores like Walmart. Information resources can be used to build switching costs that make it less
attractive for customers to purchase from competitors. Switching costs can be any aspect of a buyer’s purchas-
ing decision that decreases the likelihood of “switching” his or her purchase to a competitor. Such an approach
requires a deep understanding of how a customer obtains the product or service. For example, Amazon.com’s
patented One Click option encourages return purchases by making buying easier. Amazon.com stores buyer
information, including a default credit card number, shipping method, and “ship‐to” address so that purchases
can be made with one click, saving consumers the effort of data reentry and further repetitive choices. Similarly,
Apple’s iTunes simple‐to‐use interface and proprietary software for downloading and listening to music makes
it difficult for customers to use other formats and technologies, effectively reducing the power of the buyers, the
customers.
Bargaining Power of Suppliers
Suppliers’ bargaining power can reduce a firm’s options and ultimately its profitability. Suppliers often strive to
“lock in” customers through the use of systems (and other mechanisms). For example, there are many options for
individuals to back up their laptop data, including many “cloud” options. The power of any one supplier is low
because there are a number of options. But Apple’s operating system enables easy creation of backups and increases
Apple’s bargaining power. Millions of customers find it easy to use the iCloud, and they do.
The force of bargaining power is strongest when a firm has few suppliers from which to choose, the quality of
supplier inputs is crucial to the finished product, or the volume of purchases is insignificant to the supplier. For
example, steel firms lost some of their bargaining power over the automobile industry because car manufacturers
developed technologically advanced quality control systems for evaluating the steel they purchase. Manufacturers
can now reject steel from suppliers when it does not meet the required quality levels.
Through the Internet, firms continue to provide information for free as they attempt to increase their share of
visitors to their Web sites and gather information about them. This decision reduces the power of information sup-
pliers and necessitates finding new ways for content providers to develop and distribute information. Many Internet
firms are integrating backward or sideways within the industry, that is, creating their own information supply and
reselling it to other Internet sites. Well‐funded firms simply acquire these content providers, which is often quicker
than building the capability from scratch. One example of this was Amazon.com’s purchase of Zappos, the shoe
retailer. More recently, in 2015 LinkedIn acquired online learning company Lynda.com to add a capability to offer
professional development to the company’s business of networking, recruitment, and advertising.
Threat of Substitute Products
The potential of a substitute product in the marketplace depends on the buyers’ willingness to substitute, the
relative price‐to‐performance ratio of the substitute, and the level of switching costs a buyer faces. Information
resources can create advantages by reducing the threat of substitution. Substitutes that cause a threat come from
many sources. Internal innovations can cannibalize existing revenue streams for a firm. For example, new iPhones
motivate current customers to upgrade, essentially cannibalizing the older product line revenue. Of course, this is
also a preemptive move to keep customers in the iPhone product family rather than to switch to another competi-
tor’s product. The threat might come from potentially new innovations that make the previous product obsolete.
Tablets have reduced the market for laptops and personal computers. GPS systems have become substitutes for
paper maps, digital cameras have made film and film cameras obsolete, and MP3 music has sharply reduced the
market for vinyl records, record players, CDs, and CD players. Free Web‐based applications are a threat to soft-
ware vendors who charge for their products and who do not have Web‐based delivery. Revolutions of many kinds
and levels of maturity seem to be lurking everywhere. Cloud services are a substitute for data centers. Uber offers a
substitute for taxicabs. Managers must watch for potential substitutes from many different sources to fully manage
this competitive threat.
c02.indd 39 11/26/2015 6:20:49 PM
40 Strategic Use of Information Resources
Industry Competitors
Rivalry among the firms competing within an industry is high when it is expensive for a firm to leave the industry,
the growth rate of the industry is declining, or products have lost differentiation. Under these circumstances, the
firm must focus on the competitive actions of rivals to protect its own market share. Intense rivalry in an industry
ensures that competitors respond quickly to any strategic actions. Facebook enjoys a competitive advantage in the
social networking industry. Other sites have tried to compete with Facebook by offering a different focus, either a
different type of interface or additional ways to network. Competition is fierce and many start‐ups hope to “be the
next Facebook.” However, Facebook continues to lead the industry, in part by continued innovation and in part by
its huge customer base, which continues to raise the bar for competitors.
The processes that firms use to manage their operations and to lower costs or increase efficiencies can provide
an advantage for cost‐focus firms. However, as firms within an industry begin to implement standard business
processes and technologies—often using enterprisewide systems such as those of SAP and Oracle—the industry
becomes more attractive to consolidation through acquisition. Standardizing IS lowers the coordination costs of
merging two enterprises and can result in a less competitive environment in the industry.
One way competitors differentiate themselves with an otherwise undifferentiated product is through creative use
of IS. Information provides advantages in such competition when added to an existing product. For example, the
iPod, iPhone, iPad, and iWatch are differentiated in part because of the iTunes store and the applications available
only to users of these devices. Competitors offer some of the same information services, but Apple was able to take
an early lead by using information systems to differentiate their products. Credit card companies normally compete
on financial services such as interest rate, fees, and payment period. But Capital One differentiated its credit cards
by adding information to its services; it provided customers their credit scores.
Each of the competitive forces identified by Porter’s model is acting on firms at all times, but perhaps to a greater
or lesser degree. There are forces from potential new entrants, buyers, sellers, substitutes, and competitors at all
times, but their threat varies. Consider Zara, the case discussed in at the beginning of this chapter. See Figure 2.4
for a summary of these five forces working simultaneously at the retailer and manufacturer.
General managers can use the five competitive forces model to identify the key forces currently affecting compe-
tition, to recognize uses of information resources to influence forces, and to consider likely changes in these forces
FIGURE 2.4 Application of five competitive forces model for Zara.
Competitive Force IT Influence on Competitive Force
Threat of New Entrant Zara’s IT supports its tightly knit group of designers, market specialists, production managers, and production planners. New entrants are unlikely to be able to provide IT to support such relationships that have been built over time at Zara. Further, it has a rich information repository about customers that would be hard to replicate.
Bargaining Power of Buyers Recently, Zara has employed laser technology to measure 10,000 women volunteers so that it can add the measurements of “real” customers into its information repositories. This means that the new products will be more likely to fit Zara customers.
Bargaining Power of Suppliers Its computer‐controlled cutting machine cuts up to 1,000 layers at a time. A large number of sellers are available for the simple task of sewing the pieces together. Zara has great flexibility in choosing the sewing companies.
Industry Competitors Zara tracks breaking trends and focuses on meeting customer preferences for trendy, low‐cost fashion. The result is the highest sales per square foot in its industry, virtually no advertising, only 10% of stock remaining unsold, very low inventory levels, new products offered in 15 days from idea to shelves, and extremely efficient manufacturing and distribution operations.
Threat of Substitute Products IT helps Zara offer extremely fashionable lines that are expected to last for approximately 10 wears. IT enables Zara to offer trendy, appealing apparel at hard‐to‐beat prices, making substitutes difficult.
c02.indd 40 11/26/2015 6:20:49 PM
41How Can Information Resources Be Used Strategically?
over time. The changing forces drive both the business strategy and IS strategy, and this model provides a way to
think about how information resources can create competitive advantage for a business unit and, even more broadly,
for the firm. The forces also can reshape an entire industry—compelling general managers to take actions to help
their firm gain or sustain competitive advantage.
Using Information Resources to Alter the Value Chain
A second lens for describing the strategic use of information systems is Porter’s value chain. The value chain model
addresses the activities that create, deliver, and support a company’s product or service. Porter divided these activ-
ities into two broad categories (Figure 2.5): support and primary activities. Primary activities relate directly to the
value created in a product or service whereas support activities make it possible for the primary activities to exist
and remain coordinated. Each activity may affect how other activities are performed, suggesting that information
resources should not be applied in isolation. For example, more efficient IS for repairing a product may increase
the possible number of repairs per week, but the customer does not receive any value unless his or her product is
repaired, which requires that the spare parts be available. Changing the rate of repair also affects the rate of spare
parts ordering. If information resources are focused too narrowly on a specific activity, then the expected value may
not be realized because other parts of the chain have not adjusted.
The value chain framework suggests that competition stems from two sources: lowering the cost to perform
activities and adding value to a product or service so that buyers will pay more. To achieve true competitive
advantage, a firm requires accurate information on elements outside itself. Lowering activity costs achieves an
advantage only if the firm possesses information about its competitors’ cost structures. Even though reducing
isolated costs can improve profits temporarily, it does not provide a clear competitive advantage unless the
firm can lower its costs below a competitor’s. Doing so enables the firm to lower its prices as a way to grow its
market share.
For example, many Web sites sell memory to upgrade laptops. But some sites, such as crucial.com, have an
option that automates the process prior to the sales process. These sites have the “Crucial System Scanner Tool,”
which scans the customer’s laptop, identifies the current configuration and the capacity, and then suggests com-
patible memory upgrade kits. The customer uses the scanner, which identifies the configuration of the laptop, and
automatically opens a Web page with the appropriate memory upgrades. The customer does not have to figure out
the configuration or requirements; it’s done automatically. By combining a software program like its configurator
with the sales process, crucial.com has added value to the customer’s experience by automating a key process.
Organization
Human Resources
Technology
Purchasing
Inbound
Logistics
Outbound
Logistics
Operations Marketing
and Sales
Service
Materials handling Delivery
Manufacturing Assembly
Order processing Shipping
Product Pricing Promotion Place
Customer service Repair
P ri
m a ry
A c ti
v it
ie s
S u
p p
o rt
A c ti
v it
ie s
FIGURE 2.5 Value chain of the firm. Source: Adapted from Michael Porter and Victor Millar, “How Information Gives You Competitive Advantage,” Harvard Business Review (July–August 1985), reprint no. 85415.
c02.indd 41 11/26/2015 6:20:49 PM
42 Strategic Use of Information Resources
Although the value chain framework emphasizes the activities of the individual firm, it can be extended, as
in Figure 2.6, to include the firm in a larger value system. This value system is a collection of firm value chains
connected through a business relationship and through technology. From this perspective, a variety of strategic
opportunities exist to use information resources to gain a competitive advantage. Understanding how information is
used within each value chain of the system can lead to new opportunities to change the information component of
value‐added activities. It can also lead to shakeouts within the industry as firms that fail to provide value are forced
out and as surviving firms adopt new business models.
Opportunity also exists in the transfer of information across value chains. For example, sales forecasts gener-
ated by a manufacturer, such as a computer or automotive company, and linked to supplier systems create orders
for the manufacture of the necessary components for the computer or vehicle. Often this coupling is repeated from
manufacturing company to vendor/supplier for several layers, linking the value chains of multiple organizations. In
this way, each member of the supply chain adds value by directly linking the elements of its value chains to others.
Optimizing a company’s internal processes, such as its supply chain, operations, and customer relationship
processes, can be another source of competitive advantage. Tools are routinely used to automate the internal oper-
ations of a firm’s value chain, such as supply chain management (SCM) to source materials for operations, enterprise resource planning (ERP) systems to automate functions of the operations activities of the value chain, and customer relationship management (CRM) systems to optimize the processing of customer information. These systems are discussed in more detail in Chapter 5.
In an application of the value chain model to the Zara example discussed earlier, Figure 2.7 describes the value
added to Zara’s primary and support activities provided by information systems. The focus in Figure 2.7 is on
value added to Zara’s processes, but suppliers and customers in its supply chain also realize the value added by
information systems. Most notably, the customer is better served as a result of the systems. For example, the stores
place orders twice a week over personal digital assistants (PDAs). Each night, managers use their PDAs to learn
about newly available garments. The orders are received and promptly processed and delivered. In this way, Zara
can be very timely in responding to customer preferences.
Unlike the five competitive forces model, which focuses on industry dynamics, the focus of the value chain is
on the firm’s activities. Yet, using the value chain as a lens for understanding strategic use of information resources
affects competitive forces because technology innovations add value to suppliers, customers, or even competitors
and potential new entrants.
Supplier’s
Value
Chains
Firm’s
Value
Chain
Channel’s
Value
Chains
Buyer’s
Value
Chains
FIGURE 2.6 The value system: Interconnecting relationships between organizations.
c02.indd 42 11/26/2015 6:20:49 PM
43Sustaining Competitive Advantage
Sustaining Competitive Advantage It might seem obvious that a firm would try to sustain its competitive advantage. After all, the firm might have
worked very hard to create advantages, such as those previously discussed. However, there is some controversy
about trying to sustain a competitive advantage.
On one side are those who warn of hypercompetition as discussed in Chapter 1.7 In an industry facing hyper-
competition, recall that trying to sustain an advantage can be a deadly distraction. Consider the banking industry as
a good example that has undergone much change over the past five decades. In the 1960s, people needed to visit a
physical bank for all transactions, including withdrawing from or depositing to their accounts and transferring among
accounts. In the 1970s, some banks took a chance and invested in automated teller machines (ATMs) and were
among the innovators in the industry. In the 1980s, some banks pioneered “bank‐by‐phone” services that enabled
customers to pay bills by phone, attempting to establish competitive advantage with technology. In the late 1990s,
Web sites served to augment banking services, and “bank‐by‐web” was the new, exciting way to compete. Most
recently, many banks are providing mobile banking, enabling customers to make deposits by using their smartphone
camera to take photos of checks that previously needed to be turned in physically. Then the checks can be destroyed.
The obvious picture to paint here is that competitors caught up with the leaders very quickly, and competitive
advantage was brief. When ATMs were introduced, it did not take long for others to adopt the same technology.
Even small banks found that they could band together with competitors and invest in the same technologies. The
same imitation game took place with “bank by phone,” “bank by Web,” and mobile banking.
More interestingly, what sounds like an exciting way to show off the power of technology can also be interpreted
as a way to increase the cost of doing business. Although some investments, such as using ATMs to replace tellers,
lowered costs, other investments raised costs (such as needing to offer phone, Web, and mobile banking options to customers).
FIGURE 2.7 Application of value chain model to Zara.
Activity Zara’s Value Chain
Primary Activities
Inbound Logistics IT‐enabled just‐in‐time (JIT) strategy results in inventory being received when needed. Most dyes are purchased from its own subsidiaries to better support JIT strategy and reduce costs. Many suppliers are located near its production facilities.
Operations Information systems support decisions about the fabric, cut, and price points. Cloth is ironed and products are packed on hangers so they don’t need ironing when they arrive at stores. Price tags are already on the products. Zara produces 60% of its merchandise in house. Fabric is cut and dyed by robots in 23 highly automated Spanish factories.
Outbound Logistics Clothes move on miles of automated conveyor belts at distribution centers and reach stores within 48 hours of the order.
Marketing and Sales Limited inventory allows low percentage of unsold inventory (10%); POS at stores linked to headquarters track how items are selling; customers ask for what they want, and this information is transmitted daily from stores to designers over handheld computers.
Service No focus on service on products.
Support Activities
Organization IT supports tightly knit collaboration among designers, store managers, market specialists, production managers, and production planners.
Human Resources Managers are trained to understand what’s selling and report data to designers every day. The manager is key to making customers feel listened to and to communicating with head- quarters to keep each store and the entire Zara clothing line at the cutting edge of fashion.
Technology Technology is integrated to support all primary activities. Zara’s IT staff works with vendors to develop automated conveyors to support distribution activities.
Purchasing Vertical integration reduces amount of purchasing needed.
7 Don Goeltz, “Hypercompetition,” vol. 1 of The Encyclopedia of Management Theory, ed. Eric Kessler (Los Angeles: Sage, 2013), 359–60.
c02.indd 43 11/26/2015 6:20:49 PM
44 Strategic Use of Information Resources
Rather than arguing that sustaining a competitive advantage is a deadly distraction, Piccoli and Ives8 provide
a framework that outlines the ways in which a firm can provide barriers to competitors, which would build sus-
tainability. The framework outlines four types of barriers: IT project barrier, IT resources and capabilities barrier,
complementary resources barrier, and preemption barrier. See Figure 2.8 for a brief definition and a few examples
of each.
So, should a firm focus attention on building barriers to the competition, or should it just give up on the
established competitive advantage and focus on seeking the next revolution? Given that some technologies can be
copied quickly, or even just purchased from the same well‐known vendor who supplied it to the leader, it seems
prudent to spend some time to explore each technological option in the Piccoli and Ives’ framework and determine
where the firm can increase sustainability. If the project is rather small, then the firm should focus on the other
three barriers. If the firm can build loyalty with customers who appreciate innovation, a two‐month competitive
advantage might turn into a two‐year or longer advantage (thus building a preemption barrier). If a firm can capture
valuable data right at the beginning, a copycat firm may fall further behind. Also, building partnerships or securing
exclusive rights to some of the technologies can further slow down a competitor.
It would not be wise to stop there, however. The firm should continue to seek ways in which IT can improve
offerings or service to customers. And the firm should go beyond those steps, focusing on how it might change
its entire industry. One example is the way in which Netflix continued to speed its DVD delivery service while
focusing on movie streaming, a technology that will someday make the delivery service obsolete. Netflix was more
than aware that its revenue was falling every quarter, but it expected and embraced the shortfall with its strategic
move into streaming.9 Given that other services such as Amazon and many cable companies had begun streaming,
Netflix has created original series offerings such as House of Cards and Orange Is the New Black. Therefore, a firm might (1) seek ways to build sustainability by looking into each of the four potential barriers
to identify promising ways to block the competition and at the same time (2) continue to innovate and change the
industry. Netflix has done both by building a dependable and efficient mailing business and creating new business
models such as streaming and series production. Focusing only on building sustainability has the potential effect of
fighting a losing battle, and focusing only on new business models might be too risky as the sole source of growth.
The last strategic framework, resource‐based view, is more general and emphasizes ways in which to exploit its
many potential resources. The framework, described next, can be helpful for sustaining and creating competitive
advantage.
FIGURE 2.8 Barriers to competition and building sustainability.
Barrier Definition Examples
IT project barrier It would be a large undertaking for a competitor to build the system to copy the capability.
• Requires a large investment • Requires a long time to build • Complicated to build
IT assets and capabilities barrier Competitors might lack the IT resources to copy the capability.
• Database of customers that cannot be copied
• Expert developers or project managers
Complementary resources barrier The firm has other resources that create a synergy with the IT that provides competitive advantage.
• Respected brand • Partnership agreements • Exclusivity arrangements • Good location
Preemption barrier The firm “got there first.” • Loyal customer base built at the beginning
• Firm known as “the” source
8 Piccoli and Ives, “IT‐Dependent Strategic Initiatives and Sustained Competitive Advantage,” 755. 9 Greg Sandoval, “Netflix CEO, DVD Subscribers to Decline Now and Forever,” CNET, http://www.cnet.com/news/netflix‐ceo‐dvd‐subscribers‐to‐ decline‐now‐and‐forever (accessed August 19, 2015).
c02.indd 44 11/26/2015 6:20:50 PM
45Sustaining Competitive Advantage
Using the Resource‐Based View (RBV)
A fourth framework, the resource‐based view (RBV),10 is useful for determining whether a firm’s strategy has created value by using IT. Like the value chain model, the RBV concentrates on areas that add value to the firm.
Whereas the value chain model focuses on a firm’s activities, the resource‐based view focuses on the resources that
it can manage strategically in a rapidly changing competitive environment. Like the Piccoli and Ives framework,
the RBV focuses on sustaining competitive advantage but through use of resources rather than by raising compet-
itive barriers.
The RBV has been applied in the area of IS to help identify two types of information resources: those that enable
a firm to attain competitive advantage and those that enable a firm to sustain the advantage over the long term. From the IS perspective,11 some types of resources are better than others for creating attributes that enable a firm to
attain competitive advantage (i.e., value, rarity) whereas other resources are better for creating attributes to sustain
competitive value (e.g., low substitutability, low mobility, low imitability).
Resources to Attain Competitive Advantage
Valuable and rare resources that firms must leverage to establish a superior resource position help companies attain
competitive advantage. A resource is considered valuable when it enables the firm to become more efficient, effec-
tive, or innovative. It is a rare resource when other firms do not possess it. For example, many banks today would
not think of doing business without a mobile banking app. Mobile banking apps are very valuable to the banks in
terms of their operations. A bank’s customers expect it to provide a mobile banking app that can be used on any
mobile device. However, because many other banks also have mobile banking apps, they are not a rare resource,
and they do not offer a strategic advantage. Some call them table stakes or resources required just to be in the business. Many systems in Eras I and II, and especially Era III, were justified on their ability to provide a rare and
valuable resource. In some cases these very systems have become table stakes.
Resources to Sustain Competitive Advantage
Many firms that invested in systems learned that gaining a competitive advantage does not automatically mean that
they could sustain it over the long term. The only way to do that is to continue to innovate and to protect against
resource imitation, substitution, or transfer. For example, Walmart’s complex logistics management is deeply
embedded in both its own and its suppliers’ operations so that imitations by other firms is unlikely. The Oakland
Athletics’ use of information systems propelled it to victory, as depicted in the movie Moneyball, but as soon as other teams learned about the secret behind the success Oakland was having with analytics and information sys-
tems, they, too began to use similar techniques, reducing the advantage Oakland initially enjoyed. Finally, to sustain
competitive advantage, resources must be difficult to transfer or replicate, or relatively immobile. Some information
resources can be easily bought. However, technical knowledge—especially that which relates to a firm’s opera-
tion—an aggressive and opportunistic company culture, deep relationships with customers, and managerial experi-
ence in the firm’s environment is less easy to obtain and, hence, considered harder to transfer to other firms.
Some IT management skills are general enough in nature to make them easier to transfer and imitate. Although
it clearly is important for IS executives to manage internally oriented resources such as IS infrastructure, systems
development, and running cost‐effective IS operations, these skills can be acquired in many different forms. They
are basic IT management skills possessed by virtually all good IS managers. Other skills, however, are unique to a
firm and require considerable time and resources to develop. For example, it takes time to learn how the firm oper-
ates and to understand its critical processes and socially complex working relationships. However, the message sug-
gested by the RBV is that IS executives must look beyond their own IS shop and concentrate on cultivating resources
10 The resource‐based view was originally proposed by management researchers, most prominently Jay Barney, “Firm Resources and Sustained Compet-
itive Advantage,” Journal of Management 17, no. 1 (1991), 99–120 and “Is the Resource‐Based ‘View’ a Useful Perspective for Strategic Management Research? Yes,” Academy of Management Review 26, no. 1 (2001), 41–56; M. Wade and J. Hulland, “Review: The Resource‐Based View and Information Systems Research: Review, Extension and Suggestions for Future Research,” MIS Quarterly 28, no. 1 (2004), 107–42. This article reviewed the resource‐ based view’s application in the MIS literature and derived a framework to better understand its application to IS resources. 11 http://www.minonline.com/best_of_web/Best‐of‐the‐Web‐CommunitySocial‐Networking_10185.html (accessed January 1, 2012).
c02.indd 45 11/26/2015 6:20:50 PM
46 Strategic Use of Information Resources
that help the firm understand changing business environments and allow it to work well with all its external stake-
holders. Even when considering internally oriented information resources, there are differences in the extent to
which these resources add value. Many argue that IS personnel are willing to move, especially when offered higher
salaries by firms needing these skills. Yet, some technical skills, such as knowledge of a firm’s use of technology to
support business processes, and technology integration skills are not easily exported to, or imported from, another
firm. Further, hardware and many software applications can be purchased or outsourced, making them highly imita-
ble and transferrable. Because it is unlikely that two firms have exactly the same strategic alternatives, resources at
one firm might have only moderate substitutability in the other firm.
Zara and RBV
Figure 2.9 indicates the extent to which the attributes of each information resource may add value to Zara, the
company discussed earlier in the chapter. Zara’s advantage did not come from the specific hardware or software
technologies it employed. Its management spent five to ten times less on technology than its rivals. In contrast,
FIGURE 2.9 Information resources at Zara, by attribute. Source: Based on M. Wade and J. Hulland, “The Resource‐Based View and Information Systems Research: Review, Extension and Suggestions for Future Research,” MIS Quarterly 28, no. 1 (2004), 107–42.
Value Creation Value Sustainability
Resource/Attribute Value Rarity Imitation Substitution Transfer
IT ASSET
IT Infrastructure Moderate because of its skillful use of the POS equipment, handheld computers, automated conveyors, and computer‐controlled equipment to cut patterns, but similar technology could be purchased and used by competitors
Easy to imitate and transfer its infrastructure
Moderate for substitution of infrastructure (automated conveyers)
Information Repository
High value and rarity because of its information about customers’ preferences and body types, which Zara leverages strategically; well integrated with Zara’s operations and personnel; retail information analyzed by designers to identify future products
Difficult to imitate and transfer
Extremely difficult to substitute because of the volume and nature of the data
IT CAPABILITY
Technical Skills Low value/rarity because IS professionals could be hired relatively easily to perform the technical work
Moderately difficult to imitate, substitute, or transfer; some sustainability results because the skills are used to integrate across a range of systems
IT Management Skills
High value/rarity because they were acquired over time
Difficult to imitate, substitute, or transfer; resources leveraged well
Relationship Skills—Externally Focused
High value from relationships with European manufacturers
Moderate rarity because other companies also have relationships with manufacturers although required time to develop the relationship
Difficult to imitate, substitute, or transfer; turnaround time of under 5 weeks from conception to distribution
Relationship Skills—Spanning
High rarity of spanning Difficult to imitate, substitute, or transfer spanning; unusual tight‐knit teams at headquarters not easy to imitate or purchase in the marketplace, allowing the ability to correctly interpret and quickly respond to customer needs
c02.indd 46 11/26/2015 6:20:50 PM
47Strategic Alliances
Zara has created considerable value from the other information asset—its valuable information repository with cus-
tomers ’ preferences and body types.
In terms of information capability, much of Zara ’ s value creation is from its valuable and rare IT management
skills. Zara ’ s relationship skills also serve as a tool for value creation and sustainability. Overall, Zara is able to
create high value from its IT management and relationship skills. It would be moderately to extremely diffi cult to
substitute, imitate, or transfer them.
The resource‐based theory, although highly cited, has received its share of criticism. 12 The major criticism is that
it doesn ’ t clearly distinguish between value and strategic competitive advantage. Another criticism of the original
theory is that it doesn ’ t consider different types of resources. However, IS researchers addressed this concern when
they categorized resources into assets and capabilities and then provided examples of each. In applying the theory,
it is important to recognize that it is focused on internal sources of a fi rm ’ s competitive advantage and, thus, does
not thoroughly take into account the environment in which the fi rm is embedded, especially when the environment
is quite dynamic.
Most fi rms don ’ t really have a choice of creating competitive advantage by manipulating industry forces either
through their use of information resources or IT‐enhanced activities. Yet, like Zara , they can leverage the IT
resources they do have to create and sustain strategic value for their fi rms.
Strategic Alliances The value chain helps a fi rm focus on adding value to the areas of most value to its partners. The resource‐based
view suggests adding value using externally oriented relationship skills. The Eras framework emphasizes the
importance of collaborative partnerships and relationships. The increasing number of Web applications focused on
collaboration and social networking only foreshadow even more emphasis on alliances. These relationships can
take many forms, including joint ventures, joint projects, trade associations, buyer–supplier partnerships, or car-
tels. Often such partnerships use information technologies to support strategic alliances and integrate data across
Social Business Lens: Social Capital
A management theory that is gaining in popularity as a tool in understanding a social business is the social capital
theory. Social capital is the sum of the actual and potential resources embedded within, available through, and
derived from the network of relationships possessed by an individual or social unit. Relationships associated with
networks have the potential of being a valuable resource for businesses. The theory ’ s focus is not on managing
individuals but on managing relationships.
The value from networks may be derived in one of three interrelated ways: structural, relational, and cognitive.
The structural dimension is concerned with the pattern of relationships in the network—who is connected to whom.
The relational dimension looks at the nature of relationships among members in the network (i.e., respect, friend-
ship)—how the connected people interact. The third cognitive dimension looks at the way people think about
things in the network, in particular whether they have a shared language, system of meanings or interpretations—
how the connected people think. The unusual thing about social capital is that no one person owns it. Rather, the
people in the relationship own it jointly. Thus, it can ’ t be traded easily, but it can be used to do certain things more
easily. In particular, in social business applications, social capital may make it easier to get the information needed
to perform a task or connect with certain key people. In IS development teams, social capital may improve the
willingness and ability of team members to coordinate their tasks in completing a project.
Source: J. Nahapiet and S. Ghosal , “ Social Capital, Intellectual Capital and the Organizational Value , “ Academy of Management Review , 23 , no. 2 ( 1998 ), 242 – 66 .
12 For an excellent discussion of criticisms of the resource‐based view, see J. Kraaijenbrink , J‐C Spender , and A. J. Groen “ The Resource‐Based View:
A Review and Assessment of Its Critiques ,” Journal of Management , 36 , no. 1 , ( 2010 ), 349 – 72 .
c02.indd 47 11/26/2015 6:20:50 PM
48 Strategic Use of Information Resources
partners’ information systems. A strategic alliance is an interorganizational relationship that affords one or more companies in the relationship a strategic advantage. An example is the strategic alliance between game maker
Zynga and Facebook. As documented in Facebook’s IPO filing in January 2012, the relationship is a mutually
beneficial one. Zynga developed some of the most popular games found on Facebook, including Mafia Wars,
Farmville, and WordsWithFriends. Facebook has exclusive rights to Zynga’s games, many of which have generated
thousands of new members for Facebook. It also gained access to Zynga’s customer database. The alliance gen-
erates significant revenue for both parties because players of these games purchase virtual goods with real money
and Zynga purchases significant advertising space from Facebook to promote its games. Zynga benefits from the
revenue resulting from its gamers on Facebook community.13
Business ecosystems are often groups of strategic alliances in which a number of partners provide important ser-
vices to each other and jointly create value for customers. The Facebook ecosystem could be said to include many
of the companies that use that platform to deliver their apps, that allow customers to post directly on their Facebook
page from the app, or that allow customers to log on to their site using their Facebook account. This adds value
for customers by providing greater convenience, and by offering the ability to automatically update their activity
stream with information from the app, and both Facebook and the app provider benefit from their alliance.
IS often provides the platform upon which a strategic alliance functions. Technology can help produce the prod-
uct developed by the alliance, share information resources across the partners’ existing value systems, or facilitate
communication and coordination among the partners. Because many services are information based today, an IS
platform is used to deliver these services to customers. The Facebook– Zynga alliance is an example of this type of
IS platform. Further, linking value chains through supply chain management (SCM) is another way that firms build
an IT‐facilitated strategic alliance.
Co‐opetition
Clearly, not all strategic alliances are formed with suppliers or customers as partners. Rather, co‐opetition is an
increasingly popular alternative model. As defined by Brandenburg and Nalebuff in their book of the same name,
co‐opetition is a strategy whereby companies cooperate and compete at the same time with companies in their value net.14 The value net includes a company and its competitors and complementors as well as its customers and
suppliers and the interactions among all of them. A complementor is a company whose product or service is used in conjunction with a particular product or service to make a more useful set for the customer. For example, Goodyear
is a complementor to Ford and GM because tires are a complementary product to vehicles. Likewise, Amazon is a
complementor to Apple in part because the Amazon reading application, the Kindle, the reading tablet that Amazon
sells, is one of the most popular apps for the iPad. Finally, a cellular service is a complementor to Google’s search
engine because the service allows more consumers to use Google’s search function.
Co‐opetition, then, is the strategy for creating the best possible outcome for a business by optimally combining
competition and cooperation. It can also be used as a strategy for sourcing as discussed in Chapter 10. It fre-
quently creates competitive advantage by giving power in the form of information to other organizations or groups.
For example, Covisint.com hosts the auto industry’s e‐marketplace, which grew out of a consortium of compet-
itors, including General Motors, Ford, DaimlerChrysler, Nissan, and Renault. By addressing multiple automo-
tive functional needs across the entire product life cycle, Covisint offers support for collaboration, supply chain
management, procurement, and quality management. Covisint.com has extended this business‐to‐partner platform
to other industries including health care, manufacturing, life sciences, food and beverage, and oil and gas. Thus,
co‐opetition as demonstrated by Covisint not only streamlines the internal operations of its backers but also has the
potential to transform an industry.
13 Adapted from N. Wingfield, “Virtual Products, Real Profits” The Wall Street Journal (September 9, 2011), A1, 16; L. B. Baker, “Zynga’s Sales Soar on Facebook Connection,” Reuters News (February 2, 2012), http://www.reuters.com/article/2012/02/02/us‐zynga‐shares‐idUSTRE8111PO20120202 (accessed September 14, 2015); Jackie Cohen, “So Much for the Facebook Effect: Zynga Sees $978.6 Million Loss In 2011,” Yahoo News (February 14, 2012), http://www.allfacebook.com/facebook‐zynga‐eps‐2012‐02 (accessed February 20, 2012). 14 A. Brandenburg and B. Nalebuff, Co‐opetition (New York: Doubleday, 1996).
c02.indd 48 11/26/2015 6:20:50 PM
49Risks
Risks As demonstrated throughout this chapter, information resources may be used to gain strategic advantage even if that
advantage is fleeting. When information systems are chosen as the tool to outpace a firm’s competitors, executives
should be aware of the many risks that may surface. Some of these risks include the following:
• Awakening a sleeping giant: A firm can implement IS to gain competitive advantage only to find that it nudged a larger competitor with deeper pockets into implementing an IS with even better features. FedEx
offered its customers the ability to trace the transit and delivery of their packages online. FedEx’s much
larger competitor, UPS, rose to the challenge. UPS not only implemented the same services but also added
a new set of features eroding some of the advantages FedEx enjoyed, causing FedEx to update its offerings.
Both the UPS and FedEx sites passed through multiple Web site iterations as the dueling delivery companies
continue to struggle for competitive advantage.
• Demonstrating bad timing: Sometimes customers are not ready to use the technology designed to gain strategic advantage. For example, Grid Systems created the GRiDPAD in 1989. It was a tablet computer
designed for businesses to use in the field and was well reviewed at that time. But it didn’t get traction.
Three decades later, in 2010, Apple introduced the iPad, and tablet computing took off.
• Implementing IS poorly: Stories abound of information systems that fail because they are poorly imple- mented. Typically, these systems are complex and often global in their reach. An implementation fiasco took
place at Hershey Foods when it attempted to implement its supply and inventory system. Hershey devel-
opers brought the complex system up too quickly and then failed to test it adequately. Related systems prob-
lems crippled shipments during the critical Halloween shopping season, resulting in large declines in sales
and net income. More recently, in 2012, more than 100,000 Austin Energy customers received incorrect util-
ity bills due to problems with the company’s vendor‐supplied bill collection system. Some customers went
months without a bill, and others were incorrectly billed. Some businesses that owed $3,000 were billed
$300,000. Still others tried to pay their bill online only to be told that the payment had not recorded when it
had been. The utility calculated that the problems cost it more than $8 million.15
• Failing to deliver what users want: Systems that do not meet the needs of the firm’s target market are likely to fail. For example, in 2011, Netflix leadership divided the company into two, calling the DVD‐rental
business Qwikster and keeping the streaming business under Netflix. But customers complained, and worse,
closed their accounts, and less than a month later, Qwikster was gone. Netflix reunited both businesses
under the Netflix name.16
• Running afoul of the law: Using IS strategically may promote litigation if the IS results in the violation of laws or regulations. Years ago, American Airlines’ reservation system, Sabre, was challenged by the airline’s
competitors on the grounds that it violated antitrust laws. More recently, in 2010, Google said it was no
longer willing to adhere to Chinese censorship. The Chinese government responded by banning searching
via all Google search sites (not only google.cn but all language versions, e.g., google.co.jp. google.com.au),
including Google Mobile. Google then created an automatic redirect to Google Hong Kong, which stopped
June 30, 2010, so that Google would not lose its license to operate in China. Today, Google, Inc. is acting
in compliance with the Chinese government’s censorship laws and Chinese users of Google.cn see filtered
results as before. More recently, European antitrust officials claimed that Google’s search engine unfairly
generates results that favor its shopping sites over those of its competitors and that its Android mobile phone
operating system unfairly features Google as the default search engine.17
15 Marty Toohey, “More Than 100,000 Austin Energy Customers Hit by Billing Errors from $55 Million IBM System,” Statesman (February 18, 2012), http://www.statesman.com/news/local/more‐than‐100‐000‐austin‐energy‐customers‐hit‐2185031.html (accessed February 20, 2012). 16 Qwikster = Gonester (October 10, 2011), http://www.breakingcopy.com/netflix‐kills‐qwikster (accessed February 20, 2012). 17 “Viewed as a Monopoly in Europe, Google Takes on Role as a Wireless Trust‐Buster in U.S.,” The New York Times (May 8, 2015), B1, B6.
c02.indd 49 11/26/2015 6:20:50 PM
50 Strategic Use of Information Resources
Every business decision has risks associated with it. However, with the large expenditure of IT resources needed
to create sustainable, strategic advantages, the manager should carefully identify and then design a mitigation strat-
egy to manage the associated risks.
Co‐Creating IT and Business Strategy This chapter has discussed the alignment of IT strategy with business strategy. Certainly, the two strategies must
be carefully choreographed to ensure receiving maximum value from IT investments and obtaining the maximum
opportunity to achieve the business strategy. However, in the fast‐paced business environment where information
is increasingly a core component of the product or service offered by the fi rm, managers must co‐create IT and
business strategy. That is to say that IT strategy is business strategy; one cannot be created independently of the other. In many cases, they are now one in the same.
For companies whose main product is information, such as fi nancial services companies, it ’ s clear that information
management is the core of the business strategy itself. How an investment fi rm manages the clients ’ accounts, how
its clients interact with the company, and how investments are made are all done through the management of
information. A fi nancial services company must co‐create business and IT strategy.
But consider a company like FedEx , most well known as the package delivery company. Are customers paying
to have a package delivered or to have information about that package ’ s delivery route and timetable? One could
argue that they are one in the same and that increasingly the company ’ s business strategy is its IS strategy. Certainly, there are components of the operation that are more than just information. There are actual packages to be loaded
on actual trucks and planes, which are then actually delivered to their destinations. However, to make it all work,
the company must rely on IS. Should the IS stop working or have a serious failure, FedEx would be unable to do
business. A company like this must co‐create IT strategy and business strategy.
This was not true a few years ago. Companies could often separate IS strategy from business strategy in part
because their products or services did not have a large information component. For example, a few years ago,
should the IS of a trucking company stop working, the trucks would still be able to take their shipments to their
destination and pick up new ones. It might be slower or a bit more chaotic, but the business wouldn ’ t stop. Today,
that ’ s not the case. Complicated logistics are the norm, and IS are the foundation of the business as seen at FedEx .
With the increasing number of IS applications on the Web and on mobile devices, fi rms increasingly need to
co‐create business and IT strategy. Managers who think they can build a business model without considering the
opportunities and impact of information systems, using both the resources owned by the fi rm and those available on
the Web, will fi nd they have signifi cant diffi culties creating business opportunities as well as sustainable advantage
in their marketplace.
Geographic Box: Mobile‐Only Internet Users Dominate Emerging Countries
More than 25% of mobile Web users in emerging markets connect to the Internet solely through mobile devices.
This is the case for 70% of mobile Web users in Egypt, 59% in India, and 50% in Nigeria but only for 25% of U.S. and
22% of U.K. mobile Web users. Malaysia is emerging as a test case for a mobile‐only Internet. It has rolled out a
next‐generation, high‐speed broadband network that covers most of its population. This infrastructure makes it
possible to make video calls with Apple ’ s FaceTime application in locations throughout the country using a tiny
pocket router that accesses a WiMAX wireless‐broadband network set up by a local conglomerate, YTL Corp.
Bhd . To further encourage the spread of Internet, Malaysia ’ s leaders have pledged not to censor the Internet.
Sources: G. Dunaway , “ Mobile‐Only Internet Users Dominate Emerging Markets ” Adotas.com (October 24, 2011), http://www.adotas. com/201w1/10/mobile‐only‐internet‐users‐dominate‐emerging‐markets/ (accessed August 19, 2015) ; J. Hookway , “ Broadband in the Tropics ,” The Wall Street Journal (September 21, 2011 ) , B6.
c02.indd 50 11/26/2015 6:20:50 PM
51Discussion Questions
S U M M A R Y
• Information resources include data, technology, people, and processes within an organization. Information resources can be either assets or capabilities.
• IT infrastructure and information repositories are IT assets. Three major categories of IT capabilities are technical skills, IT management skills, and relationship skills.
• Using IS for strategic advantage requires an awareness of the many relationships that affect both competitive business and information strategies.
• The five competitive forces model implies that more than just the local competitors influence the reality of the business situation. Analyzing the five competitive forces—threat of new entrants, buyers’ bargaining power, suppliers’ bargaining
power, industry competitors, and threat of substitute products—from both a business view and an information systems
view helps general managers use information resources to minimize the effect of these forces on the organization.
• The value chain highlights how information systems add value to the primary and support activities of a firm’s internal operations as well as to the activities of its customers and of other components of its supply chain.
• The resource‐based view (RBV) helps a firm understand the value created by its strategy. RBV maintains that compet- itive advantage comes from a firm’s information resources. Resources enable a firm to attain and sustain competitive
advantage.
• IT can facilitate strategic alliances. Ecosystems are groups of strategic alliances working together to deliver goods and services. Supply chain management (SCM) is a mechanism that may be used for creating strategic alliances.
• Co‐opetition is the complex arrangement through which companies cooperate and compete at the same time with other companies in their value net.
• Numerous risks are associated with using information systems to gain strategic advantage: awaking a sleeping giant, demonstrating bad timing, implementing poorly, failing to deliver what customers want, avoiding mobile‐based alterna-
tives, and running afoul of the law.
K E Y T E R M S
business ecosystem (p. 34)
co‐opetition (p. 48)
customer relationship management
(CRM) (p. 42)
enterprise resource planning
(ERP) (p. 42)
information resources (p. 36)
IT asset (p. 36)
IT capability (p. 36)
network effects (p. 34)
resource‐based view (RBV) (p. 45)
strategic alliance (p. 48)
social capital (p. 47)
supply chain management
(SCM) (p. 42)
D I S C U S S I O N Q U E S T I O N S
1. How can information itself provide a competitive advantage to an organization? Give two or three examples. For each example, describe its associated risks.
2. Use the five competitive forces model as described in this chapter to describe how information technology might be used to provide a winning position for each of these businesses:
a. A global advertising agency b. A local restaurant c. A mobile applications provider d. An insurance company e. A Web‐based audio book service
c02.indd 51 11/26/2015 6:20:50 PM
52 Strategic Use of Information Resources
3. Using the value chain model, describe how information technology might be used to provide a winning position for each of these businesses:
a. A global advertising agency b. A local restaurant c. A mobile applications provider d. An insurance company e. A Web‐based audio book service
4. Use the resource‐based view as described in this chapter to describe how information technology might be used to provide and sustain a winning position for each of these businesses:
a. A global advertising agency b. A local restaurant c. A mobile applications provider d. An insurance company e. A Web‐based audio book service
5. Some claim that the only sustainable competitive advantage for an organization is its relationships with its customers. All other advantages eventually erode. Do you agree or disagree? How can information systems play a role in maintaining the
organization ’ s relationship with its customers? Defend your position.
6. Cisco Systems has a network of component suppliers, distributors, and contract manufacturers that are linked through Cisco ’ s extranet. When a customer orders a Cisco product at its Web site, the order triggers contracts to manufacturers of
printed circuit board assemblies when appropriate and alerts distributors and component suppliers. Cisco ’ s contract manu-
facturers are aware of the order because they can log on to its extranet and link with Cisco ’ s own manufacturing execution
systems. What are the advantages of Cisco ’ s strategic alliances? What are the risks to Cisco? To the suppliers?
Groupon, Inc. raised $700 million at its IPO in the fall of 2011, instantly providing a valuation of almost $13 billion for a
company that was only three years old at the time. Some question the value, claiming Groupon has no sustainable compet-
itive advantage. Others see Groupon as an innovative company with high potential.
Groupon sells Internet coupons for events, services, and other popular items that customers might want to buy. Customers
sign up for daily e‐mails targeted to their local market. The daily deal, offered for one‐day only and only if a predetermined
minimum number of customers buy it, gives customers 50% off the “retail” price. For example, a $100 three‐month health
club membership would sell for $50 on Groupon . The customer pays $50 to Groupon and prints a certifi cate to redeem at the
health club. Groupon keeps 50% of the revenue, or $25 in this case, and gives the rest to the health club. Effectively, retailers
are offering 75% off with the customer saving 50% and Groupon taking the rest.
Groupon pays the retailer when the coupon is redeemed, making money both on the fl oat between the time revenue is
collected and the time the retailer is paid and on the certifi cates that are never redeemed at all, which the industry calls break- age. Retailers make money in the long run by introducing customers to their products, selling them additional products and services when they come in to redeem their coupons, and turning them into repeat customers. And retailers benefi t from the
buzz created when their business is on Groupon .
In August 2010, Groupon launched its fi rst national deal, a coupon worth $50 of Gap apparel and accessories for $25.
It sold over 440,000 coupons, netting Groupon and the Gap close to $11 million. But not all vendors are the size of the
Gap , and smaller vendors have been overwhelmed with too many coupons. One local business owner said the company lost
$8,000 on its Groupon promotion when too many coupons were issued. In fact, a study of 150 retailers showed that only
66% found their deals profi table.
Around the time of the IPO, analysts and observers alike claimed that Groupon ’ s business model was not sustainable. In
addition to the large number of retailers who found their deals unprofi table, observers noted that Groupon does not produce
anything of value, and it isn ’ t adding value to the retailers. Further, there are no barriers to entry to stop competitors. In May
2011, more than 450 competitors offering discounts and deals included LivingSocial , another daily deal site; restaurant.com,
a site for restaurant gift certifi cates at a deep discount; and overstock.com and woot.com , sites offering discounted merchan-
dise, not to mention deep‐pocketed competitors like Amazon.com .
■ CASE STUDY 2‐1 Groupon
c02.indd 52 11/26/2015 6:20:50 PM
53Case Study
Zipcar is an answer for customers who want to rent a car for a few hours in their home city rather than for a few days from
a traditional rental agency. Car reservations are for a specifi c pick‐up time and location around the city, often in neighbor-
hoods so the customers need only to walk to pick up their reserved car. Customers apply for a Zipcard, which enables them
to reserve a car online and unlock their car when they arrive at its location.
The company operates with a very small staff compared to traditional rental agencies. Very little human interaction is
required between the customer and Zipcar for a transaction. A customer reserves a car online, enters into the reserved car by
waving the RFID‐enabled Zipcard against the card reader mounted behind the driver ’ s side windshield, returns the car to the
same location, and is billed on the credit card already on fi le. The customer can check all rental records and print receipts
from the online reservation system. The system also has a color‐coded time chart showing the availability and location of all
rental cars in the vicinity. This transparent information exchange allows a customer to pick the car he or she wants, if avail-
able, or delay the reservation until that car is returned by another customer. Zipcar also created and installed a GPS‐enabled
wireless device in each car, which allows members to fi nd and reserve a vehicle nearby using a cell phone. Customers also
can use an iPhone or Android app on their iPhone or Android mobile device to fi nd and reserve a Zipcar on a 24/7 basis.
Zipcar sends text alerts near the end of the rental period, and customers can text back if they want to extend their rental time.
All cars were outfi tted with patented wireless technology. Zipcar ’ s proprietary IT platform carries information fl ow bet-
ween customers, vehicles, and the company. It is used to monitor car security, fulfi ll reservations, record hourly usage, and
maintain mileage information. The platform also relays vital technical information such as battery voltage and fuel level. It
even informs the central system if a customer forgot to turn off headlights, which can quickly drain battery power.
This business model provides unique advantages over traditional car rentals. Customers do not have to stand in line or
fi ll out papers to rent a car. They know exactly which make and model they will be getting. Unlike most off‐airport rental
agency locations, which are open only during business hours, Zipcar locations are open 24 hours. The company ’ s rates also
include the cost of gas and insurance as well as reserved parking spots at some locations.
Additionally, the company uses social networking technologies to develop an online community of Zipcar members—
Zipsters. It encourages Zipsters to talk about their Ziptrips (i.e., share their personal experiences with Zipcar ).
Thus, information technology is not only the key enabler of this business model but also a facilitator in creating a
buzz and encouraging community development around the concept. Zipcar changed the rules of the rental car industry by
■ CASE STUDY 2‐2 Zipcar
But Groupon added to its business strategy with mobile capability and new services. In February 2012, it purchased
Kima Labs , a mobile payment specialist, and Hyperpublic , a company that builds databases of local information. In May
2011, in a few cities, the company launched Groupon Now, a time‐based local application that gives customers instant deals
at merchants nearby using location‐based software. CEO Andrew Mason told Wall Street analysts in February 2012 that he
saw signifi cant growth potential, including working on new features that will help customers personalize offers and avoid
deals they don ’ t want.
Discussion Questions
1. How does information technology help Groupon compete?
2. Do you agree or disagree with the statement that “Groupon has no sustainable competitive advantage?” Please explain
your point of view.
3. How does Groupon add value to the companies whose offers are sold on the site?
4. What impact, if any, will Groupon Now have on Groupon ’ s competitive position? Explain.
5. What would you advise Groupon leaders to consider as their next application?
6. Analyze the business model of Groupon using Porter ’ s five forces model.
Sources: Adapted from http://mashable.com/2010/08/19/gap‐groupon/ (accessed February 21, 2012); http://www.forbes.com/sites/ petercohan/2011/06/06/memo‐to‐sec‐groupon‐has‐no‐competitive‐advantage‐stop‐its‐ipo/ (accessed February 21, 2012); http://blogs. wsj.com/venturecapital/2010/09/29/rice‐university‐study‐groupon‐renewal‐rate‐not‐so‐hot/ (accessed February 21, 2012); http://articles. chicagotribune.com/2011‐05‐18/business/ct‐biz‐0519‐groupon‐now‐20110518_1_groupon‐chief‐executive‐andrew‐mason‐fi rst‐phase (accessed February 21, 2012); http://www.reuters.com/article/2012/02/09/us‐groupon‐idUSTRE81727 B20120209 (accessed February 21, 2012).
c02.indd 53 11/26/2015 6:20:50 PM
54 Strategic Use of Information Resources
bringing the new Web 2.0 mind‐set of focusing on automation, customer empowerment, transparency, and community.
Zipcar is very successful; as of August 2015, its Website boasts over 900,000 paying members and renting over 10,000
vehicles in 30 major metro markets in the United States, Canada, and the United Kingdom, as well as 400 college cam-
puses and 50 airports.
Discussion Questions
1. Apply the resource‐based view to Zipcar ’ s business model to show how information resources may be used to gain and
sustain competitive advantage.
2. Discuss the synergy between the business strategy of Zipcar and information technology.
3. What network effects are part of Zipca r ’ s strategy? How do they add value?
4. As the CEO of Zipca r, what is your most threatening competition? What would you do to sustain a competitive
advantage?
Sources: Adapted from Paul Boutin , “ A Self‐Service Rental Car ,” Businessweek (May 3 , 2006 ), http://www.bloomberg.com/bw/ stories/2006‐05‐03/a‐self‐service‐rental‐car (accessed August 19, 2015) ; Mary K. Pratt , “ RFID: A Ticket to Ride ,” Computerworld (Decem- ber 18, 2006 ), http://www.computerworld.com/article/2554153/mobile‐wireless/rfi d—a‐ticket‐to‐ride.html (accessed August 19, 2015) ; “Zipcar: Our Technology Downloaded,” http://www.zipcar.com/how/technology; Zipcar: “Zipcar Overview,” http://www.zipcar.com/ press/overview (accessed August 19, 2015).
c02.indd 54 11/26/2015 6:20:51 PM
55
3 chapter
In order for information systems (IS) to support an organization in achieving its goals, the organization must refl ect the business strategy and be coordinated with the organizational strategy. This chapter focuses on linking and coordinating the IS strategy with the three components of organizational strategy:
• Organizational design (decision rights, formal reporting relationships and structure, informal networks)
• Management control systems (planning, data collection, performance measurement, evaluation, incentives, and rewards)
• Internal culture (values, locus of control)
Organizational Strategy and Information Systems
After 20 years of fast growth, in 2014 Cognizant Technology Solutions was a company with $8.84
billion in revenues from providing IS outsourcing services. However, growing at such a breakneck
speed, it had to reinvent its organizational structure many times to make sure that it facilitated the
fl ow of information. Initially, its India‐centric structure located managers of each group in India
along with software engineers. Employees at customer locations worldwide reported to the man-
agers. As the company grew and its focus shifted from simple, cost‐based solutions to complex,
relationship‐based solutions, this structure had to be changed to be more customer oriented. Under
the redesigned reporting structure, managers were moved to customer locations but software engi-
neers remained in India. This change improved customer relations but brought about new headaches
on the technical side. Under the new arrangement, managers had to spend their days with cus-
tomers and unexpectedly ended up spending their nights with software engineers to clarify customer
requirements and fi x bugs. This created a tremendous strain on managers, who threatened to quit.
It also hampered the company ’ s business of systems development. Thus, neither of these organiza-
tional structures was working well. Neither structure was well aligned with the business strategy
and the IS strategy.
However, Cognizant found that despite these problems, some work teams were working and
performing well. Upon an extensive analysis of those groups, the company decided to adopt a matrix
structure of comanagement throughout the company. In this matrix structure, each project has two
managers equally responsible for the project in a location. One manager is in India and the other
is at the client site. They work out among themselves how and when to deal with issues. And both
managers are equally responsible for customer satisfaction, project deadlines, and group revenue.
The new structure (Figure 3.1 ) enables Cognizant to work more closely with its clients to focus on
improving operations. That is, the new matrix structure makes it possible to build IS that the cus-
tomers wanted.
During the same time period in 2008, the largest outsourcing company and software exporter
in India, Tata Consultancy Services (TCS), also found that growth led to problems. “As we scale
up over 100,000 employees, TCS needs a structure that allows us to build a nimble organization to
c03.indd 55 11/26/2015 6:22:12 PM
56 Organizational Strategy and Information Systems
capture new growth opportunities,” said then TCS CEO and Managing Director S. Ramadorai.1 Growth led to a
high volume of issues that needed the attention of the CEO and COO, and eventually it was difficult to keep up.
At the same time, there was a need to spend significantly more time investigating new potential markets and new
strategic initiatives than the CEO/COO could spare. In 2011, the new TCS CEO N. Chandrasekaran modified the
structure and added a new layer of leaders to oversee the businesses and free up their time to work on strategy (see
Figure 3.2). The new layer focuses on customers and aims to boost revenue growth.2
While both Cognizant and TCS are large Indian outsourcing companies that found they needed to reorganize
to respond to problems resulting from growth, their problems were profoundly different. Cognizant’s main prob-
lem was its lack of necessary information flows between the software engineers in India and the customer service
managers on the client location. Its complex problems resulted in a correspondingly complex matrix structure. It
focused on the delivery of information systems that reflect refined technical solutions to their problems to its cus-
tomers. Its new organization structure both improves customer responsiveness and necessary information flows.
It focuses on system development and delivery and seeks to address the information flow problem that Cognizant
previously experienced in building systems.
In contrast, TCS’s organization chart reflects a focus not only on current customers but also on future markets.
That is why it added major units called “New Growth Markets” and “Strategic Initiative Unit.” The Business Pro-
cess Outsourcing and Small and Medium Enterprise solutions in this latter major unit indicate the strategic direc-
tions that TCS wants to take. The organizational structure is designed to emphasize these new growth areas and
facilitate information flows along these lines in the organization. Its focus is on building an ever bigger market for
its IS and the IS services that it provides.
CEO
Vertical Functions
Software Engineer
Business Manager
Customer 1 USA
H o
ri z o
n ta
l F
u n
c ti
o n
s
Business Manager
Customer 2 UK
Business Manager
Customer 3 China
Database Manager Telecommunication
Specialist
FIGURE 3.1 Example of possible cognizant matrix structure. Source: Adapted from “The Issue: For Cognizant, Two’s Company,” Businessweek (January 17, 2008), http://www.bloomberg. com/bw/stories/2008‐01‐17/the‐issue‐for‐cognizant‐twos‐companybusinessweek‐business‐news‐stock‐market‐and‐financial‐advice (accessed August 20, 2015).
1 “Reinvented Blog by Prashanth Rai” (March 19, 2008), http://cio‐reinvented.typepad.com/cioreinvented/2008/03/tcs—new‐organ.html (accessed
December 19, 2011). 2 N. Shivapriya, “TCS CEO N Chandrasekaran Creates New Layer to Oversee Verticals” (May 25, 2011), http://articles.economictimes.indiatimes.
com/2011‐05‐25/news/29581999_1_tcs‐ceo‐n‐chandrasekaran‐tcs‐spokesperson‐structure (accessed December 19, 2011).
c03.indd 56 11/26/2015 6:22:12 PM
57 Organizational Strategy and Information Systems
Cognizant and TCS are both in the same business but chose different organizational structures to carry out
their objectives. The point is that different organizational structures reflect different organizational strategies
that are used to implement business strategies and accomplish organizational goals. These organizational strat-
egies need to be aligned with IS strategies. When used appropriately, IS leverage human resources, capital, and
materials to create an organization that optimizes performance. Companies that design organizational strategy
without considering IS strategies run into problems like those Cognizant experienced. A synergy results from
designing organizations with IS strategy in mind—a synergy that cannot be achieved when IS strategy is just
added on.
Chapter 1 introduced a simple framework for understanding the role of IS in organizations. The Information
Systems Strategy Triangle relates business strategy with IS strategy and organizational strategy. In an organization
that operates successfully, an overriding business strategy drives both organizational strategy and information strat-
egy. The most effective businesses optimize the interrelationships between the organization and its IS, maximizing
efficiency and productivity.
Organizational strategy includes the organization’s design, as well as the managerial choices that define, set up, coordinate, and control its work processes. As discussed in Chapter 1, many models of organizational strategy
are available. One is the managerial levers framework that includes the complementary design variables shown
in Figure 3.3. Optimized organizational designs support optimal business processes, and they, in turn, reflect the
firm’s values and culture. Organizational strategy may be considered as the coordinated set of actions that lever-
ages the use of organizational design, management control systems, and organizational culture to make the orga-
nization effective by achieving its objectives. The organizational strategy works best when it meshes well with
the IS strategy.
This chapter builds on the managerial levers model. Of primary concern is how IS impact the three types of
managerial levers: organizational, control, and cultural. This chapter looks at organizational designs that incorpo-
rate IS to define the flow of information throughout the organization, explores how IS can facilitate management
control at the organizational and individual levels, and concludes with some ideas about how culture impacts IS
and organizational performance. It focuses on organizational‐level issues related to strategy. The next two chapters
complement these concepts with a discussion of new approaches to work and organizational processes.
Chief Executive
Officer
Chief Operating
Officer
Director,
Industry
Solutions Unit
Director,
Organization
Infrastructure
Director,
Strategic
Initiative Unit
Director,
Major
Markets
Director, New
Growth
Markets
India
APAC
Emerging
Markets Europe
UK
USA
Business
Process
Outsourcing
Solutions
SME
Solutions
Financial
Solutions
Process
Excellence
Resource
Management
Shared
Services
Technology
Excellence
Multiple units
FIGURE 3.2 Tata Consultancy Services. Source: “TCS Plans New Organizational Structure” (February 12, 2008), http://www.livemint.com/Companies/2ODg7L1mCcRlFow K1ktX5N/TCS‐plans‐new‐organisational‐structure.html (accessed August 20, 2015).
c03.indd 57 11/26/2015 6:22:12 PM
58 Organizational Strategy and Information Systems
Information Systems and Organizational Design Organizations must be designed in a way that enables them to perform effectively. Different designs accomplish
different goals. This section examines organizational variables. It focuses on how IS are designed in conjunction
with an organization’s structure. Ideally, an organizational structure is designed to facilitate the communication
and work processes necessary for it to accomplish the organization’s goals, and the use of IS is often the way
coordination and workflow are done. The organizational structures of Cognizant and TCS, while very different,
reflect and support the goals of each company. Perhaps intuitively, organizational designers at those companies used
organizational variables described in Figure 3.3 to build their structures. Those variables include decision rights
that underlie formal structures, formal reporting relationships, and informal networks. Organizational processes are
another important design component discussed in more detail in Chapter 5.
Decision Rights
Decision rights indicate who in the organization has the responsibility to initiate, supply information for, approve, implement, and control various types of decisions. Ideally, the individual who has the most information about a
decision and who is in the best position to understand all of the relevant issues should be the person who has its
decision rights. But this may not happen, especially in organizations in which senior leaders make most of the
important decisions. Much of the discussion of IT governance and accountability in Chapter 9 is based upon who
has the decision rights for critical IS decisions. When talking about accountability, one has to start with the person
who is responsible for the decision—that is, the person who has the decision rights. Organizational design is all
about making sure that decision rights are properly assigned—and reflected in the structure of formal reporting
FIGURE 3.3 Organizational design variables. Source: Adapted from James I. Cash, Robert G. Eccles, Nitin Nohria, and Richard L. Nolan, Building the Information Age Organiza- tion (Homewood, IL: Richard D. Irwin, 1994).
Variable Description
Organizational variables
Decision rights The authority to initiate, approve, implement, and control various types of decisions necessary to plan and run the business
Business processes The set of ordered tasks needed to complete key objectives of the business
Formal reporting relationships The structure set up to ensure coordination among all units within the organization; reflects allocation of decision rights
Informal networks Mechanisms, such as ad hoc groups, which work to coordinate and transfer information outside the formal reporting relationships
Control variables
Data The facts collected, stored, and used by the organization
Planning The processes by which future direction is established, communicated, and implemented
Performance measurement and evaluation The set of measures that are used to assess success in the execution of plans and the processes by which such measures are used to improve the quality of work
Incentives The monetary and nonmonetary devices used to motivate behavior within an organization
Cultural variables
Values The set of implicit and explicit beliefs that underlies decisions made and actions taken; reflects aspirations about the way things should be done
Locus The span of the culture, i.e., local, national, regional
c03.indd 58 11/26/2015 6:22:13 PM
59Information Systems and Organizational Design
relationships. IS support decision rights by getting the right information to the decision maker at the right time and
then transmitting the decision to those who are affected. In some cases, IS enables a centralized decision maker
to pass information that has been gathered from operations and stored centrally down through the organization. If
information systems fail to deliver the right information, or worse, deliver the wrong information to the decision
maker, poor decisions are bound to be made.
Consider the case of Zara from the last chapter. Each of its 1,000 stores orders clothes in the same way, using the
same type of handheld devices, and follows a rigid weekly timetable for ordering, which provides the headquarters
commercial team with the information needed to manage fulfillment. Many other large retailers make the decision
centrally about what to send to their stores, using forecasting and inventory control models. However, at Zara, store
managers have decision rights for ordering, enabling each store to reflect the tastes and preferences of customers
in its localized area. But, the store managers do not have decision rights for order fulfillment because they have no
way of knowing the consolidated demand of stores in their area. The decision rights for order fulfillment lie with the
commercial team in headquarters because it is the team that knows about overall demand, overall supply, and store
performance in their assigned areas. The information from the commercial team then flows directly to designers
and production, allowing them to respond quickly to customer preferences.3
Formal Reporting Relationships and Organizational Structures
Organizational structure is the design element that ensures that decision rights are correctly allocated. The structure of reporting relationships typically reflects the flow of communication and decision making throughout the orga-
nization. Traditional organizational structures are hierarchical, flat, or matrix. The networked structure is a newer
organizational form. A comparison of these four types of organizational structures may be found in Figure 3.4.
Hierarchical Organizational Structure
As business organizations entered the 20th century, their growth prompted a need for systems for processing and
storing information. A new class of worker—the clerical worker—flourished. From 1870 to 1920 alone, the number
of U.S. clerical workers mushroomed from 74,200 to more than a quarter of a million.4
FIGURE 3.4 Comparison of organizational structures.
Hierarchical Flat Matrix Networked
Description Bureaucratic form with defined levels of management
Decision making pushed down to the lowest level in the organization
Workers assigned to multiple supervisors in an effort to promote integration
Formal and informal communication networks that connect all parts of the company
Characteristics Division of labor, specialization, unity of command, formalization
Informal roles, planning, and control; often small and young organizations
Dual reporting relationships based on function and purpose
Known for flexibility and adaptability
Type of Environment Best Supported
Stable, certain Dynamic uncertain Dynamic uncertain Dynamic uncertain
Basis of Structuring Primarily function Very loose Function and purpose (i.e., location, product, customer)
Networks
Power Structure Centralized Decentralized Distributed (matrix managers)
Distributed (network)
3 Andrew McAfee and Erik Brynjolfsson, “Investing in the IT That Makes a Competitive Difference, https://cb.hbsp.harvard.edu/cbmp/product/R0807J‐
PDF‐ENG (accessed August 20, 2015); James Surowiecki, The Wisdom of Crowds (New York: Anchor Books, 2005). 4 Frances Cairncross, The Company of the Future (London: Profile Books, 2002).
c03.indd 59 11/26/2015 6:22:13 PM
60 Organizational Strategy and Information Systems
Factories and offices structured themselves using the model that Max Weber observed when studying the
Catholic Church and the German army. This model, called a bureaucracy, was based on a hierarchical organiza- tional structure.
Hierarchical organizational structure is an organizational form based on the concepts of division of labor, specialization, span of control, and unity of command. Decision rights are highly specified and centralized. When
work needs to be done, orders typically come from the top and work is subjected to the division of labor. That
means it is segmented into smaller and smaller pieces until it reaches the level of the business in which it will be
done. Middle managers do the primary information processing and communicating, telling their subordinates what
to do and telling senior managers the outcome of what was done. Jobs within the enterprise are specialized and
often organized around particular functions, such as marketing, accounting, manufacturing, and so on. Span of control indicates the number of direct reports. The new TCS CEO, N. Chandrasekaran, revised the organizational structure to lower his span of control by inserting a new layer with only a few leaders reporting directly to him.
Unity of command means that each person has a single supervisor. Rules and policies are established to handle the routine work performed by employees of the organization. When in doubt about how to complete a task, employees
turn to the rules. If a rule doesn’t exist to handle the situation, employees turn to a supervisor in the hierarchy for the
decision. Key decisions are made at the top and filter down through the organization in a centralized fashion. Hier-
archical structures, which are sometimes called vertical structures, are most suited to relatively stable, certain envi- ronments in which the top‐level executives are in command of the information needed to make critical decisions.
This allows them to make decisions quickly.
IS are typically used to store and communicate information and to support the information needs of managers
throughout the hierarchy. IS convey the decisions of top managers downward and data from operations are sent
upward through the hierarchy using IS. Hierarchical structures are also very compatible with efforts to organize
and manage data centrally. The data from operations that have been captured at lower levels and conveyed through
IS increasingly need to be consolidated, managed, and made secure at a high level. The data are integrated into
databases that are designed so that employees at all levels of the organization can see the information that they need
when they need it. Often there is an information dashboard for executives, a system that provides a summary of key
performance indicators (KPIs). Each level of KPI has additional detail behind it and executives can drill down into
the details as necessary. For example, a KPI revealing lower profitability might have been caused by higher costs
or lower sales, and managers would need to drill down through additional levels of information to understand why
the KPI changed. Managers throughout the hierarchy often have similar dashboards with the KPIs for their organi-
zation so that up and down the hierarchy, managers are looking at the same information consolidated for their level
of decision making.
Flat Organizational Structure
In contrast to the hierarchical structure, the flat, or horizontal, organizational structure has a less well‐defined chain of command. You often don’t see an actual organization chart for a flat organization because the relationships
are fluid and the jobs are loosely defined. That is, drawing an organization chart for a flat organization is like trying
to tie a ribbon around a puddle. In flat organizations, everyone does whatever needs to be done to conduct business.
There are very few “middle managers.” For this reason, flat organizations can respond quickly to dynamic, uncer-
tain environments. Entrepreneurial organizations, as well as smaller organizations, often use this structure because
they typically have fewer employees, and even when they grow, they initially build on the premise that everyone
must do whatever is needed. Teamwork is important in flat organizations. To increase flexibility and innovation,
decision rights may not be clearly defined. Hence, the decision making is often decentralized because it is spread
across the organization to where the decisions are made. It is also time consuming. As the work grows, new indi-
viduals are added to the organization, and eventually a hierarchy is formed where divisions are responsible for
segments of the work processes. Many companies strive to keep the “entrepreneurial spirit,” but in reality, work is
done in much the same way as with the hierarchy described previously. Flat organizations often use IS to off‐load
certain routine work in order to avoid hiring additional employees. As a hierarchy develops, the IS become the glue
tying together parts of the organization that otherwise would not communicate. IS also enable flat organizations to
respond quickly to their environment.
c03.indd 60 11/26/2015 6:22:13 PM
61Information Systems and Organizational Design
Matrix Organizational Structure
The third popular form, which Cognizant ultimately adopted, is the matrix organizational structure. It typically assigns employees to two or more supervisors in an effort to make sure multiple dimensions of the business are
integrated. Each supervisor directs a different aspect of the employee’s work. For example, a member of a matrix
team from marketing would have a supervisor for marketing decisions and a different supervisor for a specific
product line. The team member would report to both, and both would be responsible in some measure for that mem-
ber’s performance and development. That is, the marketing manager would oversee the employee’s development of
marketing skills and the product manager would make sure that the employee develops skills related to the product.
Thus, decision rights are shared between the managers. The matrix structure allows organizations to concentrate
on both functions and purpose. The matrix structure allows the flexible sharing of human resources and achieves
the coordination necessary to meet dual sets of organizational demands. It is suited for complex decision making
and dynamic and uncertain environments. IS reduce the operating complexity of matrix organizations by allowing
information sharing among the different managerial functions. For example, a saleswoman’s sales would be entered
into the information system and appear in the results of all managers to whom she reports.
Cognizant might have moved to the matrix structure (see Figure 3.1) from a hierarchical structure because the
complexity of its projects had increased. “As part of the structure of a Cognizant engagement, we always pair our
technologists with people who have business context experience,” says Raj Mamodia, who was then the Assistant
Vice President of Cognizant’s Consumer Goods business unit. The purpose of these formally structured relation-
ships is to meet the customer’s needs, and not just focus on “how beautiful the technology is in and of itself.”5
The matrix organizational structure carries its own set of weaknesses. Although theoretically each boss has a
well‐defined area of authority, the employees often find the matrix organizational structure frustrating and confus-
ing because they are frequently subjected to two authorities with conflicting opinions. Consequently, working in
a matrix organizational structure can be time consuming because confusion must be dealt with through frequent
meetings and conflict resolution sessions. Matrix organizations often make it difficult for managers to achieve their
business strategies because they flood managers with more information than they can process.
Networked Organizational Structure
Made possible by advances in IT, a fourth type of organizational structure emerged: the networked organiza- tional structure. Networked organizations characteristically feel flat and hierarchical at the same time. An article published in the Harvard Business Review describes this type of organization: “Rigid hierarchies are replaced by formal and informal communication networks that connect all parts of the company. . . . [This type of organiza-
tional structure] is well known for its flexibility and adaptiveness.”6 It is particularly suited to dynamic, unstable
environments.
Networked organizational structures are those that rely on highly decentralized decision rights and utilize distrib-
uted information and communication systems to replace inflexible hierarchical controls with controls based in IS.
Networked organizations are defined by their ability to promote creativity and flexibility while maintaining opera-
tional process control. Because networked structures are distributed, many employees throughout the organization
can share their knowledge and experience and participate in making key organizational decisions. IS are fundamental
to process design; they improve process efficiency, effectiveness, and flexibility. As part of the execution of these
processes, data are gathered and stored in centralized data warehouses for use in analysis and decision making. In
theory at least, decision making is more timely and accurate because data are collected and stored instantly. The
extensive use of communication technologies and networks also renders it easier to coordinate across functional
boundaries. In short, the networked organization is one in which IT ties together people, processes, and units.
The organization feels flat when IT is used primarily as a communication vehicle. Traditional hierarchical lines
of authority are used for tasks other than communication when everyone can communicate with everyone else, at
5 Cognizant Computer Goods Technology, “Creating a Culture of Innovation: 10 Steps to Transform the Consumer Goods Enterprise” (October 2009),
6, http://www.cognizant.com/InsightsWhitepapers/Cognizant_Innovation.pdf (accessed August 20, 2015). 6 L. M. Applegate, J. I. Cash, and D. Q. Mills, “Information Technology and Tomorrow’s Manager,” Harvard Business Review (November–December 1988), 128–36.
c03.indd 61 11/26/2015 6:22:13 PM
62 Organizational Strategy and Information Systems
least in theory. The term used is technological leveling because the technology enables individuals from all parts of the organization to reach all of its other parts.
Portions of Zara’s organizational structure appear networked. Being networked enables the store managers to
use technology to communicate directly with designers. Zara uses the technology‐supported structure to coordinate
the actions and decisions of tens of thousands of its employees so that they can focus their attention on the same
goal of making and selling clothes that people want to buy.
Other Organizational Structures
An organization is seldom a pure form of one of the four structures described here. It is much more common to see
a hybrid structure in which different parts of the organization use different structures depending on the information
needs and desired work processes. For example, the IS department may use a hierarchical structure that allows
more control over data warehouses and hardware, whereas the research and development (R&D) department may
employ a networked structure to capitalize on knowledge sharing. In the hierarchical IS department, information
flows from top to bottom, whereas in the networked R&D department, all researchers may be connected to one
another.
Further, IS are enabling even more advanced organization forms such as the adaptive organization, the zero
time organization,7 and the elastic enterprise.8 Common to these advanced forms is the idea of agile, responsive
organizations that can configure resources and people quickly. These organizations are flexible enough to sense
and respond to changing demands. Elastic enterprises, for example, have a core competency of adding partners
as necessary to quickly respond to customer needs. They do this by creating a platform and common interfaces
to reduce the effort and friction of partnering. Building in the capability to respond instantly means designing the
organization so that each of the key structural elements is able to respond instantly.
Informal Networks
The organization chart reflects the authority derived from formal reporting relationships in the organization’s for-
mal structure. However, informal relationships also exist and can play an important role in an organization’s func-
tioning. Informal networks, in addition to formal structures, are important for alignment with the organization’s
business strategy.
Sometimes, management designs some of the informal relationships or networks. For example, when working
on a special project, an employee might be asked to let the manager in another department know what is going
on. This is considered an informal reporting relationship. Or a company may have a job rotation program that
provides employees with broad‐based training by allowing them to work a short time in a variety of areas. Long
after they have moved on to another job, employees on job rotations may keep in touch informally with former
colleagues, or call upon their past co‐workers when a situation arises that their input may be helpful. Hewlett Pack-
ard’s Decision Support and Analytics Services unit encouraged the development of work‐related informal networks
when it established focused interest group/forums known as Domain Excellence Platforms (DEPs). An IT‐enabled
DEP allows at least five people who hold a common interest related to the business to form a team to share their
knowledge on a topic (e.g., cloud computing, Web analytics). For nonbusiness related topics, the employees can
join conferences to talk about the topic and get to know one another better. The hope is that they will start thinking
beyond their work silos.9
However, not all informal relationships are a consequence of a plan by management. Some networks unintended
by management develop for a variety of other factors including work proximity, friendship, shared interests, family
ties, and so on. The employees can make friends with employees in another department when they play together on
7 For more information on zero time organizations, see R. Yeh, K. Pearlson, and G. Kozmetsky, ZeroTime: Providing Instant Customer Value Every Time, All the Time (Hoboken, NJ: John Wiley, 2000). 8 For more information on elastic enterprises, see N. Vitalari and H. Shaughnessy, The Elastic Enterprise (Longboat Key, FL: Telemachus Press, 2012). 9 T. S. H. Teo, R. Nishant, M. Goh, and S. Agarwal, “Leveraging Collaborative Technologies to Build a Knowledge Sharing Culture at HP Analytics,”
MIS Quarterly Executive 10, no. 1 (March 2011), 1–18.
c03.indd 62 11/26/2015 6:22:13 PM
63Information Systems and Management Control Systems
the company softball team, share the same lunch period in the company cafeteria, or see one another at social gath-
erings. Informal networks can also arise for political reasons. Employees can cross over departmental, functional,
or divisional lines in an effort to create political coalitions to further their goals. Some informal networks even cross
organizational boundaries. As computer and information technologies facilitate collaboration across distances,
social networks and virtual communities are formed. Many of these prove useful in getting a job done, even if not
all of the members of the network belong to the same organization. LinkedIn is an example of a tool that enables
large, global informal networks.
Information Systems and Management Control Systems Controls are the second type of managerial lever. Not only does IS change the way organizations are structured, but
also it profoundly affects the way managers control their organizations. Management control is concerned with how
planning is performed in organizations and how people and processes are monitored, evaluated, and compensated or
rewarded. Ultimately, it means that senior leaders make sure the things that are supposed to happen actually happen.
Management control systems are similar to room thermostats. Thermostats register the desired temperature.
A sensing device within the thermostat determines whether the temperature in the room is within a specifi ed range
of the one desired. If the temperature is beyond the desired range, a mechanism is activated to adjust the temper-
ature. For instance, if the thermostat is set at 70 degrees and the temperature in the room is 69, then the heater
can be activated (if it is winter) or the air conditioning can be turned off (if it is summer). Similarly, management
control systems must respond to the goals established through planning. Measurements are taken periodically and
if the variance is too great, adjustments are made to organizational processes or practices. For example, operating
processes might need to be changed to achieve the desired goals.
IS offer new opportunities for collecting and organizing data for three management control processes:
1. Data collection: IS enable the collection of information that helps managers determine whether they are satisfactorily progressing toward realizing the organization ’ s mission as refl ected in its stated goals.
Social Business Lens: Social Networks
Social networks are a form of informal networks. They even have begun to supplement and possibly replace
organization charts in enterprises. A social network is an IT‐enabled network that links individuals together in
ways that enable them to fi nd experts, get to know colleagues, and see who has relevant experience for pro-
jects across traditional organization lines. Much like the networked organization, a social network provides an IT
backbone linking all individuals in the enterprise, regardless of their formal title or position. Some might regard a
social network as a “super‐directory” that provides not only the names of the individuals but also their role in the
company, their title, their contact information, and their location. It might even list details such as their supervisor
(and their direct reports and peers), the project(s) they are currently working on, and personal information specifi c
to the enterprise.
What differentiates a social network from previous IT solutions to connect individuals is that it is integrated with
the work processes themselves. Conversations can take place, work activities can be recorded, and information
repositories can be linked or merely represented within the structure of the social network.
IBM has a good example of how a social network permeates an organization, changing its culture, structure,
and collaboration processes. With over 400,000 employees, the company has a fl urry of social activity embod-
ied in more than 17,000 individual blogs, 1 million daily page views of internal wikis and Web sites, and 400,000
employee profi les on IBM Connections. Its social network allows employees to share status updates, collaborate
on internal systems, and share fi les. There have been 15 million downloads of employee‐generated videos and
podcasts so far.
Source: http://www.forbes.com/sites/haydnshaughnessy/2011/12/09/is‐social‐business‐the‐same‐as‐social‐media/ (accessed April 5, 2012).
c03.indd 63 11/26/2015 6:22:13 PM
64 Organizational Strategy and Information Systems
2. Evaluation: IS facilitate the comparison of actual performance with the desired performance that is established as a result of planning.
3. Communication: IS speed the flow of information from where it is generated to where it is needed. This allows an analysis of the situation and a determination about what can be done to correct for problematic
situations.
When managers need to control work, IS can play a crucial role. IS provide decision models for scenario
planning and evaluation. For example, the airlines routinely use decision models to study the effects of changing
routes or schedules. IS collect and analyze information from automated processes, and they can make automatic
adjustments to the processes. For example, a paper mill uses IS to monitor the mixing of ingredients in a batch of
paper and to add more ingredients or change the temperature of the boiler as necessary. IS collect, evaluate, and
communicate information, leaving managers with time to make more strategic decisions.
Planning and Information Systems
In the first chapter, the importance of aligning organizational strategy with the business strategy was discussed.
An output of the strategizing process is a plan to guide in achieving the strategic objectives. IS can play a role in
planning in four ways:
• IS can provide the necessary data to develop the strategic plan. They can be especially useful in collecting data from organizational units and integrating the data to transform those data into information for the stra-
tegic decision makers.
• IS can provide scenario and sensitivity analysis through simulation and data analysis.
• IS can be a major component of the planning process.
• In some instances, an information system is a major component of a strategic plan. That is, as discussed in Chapters 1 and 2, information systems can be used to gain strategic advantage.
Data and Information Systems
In addition to focusing on organizational‐level planning and control, managers use information systems to build
controls for individuals. An important part of management control lies in making sure that individuals perform
appropriately. At the individual level, IS can streamline the process of data collection (usually through monitoring
and analytical processes that use the collected data, as Chapter 4 discusses) and support performance measurement
and evaluation as well as compensation through salaries, incentives, and rewards.
Monitoring work can take on a completely new meaning with the use of information technologies. IS make it
possible to collect such data as the number of keystrokes, the precise time spent on a task, exactly who was con-
tacted, and the specific data that passed through the process. The data collected from operations creates large data
stores that can be analyzed for trends. For example, a call center that handles customer service telephone calls is
typically monitored by an information system that collects data on the number of calls each representative received
and the length of time each representative took to answer each call and then to respond to the question or request for
service. Managers at call centers can easily and nonintrusively collect data on virtually any part of the process. The
organizational design challenge in data collection is twofold: (1) to embed monitoring tasks within everyday work
and (2) to reduce the negative impacts to employees being monitored. Workers perceive their regular tasks as value
adding but have difficulty in seeing how value is added by tasks designed to provide information for management
control. Research has found that monitoring does not always increase stress of the employee, especially when it fits
the task and is automatic and nonintrusive.10 But employees often avoid activities aimed at monitoring their work
10 D. Galletta and R. Grant, “Silicon Supervisors and Stress: Merging New Evidence from the Field,” Accounting, Management and Information Tech- nology 5, no. 3 (1995), 163–83.
c03.indd 64 11/26/2015 6:22:13 PM
65Information Systems and Management Control Systems
or worse, find ways to ensure that data recorded are inaccurate, falsified, or untimely. Collecting monitoring data
directly from work tasks—or embedding the creation and storage of performance information into software used to
perform work—renders the data more reliable.
A large number of software products are available for companies to monitor employees. Software monitoring
products are installed by companies to get specific data about what employees are doing. This information can help
ensure that work is being performed correctly. It can also be used to avoid barriers to employee productivity from
“cyberslacking” and “cyberslouching.”11 The intention may seem both ethical and in the best interest of business,
but in practice, the reverse may actually be true. In many cases, employees are not informed that they are being
monitored or that the information gleaned is being used to measure their productivity. In these cases, monitoring
violates both privacy and personal freedoms. Managers need to take into account employee privacy rights and try to
balance their right to privacy against the needs of the business to have surveillance mechanisms in place.
Performance Measurement, Evaluation, and Information Systems
IS make it possible to evaluate actual performance data against reams of standard and historical data, often by using
models and simulations. Analytics and big data tools have changed the way many companies use data to make
decisions. Managers can more easily and completely understand work progress and performance. In fact, the ready
availability of so much information catches some managers in “analysis paralysis”: analyzing too much or too long.
In our example of the call center, a manager can compare an employee’s output to that of colleagues, to earlier
output, and to historical outputs reflecting similar work conditions at other times. Even though evaluation consti-
tutes an important use of IS, how the information is used has significant organizational consequences. Information
collected for evaluation may be used to provide feedback so that the employee can improve personal performance;
it also can be used to determine rewards and compensation. The former use—for improvement in performance—is
nonthreatening and generally welcomed.
Using the same information for determining compensation or rewards, however, can be threatening. Suppose a
call center manager is evaluating the number and duration of calls that service representatives answer on a given
day. The manager’s goal is to make sure all calls are answered quickly, and he communicates that goal to his staff.
Now think about how the evaluation information is used.
If the manager simply provides the employees with information, then the evaluation is not threatening. If han-
dled this way, employees might respond by improving their call numbers and duration. A discussion may even
occur in which the service representative highlights other important considerations, such as customer satisfaction
and quality. Perhaps the representative takes longer than average on each call because she believes that the attention
devoted to the customer would result in higher customer satisfaction.
On the other hand, some managers use the same information to rank employees so that top‐ranked employees
are rewarded and those lower ranked are, in some way, punished or reprimanded. This may cause employees to
feel threatened and respond accordingly. The representative who is not on the top of the list might shorten calls or
deliver less quality, consequently decreasing customer satisfaction, while increasing the values of the metrics that
are measured. The lesson for managers is to pay attention to what is monitored and how the information is used.
Metrics for performance must be meaningful in terms of the organization’s broader goals, and measured, managed,
and communicated appropriately.
How feedback is communicated in the organization plays a role in affecting behavior. Some feedback can be
communicated via IS themselves. A simple example is the feedback built into an electronic form that will not allow
it to be submitted until it is properly filled out. For more complex feedback, IS may not be the appropriate vehi-
cle. For example, no one would want to be told she or he was doing a poor job via e‐mail or voice mail. Negative
feedback of significant consequence often is best delivered in person.
IS can allow for feedback from a variety of participants who otherwise could not be involved. Many companies
provide “360‐degree” feedback in which the individual’s supervisors, subordinates, and co‐workers all provide
11 Bernd Carsten Stahl, “The Impact of the UK Human Rights Act 1998 on Privacy Protection in the Workplace,” Computer Security, Privacy and Politics: Current Issues, Challenges and Solutions (Hershey, PA: Idea Group Publishing, 2008), 55–68.
c03.indd 65 11/26/2015 6:22:13 PM
66 Organizational Strategy and Information Systems
formal input. Social tools are making inroads in evaluation, too. For example, a “thumbs up” or “1–5 stars” evalu-
ation system makes it easy and fast to provide informal feedback and evaluate activities. Because that feedback is
received more quickly, improvements can be made faster.
Incentives and Rewards and Information Systems
Incentives and rewards are the ways organizations encourage good performance. A clever reward system can make
employees feel good without paying them more money. IS can affect these processes, too. Some organizations use
their Web sites to recognize high performers, giving them electronic badges that are displayed on the social network
to identify them as award recipients. Others reward them with new technology. At one organization, top performers
get new computers every year, while lower performers get the “hand‐me‐downs.”
IS make it easier to design complex incentive systems, such as shared or team‐based incentives. IS make it eas-
ier to keep track of contributions of team members and, in conjunction with qualitative inputs, allocate rewards
according to complex formulas. For example, in a call center, agents can be motivated to perform better by providing
rewards based on tracking metrics, such as average time per call, number of calls answered, and customer satis-
faction. Information systems can provide measures of all of these on a real‐time basis—even customer satisfaction
through automated audio or Web site questionnaires after a customer interaction.
When specifying reward metrics, managers must be careful because they tend to drive the behavior they specify.
For example, call center agents who know they will be evaluated only by the volume of calls they process may rush
callers and provide poorer service in order to maximize their performance according to the narrow metric. Those
measured only by customer satisfaction might spend more time than necessary on each call and perhaps try end-
lessly to solve problems that should be routed to more technical personnel.
Information Systems and Culture The third managerial lever of organizational strategy is culture. Culture plays an increasingly important role in
information system management and use. Because information systems management and use are complicated
by human factors, it is important to consider culture’s impact. Culture is defined as the set of “shared values and beliefs” that a group holds and that determines how the group perceives, thinks about, and appropriately reacts to
its various environments.12
A “collective programming of the mind” distinguishes not only societies (or nations) but also industries, profes-
sions, and organizations.13 Beliefs are the perceptions that people hold about how things are done in their community whereas values reflect the community’s aspirations about the way things should be done. Culture is something of a moving target because it evolves over time as the group solves problems adapting to the environment and internal
operations.
Culture has been compared to an iceberg because, like an iceberg, only part of the culture is visible from the
surface. In fact, it is necessary to look below the surface to understand the deep‐rooted aspects of culture that are
not visible. That is, culture may be thought of in terms of layers: observable artifacts, values, and assumptions.
Observable artifacts are the most visible level. They include such physical manifestations as type of dress, sym- bols in art, acronyms, awards, myths and stories told about the group, rituals, and ceremonies. Espoused values are the explicitly stated preferred organizational values. Ideally, they should be consistent with the enacted values, which are the values and norms that are actually exhibited or displayed in employee behavior. For example, if
an organization says that it believes in a good work–life balance for its employees but actually requires them to
work 12‐hour days and on weekends, the enacted values don’t match with the espoused ones. The deepest layer of
culture is the underlying assumption layer, or the fundamental part of every culture that helps discern what is real
12 A. Kinicki, Organizational Behavior: Core Concepts (Boston, MA: McGraw‐Hill Irwin, 2008), 183. 13 G. J. Hofstede, Culture’s Consequences: Comparing Values, Behaviors, Institutions, and Organizations Across Nations, 2nd ed. (Thousand Oaks, CA: Sage Publications, 2001).
c03.indd 66 11/26/2015 6:22:13 PM
67Information Systems and Culture
and important to the group. Assumptions are unobservable because they reflect organizational values that have become taken for granted to such an extent that they guide organizational behavior without any group members
thinking about them.14
Levels of Culture and IT
Culture can vary depending upon which group you are studying. Countries, organizations, and subgroups in orga-
nizations all have a culture. IS management and use can be impacted by culture at all these levels. IS can even play
a role in promoting it. For instance, Cognizant used IT to implement “10/10/10,” a program designed to keep its
associates focused on innovation. On the tenth workday of each month at 10 a.m., everyone’s computer screen is
frozen, allowing the entire Cognizant workforce to spend 10 minutes thinking about and sharing innovative ideas.15
With the growth of analytics and the availability of large stores of data, many organizations are adopting a data‐
driven culture in which virtually all decisions are made with the support of analytics. In a data‐driven culture, man-
agers are typically expected to provide data to support their recommendations and to back up decisions. Information
is often freely shared in this culture, and IS take on the important role of collecting, storing, analyzing, and deliver-
ing data and information to all levels of the organization. Dell, Procter and Gamble, GE, Google, and Facebook are
examples of companies that are known to have a data‐driven culture. Sometimes the employees in these companies
are said to “speak the language of data” as part of their culture.
When IS developers have values that differ from the clients in the same organization for whom they are devel-
oping systems, cultures can clash. For example, clients may favor computer‐based development practices that
encourage reusability of components to enable flexibility and fast turnaround. Developers, on the other hand, may
prefer a development approach that favors stability and control but tends to be slower. Both national and organiza-
tional cultures can affect IT management and usage and vice versa. National culture may affect IT in a variety of
ways, impacting information systems development, technology adoption and diffusion, system use and outcomes,
and management and strategy. These relationships are shown in Figure 3.5 and described next. The model and the
discussion of the impact of culture on IT issues draws heavily from the work of Leidner and Kayworth.16
14 E. Schein, Organizational Change and Leadership, 4th ed. (San Francisco, CA: Jossey‐Bass, 2010). 15 Cognizant Computer Goods Technology, “Creating a Culture of Innovation,” 1–6. 16 D. Leidner and T. Kayworth, “A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict,”
MIS Quarterly 30, no. 2 (2006), 357–99.
Information
Systems
Development
IT Adoption
and Diffusion
IT Issues
Organizational Values
(Entire Organization and within Organization)
National Values
IT Use and
Outcomes
IT Management
and Strategy
FIGURE 3.5 Levels of culture. Source: Adapted from D. Leidner and T. Kayworth, “A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict,“ MIS Quarterly 30, no. 2 (2006), 372, Figure 1.
c03.indd 67 11/30/2015 7:25:49 PM
68 Organizational Strategy and Information Systems
Culture and Information Systems Development
Variation across national cultures may lead to differing perceptions and approaches to IS development. In particular,
systems designers may have different perceptions of the end users and how the systems would be used. For example,
Danish designers who had more socialist values were more concerned about people‐related issues when compared
to Canadian designers with more capitalist values. The Canadian designers were more interested in technical issues.
National culture may also affect the perceptions of project risk and risk management behaviors. At the organiza-
tional level, cultural values can affect the features of new software and the way it is implemented.
Culture and Information Technology Adoption and Diffusion
National cultures that are more willing to accept risk appear to be more likely to adopt new technologies. Those
cultures that are less concerned about power differences among people (i.e., have low power distance) are more
likely to adopt technologies that help promote equality. People are more likely to adopt a new technology if they
think that the technology’s embedded values match those of their national culture. Further, if a technology is to be
successfully implemented into an organization, either the technology must fit with the organization’s culture or the
culture must be shaped to fit the behavioral requirements of the technology. For example, a dashboard that shares
analytics and key performance indicators to all employees would reduce the “power” of leaders in a hierarchical
organization in which only the senior managers have access to the data. In such organizations, implementation of
such an information system would likely be very slow or rejected altogether because the culture would not support
broad information sharing.
Culture and Information Technology Use and Outcomes
Research has shown that differences in culture result in differences in the use and outcomes of IT. At the orga-
nizational level, cultural values are often related to satisfied users, successful IS implementations or knowledge
management successes. At the national level, e‐mail adoption was much slower in Japan than in the United States.
Japanese prefer richer forms of communication such as meeting face‐to‐face. The lean e‐mail can’t accommodate
the symbols in their language as easily as a fax. Further, in countries that are more likely to avoid uncertainty like
Japan and Brazil, IT is used often for planning and forecasting, whereas in countries that are less concerned about
risk and uncertainty, IT is more often used for maintaining flexibility. Furthermore, some things are acceptable in
one country but not another. For example, DitchWitch could not use its logo globally because a witch is offensive
in some countries.
Culture and Information Technology Management and Strategy
National and organizational culture affects planning, governance, and perceptions of service quality. For example,
having planning cultures at the top levels of an organization typically signal that strategic systems investment is
important. At Adidas, a multinational sports apparel company headquartered in Germany, national culture played
a role in its multisourcing strategy. Adidas’ managers selected an Eastern European vendor because they were
looking for a provider whose culture was similar to their own. They thought that vendor’s employees were more
likely to question system requirements and to make creative, innovative contributions than the Indian vendors they
had hired.17
National Cultural Dimensions and Their Application
One of the best‐known (and prolific) researchers in the area of differences in the values across national cultures
is Geert Hofstede. Most studies about the impact of national cultures on IS have used Hofstede’s dimensions
of national culture. Hofstede18 originally identified four major dimensions of national culture: power distance,
17 Martin Wiener and Carol Saunders, “Forced Coopetition in IT Multi‐Sourcing,” Journal of Strategic Information Systems 23, no. 3 (2014), 210–25. 18 G. Hofstede, Culture’s Consequences: International Differences in Work‐Related Values (London: Sage, 1980).
c03.indd 68 11/26/2015 6:22:14 PM
69Information Systems and Culture
uncertainty avoidance, individualism‐collectivism, and masculinity‐femininity.19 To correct for a possible bias
toward Western values, a new dimension, Confucian work dynamism, also referred to “short‐term vs. long‐term
orientation,” was added.20 Many others have used, built upon, or tried to correct problems related to Hofst-
ede’s four dimensions. One notable project is the Global Leadership and Organizational Behavior Effectiveness
(GLOBE) research program, which is a team of 150 researchers who have collected data on cultural values and
practices and leadership attributes from over 18,000 managers in 62 countries. The GLOBE project has uncov-
ered nine cultural dimensions, six of which have their origins in Hofstede’s pioneering work. The Hofstede
dimensions and their relationship to the GLOBE dimensions are summarized in Figure 3.6.
19 Ibid. 20 G. Hofstede and M. H. Bond, “The Confucius Connection: From Cultural Roots to Economic Growth,” Organizational Dynamics 16 (1988), 4021.
FIGURE 3.6 National cultural dimensions.
Hofstede Dimensions (Related GLOBE Dimensions)
Descriptiona Examples of Effect on ITb
Uncertainty Avoidance (Uncertainty Avoidance)
Extent to which a society tolerates uncertainty and ambiguity; extent to which members of an organization or society strive to avoid uncertainty by reliance on social norms, rituals, and bureaucratic practices to alleviate the unpredictability of future events.
Countries with high uncertainty avoidance are less likely to adopt new IT and have higher perceptions of project risk than countries with low uncertainty avoidance.
Power Distance (Power Distance) Degree to which members of an organization or society expect and agree that power should be equally shared.
Individuals from high power distance countries are found to be less innovative and less trusting of technology than individuals from low power distance countries.
Individualism/Collectivism (Societal and In‐Group Collectivism)
Degree to which individuals are integrated into groups; extent to which organizational and societal institutional practices encourage and reward collective distribution of resources and collective action.
Individualistic cultures are more predisposed than collectivistic cultures to report bad news about troubled IT projects; companies in collectivist societies are more likely than individualistic societies to fill an IS position from within the company.
Masculinity/Femininity (General Egalitarianism and Assertiveness)
Degree to which emotional roles are distributed between the genders; extent to which an organization or society minimizes gender role differences and gender discrimination; often focuses on caring and assertive behaviors.
Australian groups (high masculinity) generated more conflict and relied less on conflict resolution strategies than Singaporean groups (low masculinity).
Confucian Work Dynamism (Future Orientation)
Extent to which society rewards behaviors related to long‐ or short‐term orientations; degree to which individuals in organizations or societies engage in future‐oriented behaviors such as planning, investing in the future, and delaying gratification.
When considering future orientation, studies found differences in the use of Executive Information Systems and the evaluation of service quality across countries.
a Adapted from R. House, M. Javidan, P. Hanges, and P. Dorfman, “Understanding Cultures and Implicit Leadership Theories across the Globe: An Introduction to Project GLOBE, “ Journal of World Business 37, no. 1 (2002), 3–10; and G. Hofstede and G. J. Hofstede, Dimensions of National Culture, http://www.geerthofstede. nl/dimensions‐of‐national‐cultures.aspx (accessed August 20, 2015). b Examples were provided in D. Leidner and T. Kayworth, “A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict,” MIS Quarterly 30, no. 2 (2006), 357–99.
c03.indd 69 11/26/2015 6:22:14 PM
70 Organizational Strategy and Information Systems
Even though the world may be becoming “fl atter,” cultural differences have not totally disappeared. But some
leadership traits, such as being trustworthy, just, and honest; having foresight and planning ahead; being positive,
dynamic, encouraging, and motivational; and being communicative and informed are seen as universally acceptable
across cultures. 21
The generally accepted view is that the national culture predisposes citizens of a nation to act in a certain way
along a Hofstede or GLOBE dimension, such as in an individualistic way in England or in a collectivist way in
China. Yet, the extent of the infl uence of a national culture may vary among individuals, and culturally based idi-
osyncrasies may surface based upon the experiences that shape each person ’ s ultimate orientation on a dimension.
Having an understanding and appreciation for cultural values, practices, and subtleties can help in smoothing the
challenges that occur in dealing with these idiosyncrasies. An awareness of the Hofstede or GLOBE dimensions
may help to improve communications and reduce confl ict.
Effective communication means listening, framing the message in a way that is understandable to the receiver,
and responding to feedback. Effective cross‐cultural communication involves each of these plus searching for an
integrated solution that can be accepted and implemented by members of diverse cultures. This may not be as
simple as it sounds. For instance, typical American managers, noted for their high‐performance orientation, pre-
fer direct and explicit language full of facts and fi gures. However, managers in lower performance‐oriented coun-
tries like Russia or Greece tend to prefer indirect and vague language that encourages the exploration of ideas. 22
Communication differences surfaced when one of this book ’ s authors was designing a database in Malaysia. She
asked questions that required a “yes” or “no” response. In trying to reconcile the strange set of responses she
received, the author learned that Malaysians are hesitant to ever say “no.” Communication in meetings is also
subject to cultural differences. In countries with high levels of uncertainty avoidance such as Switzerland and
Geographic Lens: Does National Culture Affect Firm Investment in IS Training?
In a massive study of 6,000 fi rms in 21 countries, Hilla Peretz and Zehava Rosenblatt found that differences along
Hofstede ’ s cultural dimensions do affect employee training. In particular, fi rms in countries that embrace low
power distance (i.e., Germanic countries, Anglo‐American countries, the Netherlands, and Israel) tend to invest
more in training than fi rms in countries with high power distance (i.e., some Asian, Latin America, and Middle
Eastern countries).
Why might this be the case? Perhaps fi rms in high power distance societies view investment in training as less
favorable because it might narrow the power gaps by making a higher level of skills available across all levels of
the organization. Those in power might not want to see a leveling of power throughout the organization.
Peretz and Rosenblatt also discovered that fi rms in countries that had a strong orientation toward the future
(i.e., some Asian countries) were more likely to invest in training than fi rms in countries with a shorter‐term orien-
tation (i.e., some Anglo‐American countries). The researchers think this might be so because training is all about
helping employees develop so that they can perform better in the future. Better‐trained employees help the
fi rm ’ s competitive prospects down the line.
Finally, the researchers found that fi rms in countries with high uncertainty avoidance (i.e., some Hispanic cul-
tures, Japan, South Korea, Israel, and Russia) spend more on training than countries with low uncertainty avoid-
ance (i.e., the United Kingdom, Ireland, Hong Kong, and Singapore)—maybe because employee training may be
seen as a way to reduce uncertainty.
Although the study was about training in general, the fi ndings are even more likely to hold for IS training.
Because IS change so quickly, IS professionals need considerable training to stay current and do their jobs well.
Source: H. Peretz and Z. Rosenblatt , “ The Role of Societal Cultural Practices in Organizational Investment in Training: A Comparative Study in 21 Countries ,” Journal of Cross‐Cultural Psychology 42 , no. 5 ( 2011 ), 817 – 31 .
21 Mansour Javidan and R. J. House , “ Cultural Acumen for the Global Manager ,” Organizational Dynamics 29 , no. 4 ( 2001 ), 289 – 305 . 22 Ibid.
c03.indd 70 11/26/2015 6:22:14 PM
71Discussion Questions
Austria, meetings should be planned in advance with a clear agenda. The managers in Greece or Russia who come
from a low uncertainty avoidance culture often shy away from agendas or planned meetings.
Knowing that a society tends to score high or low on certain dimensions helps a manager anticipate how a per-
son from that society might react. However, this provides only a starting point because each person is different.
Importantly, without being aware of cultural differences, a company is unlikely to develop IS or to use it effectively.
S U M M A R Y
• Organizational strategy reflects the use of the managerial levers of an organization’s design, organizational culture, and management control systems that coordinate and control work processes.
• Organizational designers today must have a working knowledge of what information systems can do and how the choice of information system will affect the organization itself.
• Organizational structures can facilitate or inhibit information flows.
• Organizational design should take into account decision rights, organizational structure, and informal networks.
• Structures such as flat, hierarchical, matrix and, networked organizations are being enhanced by information technology. Increasingly information technology enables and supports networked organizations that can better respond to dynamic,
uncertain organizational environments.
• Information technology affects managerial control mechanisms: planning, data, performance measurement and evalua- tion, incentives and rewards.
• Management control at the individual level is concerned with monitoring (i.e., data collection), evaluating, providing feedback, compensating, and rewarding. It is the job of the manager to ensure that the proper control mechanisms are
in place and the interactions between the organization and the information systems do not undermine the managerial
objectives.
• Organizational and national culture should be taken into account when designing, managing, and using IS.
K E Y T E R M S
assumptions (p. 67)
beliefs ( p. 66)
bureaucracy (p. 60)
culture (p. 66)
decision rights (p. 58)
enacted values (p. 66)
espoused values (p. 66)
flat organizational structure (p. 60)
hierarchical organizational
structure (p. 60)
matrix organizational
structure (p. 61)
networked organizational
structure (p. 61)
observable artifacts (p. 66)
organizational strategy (p. 57)
social network (p. 63)
span of control (p. 60)
unity of command (p. 60)
values (p. 66)
D I S C U S S I O N Q U E S T I O N S
1. How might IS change a manager’s job?
2. Is monitoring an employee’s work on a computer a desirable or undesirable activity from a manager’s perspective? From the employee’s perspective? How does the organization’s culture impact your position? Defend your position.
3. Consider the brief description of the elastic enterprise. What is an example of a control system that would be critical to man- age for success in elastic enterprise? Why?
4. Mary Kay, Inc. sells facial skin care products and cosmetics around the globe. The business model is to provide one‐on‐one, highly personalized service. More than 500,000 Independent Beauty Consultants (IBCs) sell in 43 markets worldwide. Each
IBC runs his or her own business by developing a client base and then providing services and products for sale to those
clients. The IBCs were offered support through an e‐commerce system with two major components: mymk.com and Mary
c03.indd 71 11/26/2015 6:22:14 PM
72 Organizational Strategy and Information Systems
Southwest Airlines ’ merger with AirTran Airlines , valued at over US$3 billion, made Southwest the largest domestic car-
rier based on number of passengers fl own. 25 The merger increases Southwest ’ s presence in a number of major cities, most
notably New York (LaGuardia) and Washington D.C. (Ronald Reagan National Airport). Thanks to AirTran , Southwest now
fl ies into the coveted Atlanta ’ s Hartsfi eld‐Jackson Atlanta International, the world ’ s busiest airport, along with a number
of international vacation destinations such as Aruba, Puerto Rico, and the Bahamas. In all, 21 new cities were added, 7 of
which were in the international market, positioning Southwest to expand in Central and South America. The result was a
signifi cant increase in profi tability for Southwest , growing from $178 million in 2011 to $1.1 billion in 2014. 26
Southwest has grown organically, acquiring only two other smaller carriers—Morris Air and Muse Air —in the 1980s.
This has made it easier to maintain its quirky identity. On the other hand, AirTran was created from several airlines, includ-
ing the former ValuJet , about 15 years ago. It is known mostly as a low‐cost, on‐time carrier. The Company Culture page
on AirTran ’ s Web site prior to the merger claimed that “loyal crew members keep AirTran airways customers soaring” and
who have a “timely and accommodating demeanor.” AirTran ’ s values included a total commitment to safety, technical ex-
cellence, continuous learning, fun, and profi t. 27
Southwest , headquartered at Love Field in Dallas, uses the ticker symbol LUV and uses all kinds of ways to show that
“Luv” to their customers. Southwest has cultivated a corporate culture that focuses on employees and customers having a
good time while fl ying. The company carefully selects its employees using interviews that involve creative activities and
even asking the recruits to wear tutus. Southwest ’ s training program with karaoke and amusing challenges is designed
to socialize the new recruits into the airline ’ s fun‐loving culture. According to its Web site, its cultural values include
“A Warrior Spirit, A Servant ’ s Heart, A Fun‐Luving Attitude.” 28
Wharton management professor Peter Cappelli commented just after the merger was announced in 2010 that “South-
west ’ s whole business model is built on a particular approach to managing employees. It ’ s a big bet they are making that
they can swallow AirTran . . . . This is a very different approach, taking thousands of AirTran employees, dumping them
into the system and hoping it works. It ’ s a pretty risky move." Cappelli adds that airline mergers are always diffi cult because
integration has to take place while a carrier continues to carry out complex operations. Thousands of employees can ’ t easily
be put through an orientation program in the merger ’ s short time frame, and the information systems supporting the complex
operations of two airlines can ’ t be easily changed. 29
■ CASE STUDY 3‐1 The Merger of Airtran by Southwest Airlines: Will the Organizational Cultures Merge? 24
Kay InTouch. Mymk.com allows IBCs to create instant online sites where customers can shop anytime directly with their
personal IBC. Mary Kay InTouch streamlines the ordering process by automatically calculating discounts, detecting pro-
motion eligibility, allowing the IBCs to access up‐to‐date product catalogs, and providing a faster way to transact business
with the company. 23
a. How would the organizational strategy need to change to respond to Mary Kay ’ s new business strategy and information system?
b. What changes would you suggest Mary Kay, Inc. managers make in their management systems in order to realize the intended benefits of the new systems? Specifically, what types of changes would you expect to make in the evaluation
systems, the reward systems, and feedback systems?
23 Adapted from “ Mary Kay, Inc .,” Fortune (Microsoft supplement, November 8, 1999 ) . 24 An earlier version of this case was written by Parul Acharya.
25 “ What Has AirTran Done for Southwest Airlines ,” Forbes (December 11, 2014), http://www.forbes.com/sites/greatspeculations/2014/12/11/what‐has‐ airtran‐done‐for‐southwest‐airlines/ (accessed April 27, 2015) .
26 Charisse Jones , “ Southwest Scores Record Profit—Again ” USA Today (January 22, 2015 ), http://www.usatoday.com/story/money/2015/01/22/ southwest‐sees‐record‐profits‐in‐2014/22166225/ (accessed August 20, 2015).
27 www.airtran.com (accessed April 2011).
28 Southwest Airlines, http://www.southwest.com/html/about‐southwest/careers/culture.html (accessed January 27, 2012).
29 “ By Acquiring AirTran, Will Southwest Continue to Spread the LUV? ” Knowledge@Wharton (October 13, 2010), http://knowledge.wharton.upenn.
edu/article.cfm?articleid=2614 (accessed August 20, 2015) ; and B. Snyder , “ How the Southwest‐AirTran Merger Creates a Labor Problem ,” CBS Money (October 5, 2010 ), http://www.cbsnews.com/8301‐505123_162‐43642550/how‐the‐southwest‐airtran‐merger‐creates‐a‐labor‐problem/ (accessed April 12, 2012) .
c03.indd 72 11/26/2015 6:22:14 PM
73Case Study
The Federal Bureau of Investigation of the U.S. government, the FBI, was forced to scrap its $170 million virtual case fi le
(VCF) management system. Offi cial reports blamed numerous delays, cost overruns, and incompatible software. But a deep-
er examination of the cause of this failure uncovered issues of control, culture, and incompatible organizational systems.
Among its many duties, the FBI is charged with the responsibility to fi ght crime and terrorism. To do so requires a
large number of agents located within the United States and around the world. That means agents must be able to share
information among themselves within the bureau and with other federal, state, and local law enforcement agencies. But
sharing information has never been standard operating procedure for this agency. According to one source, “agents are accus-
tomed to holding information close to their bulletproof vests and scorn the idea of sharing information.” This turned out to
be a real problem in an investigation of DarkMarket, an Internet forum that connected buyers and sellers so that they could
exchange stolen information such as bank details and credit card numbers. When both the FBI and Secret Service agents were
investigating each other as criminals, it took their British colleagues, who knew the secrets of both agencies, to avert a crisis.
Enter the FBI ’ s efforts to modernize its infrastructure, codenamed “Trilogy.” The efforts included providing agents with
30,000 desktop PCs, high‐bandwidth networks to connect FBI locations around the world, and the VCF project to facilitate
sharing of case information worldwide. The FBI Director explained to Congress that VCF would provide “an electronic
means for agents to globally send fi eld notes, documents, pieces of intelligence and other evidence so they could hopefully
act faster on leads.” It was designed to replace a paper‐intensive process with an electronic, Web‐based process. With such
a reasonable goal, why didn ’ t it work?
■ CASE STUDY 3‐2 The FBI
In November 2011, Southwest Airlines ’ more than 6,000 pilots and AirTran Airways ’ 1,700 pilots overwhelmingly
approved a plan to combine the seniority lists of the two carriers with fi ve of six pilots voting in favor. 30 The personnel sys-
tems had to be modifi ed to refl ect the new seniority and pay systems.
The disparate cultures of Southwest and AirTran also posed problems for the merger of their online reservation systems
and their frequent‐fl yer programs. Southwest switched from Sabre to Amadeus system to better accommodate merchandis-
ing and international fl ights. AirTran ’ s reservations system vendor was Navitaire. 31 AirTran and Southwest had diametrically
opposed views on distribution through online travel agencies. Southwest usually sold its tickets via telephone or through its
Web site whereas AirTran preferred online reservation systems such as Orbitz and Expedia. 32 It took several years after to
fi gure out how to blend the two different reservations systems. The Southwest frequent‐fl yer program was the last system
to be updated to include the top customers of AirTran. In December 2014, the new merged airline was just fi nishing up the
integration. Will the cultures of Southwest and AirTran come together? People are optimistic, but the real answer lies in the
future.
Discussion Questions
1. Discuss the layers of culture that are evident in this case. Why do you think Southwest has preferred to grow organically
over its history?
2. What are the similarities and dissimilarities between the cultures, values, and beliefs of Southwest and AirTran airlines?
Where would you expect the differences to be most difficult to manage? Why?
3. What problems could arise due to the different perspectives of both airlines toward online reservation systems? What do
you recommend the managers do to solve these problems?
4. What would you recommend managers to do ensure a smooth integration of the information systems given the culture
differences?
30 T. Maxon , “ Southwest Airlines, AirTran Pilots Overwhelming Approve Plan to Combine Seniority Lists ,” Aviationblog, Dallas News (November 7, 2011 ), http://aviationblog.dallasnews.com/archives/mergers‐consolidation/ (accessed November 7, 2011) ; Snyder, “How the Southwest‐AirTran Merger
Creates a Labor Problem.” 31 D. Schall , “ Distribution Questions Loom Following US Approval of Southwest‐AirTran Merger ,” tnooz.com (April, 27, 2011 ), http://www.tnooz.
com/2011/04/27/news/distribution‐questions‐loom‐following‐us‐approval‐of‐southwest‐airtran‐merger/ (accessed April 12, 2012) . 32 J. Brancatelli , “ The Fight Stuff: Why the Airlines Are Fighting Travel Sites ,” Portfolio.com (January 5, 2011 ), http://www.portfolio.com/business‐
travel/2011/01/05/why‐legacy‐airlines‐are‐warring‐with‐expedia‐and‐orbitz/ (accessed November 7, 2011) .
c03.indd 73 11/26/2015 6:22:14 PM
74 Organizational Strategy and Information Systems
The CIO of the FBI offered one explanation. He claimed that the FBI needed to change its culture. “If the Bureau is ever
going to get the high‐tech analysis and surveillance tools it needs to. . . fi ght terrorism, we must move from a decentralized
amalgam of 56 fi eld offi ces. . . to a seamlessly integrated global intelligence operation capable of sharing information and
preventing crimes in real‐time.” He added that the Bureau personnel were also very distrustful of the technology, as well as
others not only in other organizations but also within the FBI.
A former project manager at the FBI further explained, “They work under the idea that everything needs to be kept secret.
But everything doesn ’ t have to be kept secret. To do this right, you have to share information.”
The VCF system has been shut down, but the CIO is working on a new approach. He is busy trying to win buy‐in from
agents in the fi eld so that the next case management system will work. In addition, he is working to establish a portfolio
management plan that will cover all of the FBI ’ s IT projects, even those begun in decentralized offi ces. His team has been
designing an enterprise architecture that will lay out standards for a bureauwide information system. The Director of the
FBI has helped too. He reorganized the governance of IT, taking its budget control away from the districts and giving total
IT budget authority to the CIO.
The FBI is building a new case management system called Sentinel in four phases. The fi rst two phases have been de-
ployed and, according to the Federal IT dashboard, the project is on schedule and on budget. The new system, according to
the CIO, will include workfl ow, document management, record management, audit trails, access control, and single sign‐on.
It will provide enhanced information sharing, search, and analysis capabilities to FBI agents and facilitate information
sharing with members of the law enforcement and intelligence communities. To manage the expectations of the agents, the
CIO plans to communicate often and signifi cantly increase the training program for the new system. The CIO commented,
“We want to automate those things that are the most manually cumbersome for the agents so they can see that technology
can actually enhance their productivity. That is how to change their attitudes.”
The FBI also has a billion‐dollar Next Generation Identifi cation (NGI) system with 52 million searchable facial images
and 100 million individual fi ngerprint records as well as millions of palm prints, DNA samples, and iris scans. NGI can scan
mug shots for a match and pick out suspects from a crowd scanned by a security camera or in a photograph on the Internet.
The information can be exchanged with 18,000 law enforcement agencies 24 hours a day, 365 days a year. 33 When combined
with Sentinel, NGI will further enhance the effectiveness of the FBI ’ s antiterror efforts.
Discussion Questions
1. What do you think were the real reasons why the VCF system failed?
2. What were the points of alignment and misalignment between the information systems strategy and the FBI
organization?
3. What do you think of the CIO ’ s final comment about how to change attitudes? Do you think it will work? Why or
why not?
4. If you were the CIO, what would you do to help the FBI modernize and make better use of information technology?
Sources: Adapted from Allan Holmes , “ Why the G‐Men Aren ’ t IT Men “ CIO (June 15, 2005 ), 42 – 45 ; IT Dashboard, ”FBI Sentinel,” http:// www.itdashboard.gov/investment?buscid=441 ; Marc Goodman , Future Crimes ( Toronto, Canada : Random House , 2015 ) .
33 Federal Bureau of Investigation, “FBI Announces Full Operational Capability of the Next Generation Identification System” (September 15, 2014),
https://www.fbi.gov/news/pressrel/press‐releases/fbi‐announces‐full‐operational‐capability‐of‐the‐next‐generation‐identification‐system (accessed
August 20, 2015).
c03.indd 74 11/26/2015 6:22:14 PM
75
4 chapter
New approaches to work such as workplace fl exibility and remote work combined with newer collaboration and social technologies, mobile technologies, and cloud computing have drastically changed the way we work. This chapter explores the impact technology has on the nature and design of work. A Work Design Framework is used to explore how digital technology can be used effectively to support these changes and help make employees more effective. In particular, this chapter discusses technologies to support communication and collaboration, new types of work, new ways of doing traditional work, new challenges in managing employees, and issues in working remotely and on virtual teams. It concludes with a section on change management.
Digital Systems and the Design of Work
Consumer fi nancial services powerhouse American Express viewed workplace fl exibility as a stra-
tegic lever. Its award‐winning BlueWork program was a good example of turning strategic intent
into action. In addition to receiving the Chairman ’ s Award for Innovation—Top Innovators Prize, the
BlueWork program enabled increased employee productivity and more than $10 million in annual
savings from reduced cost of offi ce space. 1 BlueWork was Amex ’ s term for arrangements for fl exi-
bility in workspace. Integrated into the company ’ s human resource policies, the fl exibility included
staggered working hours, off‐site work areas such as home/virtual offi ce arrangements, shared offi ce
space, touch‐down (laptop‐focused, temporary) space, and telecommuting. The corporate focus is on
results rather than on hours clocked in the offi ce and face‐to‐face time. But BlueWork also supported
the sustainability and corporate social responsibility objectives. According to the Amex Web site,
Our sustainable facilities story is also woven into the fabric of our employees ’ daily routine. BlueWork,
our fl exible workplace program, allows American Express employees to better utilize company work
space and work remotely. The installation of 63 telepresence studios in 46 offi ce locations encourages
virtual meetings, reduces the need for travel, and contributes positively to our carbon reduction target. 2
Employees are assigned to a type of work arrangement based on their role. Hub employees
require a fi xed desk because they work in the offi ce every day. Club employees can share time bet-
ween the offi ce and other locations because their roles involve both face‐to‐face and virtual meet-
ings. Home employees work from home at least three days a week. Roam employees are on the road
or at customer sites. Susan Chapman, SVP at American Express commented on the importance of
1 Christopher Palafax , “ American Express ’ s New Design Team ,” American Builders Quarterly (April/May/June 2014), http:// americanbuildersquarterly.com/2014/american‐express/ (accessed August 25, 2015); http://www.employeralliance.sg/toolkit/tool
kit/tk1_13_2a.html (accessed August 25, 2015); Monak Mitra , “ Best Companies to Work for 2012 ,” The Economic Times, http:// articles.economictimes.indiatimes.com/2012‐07‐16/news/32698433_1_employee‐benefits‐jyoti‐rai‐american‐express‐india (accessed
August 25, 2015) ; Jeanne Meister , “ Flexible Workspaces: Employee Perk or Business Tool to Recruit Top Talent? ” Forbes (April 1, 2013), http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible‐workspaces‐another‐workplace‐perk‐or‐a‐must‐have‐to‐attract‐
top‐talent/ (accessed August 25, 2015) . 2 American Express Corporate Social Responsibility Report, Quarter 3 2014 Update , http://about.americanexpress.com/csr/crr‐2014‐
q3.aspx (accessed August 25, 2015) .
c04.indd 75 11/26/2015 7:16:44 PM
76 Digital Systems and the Design of Work
technology’s role in alternative work arrangements, “Technology drives workplace flexibility. . . . Technology has
become a strategic competency that drives revenue growth. It’s not just about enabling productivity.”3
How has BlueWork impacted the staff? In addition to the productivity improvements and savings in office expense,
overall employee satisfaction is up. American Express managers are happy with these arrangements too. They have
found employees to be more engaged while working, more committed to the company, and better able to drive needed
results.4 American Express has clearly adopted one of the most accommodating approaches to work hours, but many
employers allow their employees some flexibility in their work schedule. A third or more of IBM, Aetna, and AT&T
employees have no official desks at the company. Communications giant Cisco, which has over 75,000 employees on
six continents, uses technology‐enabled flexible work practices such as telecommuting, remote work, and flex time.5
Sun Microsystems Inc. calculates that it has saved over $400 million in real estate costs by allowing nearly half of
its employees to work anywhere they want.6 Even the U.S. Government has a flexible work program, Flexiwork, that
enables eligible employees to do their job under alternative work arrangements such as work from home.7
The American Express example illustrates how the nature of work has changed—and information technology is
supporting, if not propelling, the changes. In preindustrial societies, work was seamlessly interwoven into everyday
life. Activities all revolved around nature’s cyclical rhythms (i.e., the season, day, and night; the pangs of hunger)
and the necessities of living. The Industrial Revolution changed this. With the practice of dividing time into mea-
surable, homogeneous units for which they could be paid, people started to separate work from other spheres of life.
Their workday was distinguished from family, community, and leisure time by punching a time clock or responding
to the blast of a factory whistle. Work was also separated into space as well as time as people went to a particular
place to work.8
Technology and new work arrangements have once again enabled an integration of work activities into every-
day life. Technologies have made it possible for employees to do their work in their own homes, on the road, or
at an alternative work space at times that accommodate home life and leisure activities.9 Paradoxically, however,
employees often want to create a sense of belonging within the space where they work. That is, they wish to create a
sense of “place,” which is a bounded domain in space that structures their experiences and interactions with objects
that they use and other people that they meet in their work “place.” People learn to identify with these “places,” or
locations in space, based on a personal sharing of experiences with others within the space. Over time, visitors to
the place associate it with a set of appropriate behaviors.10 Increasingly “places” are being constructed in space with
Web tools that encourage collaboration, allowing people to easily communicate on an ongoing basis, once again
changing the nature of where work is done.
The Information Systems Strategy Triangle, discussed in Chapter 1, suggests that changing information sys-
tems (IS) results in altered organizational characteristics. Significant changes in IS and the work environments in
which they function are bound to coincide with significant changes in the way that companies are structured and
how people experience work in their daily lives. Chapter 3 explores how information technology (IT) influences
organizational design. This chapter moves the focus to the way IT is changing the nature of work, the rise of new
work environments, and IT’s impact on different types of employees, where and when they do their work, and how
they collaborate. This chapter looks at how IT enables and facilitates a shift toward collaborative and virtual work.
The terms IS and IT are used interchangeably in this chapter, and only basic details are provided on technologies used. The point of this chapter is to look at the impact of IT on the way work is done by individuals and teams.
This chapter should help managers understand the challenges in designing technology‐intensive work and develop
a sense of how to address these challenges and overcome resistance to IT in our rapidly changing world.
3 Gensler, Dialog 22, http://www.gensler.com/uploads/documents/Dialogue‐22.pdf (accessed August 25, 2015). 4 http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible‐workspaces‐another‐workplace‐perk‐or‐a‐must‐have‐to‐attract‐top‐talent/. 5 http://csr.cisco.com/casestudy/flexible‐work (accessed May 30, 2015). 6 “Smashing the Clock,” Bloomberg News (December 10, 2006), http://www.bloomberg.com/bw/stories/2006‐12‐10/smashing‐the‐clock (accessed May 29, 2015). 7 The IRS is one example of these U.S. government programs. For more information, see http://www.irs.gov/irm/part6/irm_06‐800‐002.html (accessed
May 29, 2015). 8 S. Barley and G. Kunda, “Bringing Work Back In,” Organizational Science 12, no. 1 (2001), 76–95. 9 S. Harrison and P. Dourish, “Re‐Place‐ing Space: The Roles of Place and Space in Collaborative Systems,” Proceedings of the 1996 ACM Conference
on Computer Supported Cooperative Work (1996), 67–76. 10 C. Saunders, A. F. Rutkowski, M. Genuchten, D. Vogel, and J. M. Orrega, “Virtual Space and Place: Theory and Test,” MIS Quarterly 35, no. 4 (2011), 1079–98.
c04.indd 76 11/26/2015 7:16:44 PM
77Work Design Framework
Work Design Framework As the place and time of work becomes less distinguishable from other aspects of people’s lives, the concept of
“jobs” is changing and being replaced by the concept of work. Prior to the Industrial Revolution, a job meant a
discrete task of a short duration with a clear beginning and end.11 By the mid‐20th century, the concept of job
had evolved into an ongoing, often unending stream of meaningful activities that allowed the worker to fulfill a
distinct role. More recently, organizations are moving away from organization structures built around particular
jobs to a setting in which a person’s work is defined in terms of what needs to be done.12 In many organizations,
it is no longer appropriate for people to establish their turfs and narrowly define their jobs to address only specific
functions. Yet, as jobs “disappear,” IT can enable employees to better perform their roles in tomorrow’s workplace;
that is, IT can help employees function and collaborate in accomplishing work that more broadly encompasses all
the tasks that need to be done.
In this chapter, a simple framework is used to assess how emerging technologies may affect work. As is suggested
by the Information Systems Strategy Triangle (in Chapter 1), this framework links the organizational strategy with
IS decisions. This framework is useful in designing characteristics of work by asking key questions and helping
identify where IS can affect how the work is done.
Consider the following questions:
• What work will be performed? Understanding what tasks are needed to complete the process being done by the employee requires an assessment of specific desired outcomes, inputs, and transformation needed to
turn inputs into outcomes. Many types of work are based upon recurring operations such as those found in
manufacturing plants or service industries. The value chain helps in understanding the workflow for key tasks
that are performed (i.e., purchasing, materials handling, manufacturing, customer service, repair). Increas-
ingly, much work is done at a keyboard and involves managing knowledge, information, or data. Each type
of work has a unique set of characteristics and tasks that needs to be supported by information technology.
• Who is going to do the work? Sometimes the work can be automated. However, if a person is going to do the work, who should that person be? What skills are needed? From what part of the organization should that
person come? If a team is going to do the work, many of these same questions need to be asked. However, they
are asked within the context of the team: Who should be on the team? What skills do the team members need?
What parts of the organization need to be represented by the team? Will the team members be dispersed?
• Where will the work be performed? With the increasing availability of networks, Web tools, apps, mobile devices, cloud‐based computing, and the Internet in general, managers can now design work for employees
who come to the office or who work remotely. Does the work need to be performed locally at a company
office? Can it be done remotely at home? On the road?
• When will the work be performed? Traditionally, work was done during “normal business hours,” which meant 9 a.m. to 5 p.m. In many parts of the world, a job between the hours of 9 and 5 is an anomaly. Tech-
nologies also make it easier to work whenever necessary. The reality of modern technologies is that they
often tether employees to a schedule of 24 hours a day, seven days a week (24/7) when they are always
accessible to calls or other communications through their mobile devices.
• How can the acceptance of IT‐induced change be increased? In this text, the overarching questions are how to leverage IT to help improve work and how to keep IT from inhibiting work. Sometimes this means
automating certain tasks. For example, computers are much better at keeping track of inventory, calculating
compensation, and many other repetitious tasks that are opportunities for human error. On the other hand,
technologies provide increasing support for tasks at which humans excel, such as decision making, com-
munication, and collaboration tasks among employees. Using a structured change management approach to
manage IT‐induced change will increase the probability of success.
11 William Bridges, JobShift: How to Prosper in a Workplace without Jobs (New York: Addison‐Wesley, 1995). 12 Ibid.
c04.indd 77 11/26/2015 7:16:44 PM
78 Digital Systems and the Design of Work
Figure 4.1 shows how these questions can be used in a framework to incorporate technologies into the design of
work. Although it is outside the scope of this chapter to discuss the current research on either work or job design,
you are encouraged to read these rich literatures.
How Information Technology Changes the Nature of Work Advances in IT provide an expanding set of tools that make individual employees more productive and broaden
their capabilities. They transform the way work is performed—and the nature of the work itself. This section exam-
ines three ways in which new IT alters employee life: by creating new types of work, by enabling new ways to do
traditional work, and by supporting new ways to manage people.
Creating New Types of Work
IT often leads to the creation of new jobs or redefines existing ones. The high‐tech field has emerged in its entirety
over the past 60 years and has created a wide range of positions in the IT sector, such as programmers, analysts,
managers, hardware assemblers, Web site designers, software sales personnel, social media specialists, and consul-
tants. A study based on the Bureau of Labor statistics places the number of IT employees in the United States at an
all‐time high of 4.9 million.13 Even within traditional non‐IT organizations, the growing reliance on IS creates new
types of jobs, such as data scientists who mine for insights in the company’s data, community managers who man-
age the firm’s online communities, and communications managers who manage the use of communication technol-
ogies for the business. IS departments also employ individuals who help create and manage the technologies, such
WHAT:
What work will be
performed?
(e.g., operations,
sales,
management)
HOW:
How can acceptance of IT-induced
change be increased?
(e.g., unfreeze-change-refreeze,
Kotter’s 8 steps to managing
change, technology
acceptance model)
WHO:
Who is going to do the
work?
(e.g., individuals,
groups)
WHERE:
Where will the work be
performed?
(e.g., at the office,
at home,
on the road)
WHEN:
When will the work be
performed?
(e.g., 9–5, 24/7,
flexible scheduling)
FIGURE 4.1 Framework for work design.
13 TechServe Alliance, “IT Employment Grows Modestly in April,” http://www.techservealliance.org/pressroom/documents/Press_Release_May2015_
MBR.pdf (accessed May 30, 2015).
c04.indd 78 11/26/2015 7:16:44 PM
79How Information Technology Changes the Nature of Work
as systems analysts, database administrators, network administrators, and network security advisors. The Internet
has given rise to many other types of jobs, such as Web masters and site designers. Virtually every department in
every business has someone who “knows the information systems” as part of her or his job.
New Ways to Do Traditional Work
Changing the Way Work Is Done
IT has changed the way work is done. Many traditional jobs are now done by computers. For example, computers
can check spelling in documents, whereas traditionally that was the job of an editor or writer. Jobs once done by art
and skill are often greatly changed by the introduction of IT. Workers at one time needed an understanding of not
only what to do but also how to do it; now their main task often is to make sure the computer is working because the
computer does the task for them. Sadly, many cashiers no longer seem to be able to add, subtract, or take discounts
because they have grown up letting the computer in their point‐of‐sale (POS) terminal do the calculations for them.
Workers once were familiar with others in their organization because they passed work to them; now they may
never know those co‐employees because the IT routes the work. In sum, the introduction of IT into an organization
can greatly change the day‐to‐day tasks performed by its employees.
In her landmark research, Shoshana Zuboff describes a paper mill in which papermakers’ jobs were radically
changed with the introduction of computers.14 The papermakers mixed big vats of paper and knew when the paper
was ready by the smell, consistency, and other subjective attributes of the mixture. For example, one employee
could judge the amount of chlorine in the mixture by sniffing and squeezing the pulp. They were masters at their
craft, but they were not able to explicitly describe to anyone else exactly what was done to make paper. An appren-
ticeship was needed to train new generations of masters, and the process of learning how to smell and squeeze the
paper pulp was arduous. The company, in an effort to increase productivity in the papermaking process, installed
an information and control system. Instead of the employees looking at and personally testing the vats of paper,
the system continuously tested parameters and displayed the results on a panel located in the control room. The
papermakers sat in the control room, reading the numbers, and making decisions on how to make the paper.
Many found it much more difficult, if not impossible, to make the same quality paper when watching the control
panel instead of personally testing, smelling, and looking at the vats. The introduction of the information system
resulted in the need for different skills to make paper. Abstracting the entire process and displaying the results
on electronic readouts required skills to interpret the measurements, conditions, and data generated by the new
computer system.
In another example, sales and delivery people at a snack company have portable devices that not only keep
track of inventory but also help them in the selling function. Prior to the information system, the salespeople used
manual processes to keep track of inventory in their trucks. When visiting customers, it was possible only to tell
them what was missing from their shelves and to replenish any stock they wanted. With IT, the salespeople have
become more like marketing and sales consultants, helping the customers with models and data of previous sales,
floor layouts, and replenishment as well as forecasting demand based on analysis of the data histories stored in the
IS. The salespeople need to do more than be persuasive. They now must also do data analysis and floor plan design
in addition to using the computer. Thus, the skills needed by the salespeople as well as the workflow, have greatly
changed with the introduction of IT.
One of the biggest changes in workflow has been in the area of data entry. In the past, the workflow included
capturing the data, keying it into the system, rekeying it to check its accuracy, and then processing it. The workflow
has now changed to capture the data directly when it is entered by the user in a variety of ways such as from the
Web, with a GPS signal, or by reading the RFID code. A program may check its accuracy when it is captured and
then process it. Companies are moving way from entering sales data at all; customers enter it for them when they
place an order. As data entry tasks are eliminated, the steps in the workflow are drastically reduced, and the process
is much faster.
14 Shoshana Zuboff, In the Age of the Smart Machine: The Future of Work and Power (New York: Basic Books, 1988), 211.
c04.indd 79 11/26/2015 7:16:44 PM
80 Digital Systems and the Design of Work
A study by Frey and Osborn examined 702 occupations and noted that 47% of total U.S. employment is at
high risk of being automated in the next few years. Least likely to be automated are those jobs with nonroutine
tasks involving complex perception and manipulation as well as creative and social intelligence.15 Even knowledge
employees, who once felt safe in their jobs because of the high degree of analysis and diagnosis they performed,
are at risk of automation as analytics and cognitive intelligence systems become increasingly more accurate in their
predictions and diagnoses.
The Internet enables changes in many types of work. For example, within minutes, financial analysts can down-
load an annual report from a corporate Web site to their smartphones and check what others have said about the
company’s growth prospects on social networks. Librarians can check the holdings of other libraries online and
request that particular volumes be routed to their own clients or download the articles from a growing number of
databases. Marketing professionals can pretest the reactions of consumers to potential products in virtual worlds.
Technical support agents diagnose and resolve problems on remote client computers using the Internet. The cost
and time required to access information has plummeted, increasing personal productivity and giving employees
new tools. It is hard to imagine a job today that doesn’t have a significant information systems component.
For those tasks that must be done by people, companies can use information technology to find willing employees
at what may seem like bargain rates. Amazon’s Mechanical Turk has created a marketplace site on which an orga-
nization can post tasks at specified rates. Willing employees can use this site to find those tasks. For example, a
company posted that it wanted employees to enter data from photos of cash register receipts. Another company
posted a task offer of transcribing a 25‐second audiotape. Many of these task offers involve very small amounts,
often $.05 to $.25. Some tasks take a significant portion of an hour and pay up to $5 or more. Some of the employees
do very brief tasks at low pay so they can gain higher status and qualify for higher‐paying tasks. Although this isn’t
automating a task inside an organization, from the manager’s perspective, it’s another way to use IT to change the
work done by the employees of the organization.
Changing Communication Patterns
All one has to do is observe people walking down a busy downtown street or a college campus to note changes in
communication patterns over a period as short as the last decade. Some people are talking on their cell phones, but
even more are texting or using apps for all kinds of reasons, such as checking out game scores, specials at nearby
restaurants, or movie times. Or observe what happens when a plane lands. It seems that over half the people on
the plane whip out their portable devices or cell phones as soon as the plane touches down. They are busy making
arrangements to meet the people who are picking them up at the airport or checking to see the calls or e‐mails they
missed while in flight. Finally, consider meeting a friend at a busy subway station in Hong Kong. It is virtually
impossible without the aid of a cell phone to locate each other. Some may say that we are addicted to our mobile
technologies, unable to put them away even when driving or walking, unfortunately sometimes leading to dan-
gerous behaviors.
Applications (Apps) such as iMessage, Skype, Twitter, and Sina Weibo (Chinese Twitter) have changed how
people communicate. Traditionally, people found each other in person to have a conversation in the moment. With
the telephone, people called each other and both parties had to participate at the same time to have a conversation.
Along came e‐mail, which rapidly became the communication technology of choice because it eliminated the need
for those involved in the conversation to participate at the same time. Today, people have an array of communica-
tions technologies, and, once again, IT is changing communication patterns. Some rely on texting, others on video
conferences, such as Facetime or Skype, and still others on social networks such as Facebook or Renren, for their
primary communications channel. The challenge created by the large number of choices is that individuals now
must have a presence on numerous platforms to ensure that they can be contacted. Further, one must know how
not only to contact someone but also to recognize that the person’s preferred medium might change during the day,
week, or month. For example, during normal business hours, an employee might prefer to receive e‐mail or a phone
call. But after hours, he or she might prefer a text, and late at night, while surfing the Web, may prefer a message on
15 C. B. Frey and M. Osborn, “The Future of Employment: How Susceptible Are Jobs to Computerisation?” (September 17, 2013), http://www.oxfordmartin.
ox.ac.uk/downloads/academic/The_Future_of_Employment.pdf (accessed August 25, 2015).
c04.indd 80 11/26/2015 7:16:44 PM
81How Information Technology Changes the Nature of Work
Facebook Messenger or Skype. Without knowledge of the recipients’ preferences for how to receive the message,
the sender is likely to be unsuccessful in communicating with the recipients over the proper channel. A sender who
doesn’t know which medium the recipient prefers might use one medium (e.g., e‐mail) to see whether the recipient
is open to using another medium (e.g., phone).
Similarly, IT is changing the communication patterns of employees. There are still some employees who do not
need to communicate with others for the bulk of their workday. For example, many truck drivers do not interact
with others in their organization while driving to their destination. But there are other ways communication tech-
nologies have changed the work done by truck drivers. Consider the example of a Walmart driver who picks up
goods dropped off by manufacturers at the Walmart distribution center and then delivers them in small batches to
one or more Walmart stores. Walmart has provided its drivers with radios and satellite systems so that, on short
notice, on their way back to the distribution center to load up for the next delivery, they can opportunistically pick
up goods from manufacturers and take them to the distribution center. In this way, the company saves the delivery
charges from that manufacturer and conserves energy in the process. Walmart office staff and drivers therefore use
IT to save money by enhancing their communications with suppliers.16
Many changes in communication have been supported, if not propelled, by IT. Some communication technol-
ogies, such as social networking and microblogs, are rather new and unfamiliar, motivating managers in many orga-
nizations to understand how to apply them to work‐related applications in a way that adds value to their business.
These and other communication tools help make large companies feel smaller by bringing together employees
from geographic disparate locations and from a variety of divisions and levels in the organization. Large companies
can feel smaller because communications technology enables individuals to find each other despite the organiza-
tion’s size. These tools also help small companies feel like large companies because, to some degree, they level the
playing field in the ways companies communicate and collaborate. Thomas Friedman, the author of the popular
The World Is Flat and other books, argues that collaboration is the way that small companies can “act big” and flourish in today’s flat world. The key to success is for such companies “to take advantage of all the new tools for
collaboration to reach farther, faster, wider and deeper.”17 For example, any company can have a Facebook page or
a Twitter feed, making it difficult to distinguish between small and large organizations simply by interacting over
these technologies.
Changing Organizational Decision Making and Information Processing
IT changes not only organizational decision‐making processes but also the information used in making those
decisions. Data processed to create more accurate and timely information are being captured earlier in a process.
Analytics (see Chapter 12) have made it possible to mine data stores and identify insights, make predictions, and
even suggest decisions. Through information technologies, information that employees need to do their job can be
pushed to them in real time or saved and made available when they need it.
IT can change the amount and type of information available to employees. For example, salespeople can use
technology to get quick answers to customer questions. Further, IT‐based tools allow salespeople to search for
best practices on a marketing topic over a social network and to benefit from blogs and wikis written by informed
employees in their company. Organizations now maintain large comprehensive business databases, called data warehouses, that can be mined by using tools to analyze patterns, trends, and relationships. We discuss data management in Chapter 12.
Modern devices with voice interfaces have assistants that further change decision‐making processes. Apps such
as Siri, Cortana, and Google‐Now allow users to talk to their devices, often mobile ones, to access information from
either their devices or the Internet. These types of interfaces are increasingly being built into enterprise systems to
supplement ways employees gather information, increasing employee efficiency.
In their classic 1958 Harvard Business Review article, Leavitt and Whisler boldly predicted that IT would shrink the ranks of middle management by the 1980s.18 Because of IT, top‐level executives would have access
16 Thomas L. Friedman, The World is Flat (New York: Farrar, Straus and Giroux, 2005), 145. 17 Ibid. 18 Harold Leavitt and Thomas Whisler, “Management in the 1980s,” Harvard Business Review (November–December 1958), 41–48.
c04.indd 81 11/26/2015 7:16:44 PM
82 Digital Systems and the Design of Work
to information and decision‐making tools and models that would allow them to easily assume tasks previously
performed by middle managers. Other tasks clearly in the typical job description of middle managers at the time
would become so routinized and programmed because of IT that lower‐level managers could perform them. As
Leavitt and Whisler predicted, the 1980s saw a shrinking in the ranks of middle managers. This trend was partly
attributable to widespread corporate downsizing, which forced many organizations to find alternatives to getting
the work done and IT solutions to proliferate to fill the gap. However, it was also attributable to changes in decision
making induced by IT. Since the 1980s, IT has become an even more commonly employed tool of executive
decision makers. IT has increased the flow of information to them and provided tools for filtering and analyzing
the information.
Changing Collaboration
IT helps make work more team oriented and collaborative. Technologies such as texting (SMS), instant messaging
(IM), Web logs (blogs), virtual worlds, groupware, wikis, social networking, and video teleconferencing are at the
heart of collaboration today. Groups can form and share documents with less effort using these platforms. Group
members can seek or provide information from or to each other much more easily than ever before. And groups can
connect by voice or with voice and video using these platforms.
Collaboration takes place in one of four ways. Teams are collocated and work together at the same time, they are
collocated but work at different times, they are not located in the same place but work at the same time, or they work
from different places at different times. Figure 4.2 summarizes these options and lists representative technologies
that facilitate collaboration for each type of team.
Consider the New York‐based marketing firm CoActive Digital whose president decided to implement a wiki to
have a common place where 25 to 30 people could go to share a variety of documents ranging from large files to
meeting notes and PowerPoint presentations.19 An added benefit was that the wiki was encrypted, protected, and
could be used only with a virtual private network (VPN). The president recognized that the challenge for imple-
menting the wiki would be to change a culture in which e‐mail had long been the staple for communication. Conse-
quently, he decided to work closely with the leader of the business development group. This group handles inquiries
from customers and coordinates the work (i.e., marketing campaigns) internally. The group needed to hold many
meetings and share much work. He populated the wiki site with the documents that had formerly been traded over
e‐mail and asked the leader to encourage her group members to use the wikis. It took some effort, but eventually the
group learned to appreciate the benefits of the wiki for collaboration and to reduce members’ dependence on e‐mail.
Verifone’s company culture is one that encourages information sharing. A story is told of a new salesperson who
was trying to close a particularly big deal. He was about to get a customer signature on the contract when he was
asked about the competition’s system. Being new to the company, he did not have an answer, but he knew he could
FIGURE 4.2 Collaboration technologies matrix: Examples of key enabling technologies. Source: Adapted from Geraldine DeSanctis and R. Brent Gallupe, “A Foundation for the Study of Group Decision Support Systems,” Management Science 33, no. 5 (May 1987), 589–609.
Team Works at the Same Time Team Works at Different Time
Team Works in the Same Place Face‐to‐face meetings
Meeting room technologies
Document sharing systems (wikis)
Electronic bulletin boards
Document sharing systems (wikis)
Team Works in Different Places Video conferencing
Chat rooms
Texting (SMS) and instant messaging (IM)
Document sharing systems (wikis)
E‐mail
Microblogs (e.g., Twitter)
Texting (SMS) and instant messaging (IM)
Document sharing systems (wikis)
19 C. G. Lynch, “How a Marketing Firm Implemented an Enterprise Wiki,” http://www.cio.com/article/print/413063 (accessed July 9, 2008).
c04.indd 82 11/26/2015 7:16:44 PM
83How Information Technology Changes the Nature of Work
count on the company’s information network for help. He asked his customer for 24 hours to research the answer.
He then sent an e‐mail to everyone in the company asking the questions posed by the customer. The next morning,
he had several responses from others around the company. He went to his client with the answers and closed the
deal. What is interesting about this example is that others around the world treated the “new guy” as a colleague
even though they did not know him personally. He was also able to collaborate with them instantaneously. It was
standard procedure, not panic time, because of the culture of collaboration in this company. With increased use of
social networks and other social tools, instantaneous collaboration is commonplace.20
The Internet has greatly enhanced collaboration. Beyond sharing and conversing, teams can also use the Web
to create something together. An example of this is Wikipedia on which individuals who do not know each other
contribute to the information on a topic. At computer company Dell, a Web‐based site named IdeaStorm has
been used since 2008 for idea generation, discussion, and prioritization between and among individuals in the
Dell community, including staff, executives, customers, and potential customers. Recent statistics show that over
23,000 ideas have been submitted, over 747,000 votes for ideas have been recorded, and over 100,000 comments
have been posted about the ideas suggested. Dell’s management has implemented over 500 of the ideas. Ideas
can range from small incremental improvements such as adding a port to an existing product to large sweeping
changes such as creating a new product line. Some ideas, such as how to change the retail experience or support
activities, are process oriented. Some ideas are about education, the environment, and other topics related to Dell’s
business. The company has since implemented an internal version of this system, Employee Storm, only open to
internal staff. Employee Storm invites ideas on company benefits, innovations, ways to work better, and other
company‐focused issues. Many other companies have implemented similar platforms, including IBM’s Think-
Place, BestBuy’s BlueShirt Nation, and ESPN’s SportsNation.
Changing the Ways to Connect
Probably one of the biggest changes that people are experiencing as a result of new technologies is that they are
always connected. In fact, many feel tethered to their mobile phones, tablets, or laptops to such a large extent that
they must be available at all times so that they can respond to requests from their supervisors, colleagues, or cus-
tomers. As a result, the boundaries between work and play have become blurred, now causing people to struggle
even more with work–life balance.
Businesses are still trying to understand the technological advances that have become commonplace. Many in
the workforce find that their technology at home differs from that at work and prefer those at home. For example,
while although many use social media tools on their tablets, laptops, or smartphones during the weekend at home,
on Monday morning, they find themselves working on an older desktop system with slow access to the files and
Web‐based systems they want to use for their work.21 They find this quite bothersome. In fact, a Cisco Systems
survey of young professionals and college students found that one in three believes the Internet is as important as
air, water, food, and shelter. Two people in five say they would accept a lower‐paying job that had more flexibility
with regard to device choice, social media access, and mobility over a higher‐paying job with less flexibility.22 In
commenting on the survey findings, Marie Hattar, vice president, Enterprise Marketing, Cisco, stated:
The results of the Cisco Connected World Technology Report should make businesses re‐examine how they need to
evolve in order to attract talent and shape their business models. Without a doubt, our world is changing to be much
more Internet‐focused, and becomes even more so with each new generation.
CIOs need to plan and scale their networks now to address the security and mobility demands that the next generation
workforce will put on their infrastructure, and they need to do this in conjunction with a proper assessment of corporate
policies.23
20 Hossam Galal, Donna Stoddard, Richard Nolan, and Jon Kao, “VeriFone: The Transaction Automation Company,” Harvard Business School Case
Study 195–088, July 1994. 21 Cognizant, “The Future of Work Has Arrived: Time to Re‐Focus IT” (February 2011), 1–15, http://www.cognizant.com/SiteDocuments/CBC_FoW_
Time_to_Refocus_IT.pdf (accessed August 25, 2015). 22 Cisco Connected World Technology Report, 2011 Findings, http://www.cisco.com/en/US/netsol/ns1120/index.html#~2011 (accessed August 25, 2015). 23 “Air, Food, Water, Internet—Cisco Study Reveals Just How Important Internet and Networks Have Become as Fundamental Resources in Daily Life,”
http://newsroom.cisco.com/press‐release‐content?type=webcontent&articleId=474852 (accessed August 25, 2015).
c04.indd 83 11/26/2015 7:16:44 PM
84 Digital Systems and the Design of Work
Consider IBM ’ s SmallBlue—an opt‐in social network analysis tool that maps the knowledge and the connec-
tions of IBM employees. SmallBlue can be used to fi nd employees with specifi c knowledge or skills, display
employee networks on particular topics, validate a person ’ s expertise based on her or his corporate profi le, and
display a visualization of an employees ’ personal social networks. IBM claims that SmallBlue has promoted inno-
vation, effectiveness, and effi ciency. 24
The preceding examples show how technologies have become a key component in the design of work. IT has
greatly changed day‐to‐day tasks, which in turn has changed the skills needed by employees. The examples show
how adding IT to a work environment can change the way that work is done.
New Ways to Manage People
New working arrangements create new challenges in how employees are supervised, evaluated, compensated, and
even hired. When most work was performed individually in a central location, supervision and evaluation were
relatively easy. A manager could directly observe the employee who spent much of his or her day in an offi ce. It
was fairly simple to determine whether or not the employee was present and productive.
Modern organizations often face the challenge of managing a workforce that is spread across the world in iso-
lation from direct supervision and working mostly in teams. Sales work is one area in which we see this. Rather
than working in a central offi ce, external salespeople work remotely, relying on laptop computers, smart phones,
the Web and apps linking them to customers, offi ce colleagues, sales support information, and other databases.
The technical complexity of some products, such as enterprise software, necessitates a team‐based sales approach
combining the expertise of many individuals, and technologies connect the team together.
Modern organizations must also choose among three types of formal controls to ensure that work is done
properly. 25 Behavior controls involve direct monitoring and supervision of employee actions while the work is being done. Vivid depictions of behavior controls are provided in road construction projects that have one employee dig-
ging and another watching, motionless with arms folded. On the other hand, outcome controls involve examining work outcomes rather than work actions. Finally, personnel controls represent a proper fi t between the person and the job, often involving picking the right person for the task.
Social Business Lens: Activity Streams
An activity stream is a list of activities on a Web site that briefl y highlight what the individuals connected to that
stream are doing. Activity streams can include posts by individuals who share what they are doing or thinking and
posts directly by other programs, which deposit an update about what an individual is doing. By collecting all of
these posts in a single feed, the activity stream gives a reader a good sense of what is happening in a community.
Examples of activity streams are Facebook ’ s news feed and Salesforce.com ’ s Chatter. Companies that incor-
porate activity streams in their social business platform report that teams using that technology had fewer face‐to‐
face meetings, reduced e‐mail, faster information fl ows, better collaboration, and increased responsiveness. An
activity stream can keep staff updated on the happenings around an organization. For example, SAS , the interna-
tional statistics and analytics software company, implemented an activity stream for its employees. Staff were able
to keep track of what others were working on over an activity stream that mimicked the news feed that Facebook
users see on their home page. Staff could share, comment on, or “like” pages and documents they found in their
systems or on the Web and those entries would show up in the activity stream.
Source: David F. Carr , “ SAS Creates Internal Facebook with Socialcast ” (April 29, 2011 ), http://www.informationweek.com/ thebrainyard/news/social_networking_private_platforms/229402527/sas‐institute‐creates‐internal‐facebook‐with‐socialcast (accessed on April 5, 2012) .
24 For additional information on SmallBlue, see http://www.watson.ibm.com/cambridge/Projects/project8.shtml (accessed May 31, 2015). 25 L. J. Kirsch , “ Portfolios of Control Modes and IS Project Management ,” Information Systems Research 8 , no. 3 ( 1997 ), 215 – 239 ; W. G. Ouchi , “ The Transmission of Control through Organizational Hierarchy ,” Academy of Management Journal 21 , no. 2 ( 1978 ), 173 – 92 ; K. A. Merchant , Modern Management Control Systems, Text and Cases ( Upper Saddle River, NJ : Prentice‐Hall , 1998 ).
c04.indd 84 11/26/2015 7:16:45 PM
85How Information Technology Changes the Nature of Work
It is important for a firm to choose the right type of control for each position being supervised. Behavior controls
make the most sense for physical labor in which incorrect particular body movements might be inefficient or even
dangerous. Programmers would consider it quite insulting to have a supervisor exercise action control and watch
every keystroke whereas transcriptionists might understand the need to track each keystroke. Outcome controls
make more sense not only for programmers but also for many other personnel, such as engineers, sales managers,
and ad writers. However, personnel controls are more useful when it would take several years to evaluate the results
of work, which is often the case when goals are indefinable, conflicting, or confusing and the stakes are high. For
instance, when Apple was having difficulty defining a meaningful product line in the mid‐1990s, the firm resorted
to personnel controls when it determined that the right way to redefine its mission was to bring back Steve Jobs.
After two decades, hindsight shows that Jobs was the right choice. Personnel controls are useful for situations in
which it is difficult not only when to expect results but also to define what results should even be expected. When the results of work are fairly well defined, technology can change dramatically how it is monitored. One
technological solution, electronic employee monitoring (introduced in Chapter 3), can replace direct supervision
and provide detailed behavior controls, automatically logging keystrokes, listing the Web sites visited, or even
recording the contents of an employee’s screen. Technology can also provide outcome controls by tracking the
number of calls processed, e‐mail messages sent, or time spent surfing the Web. When output is monitored digi-
tally, pay‐for‐performance compensation strategies reward employees for deliverables produced or targets met as
opposed to vague subjective factors such as “attitude” or “teamwork.” Further, supervisors can spend time coaching,
motivating, and planning rather than personally monitoring performance because they can utilize the information
gathered from electronic monitoring systems for that task. The introduction of BlueWork at American Express illus-
trates the need to change from an approach in which managers watch employees and count the hours they spend at
their desks to one that focuses instead on the work they actually do. These changes are summarized in Figure 4.3.
IT has also impacted the way employees are hired, becoming an essential part of that process for many firms.
Open positions are posted on job Web sites, and applicants submit resumes over the Web, complete applications on
line, and refer potential employers to their personal Web sites. When researching candidates, companies often look
at their Facebook pages and do online searches of the candidates to see what pops up. Social networking provides
a forum for informal introductions and casual conversations in cyberspace. Interviews can be arranged in virtual
worlds or via teleconferencing to reduce travel costs. A face‐to‐face interview is usually eventually required, but
recruiters can significantly and more effectively filter the applicant pool, reducing the number of expensive site visits.
In addition, companies increasingly realize that hiring is changing and that recruiting efforts should reflect
the new approaches people are using to look for jobs. Tech‐savvy job applicants are now using business‐oriented
social networks such as LinkedIn to seek contacts for jobs and online job search engines like Monster.com and
CareerBuilder.com to find job listings. A Facebook app, BeKnown, provides a profile detailing an individual’s work
experience, a news feed for contact updates and actions, a search tool to locate people and connect with them, and
FIGURE 4.3 Changes to supervision, evaluations, compensation, and hiring.
Traditional Approach: Subjective Observation Digital Approach: Objective Assessment
Supervision It is personal and informal. Manager is usually present or relies on others to ensure that the employee is present and productive.
It is electronic or assessed by deliverables. As long as the employee is producing value, he or she does not need direct formal supervision.
Evaluation Behavior controls are predominant. Focus is on process through direct observation. Manager sees how employee performs at work. Subjective (personal) factors are very important.
Outcome controls are predominant. Focus is on output by deliverable (e.g., produce a report by a certain date) or by target (e.g., meet a sales quota). Fewer subjective measures are used.
Compensation and Rewards
It is often individually based. It is often team based or contractually spelled out.
Hiring Hiring is done through meetings with HR personnel with little concern for computer skills.
It is often electronic with recruiting Web sites and electronic testing for more information‐based work that requires a higher level of IT skills.
c04.indd 85 11/26/2015 7:16:45 PM
86 Digital Systems and the Design of Work
a way to recommend other users or display badges earned for completing certain professional goals. The app also
is integrated with Monster.com’s job listings.26
Furthermore, the way an organization uses IT affects the array of technical and nontechnical skills needed in
its employees. For example many basic clerical tasks can be performed expeditiously with IT, so fewer employees
with those basic skills are required, making room for those with more targeted skills. Just to be sure employees are
IT savvy, too, the actual hiring process may require applicants to complete an assessment or perform other activities
online. In this way, hiring managers can raise the overall IT competency exhibited by employees in their businesses.
Employees who cannot keep pace with IT are increasingly unemployable.
The design of the work needed by an organization is a function of the skill mix required for its work processes
and of the flow of those processes themselves. Thus, a company that infuses technology effectively and employs
a workforce with a high level of IT skills designs itself differently from a company that does not. The skill mix
required by an IT‐savvy firm reflects a high capacity for using the technology itself. For example, because many
clerical skills are now embedded in the technologies staff use, fewer clerical staff are needed and those who are
hired by the company often do specialized work that is not easily automated or subsumed by technology.
As workforce demographics shift, so do the IT needs and opportunities to change work. Digital natives—people
who have grown up using computers, social networking sites, texting, and the Web as a normal, integrated part of
their daily lives—are finding new and innovative ways to do their work. There are widely varying impacts from
the skills these employees bring to their work, including how to do their work in a new, and often more efficient,
manner.
IT has drastically changed the landscape of work today. As a result of IT, many new jobs have been created. In
the next section, we examine how IT can change where work is done, when it is done, and who does it.
Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements This section examines another important effect of IT on work: the ability of some employees to work anywhere
at any time. With WiFi virtually ubiquitous, individual employees can connect to the Web from almost anywhere.
And with powerful technologies available in the consumer space, employees often find the tools and apps they
have at home function as well as, or even better than, their workplace technologies. Research also suggests that
employees—especially those younger employees who have never known a world without ubiquitous access to
personal smart devices and the Web—prefer to have the work–life flexibility that remote and mobile work arrange-
ments provide. At the group level, virtual teams have become standard operating mechanisms to bring the best
individuals available to work together on a task. We explore remote work from the perspective of both individuals
and teams in the next section.
Remote Work and Virtual Teams
Flexible work arrangements, although not the norm for many organizations, have been gaining support as
technologies enable employees to be “virtually present” for their employers. The terms telecommuting, mo- bile worker, and remote worker are often used to describe flexible work arrangements. Telecommuting, some- times called teleworking, refers to employees working from home, at a customer site, or from other convenient locations instead of coming into the corporate office. The word telecommute is derived from combining “tele- communications” with “commuting,” indicating that these employees use telecommunications instead of driving,
or commuting, to the office. Mobile workers are those who work from wherever they are. They are outfitted with the technology necessary for access to co‐workers, company computers, intranets, and other information
sources. We use the term remote workers when we refer to both telecommuters and mobile workers.
26 Kristin Burnham, “Monster.com Brings Professional Social Networking to Facebook,” CIO.com (July 15, 2011), http://blogs.cio.com/print/16406
(accessed February 2, 2012).
c04.indd 86 11/26/2015 7:16:45 PM
87Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
Phase Preparation Launch Performance Management
Team Development
Disbanding
Key Activities Mission statement
Personnel selection
Task design
Rewards system
Technology selection and installment
Kick‐off meetings
Getting acquainted
Goal clarification
Norm development
Leadership
Communication
Conflict resolution
Task accomplishment
Motivation
Knowledge management
Norm enforcement and shaping
Assessment of needs/deficits
Individual and/or team training
Evaluation of training effects
Trust building
Recognition of achievements
Re‐integration of team members
Such employees work not only on a remotely independent basis but also with remote members on virtual teams.
Virtual teams are defined as two or more people who (1) work together interdependently with mutual accountability for achieving common goals, (2) do not work in either the same place and/or at the same time, and (3) must use
electronic communication and other digital technologies to communicate, coordinate their activities, and complete
their team’s tasks. Initially, virtual teams were seen as an alternative to conventional teams that meet face‐to‐face.
However, it is simplistic to view teams as either meeting totally face‐to‐face or totally virtually. Rather, teams may
reflect varying degrees of virtuality. Virtual team members may be in different locations, organizations, time zones,
or work shifts (day, evening, or overnight). Further, like most teams, virtual teams may have distinct, relatively
permanent membership, or they may be relatively fluid as they evolve to respond to changing task requirements and
as members leave and are replaced by new members.
Virtual teams are thought to have a life cycle like most teams.27 Their lifecycle, shown in Figure 4.4, is note-
worthy because it the important activities in team development: Teams are formed; their work is completed; and,
the team is disbanded.
Factors Driving Use of Remote Work and Virtual Teams
Remote working has been around since the 1970s, but it has steadily been gaining popularity since the late 1990s.
One poll of 11,300 employees in 22 countries found that one 1 of 6 telecommute worldwide.28 And as managers
move to build teams of the best talent available, they inevitably turn to virtual teams as the mechanism to bring
people together for a task. Several factors that drive these trends are shown in Figure 4.5.
The first factor is that work is increasingly knowledge based. The United States and many other world econ-
omies continue to shift from manufacturing to service industries. Equipped with the right IT, employees can create,
assimilate, and distribute knowledge as effectively from home as they can from an office. The shift to knowledge‐
based work thus tends to minimize the need for a particular locus of activity.
The second factor is that remote workers and virtual team members often shift the time of their work to accom-
modate their lifestyles. For instance, parents modify their work schedules to allow time to take their children to
school and attend extracurricular activities. Telecommuting provides an attractive alternative for parents who might
otherwise decide to take leaves of absence from work for child rearing. Telecommuting also enables people who are
housebound by illness, disability, or the lack of access to transportation to join the workforce.
FIGURE 4.4 Key activities in the life cycle of teams.
27 G. Hertel, S. Geister, and U. Konradt, “Managing Virtual Teams: A Review of Current Empirical Research,” Human Resource Management Review 15, no. 1 (2005), 69–95. 28 The actual statistics for the number of telecommuters is hard to find. These figures were obtained from Smart Planet, http://www.smartplanet.com/blog/
business‐brains/one‐sixth‐of‐the‐worlds‐employees‐now‐telecommute‐survey/21616 (accessed June 19, 2015).
Source: Adapted from Guido Hertel, Susanne Geister, and Udo Konradt, “Managing Virtual Teams: A Review of Current Empirical Research,” Human Resource Management Review 15, no. 1 (2005), 69–95.
c04.indd 87 11/26/2015 7:16:45 PM
88 Digital Systems and the Design of Work
Geographic Lens: How Do People Around the World Feel About Working Remotely?
A recent survey by Cisco found marked national differences about how professionals viewed their ability to be
productive when working remotely. On average, 39% of the 1,303 professionals in 13 countries surveyed answered
“yes” when asked whether it was necessary for them to be in the offi ce to make decisions more effectively and
effi ciently (i.e., nothing replaces daily in‐person interaction), but only 7% answered “yes” in India whereas 56%
and 57% answered “yes” in Japan and Germany, respectively. That is, a large percentage of people in Japan and
Germany thought they had to come into the physical offi ce to be productive. This wasn ’ t the case at all in India.
A very small percentage of Indians felt they had to be tethered to a desk in a physical offi ce. They could do their
work by staying connected to their workplaces through a variety of devices including their laptops, tablets, and
smartphones.
Source: “ The Cisco Connected World Report ” (October 2010), http://newsroom.cisco.com/dlls/2010/ekits/ccwr_final.pdf (accessed February 4, 2012).
FIGURE 4.5 Driving factors of remote work and virtual teams.
Driver Effect
Shift to knowledge‐based work Eliminates requirement that certain work be performed in a specifi c place
Changing demographics and lifestyle preferences Provides workers geographic and time‐shifting fl exibility
New technologies with enhanced bandwidth Makes remotely performed work practical and cost effective
Reliance on Web Provides employees the ability to stay connected to co‐workers and customers and to access work‐related apps, even on a 24/7 basis
Energy concerns Reduces the cost of commuting (for telecommuters), energy costs associated with real estate (for companies) and travel costs (for companies and for people on virtual teams)
Remote work also provides employees and virtual team members enormous geographic fl exibility. The freedom
to live where one wishes, even at a location remote from one ’ s corporate offi ce, can boost employee morale and
job satisfaction. As a workplace policy, it may also lead to improved employee retention. For example, American
Express employees use the BlueWork program as part of its recruiting pitch. Further, productivity and employee sat-
isfaction for those on the BlueWork program are markedly higher, and voluntary turnover is down. Many employees
can be more productive at home, and they actually work more hours than if they commuted to an offi ce. Further-
more, such impediments to productivity as traffi c delays, canceled fl ights, bad weather, and mild illnesses become
less signifi cant. Companies enjoy this benefi t, too. Those who build in remote work as a standard work practice are
able to hire employees from a much larger talent pool than those companies that require geographical presence.
The third driving factor is that the new technologies, which make work in remote locations viable, are becoming
better, cheaper, and more widely available. Telecommunication and PC speeds are increasing exponentially at
the same time that their costs are plummeting. The oft‐cited time frame involved in this progression is a doubling
of computer capabilities (such as speed) every 18 months. 29 The drastic increase in capabilities of portable tech-
nologies makes small devices more powerful than the computers of yesterday, enabling effective and productive
mobile work. Applications also provide integration between applications. Virtual team members can use Skype,
Webex, Zoom, or any number of video and audio conferencing technologies to work together. Cloud computing
also has contributed to this trend because applications are moved from computers housed in company data centers
to Web‐based hosts such as Amazon Web Services (AWS), Rackspace, and other service providers.
29 Gordon Moore, head of Intel, observed that the capacity of microprocessors doubled roughly every 12 to 18 months. Even though this observation was
made in 1965, it still holds true. Eventually, it became known in the industry as Moore ’ s law.
c04.indd 88 11/26/2015 7:16:45 PM
89Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
A fourth driving factor is the increasing reliance on Web‐based technologies by all generations, especially
younger generations, such as Generation Y and the Millennials. The younger generations are at ease with Web‐
based social relationships and are adept at using social networking tools to grow these relationships. Face‐to‐face
work arrangements are not necessary for these employees to build productive connections. Web‐based tools allow
them to stay connected with their co‐workers and customers. Further, as more and more organizations turn to
fl exible working hours in programs such as BlueWork implemented by American Express and as 24/7 becomes
the norm in terms of service, the Web becomes the standard platform to allow employees to respond to work ’ s
increasing demands.
A fi fth factor is the increasing emphasis on energy conservation. As concerns about greenhouse gasses, carbon
footprints, and even potential future gasoline price increases, employees are looking for ways to be more respon-
sible and frugal at the same time. Telecommuting is quite appealing in such a scenario, especially when public
transportation is not readily available. Companies can also experience lower energy usage and costs from telecom-
muting. SAP reduced its global greenhouse footprint by encouraging employees to shift their commuting behavior.
As a result of these ongoing efforts, emissions from employees ’ commutes dropped. In addition to telecommuting
and encouraging the use of mass transit and carpooling, SAP also began providing employees information on their
carbon footprint from commuting through a new internal dashboard aimed at ensuring greater transparency and
accountability. 30
Many employees no longer need to be tied to offi cial desks. Thus, the real estate needs of their employers are
shrinking, and companies are saving costs by reducing the offi ce space they own or rent. This reduction lowers
their energy needs by no longer needing to heat, cool, or maintain these spaces. Companies are realizing that they
can comply with the Clean Air Act and be praised for their “green computing” practices at the same time they are
reaping considerable cost savings.
Advantages and Disadvantages of Remote Work
There are clearly advantages to remote work. Employees have greater fl exibility in where they work. They can
work from home or from just about any location as long as they have a laptop and a WiFi connection. Employees
often fi nd that they are more productive because they can work in the environment of their choosing without the
distractions of the offi ce. Homebound individuals can work for a company that embraces remote work. Employees
also seem to have higher morale and lower absenteeism in part because they can work from wherever they are,
wearing whatever clothes they want. A remote employee who has a cold may not want to go into the offi ce and
risk spreading the germs to others but can work from home. Employers fi nd advantages of enabling remote work
compelling, too. They are able to hire employees who do not live in the geographic area of the offi ce. They don ’ t
have to monitor the employees the same way, freeing up their time to focus on exceptions and issues that require a
Geographic Lens: Who Telecommutes? A Look at Global Telecommuting Habits
Flexible work arrangements have been around for decades, but as technologies enable new capabilities for
work away from a traditional offi ce, telework has been gaining popularity. In 2015, advisory services fi rm EY sur-
veyed about 9,700 employees in the eight top economies across the globe—the United States, United Kingdom,
India, Japan, China, Germany, Mexico, and Brazil. The fi rm found fl exible work arrangements varied signifi cantly
by country. The report cited countries with the highest and lowest percentages of employees with fl exible work
schedules. Germany (70%), India (61%), and the United States (61%) had the highest percentage, and Japan (30%)
and China (22%) had the lowest.
Source: “EY Global Generations: A Global Study on Work‐Life Challenges Across Generations,” EY.com, http://www.ey.com/ Publication/vwLUAssets/EY‐global‐generations‐a‐global‐study‐on‐work‐life‐challenges‐across‐generations/$FILE/EY‐global‐ generations‐a‐global‐study‐on‐work‐life‐challenges‐across‐generations.pdf (accessed August 26, 2015), 6.
30 SAP Sustainability Report, Greenhouse Gas Footprint, http://www.sapsustainabilityreport.com/greenhouse‐gas‐footprint (accessed February 2, 2012).
c04.indd 89 11/26/2015 7:16:45 PM
90 Digital Systems and the Design of Work
supervisor. And employers often find that it is less expensive to provide a remote employee the tools needed than
to pay for the office space to house the employee.
Remote employees sometimes report that work–life balance often suffers. Because work can be done anyplace
and anytime, they sometimes find the option attractive because of the ability to work around the schedules of chil-
dren or other family members. Paradoxically, it is often difficult for them to separate work from their home life.
Consequently, they may work many more hours than the standard nine‐to‐five employee or experience the stress
of trying to separate work from play.
Remote work challenges managers to address performance evaluation and compensation. Managers of remote
workers must evaluate employee performance in terms of results or deliverables. Virtual offices make it more dif-
ficult for managers to appreciate the skills of the people reporting to them, which in turn makes it more difficult to
evaluate their performance. Managers must rely heavily on the remote worker’s self‐discipline to ensure that work
is done. As a result, managers may feel they are losing control over their employees, and some remote employees
do, in fact, abuse their privileges. Managers accustomed to traditional work models in which they are able to exert
control more easily may strongly resist remote working. In fact, managers are often the biggest impediment to
implementing remote work programs.
Self‐discipline is a key concern for many remote workers. Workers who go to an office or who must make
appearances at customer locations have a structure that gets them up and out of their home. But remote workers find
that working from home, in particular, is full of distractions such as personal phone calls, visitors, the television,
Facebook and other social networking sites, and inconvenient family disruptions. A remote worker must carefully
set up a home‐work environment and develop strategies to enable quality time for the work task.
Remote work also requires managers to undertake special planning and communicating activities. In terms of
planning, business and support tasks must be designed to support remote workers. Managers must also work to
coordinate schedules, ensure adequate communication among all workers, establish policies to support communi-
cations, and build business processes to support remote workers.
Working remotely can disconnect employees from their company’s culture and make them feel isolated. The
casual, face‐to‐face encounters that take place in offices transmit extensive cultural, political, and other organiza-
tional information. These encounters are lost to an employee who seldom, if ever, works at the office. Consequently,
telecommuters need to undertake special efforts to stay connected. They must engage in forms of conversation to
replace “water cooler” talk. This could take the form of instant messaging or participating in telephone calls/con-
ferences, e‐mail, social networking, blogs, or even video conferencing. The most successful remote work arrange-
ments do include regular visits to the office to solidify personal connections.
Not all jobs are suitable for remote work. Some jobs, such as server in a restaurant, a clerk in a grocery store,
and a facilities manager in a high‐rise building, require the employee to be at the work location. Further, new
employees who need to be socialized into the organization’s practices and culture are not good candidates for
remote work. Finally, some organizations’ culture does not support remote workers. Notably, when Marissa Meyer
took over as President of Yahoo, one of her first decisions was to eliminate remote work and bring everyone back
into the home office. She felt that the culture had taken a wrong turn and the only way to fix it was to have everyone
in the same place.
Remote work also raises the specter of offshoring, or foreign outsourcing of jobs once performed internally in the organization. Once a company establishes an infrastructure for remote work, it often can be performed abroad
as easily as domestically. U.S. immigration laws limit the number of foreigners who may work in the United States.
However, no such limitations exist on work performed outside this country by employees who transmit their work
to the United States electronically. Because such work is not subject to minimum wage controls, companies may
have a strong economic incentive to outsource work abroad. They find it particularly easy to outsource clerical work
related to electronic production, such as data processing and computer programming. Sourcing is further discussed
in Chapter 9. Benefits and potential problems associated with telecommuting are summarized in Figure 4.6.
Security is another issue for remote workers who might bring to the office an infected computer and plug it into
the network, posing a threat to other office computers. Further, as demonstrated by the Department of Veterans
Affairs (VA) employee whose laptop carrying unencrypted, sensitive personal information on more that 2.2 million
active‐duty military personnel was stolen from the employee’s home, remote workers can be the source of security
c04.indd 90 11/26/2015 7:16:45 PM
91Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
breaches.31 Organizational security mechanisms are continually increasing in effectiveness; however, it is impos-
sible for organizations to make remote workers totally secure. General managers need to get involved in assessing
the areas and severity of risk and take appropriate steps, via policies, education, and technology, to reduce the risks
and make remote workers as secure as possible. IS leaders are aware that even with the best policies and tools avail-
able, breaches occur. The IS organizations typically has many levels of security to sense and respond to threats. IT
security is discussed more fully in Chapter 7.
Advantages and Disadvantages of Virtual Teams
Virtual teams clearly offer advantages in terms of expanding the knowledge base through team membership. Thanks
to new and ever‐emerging communication and information technologies, managers can draw team members with
needed skills or expertise from around the globe without having to commit to huge travel expenses. Further, virtual
teams can benefit from following the sun. One classic example of this can be found in software development. London members of a virtual team of software developers at Tandem Services Corporation initially code a project
and transmit its code each evening to a U.S. team for testing. The U.S. team forwards the tested code to Tokyo for
debugging. London team members start their next day with the code debugged by the Japanese team, and another
cycle is initiated.32 Increasingly, growing pressure for faster turn around time for systems has resulted in systems
development by global virtual teams whose members are located around the world.
There are some clear disadvantages to virtual teams. For example, different time zones, although helpful when
following the sun, can work against virtual team members when they are forced to stay up late or work in the middle
of the night to communicate with team members in other time zones. There also are a considerable number of chal-
lenges that if not correctly managed could turn into disadvantages. A summary of these challenges in comparison
with more traditional teams can be found in Figure 4.7.
Managing Remote Workers and Virtual Teams
Managers cannot manage remote workers or virtual teams in the same way that they manage in‐office workers or
traditional teams. The differences in management control activities are particularly pronounced because managers
cannot observe the actual behavior of remote workers or virtual team members. Thus, monitoring behavior is likely
to be more limited. As stated earlier, performance for both remote workers and virtual teams is more likely to be
evaluated through outcomes controls rather than behavior controls. Because team members and remote workers are
dispersed, providing feedback is especially important—not just at the end of a project, but throughout the workers’
employment and the team’s life.
FIGURE 4.6 Some advantages and disadvantages of remote work.
Advantages of Remote Working Potential Problems
Reduced stress due to increased ability to meet schedules and to have fewer work‐related distractions
Increased stress from inability to separate work life from home life
Higher morale; lower absenteeism Harder for managers to evaluate and communicate about performance
Geographic flexibility for worker; capitalization on distant expertise for organization
Employee may become disconnected from company culture
Higher personal productivity Lack of suitability for all jobs or employees
Inclusion of housebound individuals in the workforce Telecommuters more easily replaced by offshore workers
Very informal dress is acceptable Harder to achieve high security
31 Robert Lemos, “VA Data Theft Affects Most Soldiers” (June 7, 2006), http://www.securityfocus.com/brief/224 (accessed May 7, 2012). 32 Marie‐Claude Boudreau, Karen Loch, Daniel Robey, and Detmar Straub, “Going Global: Using Information Technology to Advance the Competitive-
ness of the Virtual Transnational Organization,” Academy of Management Executive 12, no. 4 (1998), 120–28.
c04.indd 91 11/26/2015 7:16:45 PM
92 Digital Systems and the Design of Work
Compensation for virtual teams must be based heavily on the team’s performance and ability to reach its goal
rather than on individually measured performance. Compensating team members for individual performance may
result in “hot‐rodding” or lack of cooperation among team members. Organizational reward systems must be
aligned with the accomplishment of desired team goals. This alignment is especially difficult when virtual team
members belong to different organizations, each with her or his own unique reward and compensation system, each
of which may affect individual performance in a different way. Managers need to be aware of differences and dis-
cover ways to provide motivating rewards to all team members. Further, policies about the selection, evaluation,
and compensation of virtual team members may need to be enacted.
In addition to management control challenges, there are other challenges as included in Figure 4.7. The rest of
this section is devoted to managing the challenges.
Managing Communication Challenges
Because virtual teams and remote workers communicate differently than workers in the office, managers must
make sure the communications policies and practices support these work arrangements. For example, holding a
team meeting in the office and expecting remote members to listen in requires the manager to prepare differently
for the meeting. Any presentation slides to be used in the meeting must also be shared with the remote participants,
either over a video conference with meeting software or beforehand. When most of the co‐workers are in the office
and only one or two are dialing in from other locations, the remote participants miss all the nonverbal communica-
tion that takes place in the meeting room. Soft‐spoken individuals are often difficult to hear. Managers must make
sure key messages are being conveyed to the remote participants or the results of the meeting are sub‐optimal.
Team leaders may decide to initiate or supplement a team’s virtual activity with a face‐to‐face meeting so that
the seeds of trust can be planted and team members feel as if they know one another on a more personal basis. Face‐
to-face meetings indeed appear to contribute to successful global virtual teams. An in‐depth study of three global
virtual teams found that the two effective teams created a rhythm organized around regularly scheduled face‐to‐face
meetings coupled with virtual meetings as needed. Before each face‐to‐face meeting, there was a flurry of com-
munication and activity as team members prepared for the meeting. After the meeting, there were many follow‐up
messages and tasks. The ineffective team did not demonstrate a similar pattern.33 Because not all teams can meet
face‐to‐face, well‐managed synchronous meetings using video teleconferencing or in a virtual world can activate
the rhythm and accelerate the workflow.
FIGURE 4.7 Comparison of challenges facing virtual teams and traditional teams.
Challenges Virtual Teams (VT) Traditional Teams
Communication • Difficulties in terms of scheduling meetings and interactions • Increased inefficiencies when passing work between time
zones • Altered communication dynamics such as facial expressions,
vocal inflections, verbal cues, and gestures
• Collocated in same time zone. Scheduling is less difficult
• Use of richer communication media, including face‐to‐face discussions
Technology • Need for proficiency across wide range of technologies • Automatic creation of electronic repository to build
organizational memory • Need for ability to align group structure and technology
with the task environment
• Support for face-to-face interaction without replacing it
• Electronic communication skills not needed by team members
• Task technology fit less critical
Team Diversity • Harder to establish a group identity • Require better communication skills • More difficult to build trust, norms, and shared meanings
about roles because team members have fewer cues about their teammates’ performance
• More likely to have different perceptions about time and deadlines
• Group identity easier to create • Easier communication among
members
33 M. L. Maznevski and K. Chudoba, “Bridging Space Over Time: Global Virtual Team Dynamics and Effectiveness,” Organization Science 11, no. 5 (2000), 373–92.
c04.indd 92 11/26/2015 7:16:45 PM
93Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
Because team leaders cannot always see what their team members are doing or whether they are experiencing
any problems, frequent communications are important. If remote employee or team members are quiet, the team
leader must reach out to them to identify their participation and ensure that they feel their contributions are appre-
ciated. Further, team leaders can scrutinize the team’s asynchronous communications and its repository to evaluate
and give feedback about each team member’s contributions. Even when a majority of team members are in one
location, the team leader should rotate meeting times to alternate the convenience among team members. The rule
of thumb is that “more communication is better than less” because it is very difficult to “overcommunicate.” Man-
agers and team leaders with remote participants must make sure to think about how their remote colleagues are
receiving the information they need, not just how the managers are communicating it.
Managing Technology Challenges
Information and communication technologies are at the heart of the success of remote work and virtual team
accomplishments. However, managers must ensure that their remote colleagues have access to the technologies
and support they need. All team members must have the ability to connect to the information sources and com-
munications pathways used by the group. Well‐designed Web‐based conferencing applications make this easier
because any device connected to the Internet can access them. Managers must make sure meetings over video
or audio conference tools are well coordinated and all attendees have the right access codes and meeting times.
Time zone differences often confuse this issue, so it is critical to make sure everyone knows the right time for
a meeting.
Support processes for technologies must also be designed with remote employees in mind. If the only support
for them is in the office, they will find it difficult if not impossible to access the help they need. Bringing a laptop to
the office during normal business hours may not be possible if the remote worker is hundreds or thousands of miles
away. Processes must be designed to accommodate the remote employee or team member.
Managers must ensure that all employees and team members have the tools they need to do their jobs. That
might mean providing seamless telephone transfers, desktop support, network connectivity, and security support
to the remote workers. How and where information is stored must be considered because all workers must have
access to the files and applications they need to do their work. And, of course, the importance of security for remote
work cannot be overstated. A good rule of thumb is to design work processes so they work for remote workers,
and consider the office as just another location. If the process works for the remote workers, it most likely will
work for someone in the office, but the converse is not necessarily true. Unforeseen problems can develop for those
remotely located.
Further, managers must also provide the framework for using the technology. Policies and norms or unwritten
rules about how all employees should use the technology to work with one another must be established.34 These
include norms about telephone, e‐mail, and videoconferencing etiquette (i.e., how often to check for messages, the
maximum time to wait to return e‐mails, and alerting team members about absences or national holidays), work to
be performed, and so on. Such norms are especially important when team members are not in the same office and
cannot see when team members are unavailable. For example, leaving a paper note on someone’s desk works fine if
that person is in the office, but that option does not exist for remote participants. Leaving an e‐mail or sending texts
may be a better alternative because both work for everyone.
Managing Diversity Challenges
Managers may also seek to provide technologies to support diverse team member characteristics. For example,
team members from different parts of the globe may have different views of time. Team members from Anglo‐
American cultures (i.e., United States, United Kingdom, Canada, Australia, New Zealand) may view time as a
continuum from past to present and future. For such team members, each unit of time is the same. These team
members are likely to be concerned with deadlines and often prefer to complete one task before starting another
(i.e., are monochronic). For team members who are conscious of deadlines, planning and scheduling software may
34 C. Saunders, C. Slyke, and D. R. Vogel, “My Time or Yours? Managing Time Visions in Global Virtual Teams,” Academy of Management Executive 18, no. 1 (2004), 19–31.
c04.indd 93 11/26/2015 7:16:45 PM
94 Digital Systems and the Design of Work
be especially useful. In contrast, team members from India often have a cyclical view of time. They do not get
excited about deadlines and there is no hurry to make a decision because it is likely to cycle back—at which time
the team member may be in a better position to make the decision. Many people from India tend to be polychronic,
preferring to do several activities at one time. Team members who are polychronic may benefit from having instant
messaging or instant video chats available to them so that they can communicate with their teammates and still
work on other tasks.35
In addition to providing the appropriate technologies, managers with team members who have different views
of time need to be aware of the differences and try to develop strategies to motivate those who are not concerned
with deadlines to deliver their assigned tasks on time. Or the managers may wish to assign these team members to
do tasks that are not sensitive to deadlines.
Of course, views of time are only one dimension of diversity. Although team diversity has been demonstrated
to lead to more creative solutions, it can also make it harder for team members to learn to communicate, to trust
one another, and to form a single group identity. Through open communications, managers may be able to uncover
and deal with other areas of diversity, such as culture, training, gender, personality, position, and language, that
positively or negatively affect the team.36 Managers may establish an expertise directory at the start of the team’s
life or encourage other ways of getting team members to know more about one another. The rule of thumb here is
to not assume a team will work just because it has been created by management. Specific thought must be giving
to helping the team members function together and embrace, rather than reject, the differences diversity brings to
the table.
Gaining Acceptance for IT‐Induced Change The changes described in this chapter no doubt alter the frames of reference of organizational employees and may
be a major source of concern for them. Employees may resist the changes if they view the changes as negatively
affecting them. In the case of a new information system that they do not fully understand or are not prepared to
operate, they may resist in several ways:
• They may deny that the system is up and running.
• They may sabotage the system by distorting or otherwise altering inputs.
• They may try to convince themselves, and others, that the new system really will not change the status quo.
• They may refuse to use the new system when its usage is voluntary.
Managing Change
To help avoid these resistance behaviors, John Kotter37 builds upon Kurt Lewin’s38 change model of unfreezing,
changing, and refreezing. Kotter recommends eight specific steps to bring about change. Kotter’s steps are related
to Lewin’s changes and listed in Figure 4.8.
Managers can keep these eight steps in mind as they introduce change into their workplaces. It is important for
managers to make clear why the change is being made before it is implemented, and they must follow the change
with reinforcement behaviors such as rewarding those employees who have successfully adopted new desired
behaviors.
35 Ibid. 36 Terri R. Kurtzberg and Teresa M. Amabile, “From Guilford to Creative Synergy: Opening the Black Box of Team‐Level Creativity,” Creativity Research Journal 13, no. 3–4 (2001), 285–94. 37 John Kotter, Leading Change (Boston, MA: Harvard Business School Press, 1996). 38 Kurt Lewin, “Frontiers in Group Dynamics II. Channels of Group Life; Social Planning and Action Research,” Human Relations 1, no. 22 (1947), 143–53.
c04.indd 94 11/26/2015 7:16:45 PM
95Gaining Acceptance for IT‐Induced Change
Technology Acceptance Model and Its Variants
To avoid the negative consequences of resistance to change, those implementing change must actively manage
the change process and gain acceptance for new IS. To help explain how to gain acceptance for a new technology,
Professor Fred Davis and his colleagues developed the Technology Acceptance Model (TAM). Many variations of
TAM exist, but its most basic form is displayed on the right‐hand side in Figure 4.9. TAM suggests that managers
FIGURE 4.8 Stages and steps in change management. Source: Adapted from John Kotter, Leading change (Boston, MA: Harvard Business School Press, 1996).
Lewin’s Stage Unfreezing Changing Refreezing
Definition Creating motivation to change Providing stakeholders with new information, systems, products, or services
Reinforcing change by integrating stakeholders’ changed behaviors and attitudes into new operations resulting from change
Kotter’s Steps 1. Establish a sense of urgency: Create a compelling reason why change is needed.
2. Create the guiding coalition: Select a team with enough expertise and power to lead the change.
3. Develop a vision and strategy: Use the vision and strategic plan to guide the change process.
4. Communicate the change vision: Devise and implement a communication strategy to consistently convey the vision.
5. Empower broad‐based action: Encourage risk‐taking and creative problem solving to overcome barriers to change.
6. Generate short‐term wins: Celebrate short‐term improvements and reward contributions to change effort.
7. Consolidate gains and produce more change: Use credibility from short‐term wins to promote more change so that change cascades throughout the organization.
8. Anchor new approaches in the culture: Reinforce change by highlighting areas in which new behaviors and processes are linked to success.
Individual
Differences
Perceived
Usefulness
Social
Influence
Facilitating
Conditions
Perceived
Ease of Use
Technology Acceptance Model (TAM)
Behavioral
Intention
Use
Behavior
System
Characteristics
FIGURE 4.9 Simplified technology acceptance model (TAM3). Source: Viswanath Venkatesh and Hillol Bala, “Technology Acceptance Model 3 and a Research Agenda on Interventions,” Decision Sciences 39, no. 2 (2008), 276.
c04.indd 95 11/26/2015 7:16:46 PM
96 Digital Systems and the Design of Work
cannot get employees to use a system until they want to use it. To convince employees to want to use the system,
managers may need to employ unfreezing tactics to change employee attitudes about the system. Attitudes may
change if employees believe that the system will allow them to do more or better work for the same amount of effort
(perceived usefulness), and that it is easy to use. Training, documentation, and user support consultants are external
variables that may help explain the usefulness of the system and make it easier to use.
The left‐hand side of Figure 4.9 provides four categories of determinants of perceived usefulness and perceived
ease of use from the point of view of organizational users. Specifically, they are individual differences (e.g., gender, age), system characteristics (e.g., output quality and job relevance that help individuals develop favorable or unfa- vorable views about the system), social influence (e.g., subjective norms), and facilitating conditions (e.g., top management support). TAM assumes that system use is under the control of the individual users. When employees
are mandated to use the system, they may use it in the short run, but over the long run, negative consequences of
their resistance may surface. Thus, gaining acceptance of the system is important, even in those situations where
it is mandated.
S U M M A R Y
• The nature of work is changing, and IT supports, if not propels, these changes.
• Communication and collaboration are vital for today’s work. Technology to support communication includes e‐mail, intranets, instant messaging (IM), video conferences, virtual private networks (VPN), and file transfer software. Tech-
nology to support collaboration includes social networking sites, Web logs (blogs), virtual worlds, wikis, teleconference
systems, groupware, microblogs and Internet sharing sites.
• IT affects work by creating new work, creating new working arrangements, and presenting new managerial challenges in employee supervision, evaluation, compensation, and hiring.
• Newer approaches to management reflect increased use of computer and information technology in hiring and super- vising employees, a more intense focus on output (compared to behavior), and an increased team orientation.
• The shift to knowledge‐based work, changing demographics and lifestyle preferences, new technologies, growing reli- ance on the Web, and energy concerns contribute to the increase in remote work and virtual teams.
• Companies find that building telecommuting capabilities can be an important tool for attracting and retaining employees, increasing their productivity, providing flexibility to otherwise overworked individuals, reducing office
space and associated costs, responding to environmental concerns about energy consumption, and complying with the
Clean Air Act. Alternative work arrangements also promise employees potential benefits: schedule flexibility, higher
personal productivity, less commuting time and fewer expenses, and increased geographic flexibility.
• Disadvantages of remote work include increased stress from trying to maintain work–life balance; difficulties in planning, communicating, and evaluating performance; feelings of isolation among employees; easier displacement of
employees by offshoring; and limitations of jobs and employees in its application.
• Virtual teams can be defined as two or more people who (1) work together interdependently with mutual account- ability for achieving common goals, (2) do not work in either the same place and/or at the same time, and (3) must use
electronic communication technology to communicate, coordinate their activities, and complete their team’s tasks. They
are an increasingly common organizational phenomenon and must be managed differently than more traditional teams.
• Managers of remote workers and virtual teams must focus on overcoming the challenges of communication, technology, and diversity of team members.
• To gain acceptance of a new technology, potential users must exhibit a favorable attitude toward the technology. In the case of information systems, the users’ beliefs about its perceived usefulness and perceived ease of use color their atti-
tudes about the system. Kotter provides some suggested steps for change management that are related to Lewin’s three
stages of change: unfreezing, change, and refreezing.
c04.indd 96 11/26/2015 7:16:46 PM
97Case Study
D I S C U S S I O N Q U E S T I O N S
1. Why might an employee resist the implementation of a new technology? What are some of the possible consequences of asking an employee to use a computer or similar device in his or her job?
2. How can IT alter an individual ’ s work? How can a manager ensure that the impact is positive rather than negative?
3. What current technologies do you predict will show the most impact on the way work is done? Why?
4. Given the growth in telecommuting and other mobile work arrangements, how might offices physically change in the com- ing years? Will offices as we think of them today exist by 2030? Why or why not?
5. How is working at an online retailer different from working at a brick‐and‐mortar retailer? What types of jobs are necessary at each? What skills are important?
6. Paul Saffo, former director of the Institute for the Future, noted, “Telecommuting is a reality for many today, and will con- tinue to be more so in the future. But beware, this doesn ’ t mean we will travel less. In fact, the more one uses electronics,
the more they are likely to travel.” 39 Do you agree with this statement? Why or why not?
7. The explosion of information‐driven self‐serve options in the consumer world is evident at the gas station where customers pay, pump gas, and purchase a car wash without ever seeing an employee; in the retail store such as Walmart, Home Depot,
and the local grocery where self‐service checkout stands mean that customers can purchase a basket of items without ever
speaking to a sales agent; at the airport where customers make reservations and pay for and print tickets without the help of
an agent; and at the bank, where ATMs have long replaced tellers for most transactions. But a backlash is coming, experts
predict. Some say that people are more isolated than they used to be in the days of face‐to‐face service, and they question
how much time people are really saving if they have to continually learn new processes, operate new machines, and over-
come new glitches. Labor‐saving technologies were supposed to liberate people from mundane tasks, but it appears that
these technologies are actually shifting some tasks to the customer. On the other hand, many people like the convenience of
using these self‐service systems, especially because it means customers can visit a bank for cash or order books or gifts from
an online retailer 24 hours a day. Does this mean the end of “doing business the old‐fashioned way”? Will this put a burden
on the elderly or the poor when corporations begin charging for face‐to‐face services? 40
K E Y T E R M S
behavior controls (p. 84)
mobile workers (p. 86)
offshoring (p. 90)
outcome controls (p. 84)
personnel controls (p. 84)
remote workers (p. 86)
telecommuting (p. 86)
virtual teams (p. 87)
39 “Online Forum: Companies of the Future,” http://www.msnbc.com/news/738363.asp (accessed June 11, 2002). 40 Stevenson Swanson , “ Are Self‐Serve Options a Disservice? ” Chicago Tribune (May 8, 2005 ), Section H, 1d .
Martin Andersen is responsible for 143 of Trash and Waste Pickup Services, Inc. ’ s (TWPS ’ s) garbage trucks. TWPS is a
commercial and household trash hauler. When a caller recently complained to Andersen that a brown and green Trash and
Waste Pickup Services truck was speeding down Farm Route 2244, Andersen turned to the company ’ s information system.
He learned that the driver of a company front‐loader had been on that very road at 7:22 a.m., doing 51 miles per hour (mph)
in a 35 mph zone. The driver of that truck was in trouble!
The TWPS information system uses a global positioning system (GPS) not only to smooth its operations but also to
keep closer track of its employees, who may not always be doing what they are supposed to be doing during work hours.
Andersen pointed out, “If you ’ re not out there babysitting them, you don ’ t know how long it takes to do the route. The guy
could be driving around the world, he could be at his girlfriend ’ s house.”
■ CASE STUDY 4‐1 Trash and Waste Pickup Services, Inc.
c04.indd 97 11/26/2015 7:16:46 PM
98 Digital Systems and the Design of Work
IBM ’ s award‐winning developerWorks site was established in 2000 as a technical resource repository for the company ’ s
global development community. Designed to share knowledge and skills related to IBM products and other key technol-
ogies, it has been a solid success. The site attracts about 4 million unique visitors a month—including students, profes-
sionals, and developers from almost all the world ’ s countries—who search its library of 30,000 articles, demos, podcasts,
and tutorials. developerWorks is available in eight languages, including Russian, Chinese, and Spanish, and about 70% of
its visitors come from outside IBM.
My developerWorks, a social networking function, was added to the repository platform in 2009 to allow developers to
connect, communicate, and collaborate on projects. Soon the network had added more than 600,000 user profi les as well as
numerous blogs and forums. In addition to allowing established business, start‐ups, and partners to collaborate, it has also
helped users fi nd answers to support questions that would otherwise go to IBM ’ s call centers and help desks, thus saving
the company an estimated $100 million.
Alice Chou, Director of IBM developerWorks, carefully monitored the number of My developerWorks profi les and the
volume of traffi c to the site. She looked at unique visitors, developer demographics, time spent on the site, and patterns of
page views. She created a reward and recognition framework so that when users contributed a highly regarded article or
blogpost to the site, “they got the kudos they deserve.”
Discussion Questions
1. How might My developerWorks leverage changes in the way people work?
2. Why do you think Alice Chou carefully monitors the My developerWorks site? What would be an example of an insight
she would gain from the data she ’ s collecting?
3. Why do you think Alice Chou thinks a rewards program is necessary for My developerWorks because so many profiles
have already been developed. Do you agree that a reward would be necessary?
Sources: IBM, www.ibm.com/developerworks (accessed April 17, 2012); Ellen Traudt and Richard Vancil , “ Becoming a Social Business: The IBM Story ,” IDC White Paper #226706 (January 2011), 1–14 (quote on p. 6, developerWorks at http://www.ibm.com/developerworks/) .
■ CASE STUDY 4‐2 Social Networking: How Does IBM Do It?
Before TWPS installed the GPS system, the drivers of his 37 front‐loaders clocked in approximately 250 hours a week
of overtime at one and a half times pay. Once TWPS started monitoring the time they spent in the yard before and after
completing their routes and the time and location of stops that they made, the number of overtime hours plummeted to 70
per week. This translated to substantial savings for a company whose drivers earn about $20 an hour.
TWPS also installed GPS receivers in salesmen ’ s cars. Andersen was not surprised to learn that some of the company ’ s
salespeople frequented The Zone, a local bar, around 4 p.m . when they were supposed to be calling on customers. Andersen
decided to set digital boundaries around the bar.
Understandably, the drivers and salespeople aren ’ t entirely happy with the new GPS‐based system. Ron Simon, a TWPS
driver, admits: “It ’ s kind of like Big Brother is watching a little bit. But it ’ s where we ’ re heading in this society. . . . I get testy
in the deli when I ’ m waiting in line for coffee, because it ’ s like, hey, they ’ re (managers) watching. I ’ ve got to go.”
Andersen counters that employers have a right to know what their employees are up to: “If you come to work here, and
I pay you and you ’ re driving one of my vehicles, I should have the right to know what you ’ re doing.”
Discussion Questions
1. What are the positive and negative aspects of Andersen ’ s use of the GPS‐based system to monitor his drivers and sales-
people?
2. What advice do you have for Andersen about the use of the system for supervising, evaluating, and compensating his
drivers and salespeople?
3. As more and more companies turn to IS to help them monitor their employees, what do you anticipate the impact will
be on employee privacy? Can anything be done to ensure employee privacy?
Source: This is a fi ctitious case. Any resemblance to an actual company is purely coincidental.
c04.indd 98 11/26/2015 7:16:46 PM
99
5 chapter
1 Adapted from S. Balaji , C. Ranganathan , and T. Coleman , “ IT‐Led Process Reengineering: How Sloan Valve Redesigned Its New
Product Development Process ,” MIS Quarterly Executive 10 , no. 2 ( June 2011 ), 81 – 92 .
Transformation requires discontinuous thinking—recognizing and shedding outdated rules and fundamental assumptions that underlie operations. Business processes, the cross‐ functional sets of activities that turn inputs into outputs, are at the heart of how businesses operate and how transformation takes place. This chapter discusses business processes and the systems that support them. The chapter begins with a discussion of a functional (silo) versus a process perspective of a fi rm, including agile and dynamic business processes. The chapter then focuses on the way managers change business processes, including incremental and radical approaches. Information systems ( IS ) including workfl ow and business process management systems and enterprise systems that support and automate business processes follow. The chapter concludes by examining when IS drive business transformations and the complexities that arise when companies integrate systems.
Information Systems and Business Transformation
Business strategy at Sloan Valve Company , 1 a family‐owned global manufacturer of plumbing prod-
ucts, had executives launching a range of new products every year. The new product development
(NPD) process was both core and strategic for Sloan , but it was also complex and slow; over
16 functional units were involved, and it often took 18–24 months to bring a new product to
market. Sloan Valve ’ s process of initiating and screening new product ideas was broken. More
than 50% of the ideas that began the process didn ’ t make it through, resulting in wasted resources.
Further, no one was accountable for the process, making it diffi cult to get a handle on process
management and improvement. Information fl ow was blocked in part because of the structure of
the organization.
Management initially invested in an enterprise system to automate the company ’ s internal
processes, believing that IS would provide a common language, database, and platform. Despite
successful implementation, the communication and coordination problems continued. Further, the
new system did not provide an NPD process. Upon deeper analysis by a new CIO brought in to “fi x
things,” management realized that the enterprise system was working fi ne, but the underlying pro-
cess was broken. Top management decided to redesign the NPD process.
The NPD process redesign team was led by an IT manager with considerable process experience
and involved members from manufacturing, engineering, IT, fi nance, marketing, operations, and
quality assurance. The director of design engineering was made process owner to provide oversight
for all changes. The team spent nine months assessing the current way of working and proposed a
new end‐to‐end NPD process. The reengineered NPD process included six subprocesses: ideation,
business case development, project portfolio management, product development, product and pro-
cess validation, and launch. The underlying information system was the enterprise system upgraded
to include newer modules, which supported product life cycle management.
c05.indd 99 11/26/2015 6:25:53 PM
100 Information Systems and Business Transformation
The quality, timing, and output of NPD greatly improved. The new NPD process reduced time‐to‐market to less
than 12 months. New product ideas that were unlikely to work were filtered out early, eliminating problems of wast-
ing resources. Synthesis of product and process information improved. Customer feedback was easier to access.
And accountability increased, smoothing out responsibilities and workflow.
Not all IS enterprise system implementations are as successful as that at Sloan Valve. There are hundreds of
stories of companies that ran into significant problems when automating and transforming their business processes,
especially when an information system is at the heart of the change. Overstock.com’s order tracking system failed
for a full week when it rolled out a new enterprise system. By rushing to implement the new system, a glitch put
the enterprise system out of sync with the accounting system, causing the company to have to restate more than five
years of earnings, which showed lower revenue and higher losses. Clothing manufacturer Levi Strauss had simi-
lar problems with its new enterprise system, causing shipping errors and issues with its financial control systems.
The latter was blamed for the company’s 98% decrease in net income for the second quarter in 2008. Avis Europe
attempted to implement an enterprise system, but project delays and cost overruns caused the company to cancel
the project and write off £28 million on its books. With so much at risk, general managers must be informed and
involved in these types of complex information systems that change business processes.2
IS can enable or impede business change. The right design coupled with the right technology can result in
changes such as those experienced by Sloan Valve. The wrong business process design or the wrong technology,
however, can force a company into operational, and sometimes financial, crisis as the Overstock.com, Levi Strauss,
and Avis Europe examples show.
To a manager in today’s business environment, an understanding of how IS enable business change is essential.
The terms management and change management are used almost synonymously in today’s business vocabulary: To manage effectively means to manage change effectively. As IS become ever more prevalent and more power-
ful, the speed and magnitude of the changes that organizations must address to remain competitive continue to
increase. To be a successful manager, one must understand how IS enable change in a business; one must gain
a process perspective of business and must understand how to transform business processes effectively. This
chapter provides managers a view of business process change. It provides tools for analyzing how a company
currently does business and for thinking about how to effectively manage the inevitable changes that result from
competition and the availability of IS. This chapter also describes an IT‐based solution commonly known as
enterprise IS. A brief word to the reader is needed. The term process is used extensively in this chapter. In some instances, it
is used to refer to the steps taken to change aspects of the business. At other times, it is used to refer to the part of
the business to be changed: the business process. The reader should be sensitive to the potentially confusing use of
the term process.
Silo Perspective versus Business Process Perspective When effectively linked with improvements to business processes, advances in IS enable changes that make it pos-
sible to do business in a new way, one that is better and more competitive than before. On the other hand, IS can
also inhibit change, which occurs when managers fail to adapt business processes because they rely on inflexible
systems to support those processes. Finally, IS can also drive change for better or for worse. Examples abound of
industries that were fundamentally changed by advances in IS and of companies whose success or failure depended
on the ability of their managers to adapt. This chapter considers IS as an enabler of business transformation, a
partner in transforming business processes to achieve competitive advantages. We begin by comparing a process
view of the firm with a functional view.
Transformation requires discontinuous thinking—recognizing and shedding outdated rules and fundamental
assumptions that underlie operations. “Unless we change these rules, we are merely rearranging the deck chairs
on the Titanic. We cannot achieve breakthroughs in performance by cutting fat or automating existing processes.
2 Adapted from http://www.baselinemag.com/c/a/ERP/Five‐ERP‐Disasters‐Explained‐878312/ (accessed February 24, 2012).
c05.indd 100 11/26/2015 6:25:53 PM
101Silo Perspective versus Business Process Perspective
Rather, we must challenge old assumptions and shed the old rules that made the business under perform in the
first place.”3
Functional (Silo) Perspective
Many think of business by imagining a hierarchical structure (described in Chapter 3) organized around a set of
functions. Looking at a traditional organization chart allows an understanding of what the business does to achieve
its goals. A typical hierarchical structure, organized by function, results in disconnected silos that might look like
the one in Figure 5.1.
When an organization has silos, departments are organized on the basis of their core competencies. Specialized
silos allow them to focus on what they do best. For example, the operations department focuses on operations, the
marketing department focuses on marketing, and so on. Each major function within the organization usually forms
a separate department to ensure that work is done by groups of experts in that function. This functional structure
is widespread in today’s organizations and is reinforced by business education curricula, which generally follow
functional structures, that is, students take courses in functions (i.e., marketing, management, accounting) and
major in functions and then are predisposed to think in terms of these same functions.
Even when companies use the perspective of the value chain model (as discussed in Chapter 2), they still focus on
functions that deliver their portion of the process and “throwing it over the wall” to the next group on the value chain.
These silos become self‐contained functional units, which can be useful for several reasons. First, they allow an orga-
nization to optimize expertise and training. For example, all the marketing people can belong to the same department,
allowing them to informally network and learn from each other. Second, the silos allow the organization to avoid
redundancy in expertise by hiring one person who can be assigned to projects across functions on an as‐needed basis
instead of hiring an expert in each function. Third, with a silo organization, it is easier to benchmark outside organi-
zations, utilize bodies of knowledge created for each function, and easily understand the role of each silo.
On the other hand, silo organizations can experience significant suboptimization. First, individual departments
often recreate information maintained by other departments. Second, communication gaps between departments
are often wide. Third, handoffs between silos are often a source of problems, such as finger‐pointing and lost
information. Finally, silos tend to lose sight of the objective of the overall organization and operate in a way that
maximizes their local goals. The last point is illustrated by a production department that pushes the concept of a
small number of product sizes or options while the marketing department urges management to consider a larger
variety or highly customized products. Such conflicts do arise in many organizations, and it can be difficult to nego-
tiate to find a solution that is best, overall, for the firm.
A firm’s work changes over time. In a functionally organized silo business, each group is primarily concerned
with its own set of objectives. The executive officers jointly seek to ensure that these functions work together to
create value, but the task of providing the “big picture” to so many functionally oriented personnel can prove
extremely challenging. As time passes and business circumstances change, new work is created that relies on more
than one of the old functional departments. Departments that took different directions must now work together.
They negotiate the terms of any new work processes with their own functional interests in mind, and the “big
Typical Hierarchical Organization Structure
Operations Marketing Accounting Finance Administration
Executive Offices
CEO
President
FIGURE 5.1 Hierarchical structure.
3 Michael Hammer, “Reengineering Work: Don’t Automate, Obliterate” Harvard Business Review 68, no. 4 (July–August 1990), 104–12.
c05.indd 101 11/26/2015 6:25:54 PM
102 Information Systems and Business Transformation
picture” optimum gets scrapped in favor of suboptimal compromises among the silos. These compromises then
become repeated processes; they become standard operating procedures.
Losing the big picture means losing business effectiveness. After all, a business’s main objective is to create as
much value as possible for its shareholders and other stakeholders by satisfying its customers to stimulate repeat
sales and positive word of mouth. When functional groups duplicate work, fail to communicate with one another, or
lose the big picture and establish suboptimal processes, the customers and stakeholders are not being well served.
Business Process Perspective
A manager can avoid such suboptimization—or begin to “fix” it—by managing from a business process perspec-
tive. A business process perspective, or more simply a process perspective, keeps the big picture in view and allows the manager to concentrate on the work that must be done to ensure the optimal creation of value. A process
perspective helps the manager avoid or reduce duplicate work, facilitate cross‐functional communication, optimize
business processes, and ultimately, best serve the customers and stakeholders.
In business, a process is defined as an interrelated, sequential set of activities and tasks that turns inputs into outputs and includes the following:
• A beginning and an end
• Inputs and outputs
• A set of tasks (subprocesses or activities) that transform the inputs into outputs
• A set of metrics for measuring effectiveness
Metrics are important because they focus managers on the critical dimensions of the process. Metrics for a
business process are things like throughput, which is how many outputs can be produced per unit time, or cycle time, which is how long it takes for an entire process to execute. Examples of process measures are the number of handoffs in the process or actual work versus total cycle time. Other metrics are based on the outputs themselves,
such as customer satisfaction, revenue per output, profit per output, and quality of the output.
Examples of business processes include customer order fulfillment, manufacturing planning and execution,
payroll, financial reporting, and procurement. A procurement process might look like the sample in Figure 5.2.
The process has a beginning and an end, inputs (requirements for goods or services) and outputs (receipt of goods,
vendor payment), and subprocesses (filling out a purchase order, verifying the invoice). Metrics of the success of
the process might include turnaround time and the number of paperwork errors.
The procurement process in Figure 5.2 cuts across the functional lines of a traditionally structured business.
For example, the requirements for goods might originate in the operations department based on guidelines from
the finance department. Paperwork would likely flow through the administration department, and the accounting
department would be responsible for paying the vendor.
Focusing on business processes ensures focusing on the business’s goals (the “big picture”) because each pro-
cess has an “endpoint” that is usually a deliverable to a customer, supplier, or other stakeholder. A business process
perspective recognizes that processes are often cross‐functional. In the diagram in Figure 5.3, the vertical bars
represent functional departments within a business. The horizontal bars represent processes that flow across those
functional departments. A business process perspective requires an understanding that processes properly exist to
serve the larger goals of the business and that functional departments must work together to optimize processes in
regard to these goals.
Receive
Requirement
for Goods/
Services
Pay
Vendor
Verify
Invoice
Receive
Goods
Create and
Send
Purchase
Order
FIGURE 5.2 Sample procurement business process.
c05.indd 102 11/26/2015 6:25:54 PM
103Silo Perspective versus Business Process Perspective
For example, an order‐fulfillment process might include payment, order delivery, product implementation, and
after‐sales service tasks. This process would involve multiple functions, including operations, accounting, service,
and sales, making it a cross‐functional business process. The “sales order” would be the input for this process. A sat-
isfied customer might be the output, and a number of metrics, such as a survey of the customer’s satisfaction, time to
complete the order fulfillment process, number of defects (or other quality measure), can be used to measure success.
When managers take a business process perspective, they are able to optimize the value that customers and
stakeholders receive by managing the flow as well as the tasks. They begin to manage processes by:
• Identifying the customers of processes (who receives the output of the process?)
• Identifying these customers’ requirements (what are the criteria for successful implementation of the process?)
• Clarifying the value that each process adds to the overall goals of the organization
• Sharing their perspective with other organizational members until the organization itself becomes more pro- cess focused
The differences between the silo and business process perspectives are summarized in Figure 5.4. A silo perspective refers to self‐contained functional units such as marketing, operations, finance, and so on. Unlike a
Functions
Sample
Business
Processes
Purchasing
Customer Support
O P E R A T I O N S
M A R K E T I N G
A C C O U N T I N G
F I N A N C E
A D M I N I S T R A T I O N
FIGURE 5.3 Cross‐functional nature of business processes.
FIGURE 5.4 Comparison of silo perspective and business process perspective.
Silo Perspective Business Process Perspective
Definition Self‐contained functional units such as marketing, operations, finance, and so on
Interrelated, sequential set of activities and tasks that turns inputs into outputs
Focus Function Cross‐function
Goal Accomplishment Goals optimized for the function, which may be suboptimal for the organization
Goals optimized for the organization, or the “big picture”
Benefits Core competencies highlighted and developed; functional efficiencies
Avoidance of work duplication and cross‐functional communication gaps; organizational effectiveness
Problems Redundancy of information throughout the organization; cross‐functional inefficiencies; communication difficulties
Difficulty in finding staff who can be knowledgeable generalists; need for sophisticated software
c05.indd 103 11/26/2015 6:25:54 PM
104 Information Systems and Business Transformation
silo perspective, a business process perspective recognizes that businesses operate as a set of processes that flow
across functional departments. The business process perspective enables a manger to analyze the processes of the
business in regard to its larger goals in comparison to the functional orientation of the silo perspective. Finally, it
provides a manager with insights into how those processes might better serve these goals.
An example illustrates the problem. Using a silo perspective, a customer with a warranty issue would need to
explain a problem with a product to a customer service representative in the service department. If the problem is
technical, the call would be transferred to a technical support person (in a different department), and the customer
might need to explain the entire problem again. If the technical support representative determined that a part is
needed, the customer would be transferred to the sales department and would need to explain the issue yet another
time. Because the departments are not talking with one another, the customer might even need to provide proof of
purchase several times to avoid having to pay for a warranty problem.
In contrast, with a business process perspective, either one representative would work with the customer on all
problems or an enterprise system would enable the representative to transfer both the call and notes with the details to any specialists who are needed along the way. Having one representative handle all problems is not always pos-
sible because it is often difficult to find staff able to handle an entire process for the same reasons that support the
functional hierarchical structure: People are normally trained in a function, such as marketing or accounting, not
in a process that requires many different skill sets. For example, individuals who excel at marketing may not also
possess the accounting skills needed to fix a billing problem.
Zara’s Cross‐Functional Business Processes
Consider Spanish clothing retailer Zara (introduced in Chapter 2). With over 1,600 stores in 78 countries around
the world and a well‐designed set of cross‐functional business processes, Zara often is able to design, produce, and
deliver a garment within 15 days. For this to happen, its managers must regularly create and rapidly replenish small
batches of goods all over the world. Zara’s organization, operational procedures, performance measures, and even
its office layout are all designed to make information transfer easy.
Zara’s designers are colocated with the production team, including marketing, procurement, and production
planners. Prototypes are created nearby, facilitating easy discussion about the latest design. Large circular tables
in the middle of the production process encourage impromptu meetings where ideas are readily exchanged among
the designers, market specialists, and production planners. The speed and quality of the design process is greatly
enhanced by the colocation of the entire team because the designers can quickly check their ideas with others on
their cross‐functional teams. For example, the market specialists can quickly respond to designs in terms of the
style, color, and fabric whereas the procurement and production planners can update these specialists about manu-
facturing costs and available capacity.
Zara’s information technology provides a platform but does not preclude informal face‐to‐face conversations.
Retail store managers are linked to marketing specialists through customized handheld computers but sometimes
use the telephone to share order data, sales trends, and customer reactions to a new style. Zara’s cross‐functional
teams enable information sharing among everyone who “needs to know” and therefore creates the opportunity to
change directions quickly to respond to new market trends.
Building Agile and Dynamic Business Processes To stay competitive and consistently meet changing customer demands, organizations build dynamic business processes or agile business processes, processes that repeat through a constant renewal cycle of design, deliver, evaluate, redesign, and so on. Agile business processes are designed to simplify redesign and reconfiguration. They
are designed to be flexible and easily adaptable to changes in the business environment and can be incrementally
changed with little effort. Dynamic business processes, on the other hand, reconfigure themselves as they “learn”
and the business utilizes them.
c05.indd 104 11/26/2015 6:25:54 PM
105Changing Business Processes
To be agile or dynamic, a process necessitates a high degree of IT use. The more of the process that can be done
with software, the easier it is to change, and the more likely it can be designed to be agile or dynamic.
Examples of agile processes are often found in manufacturing operations, where production lines are reconfig-
ured regularly to accommodate new products and technologies. For example, automobile production lines produce
large numbers of vehicles, but very few are identical to the one made before or after it on the production line. Also,
vehicles are often built with space and wiring for options (such as a remote starter) that can be added by a dealer
quickly and with minimal labor. The design of the line is such that many changes in design, features, or options are
just incorporated into the assembly of the vehicle at hand.
Another common example is in software development. Agile software development methodologies underlie an
incremental and iterative development process that is often used to rapidly and collaboratively create working and
relevant software.
More recently, with the use of the Internet and social technologies, building agility into business processes is
increasingly common. Processes run entirely in the digital world. Some common examples are order management,
service/product provisioning, human resource support, and bill payment. The pervasiveness of the digital world has
necessitated rethinking many business processes; customers, employees, and other stakeholders expect to be able
to access processes on the Web and perform self‐service.
In fact, many processes have been designed as an app, as described in the Introduction. Consider smart phones
or tablets. Each app loaded on these devices is, in reality, an automated business process. And because it’s an app,
it’s relatively easy for the developer to upgrade, fix, and enhance. Apps are good examples of software that supports
agile processes.
An example of a dynamic process is a network with a changing flow of data. The network could have sensors
built in to monitor the flow, and when flow is greater than the current network configuration can handle, the net-
work automatically redistributes or requisitions more capacity to handle the additional data and reconfigures itself
to balance the flow over the new channels. Another example, with a more physical configuration, would be a call
center. Call center systems are designed to monitor the flow of calls coming into a center and the time it takes for
agents to respond to them. These systems can automatically redistribute calls to or from other centers as volume
increases or decreases. The system might be sufficiently sophisticated so that it can add additional agents to the
schedule or alert a supervisor of an increase and route calls to standby agents. Enabling the system to redistribute
incoming calls to respond to changes in the center is an important capability.
Dynamic IT applications, a component of software defined architecture, described more fully in Chapter 6,
are required for dynamic business processes. When the underlying IT is not designed with this goal in mind,
the business process itself cannot adapt as necessary to changing requirements of the business environment. The
benefits of agile and dynamic business processes are operational efficiency gained by the ease of incrementally
improving the process as necessary and the ability to create game‐changing innovative processes more quickly.
Sloan Valve’s NPD process is another example of a more flexible approach. Previously steeped in the old way of
doing things, and tied to legacy information systems, the redesigned NPD process was faster and enabled detection
of and reaction to customer feedback, process problems, and team misalignments.
Changing Business Processes Sloan Valve decided to do a complete redesign of its NPD process. After trying to incrementally change it with a
new IS, and minor changes to the process, managers realized that a complete transformation was necessary.
Transforming a business today means redesigning business processes. Two techniques used to transform a static
business process are: (1) radical process redesign, which is sometimes called business process reengineering (BPR) or simply reengineering and (2) incremental, continuous process improvement, which includes total quality management (TQM) and Six Sigma. Radical and incremental improvement concepts are important; they continue to be different tools a manager can use to effect change in the way his or her organization does business. The basis
of both approaches is viewing the business as a set of business processes rather than using a silo perspective.
c05.indd 105 11/26/2015 6:25:54 PM
106 Information Systems and Business Transformation
Incremental Change
At one end of the continuum, managers use incremental change approaches to improve business processes through
small, incremental changes. This improvement process generally involves the following activities:
• Choosing a business process to improve
• Choosing a metric by which to measure the business process
• Enabling personnel to find ways to improve the business process based on the metric
Personnel often react favorably to incremental change because it gives them control and ownership of improve-
ments and, therefore, renders change less threatening. The improvements grow from their grassroots efforts. TQM
is one such approach that incorporates methods of continuous process improvement. At the core of the TQM
method is W. Edwards Deming’s “14 Points,” or key principles to transform business processes. The principles
outline a set of activities for increasing quality and improving productivity.4 TQM has lost some of its luster in the
United States, but it continues to be very popular in Europe and Asia.
Six Sigma is an incremental and data‐driven quality management approach for eliminating defects from a process. The term six sigma comes from the idea that if the quality of all output from a process were to be mapped on a bell‐shaped curve, the tail of the curve, six sigma (standard deviations) from the mean, would
represent less than 3.4 defects per million. Such a low rate of defects would be close to perfect. The Six Sigma
methodology is carried out by experts known as Green Belts and more experienced experts known as Black Belts, who have taken special Six Sigma training and worked on numerous Six Sigma projects. Motorola was one of the first companies in the United States to use Six Sigma, but GE made the method a part of its business
culture driving significant and continuous improvement throughout the corporation. The GE Web site states “Six
Sigma is a highly disciplined process that helps us focus on developing and delivering near‐perfect products
and services.”5
Radical Change
Incremental change approaches work well for tweaking existing processes. However, they tend to be less effec-
tive for addressing cross‐functional processes. Major changes usually associated with cross‐functional processes
require a different type of management tool. At the other end of the change continuum, radical change enables
the organization to attain aggressive improvement goals (again, as defined by a set of metrics). The goal of rad-
ical change is to make a rapid, breakthrough impact on key metrics. Some businesses even have made radical
process reconfiguration a core competency so that they can better serve customers whose demands are constantly
changing.
Sloan Valve is an example of a company that set aggressive improvement goals and reached them with a rad-
ical change approach. The company set out to dramatically improve new products’ time to market and was able to
reduce it from 18–24 months to 12 months.
The difference in the incremental and radical approaches over time is illustrated by the graph in Figure 5.5. The
vertical axis measures, in one sense, how well a business process meets its goals. Improvements are made either
incrementally or radically. The horizontal axis measures time.
Not surprisingly, radical change typically faces greater internal resistance than does incremental change. There-
fore, radical change processes should be carefully planned and used only when major change is needed in a short
time. Some examples of situations requiring radical change are when the company is in trouble, when it imminently
4 For more information about TQM and Deming’s 14 Point approach to quality management, see the ASQ (Formerly known as the American Society
for Quality), a global community of experts on quality and the administrators of the Malcolm Baldrige National Quality Award program, http://asq.org/
learn‐about‐quality/total‐quality‐management/overview/overview.html (accessed August 26, 2015). 5 http://www.ge.com/en/company/companyinfo/quality/whatis.htm (accessed August 27, 2015).
c05.indd 106 11/26/2015 6:25:54 PM
107Workflow and Mapping Processes
faces a major change in the operating environment, or when it must change significantly to outpace its competition.
Key aspects of radical change approaches include the following:
• Need for major change in a short amount of time
• Thinking from a cross‐functional process perspective
• Challenge to old assumptions
• Networked (cross‐functional) organization
• Empowerment of individuals in the process
• Measurement of success via metrics tied directly to business goals and the effectiveness of new processes (e.g., production cost, cycle time, scrap and rework rates, customer satisfaction, revenues, and quality)
Workflow and Mapping Processes Workflow in its most basic meaning is the series of connected tasks and activities performed by people and com- puters that together form a business process. Consideration of workflow is a way to assess a cross‐functional
process. But the term workflow has come also to mean software products that document and automate processes. Workflow software facilitates the design of business processes and creates a digital workflow diagram. workflow
software lets the manager diagram answers to questions such as how a process will work, who will do what, what
the information system will do, and what decisions will be made and by whom. When combined with business pro-
cess management modules, processes can be managed, monitored, and modified.
The tool used to understand a business process is a workflow diagram, which shows a picture, or map, of the sequence and detail of each process step. More than 200 products are available for helping managers diagram the
workflow. The objective of process mapping is to understand and communicate the dimensions of the current pro-
cess. Typically, process engineers begin the process mapping procedure by defining the scope, mission, and bound-
aries of the business process. Next, engineers develop a high‐level overview flowchart of the process and a detailed
flow diagram of everything that happens in the process. The diagram uses active verbs to describe activities and
identifies all process actors, inputs, and outputs. The engineers verify the detailed diagram for accuracy with the
actors in the process and adjust it accordingly.
Business Process Management (BPM)
Thinking about the business as a set of processes has become more common, but managing the business as a set of
processes is another story. Some claim that to have truly dynamic or agile business processes requires a well‐defined
80
R ad
ic al
60
Time
P e rc
e n t Im
p ro
v e m
e n t
Incremental40
20
0
FIGURE 5.5 Comparison of radical and incremental improvement.
c05.indd 107 11/26/2015 6:25:54 PM
108 Information Systems and Business Transformation
and optimized set of IT processes, tools, and skills called business process management (BPM). In the 1990s, a class of systems to help manage workflows in the business emerged. The systems primarily helped track docu-
ment‐based processes where people executed the steps of the workflow. BPM systems go way beyond document
management capabilities and include features that manage person‐to‐person process steps, system‐to‐system steps,
and those processes that include a combination of them. Systems include process modeling, simulation, code gener-
ation, process execution, monitoring, and integration capabilities for both company‐based and Web‐based systems.
The tools allow an organization to actively manage and improve its processes from beginning to end.
Enterprise Rent‐a‐Car, one of the largest car rental companies in the world with 7,000 locations and more than
65,000 employees worldwide, used BPM to model, manage, and streamline its IT‐based processes. It used BPM to
build Request Online, the system through which employees requested laptops, software and applications, system
access, reports, and other services available from the IS department. The prior system was mostly manual, not
scalable as volume increased, and not automatable. Not surprisingly, it was difficult to make improvements to that
system. Using a BPM system, the IT staff developed a model that copied the way service requests were already
handled so the experience would be familiar and added features slowly to enhance the experience. The result was a
BPM‐based system that provided better management capabilities and created a common platform for rapid change
and capacity for future growth. That proved critical when Enterprise acquired National Car Rental and Alamo Rent
A Car, creating much more demand for Request Online. Enterprise was able to shift development to less costly
IT staff who could make process modifications directly through the BPM. Finally, the usability of the system was
increased as the BPM facilitated the creation of customized interfaces based on characteristics of the specific users.6
BPM systems provide a way to build, execute, and monitor automated processes that may go across organiza-
tional boundaries. Some of the functionality of a BPM may be found in enterprise applications such as enterprise
resource planning (ERP), customer relationship management (CRM), and financial software because these systems
also manage processes within a corporation. But BPM systems go outside a specific application to help companies
manage across processes. Some BPM systems manage front office applications that are often person‐to‐person
processes such as sales or ordering. These processes are people centric and incorporate social IT. Other BPM sys-
tems support back‐office processes that often are more system‐to‐system oriented and possibly extend outside the
corporation to include Web‐based components. See Figure 5.6 for a representative illustration of the components
of a BPM system.
Enterprise’s Request Online used a BPM system by Appian, which includes components to help a company
design, manage, and optimize core business processes. Appian offers sophisticated features that combine social
Social ITProcess
P ro
c e s s E
n g
in e
B u
s in
e s s R
u le
s
E v e n
ts
A n
a ly
ti c s
A c ti
v it
y M
o n
it o
ri n
g
In te
g ra
ti o
n
C o
n te
n t
P o
rt a l
C o
ll a b
o ra
ti o
n
Data
Web/Mobile/Cloud/Internal Data Center
Business Process Management (BPM) Platform
FIGURE 5.6 Sample BPM architecture. Source: Adapted from www.appian.com (accessed May 1, 2012).
6 Adapted from http://www.appian.com/about/news‐item/enterprise‐rent‐car‐goes‐live‐appian‐enterprise/ (accessed August 27, 2015).
c05.indd 108 11/26/2015 6:25:55 PM
109Workfl ow and Mapping Processes
IT capabilities with process modeling, content management, data management, and integration with existing
enterprise systems. Microsoft ’ s SharePoint, one of the most popular collaboration environments, can be managed
through Appian ’ s suite, creating a one‐stop‐shop for managing business processes in an enterprise.
Two other common vendors for BPM are IBM and SoftwareAG ’ s ARIS, which stands for architecture of
integrated information systems. ARIS has also come to mean an entire modeling approach. ARIS structures four
views of the enterprise, including an organizational view, a data view, a functional view, and a control view.
Using ARIS, managers can model the business, including its processes, using a common language and set of
procedures.
Integration versus Standardization
Processes are the ways organizations deliver goods and services to customers. Designing, building, and execut-
ing processes is one of the roles of management. Dr. Jeanne Ross, Principal Research Scientist at MIT ’ s Center for
Information Research, suggested that the level of integration and standardization of business processes, another
management decision, determines the role of IS. Ross pointed out that “Companies make two important choices
in the design of their operations: (1) how standardized their business processes should be across operational
units (business units, region, function, market segment) and (2) how integrated their business processes should
be across those units.” The resulting model defi nes important IT and business capabilities (see the following fi g-
ure). The level of process integration and standardization defi nes the necessary IS capabilities and ultimately the
investment the fi rm will need to make in IS.
Process Integration versus Standardization
Business Process Standardization
B u
si n
e ss
P ro
c e
ss
In te
g ra
ti o
n
Low High
High The business is focused on process integration, usually creating a single face to customers and suppliers but does not usually impose process standards on operating units.
The business has a centralized design with high needs for reliability, predictability, and sharing data across business units, creating a single view of the process.
Low The business has a decentralized design with which business units make local decisions on processes to meet customer needs.
The business is focused on process standardiza- tion in which tasks are done the same way with the same systems across business units, but the business units have little need to interact.
CEMEX , the multinational cement company based in Monterrey, Mexico, built a business high in process stan-
dardization and low in process integration. CEMEX standardized on eight information systems‐based business
processes to cover logistics, manufacturing, accounting, planning, operations, procurement, fi nance, and HR. Each
operating unit uses the same processes and creates similar data, but each runs autonomously, rarely sharing data.
This approach provides a competitive advantage because it enables the company to grow quickly, easing the
assimilation of acquired companies.
Merrill Lynch ’ s Global Private Client business with high integration and low standardization provides a wide
range of fi nancial services to clients across multiple channels such as fi nancial advisory services, online services,
and help center support services. The key to the company ’ s success is integration across processes to provide
a single view of the customer, which can then be leveraged when new products and services are announced. At
the same time, the company does not expect standardization across processes; each operating unit can create
what it needs as long as it uses a standardized technology platform that supports the integrated design. That is,
the separate systems need to coordinate the various information resources among themselves.
Source: J. Ross , “ Forget Strategy: Focus IT on Your Operating Model ,” MIT Center for Information Research, Research Briefing (December 2005 ), V(3C), http://cisr.mit.edu/blog/documents/2005/12/09/2005_12_3c_operatingmodels.pdf/ (accessed May 23, 2015) .
c05.indd 109 11/26/2015 6:25:55 PM
110 Information Systems and Business Transformation
Enterprise Systems Information technology is a critical component of almost every business process today because information flow
is at its core. A class of IT applications called enterprise systems is a set of information systems tools that many organizations use to enable this information flow within and between processes across the organization.
These tools help ensure integration and coordination across functions such as accounting, production, customer
management, and supplier management. Some are designed to support a particular industry such as health care,
retail, and manufacturing.
Computer systems in the 1960s and early 1970s were typically designed around a specific application. These
early systems were often not connected with each other and often had their own version of data. One of the authors
moved to another home in 1980 and visited the bank to change his address. He had to fill out a separate form for
his checking and savings account. It was lucky that the post office forwarded mail for a year after the move; four
months after moving, the bank sent a year‐end auto loan summary document via his old address, requiring another
update of the address, and nearly a year later, the bank sent his safe deposit box renewal form via his old address
too, requiring yet another update. It was obvious that each system contained its own copy of redundant data and
existed in its own silo.
Organizational computing groups faced the challenge of linking and maintaining the patchwork of loosely over-
lapping, redundant systems. In the 1980s and 1990s, software companies in a number of countries, including the
United States, Germany, and the Netherlands, began developing integrated software packages that used a common
database and cut across organizational systems. Some of these packages were developed from administrative sys-
tems (e.g., finance and human resources), and others evolved from materials resource planning (MRP) in manu-
facturing. These comprehensive software packages that incorporate all modules needed to run the operations of
a business are called enterprise information systems (EIS) or simply enterprise systems. Enterprise systems include ERP, supply chain management (SCM), CRM, and product life cycle management (PLM) systems (see
Figure 5.7). Some companies develop proprietary enterprise systems to support mission‐critical processes when
they believe these processes give them an advantage and using a vendor‐supplied system would jeopardize that
advantage. Other enterprise systems may be developed specifically to integrate organizational processes. Figure 5.8
describes some examples of the processes supported by an enterprise system.
Two of the largest vendors of enterprise systems are German‐based SAP and California‐based Oracle. Initially,
SAP defined the ERP software space, and Oracle had the database system supporting it. But more recently, SAP
has moved to its own database system, and Oracle has acquired many other smaller vendors, creating their own
suite of enterprise software solutions.
Sloan Valve, the case introduced at the beginning of this chapter, used SAP. Initially, Sloan implemented the
ERP module, but as the design emerged for the NPD process, the PLM module was key. It enabled the process
owner to keep track of targets, look at efficiencies in the process, and understand process problems. It also helped
track and allocate resources for each new product idea and enabled coordination between all the cross‐functional
team members.
Enterprise Resource Planning (ERP)
Enterprise resource planning (ERP) was designed to help large companies manage the fragmentation of information stored in hundreds of individual desktop, department, and business unit computers across the organi-
zation. These modules offered the IS department in many large organizations an option for switching from under-
performing, obsolete mainframe systems to client‐server environments designed to handle the changing business
demands of their operational counterparts. Many firms moved from their troubled systems in the late 1990s to avoid
the year 2000 (Y2K) problem7 and to standardize processes across their businesses.
7 The Y2K problem was of great concern in the 1990s because many old systems used two digits instead of four digits to represent the year, making it
impossible to distinguish between years such as 2000 and 1900.
c05.indd 110 11/26/2015 6:25:55 PM
111Enterprise Systems
FIGURE 5.8 Enterprise systems and examples of processes they support.
Enterprise System Sample Processes
Enterprise resource planning (ERP)
Financial management (accounting, financial close, invoice to pay process, receivable management); human capital management (talent management, payrolls, succession planning); operations management (procurement, logistics, requisition invoice payment, parts inventory)
Customer relationship management (CRM)
Marketing (brand management, campaign management); lead management; loyalty program management; sales planning and forecasting; territory and account management; customer service and support (claims, returns, warranties)
Supply chain management (SCM)
Supply chain design; order fulfillment; warehouse management; demand planning, forecasting; sales and operations planning; service parts planning; source‐to‐pay/ procurement process; supplier life cycle management; supply contract management
Product life cycle management (PLM)
Innovation management (strategy and planning, idea capture and management, program/ project management); product development and management; product compliance management
Implements functions of order
placement, order scheduling,
shipping and invoicing. Maximise cost savings with support
for the end-to-end procurement and
logistics processes.
Helps in planning and optimising
the manufacturing capacity and
material resources. It is evolved
from the MRP.
Control warehouse processes and
manage movements in the
warehouse and respond faster to
challenges and changes in
supply and demand.
Automate any financial operations
while ensuring regulatory compliance
and gaining real-time insight into overall
performance.
Maintain a complete employee
database and to optimally utilise of
all employees.
Aims to streamline and gain
greater control of the corporate
services.
Capture and maintain customer
relationships, facilitate the use of
customer experiences and evaluate
the knowledge management.
Analyse data and
convert to information. Focus on external strategies.
Efficiently and sustainably manage
the entire asset lifecycle, improve
asset usage and cut costs with
powerful analytics.
Customer services
(CRM)
Business Intelligence
Sales
Enterprise asset
management
e-Commerce
and others...
Procurement (SRM)
Production (PLM)
Distribution (SCM)
Accounting Human Resource
Corporate performance
and governance
Traditional ERP modules ERP II modulesIII
I
I I
II
II
II
II
II
II
II
I
FIGURE 5.7 Enterprise systems and the processes they automate. Source: Adapted from Shing Hin Yeung, http://commons.wikimedia.org/wiki/File:ERP_Modules.png (accessed August 27, 2015).
The next generation of enterprise system emerged: ERP II systems. Whereas an ERP makes company information
immediately available to all departments throughout the company, ERP II also makes company information
immediately available to external stakeholders, such as customers and partners. ERP II enables e‐business by inte- grating business processes between an enterprise and its trading partners. More recently, a move to better manage
information systems using the cloud has again called into question the design of some business processes.
c05.indd 111 11/26/2015 6:25:55 PM
112 Information Systems and Business Transformation
Today, ERP systems include all of the ERP II functionality plus social and collaboration features. A good example
is Chatter from Salesforce.com,8 which includes an activity stream interface (similar to Facebook) for employees
with easy connections to the firm’s information in its ERP. SAP’s ERP solution includes SAP ERP Financials, SAP
ERP Human Capital Management, and SAP ERP Operations. Oracle’s ERP solution, EnterpriseOne, offers these
same functions. Both vendors have integrated their ERP solutions with their supply chain/logistics solutions, their
CRM solutions, and several other modules that make them a one‐stop shop for software that provides the backbone
of an enterprise.
Characteristics of ERP Systems
ERP systems have several characteristics:9
• Integration. ERP systems are designed to seamlessly integrate information flows throughout the company. ERP systems are configured by installing various modules, such as:
• Manufacturing (materials management, inventory, plant maintenance, production planning, routing, shipping, purchasing, etc.)
• Accounting (general ledger, accounts payable, accounts receivable, cash management, forecasting, cost accounting, profitability analysis, etc.)
• Human resources (employee data, position management, skills inventory, time accounting, payroll, travel expenses, etc.)
• Sales (order entry, order management, delivery support, sales planning, pricing, etc.)
• Packages. ERP systems are usually commercial packages purchased from software vendors. Unlike many packages, ERP systems usually require long‐term relationships with software vendors because the complex
systems must typically be modified on a continuing basis to meet the organization’s needs.
• Best practices. ERP systems reflect industry best (or at least “very good”) practices for generic business processes. To implement them, businesses often have to change their processes in some way to accommo-
date the software.
• Some assembly required. The ERP system is software that needs to be integrated with the organization’s hardware, operating systems, databases, and network. Further, ERP systems often need to be integrated with
proprietary legacy systems. It often requires that middleware (software used to connect processes running in one or more computers across a network) or “bolt‐on” systems be used to make all the components opera-
tional. Vendor‐supplied ERP systems have a number of configurable components, too, which need to be set
up to best fit with the organization. Rarely does an organization use an ERP system directly “out of the box”
without configuration.
• Evolving. ERP systems were designed first for mainframe systems, then for client‐server architectures, and now for Web‐enabled or cloud‐based delivery.
Integrating ERP packages with other software in a firm is often a major challenge. For example, integrating
internal ERP applications with supply chain management software seems to create issues. Making sure the link-
ages between the systems happen seamlessly is a challenge. One important problem in meeting this challenge is to
allow companies to be more flexible in sourcing from multiple (or alternative) suppliers while also increasing the
transparency in tightly coupled supply chains. A second problem is to integrate ERP’s transaction‐driven focus into
a firm’s workflow.10
8 See http://www.salesforce.com/chatter/overview/ (accessed August 27, 2015). 9 M. Lynne Markus and Cornelis Tanis, “The Enterprise System Experience—From Adoption to Success,” Framing the Domains of IT Management: Projecting the Future Through the Past, ed. R. Zmud (Cincinnati, OH: Pinaflex Educational Resources, 2000), 176–79. 10 Amit Basu and Akhil Kumar, “Research Commentary: Workflow Management Issues in e‐Business,” Information Systems Research 13, no. 1 (March 2002), 1–14.
c05.indd 112 11/26/2015 6:25:55 PM
113Enterprise Systems
Managing Customer Relationships
A type of software package that is increasingly considered an enterprise system is customer relationship management
systems. Customer relationship management (CRM) is a set of software programs that supports management activities performed to obtain, enhance relationships with, and retain customers. They include sales, support, and
service processes. Today, CRM has come to mean the enterprise systems that support these processes, and the term
is used interchangeably with the set of activities.
CRM processes create ways to learn more about customers ’ needs and behaviors with the objective of developing
stronger relationships. CRM systems consist of technological components as well as many pieces of information
about customers, sales, marketing effectiveness, responsiveness, and market trends. Optimized CRM processes and
systems can lead to better customer service, more effi cient call centers, product cross‐selling, simplifi ed sales and
marketing efforts, more effi cient sales transactions, and increased customer revenues. The goal of CRM is to pro-
vide more effective interaction with customers and bring together all information the company has on a customer.
The top‐selling CRM systems are from Salesforce.com, SAP, Oracle, and Microsoft Dynamics . 11 Oracle and
SAP have CRM systems that integrate with their other enterprise systems. Oracle ’ s CRM system includes mod-
ules for pricing, sales force automation, sales order management, support activities, customer self‐service, and
11 Louis Columbus , “ Gartner CRM Market Share Update: 41% Of CRM Systems Are SaaS‐based, Salesforce Dominating Market Growth ,” Forbes , May 6, 2014 , http://www.forbes.com/sites/louiscolumbus/2014/05/06/gartners‐crm‐market‐share‐update‐shows‐41‐of‐crm‐systems‐are‐saas‐based‐with‐
salesforce‐dominating‐market‐growth/ (accessed August 27, 2015) .
Geographic Lens: Global vs. Local ERPs
ERP systems are usually designed around best practices—but whose best practices? SAP and Oracle , the leading
vendors of ERP systems, have a Western bias. More specifi cally, best practices at the heart of their systems are
based upon business processes that are found in successful companies in Germany and North America. How-
ever, when these systems are transplanted into Asian companies, problematic “misfi ts” have been found to occur.
An example is the use of ERP systems designed for hospitals. Western health care models are decidedly dif-
ferent from those used in Singapore. In Western countries, insurance enables patients to pay a fraction of their
medical expenses themselves, and the government or private insurance covers the rest. Singapore has a com-
pletely different model. In Singapore, health care expenses are covered primarily by the individual. Government
subsidies and other community support is minimal.
How does this affect processes embedded in ERP systems in hospitals? When ERP systems are designed for
Western hospitals, they include modules that help manage the complexity of billing and collections that result
from claims submissions and insurance verifi cation. When the primary payment is from individuals paying at the
time of service or in installments, the collections process is signifi cantly different. Further, “bed class” is important
in Singapore where patients in public hospitals can choose from a variety of plans ranging from one bed to six or
more per room. The Western model is simpler because single‐bed rooms are more common.
Because of differences and “misfi ts,” businesses in many non‐Western companies are turning to local vendors that
have developed systems refl ecting local best practices. For example, local ERP vendors in Taiwan have developed
ERP systems to support the majority of fi rms in the market space—small‐ to medium‐sized Taiwanese companies with
sophisticated, adaptive logistic networks. The local ERP vendors have adopted a strategy of customization and are
more willing to modify their systems to satisfy local needs than are their large global competitors.
These examples suggest that another factor needs to be considered when designing and implementing and
ERP: It should not be implemented if the system is based on a cultural model that confl icts with the local customs
and that cannot easily be accommodated.
Sources: C. Soh , S. K. Sia , and J. Tay‐Yap , “ Cultural Fits and Misfits: Is ERP a Universal Solution ,” Communications of the ACM 43 , no. 4 ( 2000 ), 47 – 51 ; E. T. G. Wang , G. Kleing , and J. J. Jiang , “ ERP Misfit: Country of Origin and Organizational Factors ,” Journal of Management Information Systems 23 , no. 1 ( 2006 ), 263 – 92 .
c05.indd 113 11/26/2015 6:25:55 PM
114 Information Systems and Business Transformation
service management. SAP’s CRM system has similar modules plus marketing support such as resource and brand
management, campaign management, real‐time offer management, loyalty management, and e‐marketing. There
is also an e‐commerce module that facilitates personalized interface and self‐service applications for customers.
Salesforce.com is a different type of CRM. Whereas Oracle and SAP came from the enterprise systems space and
then created a CRM module, Salesforce.com started with a CRM solution. In addition, the products by Oracle
and SAP grew from on‐premise enterprise systems, and each company eventually built Web‐based versions of its
products, but Salesforce.com started as a Web‐based cloud system. Managers who seek a CRM system for their
organizations should compare the features and delivery systems of these and other solutions provided by niche ven-
dors who specialize in systems optimized for specific industry applications.
Social IT is increasingly integrated into CRM solutions. Providing software or Web applications that extend
the brand, engage customers, allow customers to interact with each other and with employees, and provide ser-
vice options generates additional “touches” with customers. CRM systems record these touches. The information
becomes an additional channel of data useful for building customer relationships. Salesforce.com teamed with Dun
& Bradstreet to use Data.com, a cloud‐based storehouse of company and customer contact information for use in
CRM systems. Data.com uses a crowd‐sourcing model to collect up‐to‐date information with users of the server
contributing data and helping to keep that data accurate.
In Chapter 1, we described the Ritz‐Carlton’s CRM, Class, which captures information about guest pref-
erences and enables the chain to provide enhanced, customized service during future visits. Web sites collect
information from customers who visit, make purchases, or request information. That information is stored in the
company’s CRM and used in many ways to better meet customer needs and enhance the customer experience.
For example, movie site Netflix stores all the purchases and product reviews a customer makes in its CRM. Using
that information, the site recommends additional films the customer might enjoy based on analysis of the data
in the CRM.
Managing Supply Chains
Another type of enterprise system in common use is a supply chain management (SCM) system, which manages the integrated supply chain. Business processes are not just internal to a company. With the help of information
technologies, many processes are linked across companies with a companion process at a customer or supplier,
creating an integrated supply chain. Technology, especially Web‐based technology, allows the supply chains of a
company’s customers and suppliers to be linked through a single network that optimizes costs and opportunities
for all companies in the supply chain. By sharing information across the network, guesswork about order quan-
tities for raw materials and products can be reduced, and suppliers can make sure they have enough on hand if
demand for their products unexpectedly rises.
The supply chain of a business is the process that begins with raw materials and ends with a product or service
ready to be delivered (or in some cases actually delivered) to a customer. It typically includes the procurement
of materials or components, the activities to turn these materials into larger subsystems or final products, and
the distribution of these final products to warehouses or customers. But with the increase in information systems
use, the supply chain may also include product design, product planning, contract management, logistics, and
sourcing. Globalization of business and ubiquity of communication networks and information technology have
enabled businesses to use suppliers from almost anywhere in the world. At the same time, this has created an
additional level of complexity for managing the supply chain. Supply chain integration is the approach of tech- nically linking supply chains of vendors and customers to streamline the process and to increase efficiency and
accuracy.
Without such linking, a temporary increase in demand from a retailer might become interpreted by its suppliers
as permanent, and the changes can become magnified by each supplier up the chain when each supplier attempts to
add another percent or two just to be “safe.” Those erratic and wild changes are called the bullwhip effect. Linking synchronizes all suppliers to the same demand increase up and down the chain and prevents that effect.
c05.indd 114 11/26/2015 6:25:55 PM
115Enterprise Systems
Integrated supply chains have several challenges, primarily resulting from different degrees of integration and
coordination among supply chain members.12 At the most basic level, there is the issue of information integration.
Partners must agree on the type of information to share, the format of that information, the technological stan-
dards they both use to share it, and the security they use to ensure that only authorized partners access it. Trust
must be established so the partners can solve higher‐level issues that may arise. At the next level is the issue of
synchronized planning. At this level, the partners must agree on a joint system of planning, forecasting, and replen-
ishment. The partners, having already agreed on what information to share, now have to agree on what to do with
it. The third level can be described as workflow coordination—the coordination, integration, and automation of
critical business processes between partners. For some supply chains, this might mean simply using a third party
to link the procurement process to the preferred vendors or to communities of vendors who compete virtually for
the business. For others, it might be a more complex process of integrating order processing and payment systems.
Ultimately, supply chain integration leads to new business models as varied as the visionaries who think them up.
These business models are based on new ideas of coordination and integration made possible by the Internet and
information‐based supply chains. In some cases, new services have been designed by the partnership between
supplier and customer, such as new financial services offered when banks link up electronically with businesses
to accept online payments for goods and services purchased by the businesses’ customers. In other cases, a new
business model for sourcing has resulted, such as one in which companies list their supply needs and vendors elec-
tronically bid to be the supplier for that business.
Demand‐driven supply networks are the next step for companies with highly evolved supply chain capabilities.
Kimberly Clark, the 135‐year‐old consumer products company, is one such example. Its vision is for a highly
integrated suite of supply chain systems that provide end‐to‐end visibility of the supply processes in real time.
Key processes in the company’s demand‐driven supply network are forecast to stock and order to cash. Using an
integrated suite of systems allows the firm’s users to share the same information as close to real time as possible and
to use the data in their systems for continually updating their supply chain, category management, and consumer
insight processes. IS have allowed managers to reduce the problems of handing off data from one system or process
to another (because now everything is in one system), having employees work from different databases (because it’s
now one database), and working with old data (because it’s as real time as possible). This has improved managers’
ability to see what’s going on in the marketplace and evaluate the impact of promotions, production, and inventory
much more quickly.
Integrated supply chains are truly global in nature. Thomas Friedman, in his book The World is Flat, describes how the Dell computer that he had ordered for writing his book was developed from the contributions of an
integrated supply chain that involved about four hundred companies in North America, Europe, and, primarily,
Asia. However, the globalization of integrated supply chains faces a growing challenge from skyrocketing trans-
portation costs. For example, Tesla Motors, a pioneer in electric‐power cars, had originally planned the production
of a luxury roadster for the U.S. market based on an integrated global supply chain. The 1,000‐pound battery packs
for the cars were to be manufactured in Thailand, shipped to Britain for installation, and then shipped to the United
States where they would be assembled into cars. However, because of the extensive costs associated with shipping
the batteries more than 5,000 miles, Tesla decided to make the batteries and assemble the cars near its headquarters
in California. Darryl Siry, Tesla’s Senior Vice President of Global Sales, Marketing, and Service explains: “It was
kind of a no‐brain decision for us. A major reason was to avoid the transportation costs, which are terrible.” Econ-
omists warn managers to expect the “neighborhood effect” in which factories may be built closer to component
suppliers and consumers to reduce transportation costs. This effect may apply not only to cars and steel but also to
chickens and avocados and a wide range of other items.13
12 Hau Lee and Seungjin Whang, “E‐Business and Supply Chain Integration,” Stanford University Global Supply Chain Management Forum (November
2001). 13 Larry Rohter, “Shipping Costs Start to Crimp Globalization” The New York Times, 1, 10, http://www.nytimes.com/2008/08/03/business/worldbusiness/ 03global.html (accessed August 27, 2015).
c05.indd 115 11/26/2015 6:25:56 PM
116 Information Systems and Business Transformation
Dell continues to be not only a great example of an integrated supply chain but also of the neighborhood
effect. Its “build‐to‐order” strategy of building computers as they are ordered rather than to mass‐produce them for
inventory requires an integrated supply chain. One of the authors of this textbook visited a Dell plant in Malaysia
with several dozen students. An official there described how the plant’s zero inventory goal was accomplished by
ordering components only when computers were ordered, to arrive on the day of assembly. Also, suppliers were
strategically located in adjacent buildings surrounding the plant with an airport practically in walking distance. In
this way, suppliers are closely linked with the actual production process.
Product Life Cycle Management (PLM)
A less well-known type of enterprise system is a product life cycle management (PLM) system. PLM systems automate the steps that take ideas for products and turn them into actual products. PLM refers to the process that starts with the idea for a product and ends with the “end of life” of a product. It includes the innovation activities,
new product development, and management, design, and product compliance (if necessary). PLM systems con-
tain all the information about a product such as design, production, maintenance, components, vendors, customer
feedback, and marketing.
Advantages and Disadvantages of Enterprise Systems
One major benefit of enterprise systems is that they represent a set of industry best practices. One confidential
story relayed to the authors described a large university that had suffered for years with inconsistent, incomplete,
and immature processes. The university’s leader announced in advance that rather than customize a new ERP
to fit those processes, the directive was to replace completely those poor processes provided by the ERP. As a
result, the ERP’s best practices dramatically improved the university’s ability to provide information services to
faculty, staff, and students and also to track the entire “life cycle” of people from initial inquiry to graduation
and beyond.
Another major benefit of an enterprise system is that all modules of the information system easily communi-
cate with each other, offering enormous efficiencies over stand‐alone systems. In business, information from one
functional area is often needed by another area. For example, an inventory system stores information about vendors
who supply specific parts. This same information is required by the accounts payable system, which pays vendors
for their goods. It makes sense to integrate these two systems to have a single accurate record of vendors and to use
an enterprise system to facilitate that integration.
Because of the focus on integration, enterprise systems are useful tools for an organization seeking to centralize
operations and decision making. As described earlier in the Integration versus Standardization box about the Ross
framework, high integration allows units to coordinate easily and unify their data for global access. Redundant data
entry and duplicate data may be eliminated; standards for numbering, naming, and coding may be enforced; and
data and records can be cleaned up through standardization. Further, the enterprise system can reinforce the use of
standard procedures across different locations.
The obvious benefits notwithstanding, implementing an enterprise system represents an enormous amount of
work. For example, if an organization has allowed both the manufacturing and the accounting departments to keep
their own records of vendors, then most likely these records are kept in somewhat different forms (one department
may enter the vendor name as IBM, the other as International Business Machines or even IBM Corp., all of which
make it difficult to integrate the databases). Making matters worse, a simple data item’s name itself might be stored
differently in different systems. In one system, it might be named Phone_No, but in another, it might be simply
Phone. Such inconsistencies in data items and values must be recognized and fixed so that the enterprise system
can provide optimal advantage.
Moreover, even though enterprise systems are flexible and customizable to a point, most also require business
processes to be redesigned to achieve optimal performance of the integrated modules. It is rare that an off‐the‐
shelf system is perfectly harmonious with an existing business process; the software usually requires significant
modification or customization to fit with the existing processes, or the processes must change to fit the software.
c05.indd 116 11/26/2015 6:25:56 PM
117Enterprise Systems
In most installations of enterprise systems, both take place. The system is usually customized when it is installed
in a business by setting a number of parameters. Many ERP projects are massive undertakings, requiring formal,
structured project management tools (as discussed in Chapter 11).
All systems make assumptions about how the business processes work, and at some level, customization is not
possible. For example, one major Fortune 500 company refused to implement a vendor’s enterprise system because
the company manufactured products in lots of “one,” and the vendor’s system would not handle the volume this
company generated. If the company had decided to use the ERP, a complete overhaul of its manufacturing process
in a way that executives were unwilling to do would have been necessary.
Implementing enterprise systems requires organizations to make changes beyond just the processes, but also in
their organization structure. Recall from Chapter 1 that the Information Systems Strategy Triangle suggests that
implementing an information system must be accompanied with appropriate organizational changes to be effective.
Implementing an enterprise system is no different; a 2014 Panorama report stated directly that only firms that allo-
cate enough of the project budget to organizational change management will achieve the best results.14 For example,
who will now be responsible for entering the vendor information that was formerly kept in two locations? How
will that information be entered into the enterprise system? The answer to such simple operational questions often
requires managers minimally to modify business processes and more likely to redesign them completely to accom-
modate the information system.
Enterprise systems are also risky. The number of enterprise system horror stories demonstrates this risk. For
example, Kmart wrote off its $130 million ERP investment. American LaFrance (ALF), the manufacturer of highly
customized emergency vehicles, declared bankruptcy, blaming its IT vendor and its ERP implementation. The
problems with the implementation kept ALF from being able to manufacture many preordered vehicles.15 Two
months after the installation of a new ERP system, the Fort Worth Police Officers Association complained that pay-
checks were not being received correctly or on a timely basis by officers. Some officers had not been paid since the
installation, and others were shortchanged in their paychecks because the new system was not able to handle odd
hours and shift work.
Furthermore, enterprise systems and the organizational changes they induce tend to come with a hefty price tag.
In a study of the initial acquisition and implementation costs of ERP systems in primarily midsize companies (with
$100 million to $1 billion in annual revenues), half of the responding 157 chief financial officers (CFOs) admitted
spending more than $1 million for the license, service, and first year’s maintenance on their current ERP systems. Nine of 10 respondents said they spent a minimum of $250,000. Unreported were additional hidden costs in the
form of technical and business changes, likely to be necessary when implementing an enterprise system. These
include project management, user training, and IT support costs.16 Some surveys uncover negative impacts on
performance. For instance, in 2014, overruns in costs were found to plague 54% of ERP projects, and 72% of the
firms reporting encountered implementation delays. Perhaps more important were disruptions in service such as
difficulties in shipping products, experienced by 51% of the firms surveyed.17
One of the reasons that ERP systems are so expensive is that they are sold as a suite, such as financials or manu-
facturing, and not as individual modules. Because buying modules separately is difficult, companies implementing
ERP software often find the price of modules they won’t use hidden in the cost of the suite.
Seventy percent of survey respondents report that they are satisfied with their ERP systems in spite of the large
expense, overruns, delays, and disruptions experienced, largely due to the capabilities of ERP systems. However,
only 63% considered the project a “success,” perhaps due to overruns.18 A set of advantages and disadvantages of
enterprise systems is provided in Figure 5.9.
14 Panorama Consulting, “Organizational Issues Number One Reason for Extended Durations,” http://panorama‐consulting.com/company/press‐releases/
panorama‐consulting‐solutions‐releases‐2014‐erp‐report/ (accessed February 26, 2015). 15 For additional examples of IT failures in general and enterprise systems failures in particular, please visit the blog written by Michael Krigsman, http://
blogs.zdnet.com/projectfailures/. 16 T. Wailgum, “Why CEOs and CFOs Hate It: ERP” (April 8, 2009), http://advice.cio.com/thomas_wailgum/why_cfos_and_ceos_hate_it_erp (accessed
February 14, 2012). 17 Panorama Consulting 2014 Report. 18 Ibid.
c05.indd 117 11/26/2015 6:25:56 PM
118 Information Systems and Business Transformation
When the System Drives the Transformation
When is it appropriate to use the enterprise system to drive transformation and business process redesign, and when
is it appropriate to redesign the process fi rst and then implement an enterprise system? Although it may seem like
the process should be redesigned fi rst and then the information system aligned to the new design, there are times
when it is appropriate to let the enterprise system drive business process redesign. First, when an organization is just
starting out and processes do not yet exist, it is appropriate to begin with an enterprise system as a way to structure
operational business processes. After all, most processes embedded in the “plain vanilla” enterprise system from
a top vendor are based on the best practices of corporations that have been in business for years. Second, when an
organization does not rely on its operational business processes as a source of competitive advantage, then using an
enterprise system to redesign these processes is appropriate. Third, it is reasonable when the current systems are in
Social Business Lens: Crowdsourcing Changes Innovation Processes
One business process that has been radically changed by the use of social IT is the way innovation is managed
using crowdsourcing. Enterprises have found ways to use a social IT platform to solicit, discuss, and prioritize new
ideas. Anyone in the community can add an idea, and then the entire community can discuss, comment on, and
rate the idea. Managers then have a wealth of ideas along with community input to use as input into the innova-
tion process.
One of the original examples of this is Dell ’ s Ideastorm. Anyone in the community can access Ideastorm to
view ideas posted by the community, post an idea for Dell products or services, vote on the ideas presented,
and see what Dell managers have decided to do with the ideas presented. Ideas presented by the community
range from suggestions for new features on existing systems to new products and services Dell might offer. By
allowing the community to comment and vote on ideas, managers get a sense of the importance and viability of
implementing the innovation.
Similar social platforms have been implemented by numerous other companies including Starbucks ’ mystar-
bucksidea.com and Best Buy ’ s IdeaX. Companies have also taken this idea inside the corporation to solicit ideas
and innovations about processes, products, and other enterprise issues. Dell ’ s EmployeeStorm and the City of
New York ’ s Simplicity are two social IT examples of soliciting ideas to improve processes and effi ciencies from
employees.
Companies have also embraced the crowd for individual projects; Sam Adams , the beer company, used a
Facebook application for crowdsourcing the next fl avor of beer. The application let fans select the color, clar-
ity, body, malt, hops, and yeast components of a recipe. For each component, the crowdsourcing application
educated fans about the contribution each component made to the resulting beer. The company collected the
crowd ’ s preferences, sharing them along the way for comment and discussion. The results not only gave Sam
Adams managers information about preferences of their fans but also prioritized ideas about the next product to
create with a high probability that it will have a large fan base to get it started.
Sources: https://gigaom.com/2011/01/19/new‐york‐city‐crowdsourcing/ (accessed August 27, 2015) ; http://www.facebook.com/ SamuelAdams?sk=app_299970113373932 (accessed January 19, 2012); http://www.ideastorm.com (accessed on August 30, 2015).
FIGURE 5.9 Advantages and disadvantages of enterprise systems.
Advantages Disadvantages
• Represent “best practices” • Allow modules throughout the organization to
communicate with each other • Enable centralized decision making • Eliminate redundant data entry • Enable standardized procedures in different locations
• Require enormous amount of work • Require redesign of business practices for maximum
benefi t • Have very high cost • Are sold as a suite, not individual modules • Require organizational changes • Have high risk of failure
c05.indd 118 11/26/2015 6:25:56 PM
119Summary
crisis and there is not enough time, resources, or knowledge in the firm to fix them. Even though it is not an optimal
situation, managers must make tough decisions about how to fix the problems. A business must have working oper-
ational processes; therefore, using an enterprise system as the basis for process design may be the only workable
plan. It was precisely this situation that many companies faced with Y2K.
Likewise, it is sometimes inappropriate to let an enterprise system drive business process change. When an
organization derives a strategic advantage through its operational business processes, it is usually not advisable
for it to buy a vendor’s enterprise system. Using a standard, publicly available information system that both the
company and its competitors can buy from a vendor may mean that any system‐related competitive advantage is
lost. For example, consider a major computer manufacturer that relied on its ability to process orders faster than
its competitors to gain strategic advantage. Adopting an enterprise system’s approach would result in a loss of that
advantage. Furthermore, the manufacturer might find that relying on a third party as the provider of such a strategic
system would be a mistake in the long run because any problems with the system due to bugs or changed business
needs would require negotiating with the ERP vendor for the needed changes. With a system designed in house, the
manufacturer was able to ensure complete control over the IS that drives its critical processes.
Another situation in which it would be inappropriate to let an enterprise system drive business process change
is when the features of available packages and the needs of the business do not fit. An organization may use spe-
cialized processes that cannot be accommodated by the available enterprise systems. For example, many ERPs
were developed for discrete part manufacturing and do not support some processes in paper, food, or other process
industries.19
A third situation would result from lack of top management support, company growth, a desire for strategic flex-
ibility, or decentralized decision making that render the enterprise system inappropriate. For example, Dell stopped
the full implementation of SAP R/3 after only the human resources module had been installed because the CIO did
not think that the software would be able to keep pace with Dell’s extraordinary growth. Enterprise systems were
also viewed as culturally inappropriate at the highly decentralized Kraft Foods.
Challenges for Integrating Enterprise Systems Between Companies
With the widespread use of enterprise systems, the issue of linking supplier and customer systems to the business’s
systems brings many challenges. As with integrated supply chains, there are issues of deciding what to share, how
to share it, and what to do with it when the sharing takes place. There are also issues of security and agreement on
encryption or other measures to protect data integrity as well as to ensure that only authorized parties have access.
Some companies have tried to reduce the complexity of this integration by insisting on standards either at the
industry level or at the system level. An example of an industry‐level standard is the bar coding used by all who do
business in the consumer products industry. An example of a system‐level standard is the use of SAP or Oracle to
provide the ERP system used by both supplier and customer. And the increasing use of cloud‐based systems with
standard interfaces makes the integration easier.
S U M M A R Y
• Most business processes today have a significant information systems component to them. Either the process is com- pletely executed through software or an important information component complements the physical execution of the
process. Transforming business, therefore, involves rethinking the information systems that support business processes.
• IS can enable or impede business process change. IS enables change by providing both the tools to implement the change and the tools on which the change is based. IS can impede change, particularly when the process flow is mis-
matched with the capabilities of the IS.
• To understand the role IS plays in business transformation, one must take a business process rather than a functional (silo) perspective. Business processes are well‐defined, ordered sets of tasks characterized by a beginning and an end,
19 Markus and Tanis, “The Enterprise System Experience,” 176–79.
c05.indd 119 11/26/2015 6:25:56 PM
120 Information Systems and Business Transformation
sets of associated metrics, and cross‐functional boundaries. Most businesses operate business processes even if their
organization charts are structured by functions rather than by processes.
• Agile business processes are processes that are designed to be easily reconfigurable. Dynamic processes are designed to automatically update themselves as conditions change. Both types of processes require a high degree of information
systems, which makes the task of changing the process a software activity rather than a physical activity.
• Making changes in business processes typically involves either incremental or radical change. Incremental change with TQM and Six Sigma implies an evolutionary approach. Radical change with a BPR approach, on the other hand, is more sudden.
Either approach can be disruptive to the normal flow of the business; hence, strong project management skills are needed.
• BPM systems are used to help managers design, control, and document business processes and ultimately the workflow in an organization.
• An enterprise system is a large information system that provides the core functionality needed to run a business. These systems are typically implemented to help organizations share data between divisions. However, in some cases,
enterprise systems are used to effect organizational transformation by imposing a set of assumptions on the business
processes they manage.
• An ERP system is a type of enterprise system used to manage resources including financial, human resources, and operations.
• A CRM system is a type of enterprise system used to manage the processes related to customers and the relationships developed with customers.
• An integrated supply chain is often managed using an SCM system, an enterprise system that crosses company bound- aries and connects vendors and suppliers with organizations to synchronize and streamline planning and deliver products
to all members of the supply chain.
• A PLM system is a type of enterprise system support product development from its first idea up through its end.
• Information systems are useful as tools to both enable and manage business transformation. The general manager must take care to ensure that consequences of the tools themselves are well understood and well managed.
D I S C U S S I O N Q U E S T I O N S
1. Why was radical design of business processes embraced so quickly and so deeply by senior managers of so many com- panies? In your opinion, and using hindsight, was its popularity a benefit for businesses? Why or why not?
2. Off‐the‐shelf enterprise IS often forces an organization to redesign its business processes. What are the critical success factors to make sure the implementation of an enterprise system is successful?
3. ERP systems are usually designed around best practices. But whose best practices are the right ones? A Western bias is common; practices found in North America or Europe are often the foundation. When transferred to Asia, however, the
K E Y T E R M S
agile business processes (p. 104)
business process management
(BPM) (p. 107)
business process
perspective (p. 102)
business process reengineering
(BPR) (p. 105)
customer relationship management
(CRM) (p. 113)
cycle time (p. 102)
dynamic business processes (p. 104)
Enterprise Information Systems
(EIS) (p. 110)
enterprise resource planning
(ERP) (p. 110)
enterprise systems (p. 110)
middleware (p. 112)
process (p. 102)
process perspective (p. 102)
product life cycle management
(PLM) (p. 116)
silo perspective (p.103)
Six Sigma (p. 105)
supply chain management
(SCM) (p. 114)
throughput (p. 102)
total quality management
(TQM) (p. 105)
workflow (p. 107)
workflow diagram (p. 107)
c05.indd 120 11/26/2015 6:25:56 PM
121Case Study
Bicycle enthusiasts not only love the ride their bikes provide but also are often willing to pay for newer technology, espe-
cially when it will increase their speed or comfort. Innovating new technologies for bikes is only half the battle for bike
manufacturers. Designing the process to manufacture the bikes is often the more daunting challenge.
Consider the case of Santa Cruz Bicycles . It digitally designs and builds mountain bikes and tests them under the most
extreme conditions to bring the best possible product to its customers. A few years back, the company designed and patented
the Virtual Pivot Point (VPP) suspension system, a means to absorb the shocks that mountain bikers encounter when on the
rough terrain of the off‐road ride. One feature of the new design allowed the rear wheel to bounce 10 inches without hitting
the frame or seat, providing shock absorption without feeling like the rider was sitting on a coiled spring.
The fi rst few prototypes did not work well; in one case, the VPP joint ’ s upper link snapped after a quick jump. The expe-
rience was motivation for a complete overhaul of the design and engineering process to fi nd a way to go from design to
prototype faster. The 25‐person company adopted a similar system used by large, global manufacturers: product life cycle
management (PLM) software.
The research and development team had been using computer‐aided‐design (CAD) software, but it took seven months to
develop a new design, and if the design failed, starting over would be the only solution. This design approach was a drain
not only on the company ’ s time but also on its fi nances. The design team found a PLM system that helped members analyze
and model capabilities in a much more robust manner. The team used simulation capabilities to watch the impact of the
new designs on rough mountain terrain. The software tracks all the variables the designers and engineers need so they can
quickly and easily make adjustments to the design. The new system allows the team to run a simulation in a few minutes,
representing a very large improvement over their previous design software, which took seven hours to run a simulation.
The software was just one component of the new process design. The company also hired a new master frame builder to
build and test prototypes in house and invested in a van‐size machine that can fabricate intricate parts for the prototypes, a
process the company previously outsourced. The result was a signifi cant decrease in its design‐to‐prototype process. What
once averaged about 28 months from start of design to shipping of the new bike now takes 12 to 14 months.
■ CASE STUDY 5‐1 Santa Cruz Bicycles
resulting systems may be problematic. Why do you think this is the case? What might be different in the way different coun-
tries use processes (besides the standard “language” difference)?
4. Have you been involved with a company doing a redesign of its business processes? If so, what were the key things that went right? What went wrong? What could have been done better to minimize the risk of failure?
5. What do you think the former CIO of Dell , Jerry Gregoire, meant when he said, “Don ’ t automate broken business processes”? 20
6. What might an integrated supply chain look like for a financial services company such as an insurance provider or a bank? What are the components of the process? What would the customer relationship management process look like for this
same firm?
7. Tesco , the U.K. retail grocery chain, used its CRM system to generate annual incremental sales of £100 million. Using a fre- quent shopper card, a customer got discounts at the time of purchase, and the company got information about the customer ’ s
purchases, creating a detailed database of customer preferences. Tesco then categorized customers and customized dis-
counts and mailings, generating increased sales and identifying new products to expand the organization ’ s offerings. At the
individual stores, data showed which products must be priced below competitors, which products had fewer price‐sensitive
customers, and which products must have regular low prices to be successful. In some cases, prices were store specific,
based on the customer information. The information system has enabled Tesco to expand beyond groceries to books, DVDs,
consumer electronics, flowers, and wine. The chain also offers services such as loans, credit cards, savings accounts, and
travel planning. What can Tesco management do now that the company has a CRM that it could not do prior to the CRM
implementation? How does this system enable Tesco to increase the value provided to customers?
20 “Technology: How Much? How Fast? How Revolutionary? How Expensive?” Fast Company 56, no. 62, http://www.fastcompany.com/online/56/ fasttalk.html (accessed May 30, 2002).
c05.indd 121 11/26/2015 6:25:56 PM
122 Information Systems and Business Transformation
The fi rst Boeing 787 Dreamliner was delivered to Japan ’ s ANA in the third quarter of 2011, more than three years after the
initial planned delivery date. Its complicated, unique design (including a one‐piece fuselage that eliminated the need for
1,500 aluminum sheets and 50,000 fasteners and reduced the resulting weight of the plane proportionally) promised both
a reduction in out‐of‐service maintenance time and a 20% increase in fuel economy, but problems with early testing of
the new design contributed to the giant project ’ s troubles. Even after those delays, the 787 was grounded in January 2013
because the main battery had problems of overheating and subsequently burning. The problems were fi nally reported solved
in December 2014.
Delivery of Boeing ’ s 787 Dreamliner project was delayed, in part, because of the company ’ s global supply chain net-
work, which was touted to reduce cost and development time. In reality, the network turned out to be a major cause for
problems. Boeing decided to change the rules of the way large passenger aircraft were developed through its Dreamliner
program; rather than simply relying on technological know‐how, it decided to use collaboration as a competitive tool embed-
ded in a new global supply chain process.
With the Dreamliner project, Boeing not only attempted to create a new aircraft through the innovative design and
new material but also radically changed the production process. It built an incredibly complex supply chain involving
over 50 partners scattered in 103 locations all over the world. The goal was to reduce both the fi nancial risks involved in a
$10 billion‐plus project for designing and developing a new aircraft and the new product development cycle time. Boeing
tapped the expertise of various fi rms in different areas such as composite materials , aerodynamics, and IT infrastructure to
create a network in which partners ’ skills complement each other. This changed the basis of competition to skill set rather
than the traditional basis of low cost. In addition, this was the fi rst time Boeing had outsourced the production on the two
most critical parts of the plane—the wings and the fuselage.
The fi rst sign of problems showed up just six months into the trial production. Engineers discovered unexpected bubbles
in the skin of the fuselage during baking of the composite material. This delayed the project a month. Boeing offi cials in-
sisted that they could make up the time and all things were under control. But next to fail was the test version of the nose
section. This time, a problem was found in the software programs, which were designed by various manufacturers. They
failed to communicate with each other, leading to a breakdown in the integrated supply chain. Then problems popped up in
the integration of electronics. The Dreamliner program entered the danger zone when Boeing declared that it was having
trouble getting enough permanent titanium fasteners to hold together various parts of the aircraft. The global supply network
did not integrate well for Boeing and left it highly dependent on a few suppliers.
The battery problems involved lithium‐ion batteries that could not recover from a situation involving a rare but serious
internal short circuit that would cause fl ames to spread from one cell to another. Lithium‐ion batteries had not previously
been used in an airplane and had not been tested under an assumption of a short circuit.
This case clearly underscores the hazards in relying on an extensive supply chain, failing to expect the worst case with
critical new parts, and encountering information exchange problems that caused long delays and seriously compromised a
company ’ s ability to carry out business as planned. Creating a radically different process can mean encountering unexpected
problems. In some cases, it would put a company so far behind its competition that it was doomed to fail. However, in this
case, the major competitor to the Dreamliner, the Airbus 380 program, was also using a global supply chain model, and its
program was delayed by a couple of years. The result for Boeing was a much‐anticipated plane with fuel economy and out-
standing design that made the wait worth it. However, because of compromises in design, the Dreamliner holds only up to
250 passengers, compared to the A380, which has a seating capacity between 525 and 853.
■ CASE STUDY 5‐2 Boeing 787 Dreamliner
Discussion Questions
1. Would you consider this transformation to be incremental or radical? Why?
2. What, in your opinion, was the key factor in Santa Cruz Bicycles ’ successful process redesign? Why was that factor
the key?
3. What outside factors had to come together for Santa Cruz Bicycles to be able to make the changes it did?
4. Why is this story more about change management than software implementation?
Source: Adapted from Mel Duvall, “Santa Cruz Bicycles,” www.baselinemag.com (accessed February 24, 2008).
c05.indd 122 11/26/2015 6:25:56 PM
123Case Study
Discussion Questions
1. Why did Boeing adopt the radical change approach for designing and developing the 787 Dreamliner? What were the
risks? In your opinion, was it a good move? Defend your choice.
2. Using the silo perspective versus business process perspective, analyze the Dreamliner program.
3. What are your conclusions about the design of the integrated supply chain? Give some specific ideas about what could
have been done to integrate it better.
4. If you were the program manager, what would you have done differently to avoid the problems faced by the Dreamliner
program?
Sources: Adapted from J. Lynn Lunsford , “ Boeing Scrambles to Repair Problems with New Plane ,” The Wall Street Journal (December 7, 2007 ), A1, 13 ; Stanley Holmes , “ The 787 Encounters Turbulence ,” Businessweek ( June 19 , 2006 ), 38 – 40 ; Zach Honig , “ Boeing 787 Review: ANA ’ s Dreamliner Flies Across Japan, We Join for the Ride ” (December 16, 2011 ), http://www.engadget.com/2011/12/16/boeing‐787‐ review‐anas‐dreamliner‐fl ies‐across‐japan‐we‐join/ (accessed August 27, 2015) ; J. Mouawad , “ Report on Boeing 787 Dreamliner Battery Flaws Finds Lapses at Multiple Points ,” The New York Times (December 1, 2014 ), http://www.nytimes.com/2014/12/02/business/report‐ on‐boeing‐787‐dreamliner‐batteries‐assigns‐some‐blame‐for‐fl aws.html?
c05.indd 123 11/26/2015 6:25:56 PM
124
6 chapter
Mohawk , 1 a paper mill in upstate New York, was established in 1931. Contrary to a common assump-
tion that information technology is not critical to old technology industry players facing a declining
market, the fi rm has not only embraced cloud computing but also has been able to transform its
business because of the cloud in three ways: (1) moving from manufacturing as its primary focus to
providing service, (2) shifting from a self‐suffi cient model to one of collaboration with a network
of partners, and (3) ensuring that the partner network is fl exible and its capabilities are integrated
with those of Mohawk . Mohawk accomplished this fl exibility by using service‐oriented architecture
(SOA) tools, which enable a fi rm to scale technology services (and expenses) up and down instanta-
neously according to its needs. 2 Also, applications under SOA can be added or subtracted as needed.
Mohawk ’ s new envelope manufacturing facility serves as a vivid example to illustrate the ben-
efi ts of fl exibility. Along the way, the company learned of the anticipated bankruptcy of the largest
envelope manufacturing fi rm in the United States and developed a list of six outsourced fi rms to
turn its premium papers into envelopes. After six months of using those suppliers and investing
in building its own in‐house envelope manufacturing capabilities, Mohawk was able to shift to an
insourcing model for 90% of its volume. The cloud services approach avoided the information sys-
tems diffi culties usually inherent in such a transformation.
There are also benefi ts to internal fl exibility as well. As processing volumes increase and decrease,
sometimes on a seasonal basis and sometimes due to new or discontinued lines of business, Mohawk
experiences corresponding increases and decreases in its requirements for space, servers, and
processing. Its cloud approach allows the company to set up or dismantle servers quickly.
This chapter provides managers with an overview of IT architecture and infrastructure issues and designs. It begins by translating a business into IT architecture and then from the architecture into infrastructure. The manager ’ s role is then discussed, and an example of a fi cti- tious company, GiantCo.com, is used to show how strategy leads to infrastructure. The frame- work used to describe the basic components of architecture and infrastructure, introduced in Chapter 1 , is revisited here, providing a language and structure for describing hardware, soft- ware, network, and data considerations. Common architectures are then presented, including centralized, decentralized and Web‐based service‐oriented architecture (SOA). Architectural principles are covered, followed by a discussion of enterprise architecture. Virtualization and cloud computing, two current architectural considerations, are reviewed. The chapter con- cludes with a discussion of managerial considerations that apply to any architecture.
Architecture and Infrastructure
1 Adapted from Paul J. Stamas , Michelle L. Kaarst‐Brown , and Scott A. Bernard , “ The Business Transformation Payoffs of Cloud
Services at Mohawk ,” MIS Quarterly Executive 13 , no. 4 ( 2014 ) . 2 Christopher Hale : “ Liaison Technologies to Deliver SOA‐in‐the‐Cloud Services to Mohawk Papers ,” Business Wire (February 24, 2010 ), http://www.businesswire.com/news/home/20100224006065/en/Liaison‐Technologies‐Deliver‐SOA‐in‐the‐Cloud‐ Services‐
Mohawk‐Papers#.VYFh_0ZZWjs (accessed June 17, 2015) .
c06.indd 124 11/26/2015 7:23:18 PM
125From Vision to Implementation
Mohawk’s experience shows that cloud computing is not just a mechanism to avoid or reduce costs or to gain
operational benefits. The cloud can enable transformation of the business itself. Mohawk’s mission changed from
“making paper” to “making connections,” which involves being able to sell directly to consumers five times the
number of products than in the pre‐2011 period when it mainly sold a few lines of paper to 10–15 large distributors.
Partners now offer many of those products, and the system provides the capabilities to sell from Mohawk’s own
inventory or from the partners in a seamless way directly to many thousands of small businesses and consumers
via its Web site.
Mohawk was able to make the changes it believed were necessary by shifting from an electronic data interchange
(EDI) approach to a simpler, more interchangeable format using XML and other tools. Liaison Technologies, its
integration consulting firm, enabled these changes by first developing what it calls a cloud integration platform and
building upon that platform in several stages to ultimately arrive at an enhanced Web services platform that enabled
other organizations and customers to request information, inquire about freight charges and pricing, place orders,
and pay for their orders through connections with banks. The platform enables designers to “mash up” (combine)
applications as needed on Web sites that can be built rather quickly. Each feature “plugs in” using tools that make
it easy to connect the Web sites to existing databases.
Payoffs to Mohawk included:
• Shaking the precloud annual earnings decreases of 2%–5% per year to tripling its earnings in two years
• Automating its transaction processes, saving $1 million to $2 million annually in staff costs
• Increasing its product variety fivefold
• Increasing its customer base from 10–15 distributors to 100 business partners and many thousands of direct customers
Not all firms can base their entire operations on a cloud platform that permits integration with other organiza-
tions. Mohawk’s experiences can be considered to be “cutting edge,” and integration consulting is a rather new
phenomenon. Further, even if firms use a cloud approach, they will need to estimate the extent of services they
will need to purchase up front. The Mohawk story illustrates how infrastructure can enable the strategic objectives
of a firm. However, building such an infrastructure cannot come first. Firms must begin by determining a strate-
gic vision, determining the IS architecture needed to fulfill that vision, and then making it all tangible by putting
together an IS infrastructure.
This chapter examines the mechanisms by which business strategy is transformed into tangible IS architecture
and infrastructure. The terms architecture and infrastructure are often used interchangeably in the context of IS. This chapter discusses how the two differ and the important role each plays in realizing a business strategy. Then
this chapter examines some common architectural components for IS today.
From Vision to Implementation As shown in Figure 6.1, architecture translates strategy into infrastructure. Building a house is similar: The owner
has a vision of how the final product should look and function. The owner must decide on a strategy about where to
live—in an apartment or in a house. The owner’s strategy also includes deciding how to live in the house in terms of
taking advantage of a beautiful view, having an open floor plan, or planning for special interests by designing such
special areas as a game room, study, music room, or other amenities. The architect develops plans based on this vision.
These plans, or blueprints, provide a guide—unchangeable in some areas but subject to interpretation in others—for
the carpenters, plumbers, and electricians who actually construct the house. Guided by past experience and by industry
standards, these builders select the materials and construction techniques best suited to the plan. The plan helps them
determine where to put the plumbing and wiring, important parts of the home’s infrastructure. When the process works,
the completed house fulfills its owner’s vision, even though he or she did not participate in the actual construction.
An IT architecture provides a blueprint for translating business strategy into a plan for IS. An IT infrastructure is everything that supports the flow and processing of information in an organization, including hardware, software,
data, and network components. It consists of components, chosen and assembled in a manner that best suits the
c06.indd 125 11/26/2015 7:23:18 PM
126 Architecture and Infrastructure
plan and therefore best enables the overarching business strategy.3 Infrastructure in an organization is similar to the
beams, plumbing, and wiring in a house; it’s the actual hardware, software, network, and data used to create the
information system.
The Manager’s Role
Even though he or she is not drawing up plans or pounding nails, the homeowner in this example needs to know
what to reasonably expect from the architect and builders. The homeowner must know enough about architecture,
specifically about styling and layout, to work effectively with the architect who draws up the plans. Similarly, the
homeowner must know enough about construction details such as the benefits of various types of siding, windows,
and insulation to set reasonable expectations for the builders.
Like the homeowner, managers must understand what to expect from IT architecture and infrastructure to be
able to make full and realistic use of them. The manager must effectively communicate his or her business vision
to IT architects and implementers and, if necessary, modify the plans if IT cannot realistically create or support
those plans. Without the involvement of the manager, IT architects could inadvertently make decisions that limit
the manager’s business options in the future.
For example, a sales manager for a large distribution company did not want to partake in discussions about
providing sales force automation systems for his group. He felt that a standard package offered by a well‐known
vendor would work fine. After all, it worked for many other companies, he rationalized, so it would be fine for
his company. No architecture was designed, and no long‐range thought was given to how the application might
support or inhibit the sales group. After implementation, it became clear that the application had limitations and
did not support the type of sales process in use at this company. He approached the IT department for help, and in
the discussions that ensued, he learned that earlier infrastructure decisions now made it prohibitively expensive to
implement the capability he wanted. Involvement with earlier decisions and the ability to convey his vision of what
the sales group wanted to do might have resulted in an IT infrastructure that provided a platform for the changes the
manager now wanted to make. Instead, the infrastructure lacked an architecture that met the business objectives of
the sales and marketing departments.
The Leap from Strategy to Architecture to Infrastructure The huge number of IT choices available coupled with the incredible speed of technology advances makes the
manager’s task of designing an IT infrastructure seem nearly impossible. However, in this chapter, the task is bro-
ken down into two major steps: first, translating strategy into architecture and second, translating architecture into
Owner’s
Vision
Architect’s
Plans
Builder’s
Implementation
Strategy Architecture Infrastructure
Abstract Concrete
Building
Information
Technology
FIGURE 6.1 From the abstract to the concrete—building versus IT.
3 Gordon Hay and Rick Muñoz, “Establishing an IT Architecture Strategy,” Information Systems Management 14, no. 3 (Summer 1997), 67–69.
c06.indd 126 11/26/2015 7:23:18 PM
127The Leap from Strategy to Architecture to Infrastructure
infrastructure. This chapter describes a simple framework to help managers sort through IT issues. This framework
stresses the need to consider business strategy when defining an organization’s IT building blocks. Although this
framework may not cover every possible architectural issue, it does highlight major issues associated with effec-
tively defining IT architecture and infrastructure.
From Strategy to Architecture
The manager must start out with a strategy and then use the strategy to develop more specific goals as shown in
Figure 6.2. Then detailed business requirements are derived from each goal. In the Mohawk case, the business
strategy was to integrate its own product offerings with those from partners and to present the larger product line
directly to a large number of customers as well as an expanded list of wholesalers. The business requirements
were to integrate the disparate functionality into a modular, flexible system. By outlining the overarching business
strategy and then fleshing out the business requirements associated with each goal, the manager can provide the
architect with a clear picture of what IS must accomplish and the governance arrangements needed to ensure their
smooth development, implementation, and use. The governance arrangements specify who in the company retains
control of and responsibility for the IS. Preferably this is somebody in upper management.
Of course, the manager’s job is not finished here. Continuing with Figure 6.2, the manager must work with the
IT architect to translate these business requirements into a more detailed view of the systems requirements, stan-
dards, and processes that shape an IT architecture. This more detailed view, the architectural requirements, includes
consideration of such things as data and process demands as well as security objectives. These are the architectural
requirements. The IT architect takes the architectural requirements and designs the IT architecture.
From Architecture to Infrastructure
Mohawk’s decision to use a service‐oriented architecture led to the design of a number of services and composite
applications. This illustrates the next step, translating the architecture into infrastructure. This task entails add-
ing yet more detail to the architectural plan that emerged in the previous phase. Now the detail comprises actual
hardware, data, networking, and software. Details extend to location of data and access procedures, location of
firewalls, link specifications, interconnection design, and so on. This phase is also illustrated in Figure 6.2 where
the architecture is translated into functional specifications. The functional specifications can be broken down into
hardware specifications, software specifications, storage specifications, interface specifications, network specifica-
tions, and so on. Then decisions are made about how to implement these specifications: what hardware, software,
storage, interface, network, and so forth to use in the infrastructure.
When we speak about infrastructure, we are referring to more than the components. Plumbing, electrical wiring,
walls, and a roof do not make a house. Rather, these components must be assembled according to the blueprint to
create a structure in which people can live. Similarly, hardware, software, data, and networks must be combined
in a coherent pattern to have a viable infrastructure. This infrastructure can be considered at several levels. At the
most global level, the term may be focused on the enterprise and refer to the infrastructure for the entire organi-
zation. The term may also focus on the interorganizational level by laying the foundation for communicating with
customers, suppliers, or other stakeholders across organizational boundaries. Sometimes infrastructure refers to those components needed for an individual application. When considering the structure of a particular application,
it is important to consider databases and program components, as well as the devices and operating environments
on which they run.
Often when referring to an infrastructure, the underlying computer system is called the platform. The term has
been used in a variety of ways: to identify the hardware and operating system of a computer, such as Microsoft Win-
dows, Apple OSX, or Linux, or smartphone and tablet operating systems, such as Android and iOS. Vendors need to
provide an entirely separate version of their software on each chosen platform, and they often have tools that allow
their programs to produce, nearly automatically, versions that run on multiple platforms.
A platform can also refer to a firm’s collection of cloud‐based, modular tools as the example from Mohawk
illustrated. Such platforms use open standards for easy “plugging‐in” of components, enabling “mashing‐up” of a
c06.indd 127 11/26/2015 7:23:18 PM
128
c06.indd 128 11/26/2015 7:23:19 PM
Functional
Spec
Functional
Spec
Architectural
Requirement
Architectural
Requirement
Business
Requirement
Business
Requirement
Goal
Interface
Spec Infrastructure
Data
Protocol
SWb
Spec
HWa
Spec
Architecture Strategy Goal
Goal
a Hardware. b Software.
FIGURE 6.2 From strategy to architecture to infrastructure.
129The Leap from Strategy to Architecture to Infrastructure
variety of resources at once. Google Maps is an excellent example of a standardized resource that can be accessed
by any platform that provides the proper requests.
Framework for the Infrastructure and Architecture Analysis
When developing a framework for transforming business strategy into architecture and then into infrastructure,
these basic components should be considered:
• Hardware: The physical components that handle computation, storage, or transmission of data (e.g., personal computers, servers, mainframes, hard drives, RAM, fiber‐optic cabling, modems, and telephone lines).
• Software: The programs that run on the hardware to enable work to be performed (e.g., operating systems, databases, accounting packages, word processors, sales force automation, and enterprise resource planning
systems). Software is usually divided into two groups: system software, such as Microsoft Windows, Apple OSX, and Linux, and applications, such as word processors, spreadsheets, and digital photo editors. Sys- tem software is often referred to as a platform because application software runs upon it, sometimes only on a particular version.
• Network: Software and hardware components for local or long‐distance networking. Local networking com- ponents include switches, hubs, and routers; long‐distance networking components include cable, fiber, and
microwave paths for communication and data sharing. All work according to a common protocol, most often
Internet protocol (IP). Some networks are private, requiring credentials to connect. Others, like the Internet,
are public.
• Data: The electronic representation of the numbers and text. Here, the main concern is the quantity and format of data and how often it must be transferred from one piece of hardware to another or translated from
one format to another.
The framework that guides the analysis of these components was introduced in the first chapter in Figure 1.6
This framework is simplified to make the point that initially understanding an organization’s infrastructure is not
difficult. Understanding the technology behind each component of the infrastructure and the technical requirements
of the architecture is a much more complex task. The main point is that the general manager must begin with an
overview that is complete and that delivers a big picture.
This framework asks three types of questions that must be answered for each infrastructure component: what,
who, and where. The “what” questions are those most commonly asked and that identify the specific type of tech-
nology. The “who” questions seek to understand what individuals, groups, and departments are involved. In most
cases, the individual user is not the owner of the system or even the person who maintains it. In many cases, the
systems are leased, not owned, by the company, making the owner a party completely outside the organization. In
understanding the infrastructure, it is important to get a picture of the people involved. The third set of questions
addresses “where” issues. With the proliferation of networks, many IS are designed and built with components in
multiple locations, often even crossing oceans. Learning about infrastructure means understanding where every-
thing is located.
We can expand the use of this framework to also understand architecture. To illustrate the connections between
strategy and systems, the table in Figure 6.3 has been populated with questions that typify those asked in addressing
architecture and infrastructure issues associated with each component.
The questions shown in Figure 6.3 are only representative of many that would need to be addressed; the specific
questions depend on the business strategy the organizations are following. However, this framework can help IT
staff ask managers to provide further information as they seek to translate business strategy into architecture and ul-
timately into infrastructure in their organizations. The answers derived with IT architects and implementers should
provide a robust picture of the IT environment. That means that the IT architecture includes plans for the data and
information, the technology (the standards to be followed and the infrastructure that provides the foundation), and
the applications to be accessed via the company’s IT system.
c06.indd 129 11/26/2015 7:23:19 PM
130 Architecture and Infrastructure
FIGURE 6.3 Infrastructure and architecture analysis framework with sample questions.
Component What Who Where
Architecture Infrastructure Architecture Infrastructure Architecture Infrastructure
Hardware What type of personal device will our users use?
What size hard drives do we equip our laptops with?
Who knows the most about servers in our organization?
Who will operate the server?
Does our architecture require centralized or distributed servers?
What specific computers will we put in our Tokyo data center?
Software Does fulfillment of our strategy require ERP software?
Shall we go with SAP or Oracle applications?
Who is affected by a move to SAP?
Who will need SAP training?
Does our geographical organization require multiple database instances?
Can we use a cloud instance of Oracle for our database?
Network How should the network be structured to fulfill our strategy?
Will a particular Cisco switch be fast enough for what we need?
Who needs a connection to the network?
Who provides our wireless network?
Will we let each user’s phone be a hotspot?
Shall we lease a cable or use satellite?
Data What data do we need for our sales management system?
What format will we store our data in?
Who needs access to sensitive data?
How will authorized users identify themselves?
Will backups be stored on‐site or off‐site?
Will data be in the cloud or in our data center?
Traditionally, there are three common configurations of IT architecture as shown in Figure 6.4. Enterprises
sometimes like the idea of a centralized architecture with everything purchased, supported, and managed cen- trally, usually in a data center, to eliminate the difficulties that come with managing a distributed infrastructure. In addition, almost every sizable enterprise has a large data center with servers and/or large mainframe computers that support many simultaneous users. Because of that history, there are a significant number of legacy mainframe
environments still in operation today. However, one large computer at the center of the IT architecture is not used
as regularly today as it was in the past. Instead, many smaller computers are linked together to form a centralized
IT core that operates very much like the mainframe, providing the bulk of IT services necessary for the business.
A more common configuration is a decentralized architecture. The hardware, software, networking, and data are arranged in a way that distributes the processing and functionality between multiple small computers, servers,
and devices, and they rely heavily on a network to connect them together. Typically, a decentralized architecture
uses numerous servers, often located in different physical locations, at the backbone of the infrastructure, called a
server‐based architecture. A third increasingly common configuration is service‐oriented architecture (SOA), the architecture that
Mohawk, in this chapter’s opening case, decided to use. An example of a service is an online employment form that,
when completed, generates a file with the data for use in another service. Another example is a ticket‐processing
service that identifies available concert seats and allocates them. These relatively small chunks of functionality are
available for many applications through reuse. The type of software used in an SOA architecture is often referred to as software‐as‐a‐service, or SaaS. Another term for these applications when delivered over the Internet is Web services.
A cutting‐edge type of configuration is one that can allocate or remove resources by itself, referred to as a
software‐defined architecture.4 Two illustrations can provide an idea of this trend. The first is a true story of a
4 See K. Pearlson, “Software Defined Future: Instant Provisioning of IT Services,” Connect-Converge (Fall 2014), http://connect‐converge.com/ issues/2014_fall/A1767E8395A03D54262BE6F0B892F986/Converge%20C2‐2014‐Fall.pdf (accessed August 27, 2015).
c06.indd 130 11/26/2015 7:23:20 PM
131The Leap from Strategy to Architecture to Infrastructure
FIGURE 6.4 Common architectures.
Architecture Description Other Terms When to Use?
Centralized Architecture
• A large central computer system runs all applications and stores all data.
• Typically, the computer is housed in a data center and managed directly by the IT department.
• Networking allows users to access remotely.
Mainframe architecture
• To make it easier to manage— all functionality is located in one place
• When the business is highly centralized
Decentralized Architecture
• Computing power is spread out among a number of devices in different locations.
• Servers in different locations, personal computers, laptops, smartphones, and tablets are also included.
• The “client” devices can perform many of the services needed with only occasional requests to central servers for data and services.
Server‐based architecture
• To modularize and address concerns about scalability
• When the business is primarily decentralized
Service‐Oriented Architecture (SOA)
• Software is broken down into services “orchestrated” and connected to each other.
• Together those services form an application for an entire business process.
• The services are often offered from multiple vendors on the Internet and are combined to form applications.
Cloud‐based architecture
• To be agile—reusability and componentization can create new apps
• When the business is new and rapid app design is important
Software‐Defined Architecture
• Infrastructure reconfigures based on load or time of day.
• Infrastructure can be reconfigured autonomously based on rules.
Software‐defined network, network virtualization
• When resources need to be flexible and reconfigured often
• When usage varies dramatically depending on time of day
company selling 10 bird baths per month. It had a Web site for its small family business. For a while, the site was
adequate for its needs. However, when Oprah Winfrey featured the company’s high‐quality designs on her show, the
number of monthly orders jumped to 80,000. Fortunately, the firm’s IT consultants were able to create a software‐
defined network that adapted to the increase in orders. It was able to sense a change in the volume of orders and
allocate additional resources such as storage and processing power to keep the Web site working. A typical hosting
provider would have treated a monthly 8,000‐fold volume increase as an attack and would shut down the site to
protect it. Also, a typical provider would not have enough storage allocated for the orders. The software‐defined
network saved thousands of sales (and hundreds of thousands of dollars) from being lost.
Sometimes software‐defined networks can even change the architecture on the fly. For example, many fast‐food
restaurants and coffee shops offer free WiFi to customers. This capability requires more than one connection to the
Internet in very busy locations, and the shop itself needs its own secure, dedicated connection to record sales trans-
actions and inventory updates from individual restaurant and shop operations. If that operation connection fails, a
software‐defined network could automatically reconfigure to switch one of the customer connections to become
a substitute operations connection. Customers might find their WiFi connections to be a little slower until the
situation returns to normal, but the automatic reconfiguration prevents the restaurant or shop from having to close
c06.indd 131 11/26/2015 7:23:20 PM
132 Architecture and Infrastructure
or revert to a very clumsy manual system. Even without a catastrophe, customer traffic on the WiFi system and the
need for operations capacity can fluctuate as well. After closing, the WiFi system for customers is not needed, but
during busy times, it might be saturated. When software updates are performed or large volumes of transactions are
transmitted, the operations connection might be overwhelmed. Shifting resources automatically from one separate
architectural component to another is a powerful way to reduce costs.
A manager must be aware of the trade‐offs when considering architectural decisions. For example, decentralized
architectures are more modular than centralized architectures, allowing other servers to be added with relative ease
and provide increased flexibility for adding clients with specific functionality for specific users. Decentralized orga-
nizational governance, such as that associated with the networked organization structure (discussed in Chapter 3), is
consistent with decentralized architectures. In contrast, a centralized architecture is easier to manage in some ways
because all functionality is centralized in the main computer instead of distributed throughout all the devices and
servers. A centralized architecture tends to be a better match in companies with highly centralized governance, for
example, those with hierarchical organization structures. SOA is increasingly popular because the design enables
large units of functionality to be built almost entirely from existing software service components. SOA is useful
for building applications quickly because it offers managers a modular and componentized design and, therefore, a
more easily modifiable approach to building applications. Software‐defined architectures are even easier to man- age because they self‐manage many of their features. However, each self‐managing feature must be imagined and
defined; the systems are not autonomous beyond those features.
An example of an organization making these trade‐offs is the Veterans Health Administration (VHA), a part of
the Department of Veterans Affairs of the U.S. federal government.5 The organization included 14 different business
units that served various administrative and organizational needs. The primary objective of the organization was to
provide health care for veterans and their families. In addition, the VHA was a major contributor to medical research,
allowing medical students to train at VHA hospitals. The medical centers operated independently and sometimes
competed against each other. When the U.S. Congress passed an act that enabled the VHA to restructure itself from
a system of hospitals to a single health care system, the IT architecture was reconfigured from a very centralized
design, which enabled the Office of Data Management and Telecommunications to retain control, to a decentral-
ized hospital‐based architecture that gave local physicians and administrators the opportunity to deploy applications
addressing local needs while ensuring that standards were developed across the different locations. The VA then
introduced the “One‐VA” architecture to unify the decentralized systems and “to provide an accessible source of con-
sistent, reliable, accurate, useful, and secure information and knowledge to veterans and their families. . . .”6 Efforts
were made to encrypt, secure, and account for every piece of computer hardware in the system, and a national and
regional data warehouse initiative was launched to standardize business data storage and management.
Technological advances such as peer‐to‐peer architecture and wireless or mobile infrastructure make possible
a wide variety of options. These designs can either augment a firm’s existing way of operating or become its main
focus. For example, a peer‐to‐peer architecture allows networked computers to share resources without needing a central server to play a dominant role. ThePirateBay.org, the Web site for sharing music, movies, games, and more,
and Skype, a site for teleconferencing, texting, and telephoning, are examples of businesses that use a peer‐to‐peer
architecture. Wireless (mobile) infrastructures allow communication from remote locations using a variety of wireless technologies (e.g., fixed microwave links; wireless LANs; data over cellular networks; wireless WANs;
satellite links; digital dispatch networks; one‐way and two‐way paging networks; diffuse infrared, laser‐based com-
munications; keyless car entry; and global positioning systems).
Web‐based and cloud architectures locate significant hardware, software, and possibly even data elements on the Internet. Web‐based architectures offers greater flexibility when used as a source for capacity‐on‐demand, or the availability of additional processing capability for a fee. IT managers like the concept of capacity on demand to
help manage peak processing periods when additional capacity is needed. It allows them to use the Web‐available
capacity as needed, rather than purchasing additional computers to handle the larger loads.
5 Adapted from V. Venkatesh, H. Bala, S. Venkatraman, and J. Bates, “Enterprise Architecture Maturity: The Story of the Veterans Health Administration,”
MIS Quarterly Executive 6, no. 2 (June 2007),79–90; and J. Walters, “IBM Transformation Series, 2009,” http://www.businessofgovernment.org/report/ transforming‐information‐technology‐department‐veterans‐affairs (accessed August 27, 2015). 6 Venkatesh, Venkatraman, and Bates, “Enterprise Architecture Maturity,” p. 86.
c06.indd 132 11/26/2015 7:23:20 PM
133From Strategy to Architecture to Infrastructure: An Example
With the proliferation of smartphones and tablets, enterprises increasingly have employees who want to bring
their own devices and connect to enterprise systems. Some call this Bring Your Own Device (BYOD), and it raises some important managerial considerations. When employees connect their own devices to the corporate
network, issues such as capacity, security, and compatibility arise. For example, many corporate applications are
not designed to function on the small screen of a smartphone. Redesigning them for personal devices may require
significant investment to accommodate the smartphone platform. And not all smartphone platforms are the same.
Designing for an iPhone is different than for an Android phone. Even if a system were redesigned for these two
platforms, the resources required to maintain the system increase because each platform evolves at a different rate
and the applications need to appear similar on each device. In some circles, the drive to port applications to personal
devices and the ensuing issues to make them work is referred to as the consumerization of IT. Consumerization of IT is a growing phenomenon. Not only do employees want to use their own devices to
access corporate systems but also customers increasingly expect to access company systems from their mobile
devices. Making applications robust yet simple enough for customers to use from virtually any mobile device over
the Web is a challenge for many information systems departments. Companies such as Good Technology have been
created to provide services that allow enterprise employees to connect, communicate, and collaborate using their
own devices, supplementing the IT organization’s ability to meet this new demand. Websites are designed with the
philosophy of “responsive design,” permitting them to adapt to screens of any size.
From Strategy to Architecture to Infrastructure: An Example This section7 considers a simple example to illustrate the process of converting strategy to architecture to infra-
structure: We introduce GiantCo.com, a fictitious competitor of Amazon and Wal‐Mart, which sells a wide variety
of products online.
Define the Strategic Goals
The managers at GiantCo.com recognize that they have a large amount of competition, so they have decided to try
to provide outstanding customer service. In fact, their strategy is to become highly customer focused. Among their
immediate strategic goals are the following:
• To increase the period of a money‐back guarantee from one week to a month
• To provide cross‐selling opportunities by temporarily discounting accessories or items that complement those purchased within the previous year
• To provide a return shipping label with every purchase
• To decrease out‐of‐stock occurrences by 20%
• To answer emails within 24 hours
Translate Strategic Goals to Business Requirements
To keep things simple, consider more closely only the first two of GiantCo.com’s strategic goals: to increase the
period of a money‐back guarantee from one week to a month and to suggest goods that complement all those sold
to a customer in the past year. How can GiantCo.com’s architecture enable this goal? Its goal must be translated into
business requirements. A few of the business requirements that address these two goals are to track
• At least a year’s worth of sales for all customers
• All refunds provided to customers
7 Only a few questions raised from the framework are provided; a comprehensive, detailed treatment of this situation would require more information
than provided in this simple example.
c06.indd 133 11/26/2015 7:23:20 PM
134 Architecture and Infrastructure
• Return patterns by customer to detect excesses
• Sales of complementary goods to provide advice for future potential purchasers
Translate Business Requirements into Architecture
To support the business requirements, architectural requirements are specified that dictate the architecture to be
established. One major component of the architecture deals with how to obtain, store, and use data to support the
business requirements.
The database needs to store the sales data for all customers for more than an entire year. The data can be used for
many purposes, including summarizing for an annual report and identifying whether customers who wish to return
goods are within the 30‐day period. It also provides the foundation for suggesting complementary goods when cou-
pled with data pinpointing goods that are related. As customers use the Web site, the sales data can be very useful
for their own decision making.
Translate Architecture to Infrastructure
With the architecture goals in hand, the framework presented in Figure 6.2 outlines how to build the infrastructure.
The architecture outlines the functions needed by the infrastructure, enabling a functional specification to be cre-
ated. Those specs are then translated into hardware, software, data protocols, interface designs, and other compo-
nents that will make up the infrastructure. For GiantCo.com’s database, the functional specification would include
details such as how big it should be, how fast data access should be, what the format of the data will be, and more.
These functional specifications then help narrow the technical specifications, which answer these questions. For
example, after considering the current customer base and forecasts for growth, GiantCo.com’s database might need
the following:
• Sample functional specifications for a year’s worth of activity
• Space to fit transaction data for 22,500 customers who purchase 25 items a year on average with 30 facts (date, price, quantity, item number, customer number, address shipped, credit card billed, and so on)
recorded for each. On average, each fact occupies 10 characters of storage.
• Ability to insert 1,070 records per minute. One server can handle one update per second, or 60 per min- ute, suggesting the need for 18 servers to handle online sales. Accounting information will be placed on
its own server. That totals 168,750,000,000 characters of storage for the year, indicating that 200 giga-
bytes will be needed for this information alone. An analysis of vendors’ products and pricing indicates
that one terabyte is considered more than adequate for each server given that 18 will be purchased.
• Software to do the required tracking for suggesting complementary goods because the current system does not have that functionality.
• Hardware specifications
• One terabyte RAID (redundant array) level 3 hard drive space.
• Nineteen 3‐gigahertz Core 2 duo servers.
• Software specifications
• Apache operating system.
• My SQL database.
c06.indd 134 11/26/2015 7:23:20 PM
135Architectural Principles
Additional technical specifications would be created until the entire infrastructure is designed. Then GiantCo.
com’s IT department is ready to pick specific hardware, software, network, data, etc., to put into its infrastructure.
Figure 6.5 lists possible infrastructure components needed by GiantCo.com.
Architectural Principles Any good architecture is based on a set of principles, or fundamental beliefs about how the architecture should
function. Architectural principles must be consistent with both the values of the enterprise as well as with the
technology used in the infrastructure. The principles are designed by considering the key objectives of the orga-
nization and then translated into principles to apply to the design of the IT architecture. The number of principles
vary widely, and there is no set list of what must be included in a set of architectural principles. However, a guide-
line for developing architectural principles is to make sure they are directly related to the operating model of the
enterprise and IS organization. Principles should define the desirable behaviors of the IT systems and the role of the
organization(s) that support it. A sample of architectural principles is shown in Figure 6.6.
FIGURE 6.5 GiantCo.com’s infrastructure components.
Hardware Software Network Data
19 servers:
• 18 for sales • 1 for accounting
LaCie 10‐GB Thunderbolt RAID hard drive storage system
ERP system with modules for
• Sales • Accounting • Inventory
Enterprise application integration (EAI) software
Apache operating system
MySQL database software
• Cable modem to ISP • Dial‐up lines for backup • Cicso routers, hubs, and
switches • Firewalls from CheckPoint
Database
• Sales • Inventory • Accounting • Complementary items
FIGURE 6.6 Sample architectural principles. Source: Adapted from examples of IT architecture from IBM, The Open Group Architecture Framework, the U.S. Government, and the State of Wisconsin.
Principle Description of What the Architecture Should Promote
Ease of use Ease of use in building and supporting the architecture and solutions based on the architecture
Single point of view A consistent, integrated view of the business regardless of how it is accessed
Buy rather than build Purchase of applications, components, and enabling frameworks unless there is a competitive reason to develop them internally
Speed and quality Acceleration of time to market for solutions while still maintaining required quality levels
Flexibility and agility Flexibility to support changing business needs while enabling evolution of the architecture and the solutions built on it
Innovation Incorporation of new technologies, facilitating innovation
Data security Data protection from unauthorized use and disclosure
Common data vocabulary Consistent definitions of data throughout the enterprise, which are understandable and available to all users
Data quality Accountability of each data element through a trustee responsible for data quality
Data asset Management of data like other valuable assets
c06.indd 135 11/26/2015 7:23:20 PM
136 Architecture and Infrastructure
Enterprise Architecture Many companies apply even more complex and comprehensive frameworks than those described earlier for devel-
oping an IT architecture and infrastructure than those described earlier. They employ an enterprise architecture (EA), or the “blueprint” for all IS and their interrelationships in the firm. EA is the term used for the organizing logic for the entire organization. It often specifies how information technologies support business processes. EA
differs from an IT architecture in its level of analysis, although it shares some design principles of the lower‐level
architectures. It identifies the core processes of the company and how they will work together, how the IT sys-
tems will support the processes, the standard technical capabilities and activities for all parts of the enterprise, and
guidelines for making choices. As experts Jeanne Ross, Peter Weill, and David Robertson describe in their book,
Enterprise Architecture as Strategy,
Top‐performing companies define how they will do business (an operating model) and design the processes and infra-
structure critical to their current and future operations (enterprise architecture). . . . Then these smart companies exploit
their foundation, embedding new initiatives and using it as a competitive weapon to seize new business opportunities.8
The components of an enterprise architecture typically include four key elements:
• Core business processes: The key enterprise processes that create the capabilities the company uses to exe- cute its operating model and create market opportunities
• Shared data: The data that drive the core processes
• Linking and automation technologies: The software, hardware, and networking technologies that provide the links between applications (applications themselves are part of the IT architecture, but the way applica-
tions link together is part of the bigger picture of the enterprise architecture)
• Customer groups: Key customers to be served by the architecture9
One example of an enterprise architecture framework is the TOGAF (The Open Group Architecture Frame- work).10 TOGAF includes a methodology and set of resources for developing an enterprise architecture. It is based
on the idea of an open architecture, one whose specifications are public (as compared to a proprietary architecture
whose specifications are not made public). It is based on the U.S. Department of Defense frameworks and has
been developing and continuously evolving since the mid‐1990s. It provides a practical, standardized methodology
(called Architecture Development Methodology) to successfully implement an enterprise architecture for an organi- zation. Although there is no well‐accepted standard for enterprise architecture, architects who understand and use
TOGAF speak a common language and use the same basic framework and processes to build their company’s IS
architecture. TOGAF is designed to translate strategy into architecture and then into a detailed infrastructure; how-
ever, it supports a much higher level of architecture that includes more components of the enterprise.11
Another example of enterprise architecture frameworks is the Zachman framework, which determines archi- tectural requirements by providing a broad view that helps guide the analysis of the detailed view. This framework’s
perspectives range from the company’s scope, to its critical models and, finally, to very detailed representations of
the data, programs, networks, security, and so on. The models it uses are the conceptual business model, the logical
system model, and the physical technical model.12
Enterprise architectures mature as firms invest resources in technologies that support their strategy. Jeanne
Ross13 theorized that enterprise architecture moves from compartmentalized “silos” to standardized technologies to
enterprisewide software to business modularity. A recent study14 shows a dramatic increase in perceived IT effec-
tiveness as the architecture matures through those four stages.
8 Jeanne W. Ross, Peter Weill, and David C. Robertson, Enterprise Architecture as Strategy (Boston, MA: Harvard Business School Press, 2006), viii–ix. 9 Ibid., 50–52. 10 The Open Group, http://www.opengroup.org. 11 For more information on the TOGAF framework, visit the Open Group’s Web site at www.opengroup.org/togaf/. 12 For more information on the Zachman framework, visit Zachman International’s Web site at www.zachman.com. 13 J. W. Ross, “Creating a Strategic IT Architecture Competency: Learning in Stages,” MIS Quarterly Executive 2, no. 1 (2003), 31–43. 14 Randy V.Bradley, Renée M. E. Pratt, Terry Anthony Byrd, and Lakisha L. Simmons, “The Role of Enterprise Architecture in the Quest for IT Value,”
MIS Quarterly Executive 10, no. 2 (2011), 19–27.
c06.indd 136 11/26/2015 7:23:20 PM
137Virtualization and Cloud Computing
Because enterprise architecture is more about how the company operates than how the technology is designed,
building an EA is a joint exercise to be done with business leaders and IT leaders. IT leaders cannot and should
not do this alone. Because virtually all business processes today involve some component of IT, the idea of trying
to align IT with business processes would merely automate or update processes already in place. Instead, business
processes are designed concurrently with IT systems. The Mohawk case at the beginning of this chapter illustrates
this very well; if Mohawk had simply continued its existing business processes or had made them faster with newer
technology, its profitability would have merely continued to decline. They company was able to reverse this trend
only by redesigning or redirecting its business processes, an effort that was enabled by IT.
As Mohawk found, building an enterprise architecture is more than just linking the business processes to IT.
It starts with organizational clarity of vision and strategy and places a high value on consistency in approach as a
means of optimal effectiveness. The consistency manifests itself as some level of standardization—standardization
of processes, deliverables, roles, and/or data. Every EA has elements of all these types of standardization; however,
the degree and proportion of each vary with organizational needs, making it dynamic. A good enterprise architect
understands this and looks for the right blend for each activity the business undertakes. That means that because
organizational groups and individuals are resources for business processes, the organizational design decisions
should be part of the enterprise architecture. However, this is a sophisticated approach, and new enterprise archi-
tects often seek to put more rigid standards in place and do not attempt to tackle the more complex organizational
design issues.
Barclay’s Bank,15 which services more than 48 million customers worldwide, had an IT architecture that
included more than 2,000 applications and spent in excess of £1 billion annually on IT. The resulting complexity
was managed with an EA that specified frameworks, tools, and processes that created a common language and for-
mat. The EA governance model dictated that both business and technology executives sign off on projects to ensure
accountability and ownership. Roadmaps helped clarify the enterprise architecture design and direction, which
informed planning and portfolio management and created a common vision and a repeatable mechanism for future
investments. The EA ensured appropriate linkages between IT investment and business needs.
Virtualization and Cloud Computing Physical corporate data centers are rapidly being replaced by virtual infrastructure called virtualization. Virtual infrastructure originally meant one in which software replaced hardware in a way that a “virtual machine” or a “virtual desktop system” was accessible to provide computing power. Typically, computing capabilities, storage,
and networking are provided by a third party or group of vendors, usually over the Internet or through a private
network. In most virtual architectures, the five core components available virtually are servers, storage, backup,
network, and disaster recovery. Virtualizing the desktop is a common virtualization application. In a virtual-
ized desktop, the user’s device locally accesses desktop software on a remote server, essentially separating the
operating system from the applications. Virtualization is a useful way to design architecture because it enables
resources to be shared and allocated as needed by the user and makes maintenance easier because resources are
centralized.
Cloud computing is another term used to describe an architecture based on services provided over the Internet. It is based on the concept of a virtual infrastructure. Entire computing infrastructures are available “in the cloud.”
Using the cloud to provide infrastructure means that the cloud is essentially a large cluster of virtual servers or
storage devices. This is called infrastructure as a service (IaaS). In addition to IaaS, software as a service (Saas) and platform as a service (PaaS) are typical services found in
cloud computing. These are described more fully in Chapter 10. Using the cloud for a platform means that the man-
ager will use an environment with the basic software available, such as Web software, applications, database, and
collaboration tools. Using the cloud for an entire application generally means that the software is custom designed
or custom configured for the business but resides in the cloud.
15 Adapted from Phil LeClare and Eric Knorr, “The 2010 Enterprise Architecture Awards” (September 10, 2010), http://www.infoworld.com/d/
architecture/the‐2010‐enterprise‐architecture‐awards‐823 (accessed August 27, 2015).
c06.indd 137 11/26/2015 7:23:20 PM
138 Architecture and Infrastructure
Consumers of cloud computing purchase capacity on demand and are not generally concerned with the under-
lying technologies. It’s the next step in utility computing, or purchasing any part of the consumers’ storage or processing infrastructure they need when they need it. Much like the distribution of electricity, the vision of utility
computing is that computing infrastructure would be available when needed in as much quantity as needed. When
the lights and appliances are turned off in a home, the electricity is not consumed. Ultimately, the customer is
billed only for what is used. In utility computing, a company uses a third‐party infrastructure to do their processing
or transactions and pay only for what they use. And as in the case of the electrical utility, the economies of scale
enjoyed by the computing utility enable very attractive financial models for their customers. As the cost of connec-
tivity falls, models of cloud computing emerge.
Salesforce.com, Facebook, Gmail, Windows Azure, Apple iTunes, and LinkedIn are examples of applications
in the cloud. Users access LinkedIn through the Web and build networks of business professionals on the site. But
LinkedIn provides additional services, such as linking a user’s blog to her or his profile, sharing and storing doc-
uments among group’s members, and accessing applications such as GoodReads to see what network peers are
reading and Tripit to learn about their travel plans.
Benefits of virtualization and cloud computing are many. Businesses that embrace a virtual infrastructure can
consolidate physical servers and possibly eliminate many of them, greatly reducing the physical costs of the data
center. Fees can be based on transaction volumes rather than large up‐front investments. There is no separate cost
for upgrade, maintenance, and electricity. Nor is there a need to devote physical space or to guess how many storage
servers are required. Typically, the network is much simpler, too, because the virtual infrastructure mainly requires
Internet connections for all applications and devices.
But the biggest benefit of virtualization and cloud computing is the speed at which additional capacity, or pro-
visioning, can be done. In a traditional data center, additional capacity is often a matter of purchasing additional
hardware, waiting for its delivery, physically installing it, and ensuring its compatibility with the existing systems.
It can take weeks. In a virtual infrastructure, the nature of the architecture is dynamic by design, making adding
capacity relatively easy and quick.
For example, The New York Times decided to make all public domain articles from 1851 to 1922 available on the Internet. To do that, the company decided to create PDF files of all the articles from the original papers in its
archives. This required scanning each column of the story, creating a series of graphic pictures of the scanned
image, and then cobbling them together to create the single PDF for each story. This was a lot of work and required
significant computing power. Once this batch of articles was converted and added to the company’s existing library,
the 11 million New York Times stories from 1851 to 1989 were accessible on the Internet. The manager of this project had an idea to use the cloud. He selected a service offered by Amazon.com, Amazon
EC2, wrote some code to do the project he envisioned, and tested it on the Amazon servers. He used his credit card
to charge the $240 it cost him to do this conversion. He calculated it would have taken him at least a month to do
the conversion if he used only the few servers available to him in The New York Times network. However, using the Amazon cloud services, he was able to use a virtual server cluster of 100 servers, and it took just under 24 hours to
process the entire 11 million articles.16
But managers considering virtualization and cloud computing must also understand the risks. First is the
dependence on the third‐party supplier. Building applications that work in the cloud may mean retooling exist-
ing applications for the cloud’s infrastructure. The dominant vendor, as of the writing of this text, is VMware, a
company that offers software for workstations, virtual desktop infrastructures, and servers. However, because there
are no standards for virtual infrastructure, applications running on one vendor’s infrastructure may not port easily
to another vendor’s environment.
Architectures are increasingly providing cloud computing and virtualization as alternatives to in‐house infra-
structures. As coordination costs drop and new platforms in the cloud are introduced, cloud computing utilization
will increase.
16 Galen Gruman, “Early Experiments in Cloud Computing,” InfoWorld (April 7, 2008), http://www.infoworld.com/article/2649759/operating‐systems/ early‐experiments‐in‐cloud‐computing.html (accessed July 28, 2015); Derek Gottfrid, “Self‐Service, Prorated Supercomputing Fun!” (November 1,
2007), http://open.blogs.nytimes.com/2007/11/01/self‐service‐prorated‐super‐computing‐fun/ (accessed July 28, 2015).
c06.indd 138 11/26/2015 7:23:20 PM
139Other Managerial Considerations
Other Managerial Considerations The infrastructure and architecture framework shown in Figure 6.3 guides the manager toward the design and
implementation of an appropriate infrastructure. Defining an IT architecture that fulfills an organization’s needs
today is relatively simple; the problem is that by the time it is installed, those needs can change. The primary rea-
son to base an architecture on an organization’s strategic goals is to allow for inevitable future changes—changes
in the business environment, organization, IT requirements, and technology itself. Considering future impacts
should include analyzing the existing architecture, the strategic time frame, technological advances, and financial
constraints.
Understanding Existing Architecture
At the beginning of any project, the first step is to assess the current situation. Understanding existing IT architecture
allows the manager to evaluate the IT requirements of an evolving business strategy against current IT capacity. The
architecture, rather than the infrastructure, is the basis for this evaluation because the specific technologies used to
build the infrastructure are chosen based on the overall plan, or architecture. As previously discussed, these archi-
tectural plans support the business strategy. Assuming that some overlap is found, the manager can then evaluate
the associated infrastructure and the degree to which it can be utilized going forward.
Relevant questions for managers to ask include the following:
• What IT architecture is already in place?
• Is the company developing the IT architecture from scratch?
• Is the company replacing an existing architecture?
• Does the company need to work within the confines of an existing architecture?
• Is the company expanding an existing architecture?
Starting from scratch allows the most flexibility in determining how architecture can enable a new business strat-
egy, and a clean architectural slate generally translates into a clean infrastructure slate. However, planning effec-
tively even when starting from scratch can be a challenge. For example, in a resource‐starved start‐up environment,
it is far too easy to let effective IT planning fall by the wayside. Sometimes the problem is less a shortcoming in IT
management and more one of poorly devised business strategy. A strong business strategy is a prerequisite for IT
architecture design, which is in turn a prerequisite for infrastructure design.
Of course, managers seldom enjoy the relative luxury of starting with a clean IT slate. More often, they must
deal in some way with an existing architecture, infrastructure, and legacy systems already in place. In this case,
they encounter both opportunity—to leverage the existing architecture and infrastructure and their attendant human
resource experience pool—and the challenge of overcoming or working within the old system’s shortcomings. By
implementing the following steps, managers can derive the most value and suffer the least pain when working with
legacy architectures and infrastructures.
1. Objectively analyze the existing architecture and infrastructure: Remember that architecture and infrastruc- ture are separate entities; managers must assess the capability, capacity, reliability, and expandability of
each.
2. Objectively analyze the strategy served by the existing architecture: What were the strategic goals it was designed to attain? To what extent do those goals align with current strategic goals?
3. Objectively analyze the ability of the existing architecture and infrastructure to further the current strategic goals: In what areas is alignment present? What parts of the existing architecture or infrastructure must be modified? Replaced?
c06.indd 139 11/26/2015 7:23:20 PM
140 Architecture and Infrastructure
Whether managers are facing a fresh start or an existing architecture, they must ensure that the architecture will
satisfy their strategic requirements and that the associated infrastructure is modern and efficient. The following
sections describe evaluation criteria including strategic time frame, technical issues (adaptability, scalability, stan-
dardization, maintainability), and financial issues.
Assessing Strategic Timeframe
Understanding the life span of an IT infrastructure and architecture is critical. How far into the future does the strat-
egy extend? How long can the architecture and its associated infrastructure fulfill strategic goals? What issues could
arise and change these assumptions?
Answers to these questions vary widely from industry to industry. Strategic time frames depend on indus-
try‐wide factors such as level of commitment to fixed resources, maturity of the industry, cyclicality, and barriers
to entry. The competitive environment has increased the pace of change to the point that requires any strategic
decision be viewed as temporary.
Architectural longevity depends not only on the strategic planning horizon, but also on the nature of a man-
ager’s reliance on IT and on the specific rate of advances affecting the information technologies on which he or
she depends. Today’s architectures must be designed with maximum flexibility and scalability to ensure they can
handle imminent business changes. Imagine the planning horizon for a dot‐com company in an industry in which
Internet technologies and applications are changing daily, if not more often. You might remember the importance
of flexibility and agility to Mohawk’s new business strategy and that the firm’s IT architecture was created to
support it.
Assessing Technical Issues: Adaptability
With the rapid pace of business, it is no longer possible to build a static information system to support businesses.
Instead, adaptability is a core design principle of every IT architecture and one reason why cloud computing and
virtualization are increasingly popular. A manager may think of technological advances as primarily affecting IT
infrastructure, but the architecture must be able to support any such advance. Can the architecture adapt to emerg-
ing technologies? Can a manager delay the implementation of certain components until he or she can evaluate the
potential of new technologies?
At a minimum, the architecture should be able to handle expected technological advances, such as innovations in
storage capacity and computing power. An exceptional architecture also has the capacity to absorb unexpected tech-
nological leaps. Both hardware and software should be considered when promoting adaptability. For example, new
Web‐based applications that may benefit the corporation emerge daily. The architecture must be able to integrate
these new technologies without violating the architecture principles or significantly disrupting business operations.
The following are guidelines for planning adaptable IT architecture and infrastructure. At this point, these two
terms are used together because in most IT planning, they are discussed together. These guidelines are derived from
work by Meta Group.17
• Plan for applications and systems that are independent and loosely coupled rather than monolithic: This approach allows managers to modify or replace only those applications affected by a change in the state of
technology.
• Set clear boundaries between infrastructure components: If one component changes, others are minimally affected, or if effects are unavoidable, the impact is easily identifiable and quantifiable.
• When designing a network architecture, provide access to all users when it makes sense to do so (i.e., when security concerns allow it): A robust and consistent network architecture simplifies training and knowledge
17 Larry R. DeBoever and Richard D. Buchanan, “Three Architectural Sins,” CIO (May 1, 1997), 124, 126.
c06.indd 140 11/26/2015 7:23:20 PM
141Other Managerial Considerations
sharing and provides some resource redundancy. An example is an architecture that allows employees to use
a different server or printer if their local one goes down.
Note that requirements concerning reliability may conflict with the need for technological adaptability under
certain circumstances. If the architecture requires high reliability, a manager seldom is tempted by bleeding‐edge
technologies. The competitive advantage offered by bleeding‐edge technologies is often eroded by downtime and
problems resulting from pioneering efforts with the technology.
Assessing Technical Issues: Scalability
A large number of other technical issues should also be considered when selecting an architecture or infrastructure.
A frequently used criterion is scalability. To be scalable refers to how well an infrastructure component can adapt to increased, or in some cases decreased, demands. A scalable network system, for instance, could start with just a
few nodes but could easily be expanded to include thousands of nodes. Scalability is an important technical feature
because it means that an investment can be made in an infrastructure or architecture with confidence that the firm
will not outgrow it.
What is the company’s projected growth? What must the architecture do to support it? How will it respond if the
company greatly exceeds its growth goals? What if the projected growth never materializes? These questions help
define scalability needs.
Consider a case in which capacity requirements were poorly anticipated. In early 2007, an ice storm on the
East Coast of the United States forced JetBlue Airlines to scramble to take care of stranded customers, grounded
planes, checked luggage, and canceled flights. In the aftermath, executives told investors that the computers didn’t
fail. Indeed, they did not fail, but the system failed to scale as needed. The system was set up to accommodate
650 agents and was able to be increased to 950 but no more.18 It is unlikely that JetBlue or its software provider
would have had to do any serious systems redesign to respond to the increase in demand; it simply needed to
increase its infrastructure capacity. Ultimately, recovery from this planning failure cost JetBlue millions and even
more in defending its image, which suffered severe negative word of mouth from the poor service that resulted.
The company subsequently contracted with Verizon to manage its infrastructure as a way of responding to the scal-
ability issue. JetBlue’s plight underscores the importance of analyzing the impact of strategic business decisions
on IT architecture and infrastructure and at least ensuring that a contingency plan exists for potential unexpected
effects of a strategy change.
Assessing Technical Issues: Standardization
Another important feature deals with commonly used standards. Hardware and software that use a common stan- dard as opposed to a proprietary approach are easier to plug into an existing or future infrastructure or architecture
because interfaces often accompany the standard. For example, many companies use Microsoft Office software,
making it an almost de facto standard. Therefore, a number of additional packages come with translators to the sys-
tems in the Office suite to make it easy to move data between systems.
Assessing Technical Issues: Maintainability
How easy is the infrastructure to maintain? Are replacement parts available? Is service available? Maintainability
is a key technical consideration because the complexity of these systems increases the number of things that can go
wrong, need fixing, or simply need replacing. In addition to availability of parts and service people, maintenance
considerations include issues such as the length of time the system might be out of commission for maintenance,
18 Mel Duvall, “What Really Happened to JetBlue,” http://www.cioinsight.com/c/a/Past‐News/What‐Really‐Happened‐At‐JetBlue www.cioinsight.com
(April 5, 2007) (accessed August 27, 2015).
c06.indd 141 11/26/2015 7:23:20 PM
142 Architecture and Infrastructure
how expensive and how local the parts are, and obsolescence. Should a technology become obsolete, costs for parts
and expertise skyrocket. Architectures have different inherent security profiles.
Assessing Technical Issues: Security
Securing assets in a highly centralized, mainframe architecture means building protection around the centralized
core. Because data and software are stored and executed on the mainframe computer, methods of protecting these
assets revolve around protecting the mainframe itself. Decentralized, server‐based architecture is more difficult to
secure due to the dispersion of servers. Security is a matter of protecting every server instead of one centralized
system. A Web‐based SOA architecture that utilizes SaaS and capacity on demand raises a whole new set of secu-
rity issues. The data and applications not only reside on servers in the various vendor systems around the Web, but
also the linking mechanism, the network that ties the Web together, introduces another level of security concerns.
Security is discussed in more detail in Chapter 7.
Assessing Financial and Managerial Issues
Like any business investment, IT infrastructure components should be evaluated based on their expected finan-
cial value. Unfortunately, payback from IT investments is often difficult to quantify; it can come in the form of
increased productivity, increased interoperability with business partners, improved service for customers, or yet
more abstract improvements. This suggests focusing on how IT investments enable business objectives rather than
on their quantitative returns.
Still, some effort can and should be made to quantify the return on infrastructure investments. This effort can be
simplified if a manager works through the following steps with the IT staff.
1. Quantify costs: The easy part is costing out the proposed infrastructure components and estimating the total investment necessary. Work with the IT staff to identify cost trends in the equipment the company proposes
to acquire. Don’t forget to include installation and training costs in the total.
2. Determine the anticipated life cycles of system components: Experienced IT staff or consultants can help establish life cycle trends for both a company and an industry to estimate the useful life of various
systems.
3. Quantify benefits: The hard part is getting input from all affected user groups as well as the IT group, which presumably knows most about the equipment’s capabilities. If possible, form a team with representatives
from each of these groups and work together to identify all potential areas in which the new IT system may
bring value.
4. Quantify risks: Assess any risk that might be attributable to delaying acquisition as opposed to paying more to get the latest technology now.
5. Consider ongoing dollar costs and benefits: Examine how the new equipment affects maintenance and upgrade costs associated with the current infrastructure.
Once this analysis is complete, the manager can calculate the company’s preferred discounted cash flow (i.e., net
present value or internal rate of return computation) and the payback period. Approaches to evaluating IT invest-
ments are discussed in greater detail in Chapter 8.
Applying these considerations to the fictitious GiantCo.com company, the last task is to weigh the managerial
considerations against the architectural goals that were used to determine infrastructure requirements. Figure 6.7
shows how these considerations could apply to GiantCo.com’s situation.
Again, note that the criteria evaluated in Figure 6.7 do not address every possible issue for GiantCo.com, but this
example shows a broad sample of the issues that will arise.
c06.indd 142 11/26/2015 7:23:20 PM
143Other Managerial Considerations
FIGURE 6.7 GiantCo.com ’ s managerial considerations.
Criteria Architecture Infrastructure
Strategic time frame Indefi nite: GiantCo.com ’ s strategic goal is to be able to respond to customer needs.
NA
Technology advances Database technology is fairly stable, but transaction capacity needs to be assessed and links with smaller suppliers and customers verifi ed.
NA
Financial Issues
NPV of investment NA GiantCo.com will analyze NPV of various hardware and software solutions and ongoing costs before investing.
Payback analysis GiantCo.com expects the new architecture to pay for itself within three years.
Specifi c options will be evaluated using conservative sales growth projections to see how they match the three‐year goal.
Incidental investments The new architecture represents a moderate shift in the way GiantCo.com does business and will require some training and workforce adjustment.
Training costs for each option will be analyzed. Redeployment costs for employees displaced by any outsourcing must also be considered.
Growth requirements/ scalability
Outsourcing could provide more scalability than GiantCo.com ’ s current model, which is constrained by IT capacity. New innovations will be identifi ed to provide scalability of volume.
The scalability required of various new hardware and software components is not signifi cant, but options will be evaluated based on their ability to meet scalability requirements.
Standardization NA GiantCo.com will adopt the MySQL standard and make it a requirement of all developers for consistency.
Maintainability The new architecture raises some maintenance issues, and new product introductions will mandate constant updates to the rules of complementary goods.
Various options will be evaluated for their maintenance and repair costs.
Staff experience The new model will require new skills and expertise.
Current staff is not familiar with MySQL. Training and workforce adjustment will be needed. Some new staff will be hired.
Security GiantCo.com will lock down resources for traveling personnel.
GiantCo.com will adopt a Pulse Secure VPN for securely connecting traveling personnel with network resources.
Social Business Lens: Building Social Mobile Applications
As companies adopt social IT, they are fi nding that it is closely intertwined with mobile platforms. Employees want,
and in some cases expect, to be able to access their social IT from their smartphones, tablets, and more. As com-
panies look globally, in some countries the mobile screen is the only screen used.
In 2011, more than one‐third of the U.S. population used the mobile Internet. In 2014, that number grew to such
an extent that 52% of device owners consider smartphones and tablets the most important devices for Internet
access, while only 46% consider desktops and laptops the most important devices. Tablets have surpassed all
other devices in importance.
Social business requires that companies extend their architecture to include mobile functions, called social
mobile . Social mobile functions began to take off with the widespread adoption of smartphones. The fi rst devices
combined features of a personal digital assistant with a mobile phone, giving developers the opportunity to link
applications to the Web instantly. RIM ’ s BlackBerry was one of the fi rst to give users mobile access to communication
c06.indd 143 11/26/2015 7:23:20 PM
144 Architecture and Infrastructure
tools such as their e‐mail. More recent devices, such as Apple’s iOS, Google’s Android, Microsoft’s Windows Phone,
Nokia’s Symbian, and RIM’s BlackBerry OS, use a mobile operating system.
Initial social mobile apps were social networks either ported to the mobile platform, like LinkedIn and
Facebook, or designed just for the mobile platform, like Foursquare and Gowalla, social network sites linking
community members who “check in” at physical locations and sometimes earn virtual rewards for doing so.
Social mobile applications have extended to many other types of applications as software designers realize the
large market available to them if their applications run on mobile platforms and as device users demand increas-
ing functionality for their mobile devices.
Source: Amy Gahran, “Survey: U.S. Mobile Web Access Growing Fast” (July 8, 2010), http://articles.cnn.com/2010‐07‐08/tech/ mobile.internet.access.pew_1_cell‐phone‐users‐feature‐phones‐mobile‐internet (accessed August 27, 2015); Danyl Bosomworth, “Mobile Marketing Statistics 2015,” Smart Insights (July 22, 2015), http://www.smartinsights.com/mobile‐marketing/mobile‐ marketing‐analytics/mobile‐marketing‐statistics/ (accessed August 27, 2015).
S U M M A R Y
• Strategy drives architecture, which drives infrastructure. Strategic business goals dictate IT architecture requirements. These requirements provide an extensible blueprint suggesting which infrastructure components will best facilitate the
realization of the strategic goals.
• Enterprise architecture is the broad design that includes both the information systems architecture and the interrelation- ships in the enterprise. Often this plan specifies the logic for the entire organization. It identifies core processes, how they
work together, how IT systems will support them, and the capabilities necessary to create, execute, and manage them.
• Four configurations for IT architecture are centralized, decentralized, SOA (or Web‐based), and software‐defined archi- tectures. Applications are increasingly being offered as services, reducing the cost and maintenance requirements for
clients. Virtualization and cloud computing provide architectures for Web‐based delivery of services.
• The manager’s role is to understand how to plan IT to realize business goals. With this knowledge, he or she can facilitate the process of translating business goals to IT architecture and then modify the selection of infrastructure components as necessary.
• Frameworks guide the translation from business strategy to IS design. This translation can be simplified by categorizing components into broad classes (hardware, software, network, data), which make up both IT architecture and infrastructure.
• Enterprise leaders increasingly have requests for new devices that employees want to connect to the corporate network. The consumerization of IT describes the trend to redesign corporate systems for smartphones, tablets, and other consumer‐
oriented devices.
• While translating strategy into architecture and then infrastructure, it is important to know the state of any existing architecture and infrastructure, to weigh current against future architectural requirements and strategic time frame, and
to analyze the financial consequences of the various systems options under consideration. Systems performance should
be monitored on an ongoing basis.
K E Y T E R M S
applications (p. 129)
architecture (p. 125)
bring‐your‐own‐device
(BYOD) (p. 133)
capacity‐on‐demand (p. 132)
centralized architecture (p. 130)
cloud architecture (p. 132)
cloud computing (p. 137)
consumerization of IT (p. 133)
data center (p. 130)
decentralized architecture (p. 130)
enterprise architecture (p. 136)
infrastructure (p. 125)
mainframe (p. 130)
peer‐to‐peer (p. 132)
platform (p. 129)
reuse (p. 130)
scalable (p. 141)
server‐based architecture (p. 130)
service‐oriented architecture
(SOA) (p. 130)
software‐as‐a‐service (p. 130)
software‐defined architecture (p. 130)
standards (p. 141)
system software (p. 129)
TOGAF (p. 136)
utility computing (p. 138)
virtualization (p. 137)
Web‐based architectures (p. 132)
Web services (p. 130)
wireless (mobile)
infrastructures (p. 132)
infrastructures (p. 125)
Zachman framework (p. 136)
c06.indd 144 11/26/2015 7:23:21 PM
145Case Study
Enterprise architecture (EA) at American Express was the framework the organization used to align IT and the business. EA
provided a common language for leaders to use to collaborate and transform the business. At American Express , enterprise
architects were the change agents who streamlined processes and designed ways to more effectively do business using IT
resources. In 2011, American Express was named an InfoWorld/Forrester Enterprise Architecture Award recipient for its EA
practices. As American Express leaders considered new payment methods using mobile devices, the EA guided their progress.
Mobile payments were forcing the payments industry to review their practices and signifi cantly transform the way
business was done. The new business environment introduced additional complexity with the addition of new delivery chan-
nels and the need for shorter time‐to‐market of payment products and services. American Express ’ s business strategy for its
payments products focused on delivering a “consistent, global, integrated customer experience based on services running
on a common application platform.”
To achieve this goal, the EA team created reference architectures and road maps for standardized applications across the
fi rm. This team then worked with multiple business solution delivery teams to create and manage the common application
architecture and create strategies that facilitated each business ’ s objectives. Each strategy included a road map of initiatives
that included a set of actions, the metrics to evaluate the success of these actions, and the commitments IT and the businesses
made to make it happen. The road map was American Express ’ s way to standardize language, tools, life cycle management
of the applications, and architecture and governance processes. The elements of the road map included technology, reference
architecture, and capabilities for the business.
The next steps for American Express were to extend the road maps to cover the maturing of SOA and to develop new
reference architectures and a new taxonomy to increasingly align IT with the needs of the business. As new technologies
emerged and new ways of doing business over social tools created opportunities for new payment products and services,
American Express expected to continually evolve its EA.
Discussion Questions
1. What are the key components of the architecture American Express has created?
2. Why was it important to standardize so much of the architecture? What are the advantages and disadvantages of a stan-
dard EA for American Express ?
■ CASE STUDY 6‐1 Enterprise Architecture at American Express
D I S C U S S I O N Q U E S T I O N S
1. Think about a company you know well. What would be an example of IT architecture at that company? An example of the IT infrastructure?
2. What, in your opinion, is the difference between a decentralized architecture and a centralized architecture? What is an example of a business decision that would be affected by the choice of the architecture?
3. From your personal experience, what is an example of software as a service? Of BYOD?
4. Each of the following companies would benefit from either software‐defined architecture or conventional, owned hardware and software. State which you would advise each of the following fictitious firms (plus the IRS) to adopt and explain why.
a. StableCo is a firm that sells industrial paper shredders. Its business has remained steady for two decades and it has a strong and diverse customer base.
b. DynamicCo is a fast‐growing six‐year old firm that has relied on three to five key wholesale customers for its entire existence. However, the list of key customers changes every year, and during two of the years, sales declined sharply.
c. Plastics3000 is an old, stable plastics manufacturing firm that has kept its sales steady in the face of competitors as the result of an active research and development team that uses advanced software to analyze large amounts of data to
develop new compounds. Once or twice a week, office personnel complain of the network becoming very slow.
d. A downtown Las Vegas casino monitors each slot machine continuously for early detection of malfunctions such as win- nings or losses trending beyond their threshold limits.
e. CallPerfect provides call center services to pharmacies. Phone calls are routed to the company after hours and messages are delivered to the pharmacy manager the next morning.
f. At the IRS, tax forms are available online for citizens to complete and file with the IRS electronically by April 15. A call center routes calls to agents who answer taxpayers ’ questions.
g. At LittlePeople, Inc., a day care center, parents are called using software on the administrator ’ s computer when there is a weather emergency. The school has averaged 120 families for many years.
c06.indd 145 11/26/2015 7:23:21 PM
146 Architecture and Infrastructure
3. Describe how the new architecture supports the goals and strategy of American Express.
4. What types of future payment products and services should be anticipated and prepared for by the EA group? What is
your vision of how payments might work? If you were advising the CIO of American Express , what would you suggest
his group prepare for?
Source: Adapted from Phil LeClare and Eric Knorr , “ The 2011 Enterprise Architecture Awards ” (September 19, 2011 ), http://www. infoworld.com/d/enterprise‐architecture/the‐2011‐enterprise‐architecture‐awards‐173372 (accessed August 27, 2015) .
Scientists doing research often need serious computing capability to run simulations and crunch data. Often that meant
working for a large company that could provide the signifi cant investment in information systems infrastructure. But cloud
computing changed all that. Consider the case of biologist Dr. Eric Schadt, a researcher who claims that approaches to
studying the complexity of living systems have failed. Studying one gene at a time doesn ’ t explain what causes diseases,
making it impossible to fi nd the cures sought by the scientifi c and pharmacology communities. Dr. Schadt ’ s vision is to
manage this area of research, and the large amount of data generated, which appears to be too much for any one individual
or company to manage, by creating a human social network. He believes that this organization refl ects the complexity of the
living systems he studies and therefore it ’ s necessary to understand it.
Dr. Schadt cofounded a nonprofi t organization dedicated to biological research using an open‐source sharing of data,
Sage Bionetworks . He deeply believes that sharing is the key to fi nding cures and creating drugs that will combat diseases.
And his company has millions of dollars worth of data from some of the major pharmaceutical companies to use to begin the
research. But by day, he ’ s the Chief Scientifi c Offi cer of a start‐up, Pacifi c Biosciences (PacBio), whose technology helps
biologists look at individual molecules of DNA in real time. His job is to work on how to use this technology for PacBio and
to collaborate with others who want to use it for their research. So he travels a lot. But to do his research, he needs access to
the capacity of a supercomputer because the amount of data he needs to use for his research is very large.
With the use of the Web, Dr. Schadt is able to do his work anyplace. Planes are especially favored because he has
signifi cant uninterrupted time. According to one article about him,
He has the same access to supercomputers that every other American with an Internet connection and a credit card has. He
waits till the plane climbs to a cruising altitude, then when allowed to use electronic devices, he uses the plane ’ s WiFi to
get on Amazon .
Dr. Schadt is able to initiate a complex analysis of his data using Amazon ’ s services, which crunch the data while he fl ies
across the country. When he lands, the analysis is done and he has the results. This would be equivalent to the computing
power of a scientist working on his company ’ s multimillion‐dollar supercomputer, but in this case, the cost is just a few
hundred dollars.
Companies like Amazon .com have become vendors of extreme computing power. Some have compared the amount of
computing power Dr. Schadt uses while fl ying on an airplane to the amount of computing power available to a scientist at
major pharmaceutical companies that have multimillion‐dollar supercomputers. With services like the computing power
available in the cloud, Dr. Schadt may even have more power available to him than that scientist.
Discussion Questions
1. How would you describe the architecture Dr. Schadt uses to do his research?
2. What are the risks Dr. Schadt faces by using Amazon for his supercomputing? What are the benefits?
3. If you were advising a company trying to make a decision about using cloud computing for key business applications,
what would you advise and why?
Source: Adapted from Tom Junod , “ Adventures in Extreme Science ” (March 22, 2011 ), http://www.esquire.com/features/eric‐schadt‐ profi le‐0411‐4 (accessed August 27, 2015) .
■ CASE STUDY 6‐2 The Case of Extreme Scientists
c06.indd 146 11/26/2015 7:23:21 PM
147
7 chapter
I nformation technology (IT) security is one of the top issues of concern to businesses— hacked systems or stolen data can put a company out of business. General managers must understand the basics to ensure continuance of operations. This chapter explores managing security in fi ve areas: strategy, infrastructure, policies, training, and investments. Lessons from some of the largest and most well‐known breaches are covered as well as how they occurred according to security experts. The chapter also discusses common tools that aim to secure access, data storage, and data transmission to prevent these breaches and their advantages and disadvantages. Policies general managers can implement to decrease risk of security issues and economic damage are presented followed by a discussion of edu- cation, training, and awareness issues.
Security
During lunchtime on June 6, 2015, a white van pulled in front of the U.S. Offi ce of Personnel
Management in Washington, D.C. A team of three expert hackers entered the front door, displaying
the credentials of three janitors who were bound and gagged back at their offi ce. As the hackers
stood at a supply room door next to a highly secure server room, the target of their attack, one
feigned having to crouch to tie his shoe, the other two stood in the way of the security cameras,
and the crouching bandit used a lock‐picking tool to gain access to the supply room. They fi gured
they had only a few minutes to clip a monitoring device to the network wires that led to the servers
containing security clearance information for millions of employees and past employees. The device
monitored electrical activity right through the insulation and transmitted it to the van.
The hackers closed and relocked the supply room door, exited the building, and re‐entered the
van just as the clock struck 1 p.m . The tallest of the three declared “right on schedule!” and set a
timer for 10 minutes. He tuned his laptop into the monitoring device and the other two did the same.
They watched communications to and from the server, waiting for an employee, any employee,
returning from lunch to log‐in. Monitoring was risky due to random sweeps for rogue wireless con-
nections, so after 10 minutes they would abort the mission.
The three typed frantically at their keyboards but nothing seemed to work for several agonizing
minutes. Ten seconds before their time was up, one of the perpetrators hastily wrote some computer
code and then smiled. He was just in time to reveal a log‐in conversation complete with password.
The hackers set the timer for another 10 minutes, which they had budgeted for the next phase.
The hackers searched frantically for large fi les that might contain the security clearance
information they were hired to obtain. One of them found a large fi le called “SecurClearRecs,” and
the three cursed when they saw that the fi le was larger than anticipated. They immediately typed
commands to upload the fi le through the Internet to a server in Shanghai, China. They kept one
eye on the building and the other eye on the red “progress bar” that indicated “5% complete” for
20 full seconds before it changed to “10% complete.” The time required for each 5% seemed to vary
widely; moving from 15% to 20% took almost an entire minute. They realized it would take the
entire 10 minutes they had allocated or more. They could almost hear their own pulses pounding as
c07.indd 147 11/26/2015 7:31:38 PM
148 Security
they anticipated the million dollar reward that awaited them if they were successful but also dreaded the fact that
their overall budgeted 20 minutes might not be quite enough. Maybe they could chance it and go just a little longer.
A few terror‐filled minutes past the budgeted 20 minutes, at 90% complete, they saw a guard step outside of the
building and point at the van. Another officer joined him, and the pair started walking cautiously toward the van,
trying to talk into his radio. The hackers had wisely jammed police channel communications and flattened the patrol
cars’ tires, but they wanted to avoid physical contact as much as possible. Trouble was certain to loom ahead; one
of the officers turned to run back to the building. The tallest hacker jumped into the driver’s seat and started the van.
The hackers looked down at the progress bar, which said “99% complete,” just as an alarm sounded. The remaining
guard began running to the van. Four flat tires would mean a 10‐minute delay waiting for another officer from the
security firm’s headquarters. The hackers waited 5 more seconds for “100% complete” and then screeched away to
a secluded clearing a one‐half mile away in the woods where a blue turbocharged Hyundai Sonata awaited them.
They pushed a red “self‐destruct” button in the van to start a timer, jumped in the Hyundai, and sped down back
roads as distant sirens blared and the van exploded. Two weeks later, on June 20, 2015, an article in Computerworld stated that “The U.S. government still isn’t saying how much data it fears was stolen.”1
This story is notable for two reasons: (1) It is exactly the type of story that we would all imagine when hearing
about data breaches, largely thanks to big‐budget Hollywood movies. However, (2) the story is almost completely
false; the only true parts are that a large number of private security clearance files were indeed stolen from the
Office of Personnel Management, and the June 20 article in Computerworld did display the preceding quote. If managers expect only such “urgent and frantic” physical attacks, they will focus their attention on the wrong
threats. It is important to learn the true story of this very real breach.
Governmental officials learned in May 2015 that at least 4 million records likely had been stolen several months
earlier. Subsequent estimates placed the number at 14 million records.2 The records contained much more than
names, addresses, and social security numbers of current and former employees, possibly as far back as the 1980s.
The 127‐page dossier for each person also included information on alcohol and drug use, financial, psychological,
employment, and criminal history as well as sensitive personal information about contacts and relatives. There
were even comments from acquaintances, which could include neighbors, enemies, and potential enemies of each
person.3 In short, according to the International Business Times, the stolen information was “invasive enough to ruin potentially millions of American lives.”4 As a consequence, the Chairman of the U.S. House Oversight
Committee asked for the resignation of the person in charge, the Director of the Office of Personnel Management.5
In reality, the following important issues are true for this case as well as many others:
1. The hackers were far away and did not need any physical contact or any escape plan.
2. They were able to spend an extended period of time—possibly over a year—to carry out their attack.6
3. It took the victim organization months to discover the breach, which enabled the hackers to cover their tracks. In fact, a 2015 report from consulting firm Mandiant revealed that the median time that it took in
2014 for firms to detect a threat group’s presence was 205 days, and the maximum was a whopping 2,982
days (11 years).7
4. The hackers exploited a stolen password, likely obtained by various means described later in this chapter.
1 O’Connor, Fred, “Hackers Had Access to Security Clearance Data for a Year,” Computerworld (June 20, 2015), http://www.computerworld.com/ article/2938654/cybercrime‐hacking/hackers‐had‐access‐to‐security‐clearance‐data‐for‐a‐year.html (last accessed June 22, 2015). 2 Kim Zetter and Andy Greenberg, “Why the OPM Breach Is Such a Security and Privacy Debacle,” Wired (June 11, 2015), http://www.wired. com/2015/06/opm‐breach‐security‐privacy‐debacle/ (accessed June 22, 2015). 3 Ibid. 4 Jeff Stone “Hacked US Security Clearances Are Giving Beijing Insanely Personal Information about American Citizens” (June 12, 2015), http://www.
ibtimes.com/hacked‐us‐security‐clearances‐are‐giving‐beijing‐insanely‐personal‐information‐about‐1964882 (last accessed August 25, 2015). 5 Erin Kelly, “House Oversight to OPM Chief: ‘Time for You to Go,’” In Brief (June 26, 2015), 2A. 6 “Blackmail Looms after Government Cyber Breaches,” WND.com (June 13, 2015). http://www.wnd.com/2015/06/blackmail‐looms‐after‐government‐
cyber‐breaches/ (accessed June 22, 2015). 7 “M‐Trends: A View from the Front Lines,” Fireeye.com, https://www2.fireeye.com/rs/fireye/images/rpt‐m‐trends‐2015.pdf (last accessed June 24, 2015).
c07.indd 148 11/26/2015 7:31:39 PM
149IT Security Decision Framework
Many other firms have been victimized, and hundreds of millions of records filled with personal information
have been stolen just over the last two years. Security consulting firm FireEye estimates that 97% of all firms have
been breached.8 Managers must understand how large breaches occur to clarify the picture of what is going on out
in the wild frontier and to protect their own company from similar fates. Only when threats are more fully under-
stood can management begin to formulate and implement effective security plans.
IT Security Decision Framework The first step on the road to an effective security plan is for management to adopt a broad view of security. This
can be done by establishing an information security strategy and then putting the infrastructure (tools) and policies
(tactics) in place that can help the organization realize its strategy. To round out the picture, users need to become
familiar with security, and investments need to be made. The whole security picture can be reflected in five key
information security decisions. Understanding these decisions and who is responsible for them (that is, who has
the decision rights for them) is presented in Figure 7.1. We introduced decision rights in Chapter 3, and we use
the concept to illustrate appropriate roles of business and IT managers in making a company’s security decisions.
FIGURE 7.1 Key information security decisions. Sources: Adapted from Yu Wu, “What Color is Your Archetype? Governance Patterns for Information Security,” (Ph.D. Dissertation, University of Central Florida, 2007); Yu Wu and Carol Saunders, “Governing Information Security: Governance Domains and Decision Rights Allocation Patterns,” Information Resources Management Journal 24, no. 1 (January–March 2011), 28–45.
Information Security Decision
Who Is Responsible
Rationale Major Symptoms of Improper Decision Rights Allocation
Security Strategy Business leaders Business leaders have the knowledge of the company’s strategies on which security strategy should be based. No detailed technical knowledge is required.
Security is an afterthought and patched on to processes and products.
Infrastructure IT leaders (CISO) In‐depth technical knowledge and expertise are needed.
There is a misspecification of security and network typologies or a misconfiguration of infrastructure. Technical security control is ineffective.
Security Policy Shared: IT and business leaders
Technical and security implications of behaviors and processes need to be analyzed, and trade‐offs between security and productivity need to be made. The particulars of a company’s IT infrastructure need to be known.
Security policies are written based on theory and generic templates. They are unenforceable due to a misfit with the company’s specific IT and users.
Security Education, Training, and Awareness
Shared: IT and business leaders
Business buy in and understanding are needed to design programs. Technical expertise and knowledge of critical security issues are needed to build them.
Users are insufficiently trained, bypass security measures, or do not know how to react properly when security breaches occur.
Investments Shared: IT and business leaders
They require financial (quantitative) and qualitative evaluation of business impacts of security investments. A business case has to be presented for rivaling projects. Infrastructure impacts of funding decisions need to be evaluated.
Under‐ or overinvestment in information security occurs. The human or technical security resources are insufficient or wasted.
8 Bill Whitaker, “What Happens When You Swipe Your Card?” 60 Minutes (November 30, 2014), transcript, http://www.cbsnews.com/news/swiping‐ your‐credit‐card‐and‐hacking‐and‐cybercrime/ (accessed June 24, 2015).
c07.indd 149 11/26/2015 7:31:39 PM
150 Security
1. Information security strategy: A company’s information security strategy is based on such IT principles as protecting the confidentiality of customer information, strict compliance with regulations, and maintain-
ing a security baseline that is above the industry benchmark. Security strategy is not a technical decision.
Rather, it should reflect the company’s mission, overall strategy, business model, and business environment.
Deciding on the security strategy requires decision makers who are knowledgeable about the company’s
strategy and management systems. An organization’s information systems (IS) likely need to provide the
required technical input for supporting the decision.
2. Information security infrastructure: Information security infrastructure decisions involve selecting and configuring the right tools. Common objectives are to achieve consistency in protection, economies of
scale, and synergy among the components. Top business executives typically lack the experience or exper-
tise to make these decisions. For these reasons, corporate IT typically is responsible for managing the
dedicated security mechanisms and general IT infrastructure, such as enterprise network devices. Thus,
corporate IT should take the lead and make sure that the technology tools in the infrastructure are correctly
specified and configured.
3. Information security policy: Security policies encourage standardization and integration. Following best practices, they broadly define the scope of and overall expectations for the company’s information security
program. From these security policies, lower‐level tactics are developed to control specific security areas
(e.g., Internet use, access control) and/or individual applications (e.g., payroll systems, telecom systems).
Policies must reflect the delicate balance between the enhanced information security gained from follow-
ing them versus productivity losses and user inconvenience. As security attacks become more sophisti-
cated, obeying security measures to deflect those attacks places cognitive demands on users. For example,
they may need a different password for every account, and these passwords must often be long and hard to
remember because they must have special characters. Productivity of users is often sacrificed when they
have to come up with new passwords every month or when they have to spend time judging the legitimacy
of dozens of e‐mails each day. Not surprisingly, both IT and business perspectives are important in setting
policies. Business users must be able to say what they want from the information security program and
how they expect the security function to support their business activities. On the other hand, IT leaders
should be consulted for two reasons: (1) their judgment prevents unrealistic goals for standardization and
integration and (2) policy decisions require the ability to analyze the technical and security implications of
user behaviors and business processes. If either users or IT leaders are not consulted, unenforceable pol-
icies will probably result.
4. Information security education, training, and awareness (SETA): It is very important to make business users aware of security policies and practices and to provide information security education, training, and awareness (SETA). Training and awareness programs build a security‐conscious culture. To promote effectiveness and post‐training retention, training and awareness programs must be linked to the unique
requirements of individual business processes. Business user participation in planning and implementing
training and awareness programs helps gain acceptance of security initiatives. However, IT security person-
nel are in the best position to know critical issues. Thus, both IT security managers and business users must
be actively involved in planning SETA activities.
5. Information security investments: The fear, uncertainty, and doubt (“FUD”) factor once was all that was needed to get top management to invest in information security. As information security becomes a routine
concern in daily operations, security managers increasingly must justify their budget requests financially.
But it is difficult to show how important security is until there has been a breach—and even then it is hard to
put a dollar amount on the value of security. As when determining business needs, different units within the
company may have rival or conflicting “wish lists” for information security‐related purchases that benefit
their unique needs. The IS organization also should have a significant say in these decisions because it is in
the best position to assess whether and how the investments may fit with the company’s current IT infra-
structure and application portfolio. Thus, both IT and business leaders should participate in investment and
prioritization decisions. One way to ensure this joint participation is to use executive committees/councils
c07.indd 150 11/26/2015 7:31:39 PM
151Breaches and How They Occurred
composed of business and IT executives, such as the IT steering committee and budget committee, with the
CIO having overlapping memberships in both. These committees are where IT and business leaders make
business cases for their proposed investments and debate the merit and priorities of the investments. These
decisions about the appropriate level of investment are made with the company’s best interests in mind.
Breaches and How They Occurred In 2013 and 2014, before the Office of Personnel Management’s attack, the most famous breaches infiltrated the
systems at EBay (twice), Target, Home Depot, and Anthem Blue Cross. See Figure 7.2 for the magnitude and cause
of each breach.
Password Breaches
It is important to emphasize the damage that can be done by password breaches. As the following descriptions
indicate, trusting and trustworthy users might have no idea they are opening a security hole by clicking on an
attachment, using public WiFi, or following a link to an authentic‐looking site. Executives should not believe that
employees who use their personal laptops away from the office are harmless to the firm. When employees whose
systems are infected log onto work e‐mail systems or intranets, a hacker can gain access to the firm.
60 Minutes reported in 2015 that 80% of breaches are conducted by stealing a password.9 There are many ways to steal a person’s password. One common method is to conduct a successful phishing attack,10 which sends a person a counterfeit e‐mail that purports to be from a known entity. The e‐mail includes either a virus‐laden
FIGURE 7.2 Well‐known breaches, what was stolen, and how.
Date Detected Company What Was Stolen How
November 2013 Target 40 million debit and credit card account numbersa
Contractor’s opening of an e-mail attachment containing a virus, revealing a passwordb
May 2014 EBay #1 145 million user names, e‐mails, physical addresses, phone numbers, birth dates, encrypted passwordsc
Obtaining an employee’s passwordd
September 2014 EBay #2 Small but unknown Cross‐site scripting
September 2014 Home Depot 56 million credit card numbers
53 million e-mail addresses
Obtaining a vendor’s password and exploiting an operating system’s vulnerabilitye
January 2015 Anthem Blue Cross 80 million names, birthdays, e‐mails, social security numbers, addresses, and employment data (including income)f
Obtaining passwords of at least five high‐level employeesg
a Brian Krebs, “Target Hackers Broke in Via HVAC Company,” Krebs on Security (February 14, 2014), http://krebsonsecurity.com/2014/02/target‐hackers‐broke‐in‐ via‐hvac‐company/ (accessed June 22, 2015). b Brian Krebs, “Home Depot: Hackers Stole 53M Email Addresses,” Krebs on Security (November 14, 2014), http://krebsonsecurity.com/2014/11/home‐depot‐ hackers‐stole‐53m‐email‐addreses/ (accessed June 28, 2015). c Andy Greenberg, “EBay Demonstrates How Not to Respond to a Huge Data Breach, Wired (May 23, 2014), http://www.wired.com/2014/05/ebay‐demonstrates‐ how‐not‐to‐respond‐to‐a‐huge‐data‐breach/(accessed June 22, 2015). d Bill Whitaker, “What Happens When You Swipe Your Card?” 60 Minutes (November 30, 2014), transcript, http://www.cbsnews.com/news/swiping‐your‐credit‐ card‐and‐hacking‐and‐cybercrime/ (accessed June 24, 2015). e Ashley Carman, “Windows Vulnerability Identified as Root Cause in Home Depot breach,” SC Magazine (November 10, 2014), http://www.scmagazine.com/ home‐depot‐breach‐caused‐by‐windows‐vulnerability/article/382450/ (accessed June 28, 2015). f Michael Hiltzik, “Anthem Is Warning Consumers about Its Huge Data Breach. Here’s a Translation,” LA Times (March 6, 2015), http://www.latimes.com/business/ hiltzik/la‐fi‐mh‐anthem‐is‐warning‐consumers‐20150306‐column.html#page=1 (accessed June 28, 2015). g Ibid.
9 Ibid. 10 Brian Honan, “Reactions to the EBay Breach,” http://www.net‐security.org/secworld.php?id=16905 (accessed June 22, 2015).
c07.indd 151 11/26/2015 7:31:39 PM
152 Security
attachment or a link that invites the user to click and visit a page to either solve a problem or accomplish a task (as
described in detail at the end of this chapter).
The only limit is the phisher’s imagination to create a scenario that would motivate a user to click on a link. The
attachment or link in a phishing message often initiates a key logger, or software that traps keystrokes and stores them for hackers to inspect later. A key logger can even be hidden on a thumb drive plugged into a public computer
in a hotel’s business center. A key logger might also be triggered by visiting an unfamiliar Web site. Just by click-
ing on a search result, a user might inadvertently download and install the key logging software. Asking the user to
log‐in will reveal his or her user name and password, opening a world of opportunity for the hacker.
Another way to obtain a password is simply to guess it. Experts warn that large breaches can be caused by using
a weak password, such as “123456,” which, incredibly, won again as the most common password of all in 2014.11 Passwords can be troublesome. Creating a strong password that cannot be guessed results in a hard‐to‐remember
string of nonsense characters. The name of a hometown, a team, an employer, or a family member would be among
the first guesses of a hacker. Also, even if it is difficult to guess, many people use the same password for multiple
purposes, and if one account is breached, all of their other accounts are then wide open. It is challenging to keep
track of difficult passwords that are different for every account. Tools such as LastPass, Dashlane, and Sticky
Password allow access with one password to a set of highly complex and impossible‐to‐remember passwords
synchronized across Windows and Mac computers as well as Android and iOS smartphones.12
Yet another way to open a firm to a large breach is for employees to use an unsecured network at a coffee shop,
hotel, or airport.13 Many users do not realize that, even if the network’s name matches the coffee shop’s name,
someone in the shop might have set up a so‐called evil twin connection WiFi connection and that all incoming and outgoing Internet traffic becomes routed through the perpetrator’s system. Without the proper tools or training,
most users can’t validate a public WiFi connection. Once connected, the unwitting users’ keystrokes, including
their user names and passwords, are captured as they shop online, do Internet banking, or log into their company’s
intranet site.14 The only solution might be for companies to establish policies forbidding their employees to use
public WiFi and use their smartphones as their PC’s sole Internet connection even when tempted by free WiFi in
public places.
Other Attack Approaches
Cross‐Site Scripting
As shown in Figure 7.2, a second EBay breach is another important attack for management to understand. It was
discovered in September 2014 by an astute user who nagged EBay to fix the problem for over a year.15 He even
created a surprising YouTube video to show how it worked.16 The damage is unclear, affecting only the users who
clicked on one particular search result that was eventually removed. However, the cause is clear in this case:17
cross‐site scripting (XSS), which involves booby traps that appear to lead users to their goal, but in reality, they lead to a fraudulent site that requires a log‐in. EBay permits users to install some computer code in their listings to
make their items in EBay search results grab shoppers’ attention. It is intended to allow animation in listings, but
malicious code was inserted instead, designed for a nefarious purpose: to alter the listing’s address to point to a
bogus log‐in screen. Users assumed they needed to log‐in once again for security purposes, but in reality everyone
who “logged‐in” that second time provided the crooks with user names and passwords.
11 Jamie Condliff, “The 25 Most Popular Passwords of 2014: We’re All Doomed,” Gizmodo (January 20, 2015), http://gizmodo.com/the‐25‐most‐ popular‐passwords‐of‐2014‐were‐all‐doomed‐1680596951 (accessed June 22, 2015). 12 Neil J. Rubenking. “The Best Password Managers for 2015,” PC Magazine (June 2, 2015), http://www.pcmag.com/article2/0,2817,2407168,00.asp (accessed June 25, 2015). 13 Sergio Galindo. “Reactions to the EBay breach,” http://www.net‐security.org/secworld.php?id=16905 (accessed June 22, 2015). 14 Andrew Smith, “Strange Wi‐Fi Spots May Harbor Hackers: ID Thieves May Lurk Behind a Hot Spot with a Friendly Name,” Dallas Morning News (May 9, 2007), http://cloud‐computing.tmcnet.com/news/2007/05/09/2597106.htm (accessed August 25, 2015). 15 Chris Brook, “A Year Later, XSS Vulnerability Still Exists in EBay,” Threatpost (April 29, 2015), https://threatpost.com/a‐year‐later‐xss‐vulnerability‐ still‐exists‐in‐ebay/112493 (accessed August 27, 2015). 16 Paul Kerr, “Ebay Hacked Proof!” (September 16, 2014), https://www.youtube.com/watch?v=WT5TG_LvZz4&feature=youtu.be (accessed June 22, 2015). 17 Phil Muncaster, “EBay Under Fire After Cross‐Site Scripting Attack,” Infosecurity (undated), http://www.infosecurity‐magazine.com/news/ebay‐ under‐fire‐after‐cross‐site/ (accessed June 22, 2015).
c07.indd 152 11/26/2015 7:31:39 PM
153Breaches and How They Occurred
Third Parties
Several breaches have involved third parties. The Target attackers broke into the network using credentials stolen
from a heating, ventilation, and air conditioning (HVAC) contractor and installed malware on the retail sales
system. The malware captured and copied the magnetic stripe card data right from the computer’s memory before
the system could encrypt and store it. Why would an HVAC contractor have access? Security expert and blog-
ger Brian Krebs reports that it is common for large retailers to install on their systems temperature and energy‐
monitoring software provided by contractors. HVAC companies need to update and maintain their software, and
are given access to their main systems so they don’t have to endure delays in those updates. Access to the retailing
system enabled the malware to spread to a majority of Target’s cash registers, collecting information from debit and
credit cards and sending it to various drop points in Miami and Brazil to be picked up later by hackers in Eastern
Europe and Russia.18
Home Depot’s story echoed that of Target from a year earlier. Logon credentials were stolen from a vendor
that had access to Home Depot’s system, and the same malware was unleashed to cash registers. Target’s story
motivated Home Depot to update its system but the attack occurred before the company could complete all of the
improvements.19
The attack at Anthem Blue Cross demonstrates that stealing high‐level user names and passwords can pro-
vide quick access to large and important files. Target and Home Depot hackers had to wait until transactions were
recorded to gain valuable information, which takes several days. But at Anthem, being able to download important
employment and identity information from 80 million people at one pass was easy with the high‐level passwords.
Log‐in credentials of lower‐level employees would involve transaction‐by‐transaction data collection. Therefore,
log‐in accounts of executives need special attention, and their activities should be monitored regularly.
System Logs and Alerts
Early news reports of Target’s hack outraged customers when it was revealed that the newly installed, state‐of‐the‐
art $1.6 million security system detected what was going on. It sent several warnings to the IT department, even
before the first files were transferred, but those alerts were unheeded.20 However, some security experts explain that
there are perhaps hundreds of generic alerts each day, and it is difficult to follow up on every one. One expert was
quoted aptly: “it is completely understandable how this happened.”21
The Cost of Breaches
A Ponemon study places the cost of a data breach in 2015 to be at an all‐time high, between $145 and $154 per each
lost or stolen record containing sensitive information.22 If a breach exposes 100 million records, the costs could
escalate to about $15 billion. Many firms facing such costs would be put in serious jeopardy. The Target breach cost
$61 million in just two months,23 $162 million a year later,24 and potentially billions of dollars in damage control
over the long run.25 The CIO resigned, fourth quarter profit fell 46%, and revenue declined 5.3%.26 The Home Depot
18 Brian Krebs, “Target Hackers Broke in Via HVAC Company,” Krebs on Security (February 14, 2014), http://krebsonsecurity.com/2014/02/target‐
hackers‐broke‐in‐via‐hvac‐company/ (accessed June 22, 2015). 19 Shelly Banjo, “Home Depot Hackers Exposed 53 Million Email Addresses,” The Wall Street Journal (November 6, 2014), http://www.wsj.com/ articles/home‐depot‐hackers‐used‐password‐stolen‐from‐vendor‐1415309282 (accessed June 22, 2015). 20 Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew
It,” Bloomberg Business (March 13, 2014), http://www.bloomberg.com/bw/articles/2014‐03‐13/target‐missed‐alarms‐in‐epic‐hack‐of‐credit‐card‐data (accessed August 25, 2015). 21 Joel Christie, “Target Ignored High‐Tech Security Sirens Warning Them of a Data Hack Operation BEFORE Cyber‐Criminals in Russia Made Off
with 40 Million Stolen Credit Cards,” http://www.dailymail.co.uk/news/article‐2581314/Target‐ignored‐high‐tech‐security‐sirens‐warning‐data‐hack‐
operation‐BEFORE‐cyber‐criminals‐Russia‐40‐million‐stolen‐credit‐cards.html (last accessed June 24, 2015). 22 Ponemon Institute, “2015 Cost of Data Breach Study,” IBM, http://www‐03.ibm.com/security/data‐breach/ (accessed June 23, 2015). 23 Riley, Elgin, Lawrence, and Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers.” 24 PYMNTS@pymnts, “How Much Did the Target, Home Depot Breaches Really Cost?” PYMNTS.com (February 26, 2015), http://www.pymnts.com/
news/2015/target‐home‐depot‐reveal‐full‐breach‐costs/#.VYr_6EZZV34 (accessed June 24, 2015). 25 Christie, “Target Ignored High‐Tech Security Sirens.” 26 Associated Press. “Target’s Tech Boss Resigns as Retailer Overhauls Security in Wake of Massive Payment Card Breach,” Financial Post (March 5, 2014), http://business.financialpost.com/fp‐tech‐desk/cio/target‐cio‐resigns?__lsa=011c‐8001 (accessed August 27, 2015).
c07.indd 153 11/26/2015 7:31:39 PM
154 Security
breach cost $33 million (after insurance proceeds of $30 million reduced the initial outlays of $63 million),27 and
the company’s stock price fell 2.1% the day after the breach was announced.28 Sales were not affected, however,
which might indicate that customers have become numb to these announcements.29
The Impossibility of 100% Security To obtain 100% security for an organization, a first step would be to list all of the potential threats, and the second
step would be to obtain tools that would guard against them. However, as in our personal lives, the challenge would
be overwhelming and the solution untenable. To keep ourselves completely safe and injury free, we would need
thick steel walls and air bags around us not only when we drive but also when we run, walk, and even just sit at
home. We would avoid germs by spraying disinfectants on all surfaces, including our own skin before touching
anything. But paradoxes exist that make it impossible to be completely safe: We would want to be high on a hill to
avoid floods but low in a valley to avoid lightning strikes—an impossible paradox. We learn quickly that it is per-
haps impossible to be 100% safe, 24/7.
Likewise, data stored in a firm would be easier to protect if they would just “stay still” as well and not be
connected to the Internet. Although some paradoxes exist in locating the data, the security closest to 100% would
be to place them in a remote area, removed from Internet access, and under several locks without any keys at all. In
short, the closest we can get to perfect safety is to make data inaccessible. But this is not feasible.
Just as we accept some degree of risk to our safety even when we move from the living room to the kitchen,
management must accept some level of risk as well when it makes any part of its treasure trove of data accessible
to even a single person inside or outside an organization. Wider data accessibility entails great risk.
Back in 1995, the late L. Dain Gary, former manager of the U.S. Computer Emergency Response Team (CERT)
in Pittsburgh appeared on an episode of 60 Minutes and let the public in on a unpleasant fact with a sobering state- ment: “You cannot make a computer secure. You can reduce the risk, but you can’t guarantee security.”30 Because of
the futility of seeking 100% security, many companies take out insurance policies to mitigate the financial impacts
of a breach. It is important to also consider the so‐called “Poulsen’s law” that states that information is secure when
it costs more to get it than it’s worth.31 This is a good rule to remember, and the role of management is to work with
the IT function to make it harder to break in than it is worth.
And stolen information is worth a lot. A security expert reported that in 2014, stolen credit cards sold for bet-
ween $1 and $50 each, depending on the type of card (e.g., platinum, silver, suggesting its credit limit) and expira-
tion date. Of the 40 million Target credit card numbers stolen, about 2 million (5%) were sold at an average price
of $20, yielding $4 million to the hackers. A member of a street gang who bought one of those credit cards for $20
was likely to yield $400 in purchases of gift cards and electronics.32
Further, a complete identity‐theft “kit” containing not only a card but social security number and medical
information is worth far more—between $100 and $1,000 each on the black market.33 The value is high because
identity‐theft information can be used to open new credit cards again and again, generating quite a bit of revenue.
The hackers do not keep stolen credit cards or identity theft information for their own use, given the stagger-
ing volume they acquire. They quickly sell them online to others all over the world who use them before they are
27 PYMNTS@pymnts, “How Much Did the Target, Home Depot Breaches Really Cost?” 28 Hiroko Tabuchi, “Home Depot Posts a Strong 3rd Quarter Despite a Data Breach Disclosure,” The New York Times (November 18, 2014), http://www. nytimes.com/2014/11/19/business/home‐depot‐reports‐strong‐third‐quarter‐growth‐despite‐data‐breach‐disclosure.html (accessed June 23, 2015). 29 Anne D’Innocenzio, “4 Reasons Shoppers Will Shrug Off Home Depot Hack,” USA Today (September 11, 2014), http://www.usatoday.com/story/ money/business/2014/09/11/4‐reasons‐shoppers‐will‐shrug‐off‐home‐depot‐hack/15460461/ (accessed June 23, 2015). 30 60 Minutes, “E‐Systems” (February 26, 1995). 31 “Anything Made by a Man Can Be Hacked,” DSL Reports (March 6, 2006), http://www.dslreports.com/forum/remark,15623829 (accessed September 15, 2015). 32 Whitaker, “What Happens When You Swipe Your Card?” 33 Tim Greene, “Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers,” Networkworld (February 6, 2015), http://www. networkworld.com/article/2880366/security0/anthem‐hack‐personal‐data‐stolen‐sells‐for‐10x‐price‐of‐stolen‐credit‐card‐numbers.html (accessed June
24, 2015).
c07.indd 154 11/26/2015 7:31:39 PM
155What Should Management Do?
reported as stolen. Those cards even come with a return policy in case they are declined, because the black market
shops need to maintain their reputations. However, the guarantees come with a warning that they run out after only
a few hours.34
One final discouraging word is important. A study by the Software Engineering Institute in 2002 revealed that
over time, the knowledge needed by an intruder for an attack reached an all‐time low whereas the potential impact
of the intruders’ attack reached an all‐time high.35 The intruders’ tools have not only become more sophisticated
but also have actually become user friendly. Automated tools can be purchased on the Deep Web, which is a part of the Internet that is reputed to be 400 times larger than the public Web. The Deep Web includes unindexed Web
sites that are accessible only by a browser named “Tor,” which guarantees anonymity and provides access to sites
offering both legal and illegal items. Examples of illegal items offered are passports, citizenship, and even murders
for hire.36 Also for sale are tools that can scan for vulnerable systems, exploit the weaknesses found, and even gen-
erate viruses. Payment could reach hundreds of thousands of dollars, usually made through Bitcoin, an electronic currency that is difficult to track.
The outlook is certainly grim, but some of the clues in the stories told here can provide some prescriptions for
management.
What Should Management Do? Five critical elements to build security described earlier include security strategy, infrastructure, policies, training,
and investments. Security strategy needs to come first, and top management must determine the general strategy as
well as investments that are needed. Infrastructure, policy, and training decisions have to be made in more detail,
and these three areas will now be discussed. Fortunately, general managers can easily understand key issues for
each of these elements and participate fully in design and implementation of the resulting security plans.
Infrastructure
Hackers have significant tools to breach security barriers as previously described. In this rapidly escalating cyber
war, management must use its own set of technologies and specialists to reduce risk and increase security. Many
firms employ a chief information security officer (CISO), described in Chapter 8, to keep abreast of new threats that
emerge and manage the policies and education necessary to reduce risk. In other firms, this responsibility falls to
the CIO or simply the facilities security staff. Even with specialists, managers need to have a broad understanding
of these tools to communicate effectively with them.
Tools can be divided into two categories: those that provide protection from access by undesired intruders and
those that provide protection for storage and transmission. See Figure 7.3 for a list of common system tools to pre-
vent access and their advantages and disadvantages and Figure 7.4 for a list of common storage and transmission
tools and their advantages and disadvantages.
Passwords are by far the most popular security tool even though they have proven to be the cause of most
breaches. Some security specialists claim that passwords are obsolete and should be discontinued.37 Also, all access
protection tools have the disadvantage of requiring an additional access method if it fails. For instance, because
users often forget a password, firms need to make additional investments to create an automated resetting mecha-
nism through an alternate method, such as an e‐mail to a known address or a text message to a mobile phone.
34 Aaron Sankin, “Inside the Black Markets for Your Stolen Credit Cards,” The Kernel (September 28, 2014), http://kernelmag.dailydot.com/issue‐ sections/features‐issue‐sections/10362/inside‐the‐black‐markets‐for‐your‐stolen‐credit‐cards/ (accessed August 27, 2015). 35 Howard F. Lipson, “Tracking and Tracing Cyber‐Attacks: Technical Challenges and Global Policy Issues,” Special Report CMU/SEI‐2002‐SR‐009,
http://www.sei.cmu.edu/reports/02sr009.pdf (accessed August 27, 2015). 36 Nyshka Chandran, “From Drugs to Killers: Exploring the Deep Web,” CNBC Technology (June, 2015), http://www.cnbc.com/id/102782903 (accessed
June 25, 2015). 37 Justin Balthrop, “Passwords Are Obsolete,” Medium.com (April 12, 2014), https://medium.com/@ninjudd/passwords‐are‐obsolete‐9ed56d483eb
(accessed June 24, 2015).
c07.indd 155 11/26/2015 7:31:39 PM
156 Security
FIGURE 7.3 Common system access security tools and their advantages and disadvantages.
Access Tool Concept Ubiquity Notable Advantages Notable Disadvantages
Physical locks Physically protect computing resources
Very high • They are excellent as long as the lock is highly secure and guarded
• Few criminals can access physical devices
• Many popular locks can be picked with tools sold online
• Most information resources do not require physical access
• Users often lose keys or combinations
Passwords Invent a set of characters known only by the user
Very high • They have very high acceptance and familiarity
• They are easy to use unless forgotten
• Mature best practices replace forgotten passwords (no longer a need to call the help line to reset)
• They prove to be poor by themselves
• They are sometimes forgotten • They are sometimes derived
from key loggers or social engineering
• They can be guessed by “brute force” software
Biometrics Scan a body characteristic, such as fingerprint, voice, iris, head, or hand geometry
Medium overall; popularized by iPhone
• It is somewhat better than passwords
• It can be very reliable (e.g., iris scanning)
• It cannot be forgotten • It cannot be derived from
key loggers or social engineering
• It can be quite inexpensive (e.g., voice, fingerprint)
• It can present false positives and false negatives (e.g., voice; facial recognition)
• It can be relatively expensive and intrusive techniques (e.g., iris scanning)
• It is possible to change characteristics over time, such as voice
• It can result in lost limbs • It can create “loopholes” such
as using a photo of a face or fingerprint on paper
Challenge questions
Prompt with a follow‐up question such as “model of first car?”
Medium overall; very high in banking
• The answers are usually not forgotten
• Shuffling through several different questions can enhance security
• Some answers can be derived from social network sites
• Some answers can be derived by those who know the user
• Spelling inconsistencies can be a nuisance
Token Use small electronic device that generates a new supplementary passkey at frequent intervals
Low overall; very high in highly secure environments
• Even if passkey is stolen, the system is still secure when the passkey changes
• Access requires physical possession of token device
• If the device is lost, access is lost until a new one is obtained
• Alternative access control (e.g., password) is essential if token device is stolen
Text message Send a text message with a passkey
Medium • Even if a password is stolen, the system is still secure
• Mobile phone saturation is very high; no additional equipment is needed
• It is very useful when password is forgotten
• It requires mobile phone from all users
• Home phone option requires text to speech hardware/ software
• Alternative access control (e.g., password) is essential if mobile device is stolen
c07.indd 156 11/26/2015 7:31:39 PM
157What Should Management Do?
FIGURE 7.4 Common storage and transmission security tools.
FIGURE 7.3 (Continued)
Access Tool Concept Ubiquity Notable Advantages Notable Disadvantages
Multifactor authentication
Couple two or more access techniques, for instance
• Passwords and tokens
• Biometrics and follow‐up questions
• Passwords and text messaging
Medium overall; very high in banking and other high‐security environments
• It enhances security greatly
• Even if a password is stolen, the system is still secure
• It requires an additional access authentication technique if one or more of the techniques fails
• Users might be tempted to use an easy password, which removes the advantage of a second factor
Storage and/or Transmission Tool
Concept Ubiquity Notable Advantages Notable Disadvantages
Antivirus/ antispyware
Software scans incoming data and evaluates the periodic state of the whole system to detect threats of secret software that can either destroy data or inform a server of your activity
Very high • Products block known threats very effectively
• Products have a large database and can detect hundreds of thousands of patterns that reveal a virus
• Some products reveal a limited set of zero‐day threats (brand‐new outbreaks) by tracking suspicious behavior
• Products sometimes slow down the device
• Products are not as effective for a clever zero-day threat (brand‐new outbreak)
Firewall Software and sometimes hardware‐based filter prevent or allow outside traffic from accessing the network
High • Is flexible and can prevent traffic from a particular user, device, method, or geography
• It can filter only known threats
• It can have well‐known “holes”
System logs They keep track of system activity, such as successful or failed login attempts, file alterations, file copying, file deletion, or software installation
Very high • If an irregularity occurs, the IP address of the attacker could be discovered
• The extent of the irregularity can be estimated
• Some anonymizing software can hide the true IP address of the attacker
• Some attackers erase or disable the logs
• Logs can be huge and difficult to wade through
• Some firms fail to inspect logs regularly
System alerts System detects unusual activity, such as scores of unsuccessful log‐in attempts, log‐ins from countries without any branches, alterations of files, or copying of files
High • They can aid in combing through logs more quickly
• Administrators can be alerted to an irregularity while it is occurring
• Many breaches can be detected this waya (high sensitivity)
• Many firms receive hundreds of alerts each day
• It is difficult to discern real attacks from false alarms (low selectivity)
c07.indd 157 11/26/2015 7:31:40 PM
158 Security
A study in the United Kingdom found that 39% of IT professionals admit that passwords are the only IT security
measure in their firms, and one‐third believes that biometrics are likely to be used in five years.38 There is a general
trend toward multifactor authentication, or the use of two or more authorization methods to gain access. Exam- ples are use of a password followed by a passkey sent to a mobile phone as a text message or a password followed
by a challenge question. Between 2013 and 2014, the organizations around the world using multifactor authenti- cation increased from 30% to 37%, and this number continues to increase rapidly.39
Fears of making passwords intrusive or lowering convenience are likely to factor into IT’s reluctance to adopt
multifactor authentication. For instance, in Apple’s “I’m a Mac” campaign in 2008, Apple poked fun at Micro-
soft Vista’s “Cancel or Allow” messages,40 emphasizing the diminished convenience caused by security warnings.
Security and convenience are indeed generally at odds with each other,41 but our current state of convenience is
untenable over the long run, and the days of single‐factor authentication using a password are undoubtedly going
to become a distant memory.
Not only access controls are important, but also the way that information is stored and transmitted requires
security tools. Figure 7.4 provides a representative list of those tools. Although these tools are likely to help limit
security problems, managers also need to provide a strong security policy as described in the next section.
Storage and/or Transmission Tool
Concept Ubiquity Notable Advantages Notable Disadvantages
Encryption System follows a complex formula, using a unique key (set of characters) to convert plain text into what looks like unreadable nonsense and then to decode back to plain text when presented with the decoding key
Very high • It is very difficult to use or read a stolen computer file without the key
• Long and complex keys would take years of computer time to break
• The key can be unnecessary if access password is known
• If the key is not strong, hackers can uncover it by trial and error
WEP/WPA
(wired equivalent privacy and wireless protected access)
Encryption is used in a wireless network
Very high • It is same as encryption • Nearly all modern user
devices have capabilities • It provides a secure
connection between the user’s device and the WiFi router
• It is same as encryption • Some older devices
might not be able to be connected
• WEP is not secure yet is still provided for compatibility
Virtual private network
Software provides a trusted, encrypted connection between your site and a particular server
Medium • Trusted connection works as if you are connected at your office; it is useful for mobile workers
• Eavesdroppers cannot easily decrypt VPN communications
• If the device is stolen while connected, the hacker has access to all resources
• It sometimes slows the connection or complicates use
a Vinod Khosia, “Behavioral Analysis Could Have Prevented the Anthem Breach,” Forbes.com (February 24, 2015), http://www. forbes.com/sites/frontline/2015/02/24/behavioral‐analysis‐could‐have‐prevented‐the‐anthem‐breach/ (accessed June 28, 2015).
FIGURE 7.4 (Continued)
38 SecureAuth, “The Password’s Pulse Beats On. Hackers Still One Step away from Your Information,” SecureAuth.com (March 18, 2015), https://www.
secureauth.com/Company/News/March‐2015/The‐Password%E2%80%99s‐Pulse‐Beats‐On‐Hackers‐Still‐One‐St.aspx (accessed June 24, 2015). 39 SafeNet, “More Enterprises Plan to Strengthen Access Security with Multi‐Factor Authentication,” SafeNet Survey Report (May 21, 2014), http://
www.safenet‐inc.com/news/2014/authentication‐survey‐2014‐reveals‐more‐enterprises‐adopting‐multi‐factor‐authentication/ (accessed June 24, 2015). 40 Renee Quinn, “Comparative Advertising: Mac vs. PC,” IP Watchdog (November 16, 2008), http://www.ipwatchdog.com/2008/11/16/comparative‐
advertising‐mac‐vs‐pc/id=268/ (accessed June 24, 2015). 41 David Jeffers, “Why Convenience Is the Enemy of Security,” PC World (June 18, 2012), http://www.pcworld.com/article/257793/why_convenience_
is_the_enemy_of_security.html (accessed June 25, 2015).
c07.indd 158 11/26/2015 7:31:40 PM
159What Should Management Do?
Security Policy
Management needs to approach security in a way that expresses its importance and instructs users on what they
need to do to achieve safety. Without sound management policy, access and storage technologies will be useless. If
employees write their passwords on sticky notes and put them near their workstations, passwords will be ineffective
from the start. Figure 7.5 provides a list of management policy tactics to prevent security weaknesses.
Several of these policy areas are quite interesting. For instance, some managed security services provider (MSSP)
firms offer the services of white hat hackers who break into a firm’s systems to help it uncover weaknesses. White hat hackers lie in sharp contrast to black hat hackers, who break in for their own gain or to wreak havoc on a firm. Grey hat hackers test organizational systems without any authorization and notify a company when they find a weakness. Although they can be helpful, what they do is nevertheless illegal.
Another interesting area is that of social media. We are still in the early stages of understanding the impacts of
being on social media for employees and firms themselves. Companies continue to set up policies about accept-
able behavior on social media including the appropriateness of sharing company secrets, security procedures, and
FIGURE 7.5 Commonly used management security policies.
Policy Concept Notable Advantages Notable Disadvantages
Perform security updates promptly
Make sure all security updates are applied as soon as possible
• Most operating systems have automatic updates
• Sometimes the added security causes some older applications to “break”
• There is an option to prevent automatic updates
Separate unrelated networks
Disconnect distinct and unrelated parts of the network. For instance, Target’s HVAC system should have been disconnected from the financial system
• Protect one part of the system when the other part is attacked
• Sometimes there are connections that are unknown or unexpected
• Each requires different log‐in credentials, complicating its usage
Keep passwords secret Forbid users from sharing passwords
• If everyone complies, any activities on the site will be traceable to one user’s access
• It will be harder if the user is on the road and needs an assistant to help with something
Perform mobile device management
Provide a BYOD (bring your own device) policy on permitted products and required connection methods
• It will prevent, or at least allow IT to trace, potential security problems
• It will restrict users to apps they might not wish to use
• It might restrict users to certain devices they might not desire to use
Data policies Require disposal of e-mails and other documents of a certain age
• Data that are not owned cannot be stolen
• Legal liability is dramatically reduced by destroying memos and e-mails that can be taken out of context
• Workers might be unable to refer back to the details of a previous successful assignment for guidance
Social media management
Provide rules about what can be disclosed on social media, who can Tweet, and how employees can identify themselves
• It will prevent misrepresentation and confusion
• It will limit liability by avoiding errors
• It might appear restrictive to workers
• It might appear to be meddling in workers’ personal use of social media
Managed security services providers (MSSP)
Consultants who bring their expertise and checklists, most often to medium and large enterprises
• It can help build a comprehensive security plan
• It can be too expensive for a very small company
• It can provide a bewildering set of options
c07.indd 159 11/26/2015 7:31:40 PM
160 Security
personal information that could be linked back to a company. Given the large size of some firms, it is difficult to
control personal behavior. But lacking policy, devastating impacts of uncontrolled behavior can be high.
Education, Training, and Awareness
Users’ behavior cannot be expected to change unless they are aware of security policy and tools, understand them,
and know what to do. Merely dictating rules to employees and providing the required tools will not guarantee
compliance. Security education, training, and awareness (SETA) can provide well‐rounded preparation to users.
Because 50%–75% of security incidents originate from within an organization, researchers have found that SETA
was effective in reducing IS misuse and that severity of punishment was more potent than certainty of punishment if
users were caught. As one might expect, the researchers also found that monitoring behavior was quite important.42
Each component of SETA is discussed next.
Awareness
Although awareness comes at the end of the SETA acronym, it is an important first step merely to let users know
that security is a complex but important issue and that there are consequences when policies are not followed. Users
must see the importance of the security policies and the need to use the appropriate tools. Awareness includes an
explanation of what might occur if users are relaxed about security, such as in the cases discussed in this chapter.
Awareness creates attitudes, and researchers note that attitudes are important in predicting compliance. Impor-
tantly, users’ feelings of efficacy (ability to comply) and normative beliefs (social pressure to comply) are both
important for forming favorable attitudes toward compliance,43 suggesting that the awareness stage is crucial for
security success. Managers should be cautious not to overwhelm users all at once; this is where education programs
can help.
Education and Training
Education provides frameworks, reveals concepts, and builds understanding. Training usually provides procedures
to follow and practice in following them. For example, 69% of company breaches have been discovered by out-
siders, not insiders.44 In some cases, customers complain of irregularities in their accounts, such as unauthorized
charges. However, it takes time for that information to reach the breached firm, if ever, as the unsettling recent
60 Minutes interview revealed; after hacking, Visa and MasterCard do not reveal which retailer was involved.
Further, in the case of Home Depot, it took Brian Krebs to notify the firm after seeing credit cards for sale on Deep
Web sites. He says he did some “detective work” and tracked the stolen cards to Home Depot.45
Apparently, insiders do not always notice signals that might indicate a problem. Some of that can be alleviated
through education. Users need to be educated about the potential for different types of suspicious activities, such
as strange cars parked with the motor running, which might indicate tapping into a company’s WiFi, or strangers
standing near active equipment, which might indicate surveillance or potential invasive action. Employees must be
trained to make sure active equipment is watched and suspicious activity reported. Training also instructs on power-
ing down equipment, logging users out of systems, closing browser windows, and frequently updating passwords.
In a recent alarming situation, a security researcher claimed on Twitter to have tapped into the avionics system
through the entertainment system on an airplane, causing the plane to go into a brief, unscheduled climb. While
on the plane, the person bent over and wiggled and squeezed the under‐seat electronic box’s cover to pry it off.46
The person then attached a modified Ethernet cable to an open port in the entertainment equipment below two
passenger seats. Although pilots were able to quickly take over in this situation, the FBI took his Tweet seriously.
42 John D’Arcy, Anat Hovav, and Dennis Galletta, “Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence
Approach,” Information Systems Research 20, no. 1 (March 2009), 79–98. 43 Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat, “Information Security Policy Compliance: An Empirical Study of Rationality‐Based Beliefs
and Information Security Awareness,” MIS Quarterly 34, no. 3 (2010), 523–48. 44 Mandiant, “M‐Trends 2015: A View from the Front Lines,” https://www2.fireeye.com/rs/fireye/images/rpt‐m‐trends‐2015.pdf (accessed June 24,
2015). 45 Whitaker, “What Happens When You Swipe Your Card?” 46 Kim Zetter, “Is It Possible for Passengers to Hack Commercial Aircraft?” Wired (May 26, 2015), http://www.wired.com/2015/05/possible‐passengers‐
hack‐commercial‐aircraft/ (accessed June 25, 2015).
c07.indd 160 11/26/2015 7:31:40 PM
161What Should Management Do?
Agents seized the plane’s equipment to investigate his claims and found evidence that boxes under his seat and
under the seat in front of him on one of his flights had indeed been tampered with.47 Had flight attendants been edu-
cated that this was the possible action of a hacker and been trained to notice passengers preoccupied with something
below the seat, the hack might have been stopped earlier. See Figure 7.6 for a list of areas for education and training
along with possible activities for each.
New employee onboarding processes include education in security policies including vulnerabilities and the
tools and practices used to avoid problems. Types and levels of passwords or other access tools should be described
to employees. “Dos” and “Don’ts” of social media should be presented in a well‐organized manner so they are
understood. And these policies must be reinforced at regular intervals to ensure compliance.
The goal of education is to avoid the consequences of phishing by helping individuals identify ways to recognize
these scams. There are certain “classic” signs of a phishing message:
• An e‐mail or bank account is closed, and the user needs to click to log‐in and reactivate it.
• An e‐mail inbox is too full, and the user is asked to click to increase storage.
• The user just won a contest or lottery and is asked to click to claim the prize.
• A user just inherited a fortune or will receive a commission to administer an inheritance after clicking to claim it.
• A product delivery failed, and the user needs to click to retry.
• An odd or unexpected Web address shows up when hovering a mouse pointer over a link in an e‐mail.
• A familiar name in the “from” box is followed by an odd e‐mail address.
• Poor grammar and spelling are in a note that purports to be from a large company.
• Goods or services are offered at an impossibly low price.
• An attachment is executable, often with an extension such of ZIP, EXE, or BAT.
FIGURE 7.6 Major areas for education and training, with examples.
Subject Sample Educational Activities Sample Training Activities
Access tools Advantages and limitations of passwords
Why passwords should be complex and long
How often passwords should be changed
Strengths of multifactor authentication
How to choose a password
How to change your password
How to use multifactor authentication
How to use a password manager
Bringing your own devices (BYOD)
Why there are rules
What the rules are
How to follow the rules
What to do if something goes wrong
Social media Why there are rules
Examples of issues that have occurred in the past
How those issues could have been avoided
What to do in particular situations on social media
What to do if you need help or clarification on an issue
Vigilance What signals you might see under certain situations (warning messages; phishing e‐mails; customer complaints)
What physical intrusions look like
What the signals mean
Which pieces of equipment have ports (USB, ethernet)
Where and how to look for warning signs
What to do when you see the various signals (for instance, a number to call or way to shut down)
How to protect your laptop when traveling
47 Even Perez, “FBI: Hacker Claimed to Have Taken Over Flight’s Engine Controls,” CNN.com (May 18, 2015), http://www.cnn.com/2015/05/17/us/
fbi‐hacker‐flight‐computer‐systems/ (accessed June 25, 2015).
c07.indd 161 11/26/2015 7:31:40 PM
162 Security
Even if the signals are not present, security experts recommend not to click on any link or open any attachment
in an e‐mail unless it was requested and expected from a known source. Unexpected e‐mail, even from a known
source could breed viruses because of any one of the following: (1) The e‐mail might not really be from the known
source, and someone is spoofing (counterfeiting) the address, (2) the e‐mail might be from a known source’s com- puter but the e‐mail had a virus, which will infect the recipient’s computer, or (3) the e‐mail might have been sent
from a familiar person who doesn’t know that a virus is attached. Opening the attachment or clicking the link would
likely infect the recipient’s computer and continue the spread of the virus to her or his contacts.
An actual phishing message received by one of the authors of this text on November 21, 2014, had the subject
header of “PAYMENT OF A CONTRACT/INHERITANCE FUNDS” (all caps in the original), and the first sen-
tence was “We have expected receiving you in the office, but no one has ever head from you” (italics added to high- light errors). Another recent phishing message (Figure 7.7) was more believable, but had some minor grammatical
issues. Some messages are nearly flawless, looking identical to genuine ones from the named company, and making
it critical to suspect every link or attachment in any e‐mail.
Education programs describe phishing and spoofing and how to guard against clicking on dangerous links.
Users must understand that opening a virus‐laden Web page or file leads to “catching” the virus. Education pro-
grams might also include the different types of threats and include training on how to avoid scams, the loading of
key‐logging software on unsuspecting users’ systems, and the breach of security measures already put in place.
Training would demonstrate how to examine a link, what cues to evaluate, and what to do if a site is suspicious.
S U M M A R Y
• Five key IT security decisions focus on security strategy, infrastructure, policies, training, and investments.
• Perpetrators (hackers) most often work from a great distance, over long periods of time, and not by accessing data center buildings in person.
• Of breaches, 80% are enabled by stolen passwords. Those passwords are obtained from phishing messages, cross‐site scripting, weak passwords, key loggers, and evil‐twin connections.
• The statistics are staggering: It takes 205 days for the average breach to be detected, and the longest breach recorded took 11 years to detect. The message is that hackers have plenty of time to figure out how to steal files. Also, 97% of all
firms have been hacked, and the average cost of a data breach is estimated to range from $145–$154 per stolen record
containing sensitive information. Many breaches involve tens of millions of records.
Paypal customer View online
We Need Your Help
Dear Customer,
We need your help resolving an issue with your account. To give us time to work together on this, we've temporarily Iimited what you can do with your account until the issue is resolved.
We understand it may be frustrating not to have full access to your PayPaI account. We want to work with you to get your account back to normal as quickly as possible.
Why my PayPaI™ account is Iimited?
We recently noticed a pattern of account activity that, in our experience, is usually high risk. For more information, see Restricted Activities identified in our User Agreement.
What can I do to resolve the problem?
It's usually pretty easy to take care of things like this. Most of the time, we just need you to verify your account. Click the link below
Please mark this email as "Not Spam" to enable link, if this email appears in your spam or junk mail .
Verify your Account
FIGURE 7.7 Actual phishing message received February 21, 2015.
c07.indd 162 11/26/2015 7:31:40 PM
163Case Study
• Perfect security of data and digital assets is not possible. However, there are best practices for reducing risks by using tools, implementing tactics (policies) and providing training (and education).
• Infrastructure technologies can limit access to authorized people and protect data storage and transmission.
• Policies need to be created to cover the need to install updates, separate unrelated networks, keep passwords secret, manage mobile devices, destroy data at the proper time, manage social media, and properly use managed security services providers.
• SETA refers to security education, training, and awareness, each of which has a specialized purpose.
On June 22, 2015, LOT , the state‐owned Polish airline had to ground at least 10 national and international fl ights because
hackers breached the network at Warsaw ’ s Chopin airport and intercepted the fl ight plans that pilots need before taking off.
The grounding affected about 1,400 passengers and lasted over fi ve hours before the problem was solved. A month earlier,
United Airlines was reported to have experienced the same problem in the United States, and pilots reported bogus fl ight
plans repeatedly popping up on the system.
A consultant explained that the radio network that carried fl ight plans did not need authentication and was designed to
trust the communications. A committee was then set up to develop a proposed standard for fl ight plan security.
Fortunately, the fl ight plan did not control the plane, and a pilot had to accept and enter the plan. A strange result, such as
heading to a distant city in the wrong direction, would not be entered or accepted. Even if the bogus plan were entered and
accepted by the pilot, there was no danger of collision or crash because of the fraudulent plans.
Any changes received to the plan while in fl ight had to be confi rmed with air traffi c controllers, who analyzed the new
plan for safety. Alarms would also indicate a possible collision.
■ CASE STUDY 7-1 The Aircraft Communications Addressing and Reporting System (ACARS)
K E Y T E R M S
antivirus/antispyware (p. 157)
biometrics (p. 156)
black hat hacker (p. 159)
challenge question (p. 158)
cross‐site scripting ( XSS ) (p. 152)
deep Web (p. 155)
encryption (p. 158)
evil twin connection (p. 152)
fi rewall (p. 157)
grey hat hacker (p. 159)
key logger (p. 152)
mobile device management (p. 159)
multifactor authentication (p. 158)
phishing attack (p. 151)
security education training and
awareness ( SETA ) (p. 150)
social media management (p. 159)
spoofi ng (p. 162)
token (p. 156)
weak password (p. 152)
white hat hacker (p. 159)
zero‐day threat (p. 157)
D I S C U S S I O N Q U E S T I O N S
1. Did you change your shopping habits after hearing of the widespread breaches at Target , Home Depot , and dozens of other stores during 2013–2015? Why or why not?
2. Evaluate your password habits and describe a plan for new ones. Explain why you chose the new habits and how they reduce the risk of compromising your system ’ s security.
3. Across all access tools listed in Figure 7.3 which have the most compelling advantages? What are the most concerning weaknesses? Provide support for your choices.
4. What is the likely future of access tools? Will they continue to be useful security measures? In your discussion, predict what you believe is the future of passwords.
5. What is an evil twin WiFi connection? What should you do to increase your security in a coffee shop the next time you want to connect?
6. Name three commonly used management security policy areas and describe an example policy for each area.
7. Create an outline for a training session to help your team avoid phishing. What would you include in that training session? What are some typical signs that an e‐mail might be fraudulent?
c07.indd 163 11/26/2015 7:31:40 PM
164 Security
The Tech section in Forbes magazine reported that the “criminals won” in the Sony pictures breach. An anonymous threat posted on an obscure site warned that people who watch the to‐be‐released movie The Interview would be “doomed” to a “bitter fate” and recalled the tragic events of September 11. The threat said that the movie inappropriately made light of
North Korean offi cials.
As a result of the threat, fi ve large theater chains in the United States and Canada canceled plans to include the fi lm on
their screens. Ultimately, Sony had no choice but to cancel the theater release of the fi lm for reasons that are both economic
and legal. The former was due to a lack of revenue given the small number of remaining theaters that might go ahead and
run the fi lm. The latter was driven by what would happen if an attack was carried out. A Steve Carell project that featured
North Korea was also canceled.
The Guardian reported that a group named the Guardians of Peace retaliated against Sony . They hacked into Sony ’ s systems and stole over 100 terabytes of fi les, including unreleased movies, social security numbers for thousands of Sony
employees, and internal e‐mails, some of which show embarrassing conversations between Sony employees. The hackers
began distributing the fi les in various locations online, making them free for the taking.
The offi cials of that government denied any involvement in the hack but said that it might have been a “righteous deed”
of those who support the government.
North Korean offi cials demanded some changes to the movie, including taming down a death scene of its leader. Sony
initially refused but then decided to go ahead and edit the scene. The movie eventually opened without incident on a limited
basis in some cinemas on Christmas Day and then was made available via online rental.
According to the Mirror in the United Kingdom, neither the Department of Homeland Security nor the FBI could fi nd evidence that the violence was a credible threat, but the FBI believed North Korea was behind the hacking. In turn, North
Korea claimed that the U.S. government was responsible for creation of the movie.
Discussion Questions
1. Setting aside the political issues between North Korea and the United States, is there a reasonable way to respond to an
anonymous threat found on the Internet somewhere? What elements would you require before canceling the film if you
were CEO of Sony ? If you were CEO of a chain of theaters?
2. What access and data protection controls would you recommend Sony use to provide better security for unreleased
digital films and e‐mails?
3. If you were a hacker, what approach would you have used to break into Sony ’ s system? What do you think the most
important SETA elements would be to prevent future hacker attacks against Sony or other media firms?
Sources: Dave Lewis , “ Sony Pictures: The Data Breach and How the Criminals Won ,” Forbes Tech (December 17, 2014 ), http://www. forbes.com/sites/davelewis/2014/12/17/sony‐pictures‐how‐the‐criminal‐hackers‐won/ (accessed June 25, 2015) ; Oliver Laughland , “ The Interview: Film at Center of Shocking Data Breach Scandal Opens in LA ,” The Guardian (December 12, 2014 ) http://www.theguardian. com/fi lm/2014/dec/12/the‐interview‐sony‐data‐hack (accessed June 25, 2015) ; and Anthony Bond , “ Sony Hack: The Interview WILL Be Released Despite Huge Cyber Attack Against Film Maker ,” Mirror (December 23, 2014 ), http://www.mirror.co.uk/news/world‐news/ sony‐hack‐interview‐released‐despite‐4868965 (accessed June 25, 2015) .
■ CASE STUDY 7-2 Sony Pictures: The Criminals Won
Discussion Questions
1. Which of the two aircraft breaches is more serious: the breach described here or the breach created by the hacker
(described earlier in the chapter) who took control of a plane ’ s throttle briefly through the entertainment system and
then tweeted about it? Why?
2. Which of the access controls and storage/transmission controls would be most helpful for the ACARS problem? The
entertainment system problem? Why?
3. If password control is used to solve the ACARS weakness, what might hackers do next?
Sources: Kim Zetter , “ All Airlines Have The Security Hole That Grounded Polish Planes ,” Wired (June 22, 2015 ), http://www.wired. com/2015/06/airlines‐security‐hole‐grounded‐polish‐planes/ (accessed August 25, 2015) ; and “ Hackers Ground 1,400 Passengers at Warsaw in Attack on Airline ’ s Computers ,” The Guardian (June 21, 2015 ), http://www.theguardian.com/business/2015/jun/21/hackers‐ 1400‐passengers‐warsaw‐lot (accessed June 26, 2015) .
c07.indd 164 11/26/2015 7:31:41 PM
165
8 chapter
This chapter explores the business of information technology (IT) and the customers it serves. Beginning with the introduction of a maturity model to understand the balancing act between the supply and business demand for information systems (IS), the chapter describes key IT organization activities and relates them to one of three maturity levels. The chapter continues with a discussion about the work done by the IT organization and how the leadership within the IT organization ensures that activities are conducted effi ciently and effectively, both domestically and globally. We then examine business processes within the IT department, including building a business case, managing the IT portfolio, and valuing and monitoring IT investments. The remainder of the chapter focuses on funding models and total cost of ownership.
The Business of Information Technology
After several months in the job of chief information offi cer (CIO) of Alcoa ’ s Industrial Chemicals
Business, Kevin Horner received a wake‐up call from the president of the business: 1
We chose you because you were the best of the IT group, and you are doing a great job complet-
ing IT projects and managing the IT organization. But I am afraid that you don ’ t know the business of
your business. You haven ’ t thoroughly answered my repeated questions about how much IT costs the
business! Furthermore, you can ’ t communicate with the people running the business in words they
understand!
As a high‐achieving math major in college with minors in computer science and business, Horner
was quite savvy about his craft and did not expect to hear these remarks. When he protested that
the structure of the fi nancial information in European and Asian subsidiaries made it really diffi cult
to fi nd the answer, his boss ’ s response surprised him: “If it wasn ’ t a hard problem, I wouldn ’ t need
you here!”
Interpreting this unpleasant meeting as his being “under review” for possible ouster, Horner
saw this as a wake‐up call to the true meaning of being a C‐level executive. He had found some
answers about cost issues, but many of the fi nancial numbers were “buried”—inextricably inter-
twined in general categories of fi nancial statements in Europe and Asia. He had some early results,
but managing the IT group took most of his time and effort.
Further, his early presentations were heavy with technical details and were often met with glazed
eyes and yawns. Horner reported that he began to realize that this audience did not want to hear
about the technology. “They certainly wanted me to handle technology issues, but they wanted me
to communicate with them in words they understood . . . people, time, money and the possibilities
technology created for them in their businesses. Most importantly they wanted me to help them to
use IT to grow the business at either the top line (sales) or bottom line (net income).”
1 This story and all the quotes are based on a personal interview with Kevin Horner and one of our authors, March 23, 2015.
c08.indd 165 11/26/2015 6:27:59 PM
166 The Business of Information Technology
Horner embarked on a re‐energized mission to answer all of the president’s concerns in a more complete way,
and that mission ultimately paid handsome dividends both to him and Alcoa. If success can be measured by promo-
tions, he went far beyond redeeming himself. After five years as CIO of Alcoa Chemical, he had many promotions
until he ultimately became CIO of Alcoa Global. In 2011, he took an opportunity to become chief executive officer
(CEO) of Mastech, a $100 million publicly traded IT staffing firm where he remains.
How did he achieve such resounding success? The first thing he did was to partner with the CFO to understand
the financials of the business. The CFO was able to determine how to peel back the layers of accounting numbers
and truly wrestle the IT costs from the general accounting categorizations where they comfortably hid. Within
60 days, the president and his management team had their answers.
But Horner did not stop at a good, solid set of internal cost numbers, a remarkable achievement in and of itself.
Rather than only gaze inside the firm, he found it most helpful to use the Hackett Group, an external benchmarking
consulting firm, to compare his costs against those of similar firms. This analysis was most helpful for the lead-
ership of the business because after finding that the company was high on some key IT costs, the leaders all saw
the writing on the wall for the next mission: Find ways to reduce costs but continue to provide improved services.
Two key examples of how Horner addressed those needs will help explain his early success. He accompa-
nied salespeople on actual sales calls to see exactly how the overall supply chain process worked. Then with that
information as a base, he was able to have the business provide reliable product information to customers, acceler-
ating delivery of the products customers needed without creating excessive inventory buffers.
Horner also worked with procurement officials to renegotiate contracts for the highest‐cost elements within the
company’s IT spending. For example, two very costly areas included telecommunications costs (including cell
phones) and PCs. He found two important cost‐savings opportunities: eliminate unnecessary services and nego-
tiate many small separate contracts as a larger unit, raising the business’s bargaining power. As contracts would
come up for renewal, a joint team from IT and procurement spearheaded an intense process to streamline costs,
focusing on the highest cost elements first. These contract negotiations led to another benefit: standardization,
which enabled further savings by simplifying items such as interconnectivity between segments of the business,
and PC and mobile phone support.
The lessons learned in Horner’s initial CIO role in the chemicals business transferred naturally into his next role
as CIO of Alcoa Europe, which was a collection of historical Alcoa businesses and locations along with several
newly acquired companies representing what Horner called “kind of a $3B ‘start‐up’ company.” He knew immedi-
ately that he had to get a clear picture of the IT business in Europe from several perspectives—technology, applica-
tions, people, vendors, cost, and “quick wins,” which solved problems for his business leadership colleagues. This
time Horner didn’t need the questions from the business president to guide him: He had to quickly assess talent
in his team, determine total IT cost in the business, assist the management team to move to Europe from a struc-
ture focusing on legal entity driven reporting and reporting finances in a new structure that aligned with corporate
Alcoa and unified pan‐European business units. As a result of his business‐focused thrusts, within 24 months, the
entire unified structure was created and implemented; legal entity fiscal reporting was maintained; a shared service
function for finance, accounting, HR, and procurement plus the technology to operate it was implemented; Y2K
remediation was completed; and European IT costs were reduced by 25%.
What does this experience demonstrate? It shows that there are common denominators that every business leader
understands: people, time, and money. When a business leader wants to invest capital to produce more product or
a new product, that investment is scrutinized for cost and benefit. Horner says that a CIO should make sure IT is
not the exception to that rule. “Don’t talk about ERP or mobile apps, talk about what is going to happen to the
business . . . [and] to people, time, and money when you have the ERP or the mobile app,” he says. “Getting the
cost side of the IT organization in order represents table stakes for the CIO,” implying that you would wear out
your welcome by focusing inward. Rather than focusing only on managing the technologies and IT people and
describing new investments and initiatives by using “techy” jargon, a CIO should take a business viewpoint. If you
follow that advice, you will not only be welcome at the table but also will thrive. This demonstrates the Business of
Information Technology, the title of this chapter.
In this chapter, issues related to the business side of IT are explored. We begin by looking at key activities
managers can expect of their IT organization and, probably just as importantly, what the IT organization does not
c08.indd 166 11/26/2015 6:27:59 PM
167Organizing to Respond to Business: A Maturity Model
provide. The chapter continues with a discussion of key business processes within the IT organization, such as
building a business case, managing an IT portfolio, and valuing and monitoring IT investments. This is followed
by a discussion of ways of funding the IT department and an exploration of several ways to calculate the cost of
IT investments, including total cost of ownership and activity‐based costing. These topics are critical for the IT
manager to understand, but a general manager must also understand how the business of IT works to successfully
propose, plan, manage, and use information systems.
Organizing to Respond to Business: A Maturity Model The Alcoa situation just discussed reveals that IT leaders must make sure they have the right resources and organi-
zation to respond to business needs. It is not enough to focus inward on managing personnel, software, and equip-
ment, which can seem like a full‐time responsibility. IT managers must go beyond internal matters and partner
with their business colleagues. Responding to business demands adds substantially to IT managers’ responsibilities
because it requires them not only to manage the complexity within the IT function, but also to go well beyond what
seem to be the boundaries of IT and understand intricacies of their business partners.
Merlyn’s business‐IT maturity model in Figure 8.1 provides characteristics of how engaged the IT function can be with the rest of the organization at three unique levels of maturity. At Level 1, representing an immature IT
organization, IT managers maintain an inward focus. They merely react to specific needs that are brought to their
attention, often in an environment that emphasizes cost reduction. As the IT organization matures to Level 2, the
focus shifts to business processes, and IT personnel search for solutions to business problems. Level 3 represents
IT managers as business partners who search for ideas that provide value to the organization and value relationships
both inside and outside not only the IT organization but also the firm. They seek ideas that provide not only new
revenue but also help identify new opportunities that redefine the business.
This model illustrates that for IT to provide the most value to the business, IT managers and business managers
must recognize their mutual dependency and ensure that business capability has the technology support needed
for success. This model does not comment on the type of technology used but on the way the business organi-
zation approaches its use of IT. For example, in Level 3, business leaders see IT’s role as a business partner that
they can include in high‐level meetings that explore new lines of business. Compare this approach with lower
levels of maturity. At Level 2, the focus would instead be on creating an effective business process, which has a
much more limited scope and impact. At Level 1, where the business demand for IT is primarily all about cost
FIGURE 8.1 Business‐IT maturity model. Source: Adapted from Vaughan Merlyn, http://vaughanmerlyn.com/2014/04/01/the‐disciplines‐of‐business‐it‐engagement/ (accessed April 22, 2015).
Maturity Level Nature of the Level Engagement Characteristics
Level 3 IT as business partner • Proactive • Outside‐in • Relationship centric • Focused on business growth • Framed on a context of business
value
Level 2 IT as solutions provider • Active • Process centric • Focused on solutions • Framed in a context of projects
Level 1 IT as order taker • Reactive • Inside‐out • Technology centric • Framed in a context of cost
c08.indd 167 11/26/2015 6:27:59 PM
168 The Business of Information Technology
savings and foundation systems, the IT function might be seen more as a necessary evil that needs to be pushed
into a corner rather than expanded to flex organizational muscles. When the maturity of the IT organization rises
to Level 3, it is able not only to keep up with business demands but also to enhance the business in ways that were
not envisioned before.
This chapter describes the complex, multifaceted tasks for which an IT organization takes responsibility and
how IT is organized. The chapter describes both the internal and external issues that must be handled by IT leaders
and the personnel responsible for them. The description is presented in a context of how the IT organization must
make it a priority to partner with business leaders. Because running the business of IT requires funding, we also
explore how to fund IT projects to support business and how to cover the operational costs.
Understanding the IT Organization Consider the analogy of a ship to help explain the purpose of an IT organization and how it functions. A ship trans-
ports people and cargo to a particular destination in much the same way that an IT organization directs itself toward
the strategic goals set by the larger enterprise. All ships navigate waters, but different ships have different structures,
giving them unique capabilities such as transporting people versus cargo. Even among similar categories, ships
have different features, such as those configured to transport a cargo of finished products versus one configured to
transport a cargo of oil. All IT organizations provide services to their businesses, but based on the skills and capa-
bilities of their people, the organizational focus of their management, and their state of maturity, they, too, differ
in what they can do and how they work with the businesses. Sometimes the IT organization must navigate peril-
ous waters or storms to reach port. For both the IT organization and the ship, the key is to perform more capably
than any competitors. It means doing the right things at the right time and in the right way to propel the enterprise
through the rough waters of business.
Different firms need to do different things when it comes to IT. Because firms have different goals, they need to
act in different ways and as a result, there are differences in the IT activities that are provided. But even if two firms
have similar goals, the firms’ size, organization structure, and level of maturity might affect what the IT organiza-
tion in each firm is expected to do.
What a Manager Can Expect from the IT Organization We look at the IT organization from the perspective of the customer of the IT organization, the general manager, or
“user,” of the systems. What can a manager expect from the IT organization? Just as IT leaders benefit from under-
standing their business partners, a general manager benefits from understanding what the IT organization does.
Managers must learn what to expect from the IT organization so they can plan and implement business strategy
accordingly. Although the nature of the activities may vary in each IT organization depending upon its overall goal, a
manager typically can expect some level of support in 14 core activities: (1) developing and maintaining information
systems, (2) managing supplier relationships, (3) managing data, information, and knowledge, (4) managing Internet
and network services, (5) managing human resources, (6) operating the data center, (7) providing general support,
(8) planning for business discontinuities, (9) innovating current processes, (10) establishing architecture platforms
and standards, (11) promoting enterprise security, (12) anticipating new technologies, (13) participating in setting
and implementing strategic goals, and (14) integrating social IT.2 These activities are briefly described in Figure 8.2.
Although the activities could be found at any maturity level, we indicate in Figure 8.2 the level where they are
especially important. Recall that Level 1 focuses on cost savings and efficiency of business operations; Level 2
takes a process view, provides services of an integrated nature across the organization, and supports decision mak-
ing to maximize business effectiveness; and Level 3 focuses on innovation and support of business strategy. This
progression implies that the scope of activities in the IT organization expands with increased IT maturity.
2 Eight activities are described by John F. Rockart, Michael J. Earl, and Jeanne W. Ross, “Eight Imperatives for the New IT Organization,” Sloan Management Review (Fall 1996), 52–53. Six activities have been added to their eight imperatives.
c08.indd 168 11/26/2015 6:27:59 PM
169What a Manager Can Expect from the IT Organization
FIGURE 8.2 IT organization activities and related level of maturity.
Activity Description Maturity Level
Developing and maintaining systems
• Together with business users, analyze needs, design, write, and test the software
• Identify, acquire, and install outside software packages to fill business needs
• Correct system errors or enhance the system to respond to changing business and legal environments
1
Managing supplier relationships
• Maximize the benefit of supplier relationships to the enterprise and pre‐empt problems that might occur
1
Managing data, information, and knowledge
• Collect and store data created and captured by the enterprise (Level 1) • Manage enterprise information and knowledge (Level 2)
1, 2
Managing Internet and network systems
• Develop and maintain Internet access and capabilities • Manage private networks, telephone systems, and wireless
technologies • Design, build, and maintain the network architecture and infrastructure
1, 2 (depending on nature of network)
Managing human resources
• Hire, train, and maintain good staff performers; fire poor performers • Work with enterprise HR personnel to learn up‐to‐date regulations and
practices
1
Operating the data center
• Operate and maintain large mainframe computers, rows of servers, or other hardware on which the company’s systems are built
• Provide connections between the firm’s systems and cloud services
1
Providing general support
• Manage diverse help desk activities • Collect and record support information • Assign appropriate personnel to support cases • Follow up with vendors as needed • Follow up with business contacts with updates or solutions
1
Planning for business discontinuities
• Develop and implement business continuity plan • Make preparations to counter physical or electronic attacks, hacking
attempts, weather disasters, and other events that could cripple the enterprise
1
Innovating current processes
• Work with managers to innovate processes that can benefit from technological solutions
• Explore modifications that can reduce costs, improve service, or connect with customers
• Design systems that facilitate new ways of doing business
2
Establishing architecture platforms and standards
• Develop, maintain, and communicate standards • Maintain consistency and integrity of the firm’s data
2
Promoting enterprise security
• Maintain the integrity of the enterprise infrastructure • Develop and implement enterprise information security policies,
strategy, and controls • Identify, prioritize, and guard against threats to the enterprise’s
information assets • Work with business units to enhance security of operational practices • Train employees to raise awareness, importance, and understanding of
security risks • Participate in discussions about security investments
2
Anticipating new technologies
• Scout new technology trends and help the business integrate them into planning and operations
• Assess the costs and benefits of new technologies for the enterprise • With business partners, prioritize the most promising opportunities on
strategic and operational grounds, and schedule their implementation • Limit investments in technologies that are incompatible with current or
planned systems or that quickly become obsolete
3
c08.indd 169 11/26/2015 6:27:59 PM
170 The Business of Information Technology
The IT organization can be expected to be responsible for most, if not all, of the activities listed in Figure 8.2.
However, instead of actually performing the activities, the IT organization increasingly identifies and then works
with vendors who provide them. More traditional activities such as data center operations, network management,
and system development and maintenance (including application design, development, and maintenance) have
been outsourced to vendors for decades. More recently, enterprises are outsourcing providers to perform more
newly acquired IT activities such as process management (alternatively called business process outsourcing). In our increasingly flat world, many companies are successfully drawing from labor supplies in other parts of the world
to meet the business demand that they can’t handle internally in their own IT organization. Managing the sourcing
relationships and global labor supply is so important that a whole chapter (i.e., Chapter 10) is devoted to discussing
these sourcing issues in greater depth.
What the IT Organization Does Not Do This chapter presents core activities for which the IT organization is typically responsible. It is enlightening to
examine tasks that should not be performed by the organization. Clear examples include core business functions, such as selling, manufacturing, and accounting, and few functional managers would attempt to delegate these tasks
to IT professionals. However, some functional managers inadvertently delegate key operational decisions to the IT
organization. For example, when general managers ask the IT professional to build an information system for their
organization and do not become active partners in the design of that system, they are in effect turning over control
of their business operations. Likewise, asking an IT professional to implement a software package or app without
partnering with that professional to ensure that the package meets both current and future needs is ceding control.
Partnerships between the general managers and IT professionals are also important for a number of other
decisions. For instance, IT professionals should not have the sole responsibility for deciding which business pro-
jects receive IT dollars. Giving carte blanche to the IT professional would mean that the IT organization decides
what is important to the business units. If IT professionals try to respond to every request from their business
counterparts, they would likely face a backlog of delayed initiatives and become overwhelmed. Business partners
participate in prioritizing IT projects to ensure that resources are applied appropriately. Similarly, IT professionals
should not solely decide the acceptable level of IT services or security. Because senior managers run the business,
they are the ones who must decide on the level of service and security that should be delivered by the IT organiza-
tion.3 These are examples of decisions that should be made jointly with business counterparts. Perfection comes at a
price that many business leaders may be unwilling to pay. Not every system needs to have gold‐plated functionality,
and not every system needs to be fortified from every conceivable danger.
Activity Description Maturity Level
Participating in setting and implementing strategic goals
• Enable business managers to achieve strategic goals by acting as educators or consultants
• Advise managers on best practices within IT • Work with managers to develop IT‐enhanced solutions to business
problems • Serve as partners in moving the enterprise forward
3
Integrating the use of social IT
• Leverage the use of social IT to transform the business • Adapt social IT from personal to business use • Encourage engagement, collaboration, and innovation in customer‐,
supplier‐, and employee‐directed applications • Manage the data resulting from social IT to provide business insights
3
FIGURE 8.2 (Continued)
3 J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review 80, no. 11 (November 2002), 84–95. (2002), 1–8.
c08.indd 170 11/26/2015 6:27:59 PM
171Chief Information Officer
As discussed in Chapter 2, the senior management team, including the CIO, sets business strategy. However, in
many organizations, the general manager delegates critical technology decisions to the IT professional alone, and
this can lead to technology decisions that might hinder business opportunities. The strategy formulation process is
a joint process including business and IT professionals. The role for the IT professional in the discussion of strategy
includes such things as suggesting technologies and applications that enable it, identifying limits to the technol-
ogies and applications under consideration, reporting on best practices and new technologies that might enhance
opportunities of the firm, and consulting all those involved with setting the strategic direction to make sure they
properly consider the role and impact of IT on the decisions they make. The IT organization does not set business
strategy. It does, however, participate in the discussions and partner with the business to ensure that IT can provide
the infrastructure, applications, and support necessary for the successful implementation of the business strategy.
The IT organization can also provide ideas of new business capabilities afforded by new technologies. In that sense,
IT leaders must be part of key business strategy discussions.
Chief Information Officer If an IT organization is like a ship, the chief information officer is like the captain. The chief information officer (CIO) is the most senior executive in the enterprise responsible for technology vision and leadership for designing, developing, implementing, and managing IT initiatives for the enterprise to operate effectively in a constantly
changing and intensely competitive marketplace. The CIO is an executive who manages IT resources to implement
enterprise strategy and who works with the executive team in strategy formulation processes.
CIOs are a unique breed. They have a strong understanding of the business and of the technology. In many organi-
zations, they take on roles that span both of these areas. One recently coined term is business technology strategist, the strategic business leader who uses technology as the core tool in creating competitive advantage and aligning
business and IT strategies.4 The CIO, as the most senior IT professional in the corporate hierarchy, must champion the
IT organization by promoting IT as a strategic tool for growth and innovation. The title CIO signals to both the orga- nization and to outside observers that this executive is a strategic IT thinker and is responsible for linking IS strategy
with the business strategy. In other words, CIOs must know the business vision and understand how the IT function
contributes to making this vision happen. This means that CIOs must work effectively not only in the technical arena
but also in the overall business management arena. They need the technical ability to plan, conceive, build, and
implement multiple IT projects on time and within budget. However, their technical skills must be balanced against
business skills such as the ability to realize the benefits and manage the costs and risks associated with IT, to articulate
and advocate for a management vision of IT, and to mesh well with the existing management structure.
Just as the chief financial officer (CFO) is somewhat involved in operational management of the financial activ-
ities of the organization, the CIO is involved with operational issues related to IT. More often than not, CIOs are
asked to perform strategic tasks at some part of their day and operational tasks at other times. Some of their oper-
ational activities include identifying and managing the introduction of new technologies into the firm, negotiating
partnership relationships with key suppliers, setting purchasing and supplier policies, and managing the overall
IT budget. Actual day‐to‐day management of the data center, IT infrastructure, application development projects,
vendor portfolio, and other operational issues are typically not handled directly by the CIO but by one of the man-
agers in the IT organization. Ultimately, whether they directly function as operational managers or as leaders with
oversight of other operational managers, the CIO must assume responsibility for all the activities described in
Figure 8.2 that the IT organization is charged to perform.
Where the CIO fits within an enterprise is often a source of controversy. In the early days of the CIO position,
when it was predominantly responsible for controlling costs (Level 1), the position reported to the CFO. Because
the CIO was rarely involved in enterprise governance or in discussions of business strategy, this reporting struc-
ture worked. However, as IT became a source for competitive advantage in the marketplace, reporting to the CFO
proved too limiting. Conflicts arose because the CFO misunderstood the vision for IT or saw only the costs of
technology. They also arose because management still saw the CIO’s primary responsibility as providing services
4 M. Carter, V. Grover, and J. B. Thatcher, “The Emerging CIO Role of Business Technology Strategist,” MIS Quarterly Executive 10, no. 1 (2011), 19–29.
c08.indd 171 11/26/2015 6:28:00 PM
172 The Business of Information Technology
whose costs had to be controlled. More recently, CIOs often report directly to the CEO, president, or other execu-
tive manager. This elevated reporting relationship not only signals that the role of IT is critical to the enterprise and
indicates Level 3 maturity but also makes it easier to implement strategic IT initiatives.
Some organizations choose not to have a CIO. These organizations do not believe that a CIO is necessary, in
part because technology is highly integrated into virtually every aspect of the business and no single officer need
provide oversight. These firms typically hire an individual to be responsible for running the computer systems and
possibly to manage many of the activities described later in this chapter. But they signal that this person is not a
strategist by giving him or her the title of data processing manager, director of information systems, or some other
name that clearly differentiates this person from other top officers in the company. Using the words chief and officer usually implies a strategic focus, and some organizations that do not see the value of having an IT person on their
executive team choose not to use these words.
Although the CIO’s role is to guide the enterprise toward the future, this responsibility is frequently too great
to accomplish alone. Many organizations recognize that certain strategic areas of the IT organization require more
focused guidance. This recognition led to the creation of new positions, such as the chief knowledge officer (CKO),
chief technology officer (CTO), chief telecommunications officer (also CTO), chief network officer (CNO), chief
information security officer (CISO), chief privacy officer (CPO), chief resource officer (CRO), chief mobility
officer (CMO), and chief social media officer (CSMO). See Figure 8.3 for a list of the different responsibilities for
each position that, with the occasional exception of the CTO, typically is subordinate to the CIO. Together, these
officers form a management team that leads the IT organization.
Many large corporations take the concept of CIO one step further and identify the CIO of a business unit. This
is someone who has responsibilities similar to those of a corporate CIO, but the scope is the business unit and there
is not as much concern about defining corporate standards and policies to ensure consistency across the business
units. The business unit CIO is responsible for aligning the IT investment portfolio with the business unit’s strategy.
Typically, the business unit CIO has dual reporting responsibility to both the corporate CIO and the president of the
business unit. At IBM, the CIO is a manager from a business unit who serves a two‐ to three‐year term.5
FIGURE 8.3 The CIO’s lieutenants.
Title Responsibility
Chief technology officer (CTO) Track emerging technologies; advise on technology adoption; design and manage IT architecture
Chief knowledge officer (CKO) Create knowledge management infrastructure; build a knowledge culture; make corporate knowledge payoff
Chief data officer (CDO) Create and maintain the definition, storage, and retirement of data in the firm; streamline access to the data; reduce data redundancy
Chief analytics officer (CAO) Take advantage of data analysis opportunities, often used for understanding customers, transactions, markets, or trends
Chief telecommunications officer (CTO) Manage phones, networks, and other communications technology across the entire enterprise
Chief network officer (CNO) Build and maintain internal and external networks
Chief resource officer (CRO) Manage outsourcing relationships
Chief information security officer (CISO) Ensure that information management practices are consistent with security requirements
Chief privacy officer (CPO) Establish and enforce processes and practices to meet privacy concerns of customers, employees, and vendors
Chief mobility officer (CMO) Oversee and ensure the viable use of mobile platforms and apps
Chief social media officer (CSMO) Maintain a social IT perspective that results in effectively implementing social media
5 Ann Majchrzak, Luba Cherbakov, and Blake Ives, “Harnessing the Power of the Crowds with Corporate Social Networking Tools: How IBM Does It,”
MIS Quarterly Executive 8, no. 2 (2009), 103–8.
c08.indd 172 11/26/2015 6:28:00 PM
173Building a Business Case
Building a Business Case In order to meet demand, the IT organization is often charged with providing solutions. Businesses managers often
turn to IT for good solutions, but IT projects end up competing with those of other managers in tight economic
times when there clearly aren’t enough budget resources to cover them all. After all, there is often no shortage of
other business investments such as new production machinery for higher product quality and lower costs or funding
for product research and development on product innovations. Thus, managers need to show that the solution they
want would be not only a good IT investment but also a good business investment.
To gain support and a “go‐ahead” decision, every manager must often create a business case. Similar to a legal
case, a business case is a structured document that lays out all the relevant information needed to make a go/no‐go decision. The business case for an IT project is also a way to establish priorities for investing in different projects,
an opportunity to identify how IT and the business can deliver new benefits, gain commitment from business man-
agers, and create a basis for monitoring the investment.6
The components of a business case vary from corporation to corporation, depending on the priorities and
decision‐making environment. However, there are several primary elements of any business case (see Figure 8.4).
Critical to the business case is the identification of both costs and benefits, both in financial and nonfinancial terms.
In building, it is particularly important for the business case to describe the benefits to be gained with the
acceptance of the project the case is selling. Ward, Daniel, and Peppard7 suggested a framework for identifying and
describing both financial and nonfinancial benefits (Figure 8.5). The first step in this framework is to identify each
benefit as innovation (allowing the organization to do new things), improvement (allowing the organization to do
FIGURE 8.4 Components of a business case.
Section or Component Description
Executive summary One‐ or two‐page description of the overall business case document summarizing key points
Overview and introduction Brief business background, the current business situation, a clear statement of the business problem or opportunity, and a recommended solution at a high level
Assumptions and rationale Issues driving the proposal (e.g., operational, human resources, environmental, competitive, industry or market trends, or financial)
Project summary High‐level and detailed descriptions of the project: scope, objectives, contacts, resource plan, key metrics, implementation plan, and key success factors
Financial discussion and analysis Overall summary followed by projected costs/revenues/benefits, financial metrics, financial model, cash flow statement, underlying assumptions, and total cost of ownership (TCO) analysis
Benefits and business impacts Summary of business impacts followed by details on nonfinancial matters such as new business, transformation, innovations, competitive responses, organizational, supply chain, and human resource impacts
Schedule and milestones Entire schedule for the project with milestones and expected metrics at each stage; if appropriate, can include a marketing plan and schedule
Risk and contingency analysis Analysis of risks and ways to manage those risks, sensitivity analysis of scenarios, and interdependencies and the impact they will have on potential outcomes
Conclusion and recommendation Primary recommendation and conclusions
Appendices Backup materials not directly provided in the body of the document, such as detailed financial investment analysis, marketing materials, and competitors’ literature.
6 John Ward, Elizabeth Daniel, and Joe Peppard, “Building Better Business Cases for IT Investments,” MIS Quarterly Executive 7, no. 1 (March 2008), 1–15. 7 Ibid.
c08.indd 173 11/26/2015 6:28:00 PM
174 The Business of Information Technology
things better), or cessation (stopping things). Then the benefits can be classified by degree of explicitness or the
ability to assign a value to the benefit. As shown in Figure 8.6, benefits fall into one of these categories:
• Financial: There is a way to express the benefit in financial terms. These are the metrics that are most easily used to judge the go/no‐go decision because financial terms are universal across all business decisions. An
example is improvement in profit.
• Quantifiable: There is a way to measure the size or magnitude of the benefit, but financial benefits are not directly determinable. For example, a firm might expect a 20% increase in customer retention, but to deter-
mine the financial benefit of resulting increased sales, it would require an analysis of what items they would
buy. Most business cases revolve around quantifiable benefits, so it is important to ensure the collection of a
comprehensive list of quantifiable benefits and any associated costs.
• Measurable: There is a way to measure the benefit, but it is not necessarily connectable to any organiza- tional outcome. Management must ensure alignment with the business strategy. For example, many organi-
zations collect satisfaction or web engagement data and are able to detect improvements.
• Observable: They can be detected only by opinion or judgment. These are the subjective, intangible, soft, or qualitative benefits. Things seem better but no measures are available. For example, customers might be
expected to be happier or less argumentative.
Type of Business Change
Innovation
(do new things)
High
Degree of
Explicitness
Low
Financial benefits Financial value can be calculated by applying a cost/price
or other valid financial formula to a quantifiable benefit.
Improvement
(do things better)
Cessation
(stop doing things)
Quantifiable benefits There is sufficient evidence to forecast how much
improvement/benefit should result from the changes.
Measurable benefits Although this aspect of performance is currently measured
or an approximate measure could be implemented, it is not
possible to estimate how much performance will improve
when changes are implemented.
Observable benefits By using agreed criteria, specific individuals or groups will
use their experience or judgment to decide the extent the
benefit will be realized.
FIGURE 8.5 Classification framework for benefits in a business case. Source: Adapted from John Ward, Elizabeth Daniel, and Joe Peppard, “Building Better Business Cases for IT Investments,” MIS Quarterly Executive 7, no. 1 (March 2008), 1–15.
FIGURE 8.6 Benefit examples for a business case.
Benefits Innovation: Chat Function and Customer Support Forum
Improvement: Remodeled Facebook Page
Cessation: Reduce Phone Support by 90%
Financial Fewer returns; higher sales Sales from redemption of special coupons by new customers
Overall costs reduced
Quantifiable Shorter customer wait time Number of new customers Wait time for phone lines
Measurable Higher customer satisfaction scores Number of “shares” by new customers
Overall customer service satisfaction scores
Observable Fewer complaints Supportive comments on the page
Decrease in verbal complaints by phone‐in customers
c08.indd 174 11/26/2015 6:28:00 PM
175IT Portfolio Management
Consider the example of a small manufacturing firm that hopes to differentiate itself with excellent customer
service but that has customers who are confused from time to time, an expanding customer support department,
long customer wait time, and growing dissatisfaction. The firm identified a potential three‐pronged social network
project that included a remodeled Facebook page, a new chat function, and a new customer support forum. The
project would be funded from reducing the phone support department by 90%. See Figure 8.6 for examples from a
potential benefit analysis for the social network project.
Of course, the benefit analysis is only part of the story because costs and risks need to be considered as well.
Projected costs would include purchase of hardware and software, consulting help, internal costs, training costs,
and other new expenditures. There would also be technical risks, financial risks, and organizational risks. Technical
risks could include complexity in usage of the new chat and customer support forum and incomplete statistics from
the Facebook page. Examples of financial risks would be a lack of accuracy in estimating costs, overestimates
of usage, and overly optimistic call center reduction. Organizational risks would include inadequate monitoring
of the new functionality or inability to recruit knowledgeable monitors for the chat function, support forum, and
Facebook page.
IT Portfolio Management Managing the set of systems and programs in an IT organization is similar to managing resources in a financial
organization. There are different types of IT investments or projects, and together they form the business’s IT port-
folio. IT portfolio management refers to “evaluating new and existing applications collectively on an ongoing basis to determine which applications provide value to the business in order to support decisions to replace, retire,
or further invest in applications across the enterprise.”8 This process requires thinking about IT systems as a cohe-
sive set of core assets, not as a discontinuous stream of one‐off (one‐time only), targeted investments as often has
been the case in the past. IT portfolio management involves continually deciding on the right mix of investments
from funding, management, and staffing perspectives. The overall goal of IT portfolio management is for the
company to fund and invest in the most valuable initiatives that, taken together as a whole, generate maximum
benefits for it.
Professor Peter Weill and colleagues at MIT’s Center for Information Systems Research (CISR) describe four
asset classes of IT investments that typically make up the company’s IT portfolio:9
• Transactional systems: Streamline or cut costs on the way business is done (equivalent to Level 1 in the Business Maturity Model)
• Infrastructure systems: Provide the base foundation of shared IT services used for multiple applications such as servers, networks, tablets, or smartphones (equivalent to Level 2 in the Business Maturity Model)
• Informational systems: Provide information used to control, manage, communicate, analyze, or collaborate (equivalent to Level 2 in the Business Maturity Model)
• Strategic systems: Gain competitive advantage in the marketplace (equivalent to Level 3 in the Business Maturity Model)
In analyzing the composition of any single company’s IT portfolio, one can find a profile of the relative investment
made in each IT asset class. Weill’s study found that the average firm allocates 46% of its total IT investment each
year to infrastructure and only 25% of its total IT investment in transactional systems. Weill also found that firms
in diverse industries allocate their IT resources differently.10
8 James D. McKeen and Heather A. Smith, “Developments in Practice XXXIV: Application Portfolio Management,” Communications of the Association for Information Systems 26, no. 9 (2010), http://aisel.aisnet.org/cais/vol26/iss1/9 (accessed September 4, 2015). 9 Peter Weill and Marianne Broadbent, Leveraging the New Infrastructure: How Market Leaders Capitalize on Information Technology (Cambridge, MA: Harvard Business School Press, June 1998). © MIT Sloan Center for Information Systems Research 2005–12. Used with permission. For more
information, see http://cisr.mit.edu. 10 Ibid.
c08.indd 175 11/26/2015 6:28:00 PM
176 The Business of Information Technology
Weill’s work also suggests that a different balance between IT investments is needed for a cost‐focused strategy
compared to an agility‐focused strategy. A company with a cost‐focused strategy would seek an IT portfolio that
helps lower costs as the primary business objective. In that case, Weill’s work suggests that on average, 27% of the
IT investments are made in transactional investments, suggesting higher use of applications that automate processes
and typically lower operational costs.11 On the other hand, a company with an agility focus would be more likely to
invest a higher percent of its IT portfolio in infrastructure (e.g., 51% on average) and less in transactional systems
(e.g., 24% on average). The infrastructure investment would create a platform that would likely be used to more
quickly and nimbly create solutions needed by the business whereas the transactional systems might lock in the
current processes and take more effort and time to change.
From the portfolio management perspective, potential new systems are evaluated on their own merits and com-
pared against other systems in the prospective portfolio. Often applications can’t stand alone and require integration
with other applications, some of which would need to be acquired or developed. A complete picture is required for
a fair comparison of portfolio alternatives. Portfolio management helps prioritize IT investments across multiple
decision criteria, including value to the business, urgency, and financial return. Just like an individual or company’s
investment portfolio is aligned with its objectives, the IT portfolio must be aligned with the business strategy.
Valuing IT Investments New IT investments are often justified by the business managers proposing them in terms of monetary costs and
benefits. The monetary costs and benefits are important but are not the only considerations in making IT investments.
Soft benefits, such as the ability to make future decisions, are often part of the business case for IT investments, mak-
ing the measurement of the investment’s payback (length of time to recoup the cost) difficult.
Several unique factors of the IT organization make it very challenging to determine the value from IT invest-
ments. First, the systems are complex, and calculating the costs is an art, not a science. Second, because many IT
investments are for infrastructure, calculating a payback period may be more complex than other types of capital investments. Third, many times the payback cannot be calculated because the investment is a necessity rather than
a choice without any tangible payback. For example, upgrading to a newer version of software may be required
because the older version simply is no longer supported. Many managers do not want to have to upgrade just
because the vendor insists that an upgrade is necessary. Instead, managers may resist IT spending on the grounds
that the investment adds no incremental value. These factors and more fuel a long‐running debate about the value
of IT investments. IT managers need to learn to express benefits in a businesslike manner such as return on investment (ROI) or increased customer satisfaction.
IT managers, like the business managers who propose IT projects, are expected to understand and even try to
calculate the true return on these projects. Measuring this return is difficult, however. To illustrate, consider the
relative ease with which a manager might analyze whether the enterprise should build a new plant. The first step
would be to estimate the costs of construction. The plant capacity dictates project production levels. Demand var-
ies, and construction costs frequently overrun, but the manager can find sufficient information to make a decision
about whether to build. Most of the time, the benefits of investing in IT are less tangible than those of building
a plant because the IT cannot be felt and touched like a physical building can be. Such benefits might include
tighter systems integration, faster response time, more accurate data, and more leverage to adopt future tech-
nologies, among others. How can a manager quantify these intangibles? He or she should also consider many
indirect, or downstream, benefits and costs, such as changes in how people behave, where staff report, and how
tasks are assigned. In fact, it may be impossible to pinpoint who will benefit from an IT investment when making
the decision.12
Despite the difficulty, the task of evaluating IT investments is necessary. Knowing which approaches to use
and when to use them are important first steps. A number of financial valuation approaches are summarized in
Figure 8.7. Managers should choose based on the attributes of the project. For example, ROI or payback analysis
11 Ibid. 12 John C. Ford, “Evaluating Investment in IT,” Australian Accountant (December 1994), 3.
c08.indd 176 11/26/2015 6:28:00 PM
177Monitoring IT Investments
can be used when detailed analysis is not required, as when a project is short lived and its costs and benefits are clear.
When the project lasts long enough that the time value of money becomes a factor, net present value (NPV) and economic value added (EVA) are better approaches. EVA is particularly appropriate for capital‐intensive projects.
Both IT and business managers may encounter a number of pitfalls when analyzing return on investment. First,
some situations are heavy in soft benefits and light in projected financial benefits. That is, increased customer sat-
isfaction might not result in actual financial inflows.
Second, it is difficult to reconcile projects of diverse size, benefits, and timing in light of a fixed budget avail-
able for new projects. The budget might contain enough funding for only one large project with moderate but quick
return, and then there is no room for other smaller projects with higher but slower return.
Third, circumstances may alter the way managers make estimates. For instance, in a software implementation,
if experience shows that it usually takes 20% longer than budgeted to build a system, managers might begin to rou-
tinely add 20% to future estimates when preparing schedules and budgets to account for the uncertainty.
Fourth, managers can fall into “analysis paralysis.” Reaching a precise valuation may take longer than is rea-
sonable to make an investment decision. Because a single right valuation may not exist, “close enough” usually
suffices. Experience and an eye to the risks of an incorrect valuation help decide when to stop analyzing.
Finally, even when the numbers say a project is not worthwhile, the investment may be necessary to remain
competitive. For example, UPS faced little choice but to invest heavily in IT. At the time, FedEx had made IT a
competitive advantage and was winning the overnight delivery war. More recently, companies are finding that they
must re‐invest in their applications in order to make them work on mobile devices.
Monitoring IT Investments An old adage says: “If you can’t measure it, you can’t manage it.” Management’s role is to ensure that the money
spent on IT results in value for the organization. Therefore, a common, accepted set of metrics must be created, and
those metrics must be monitored and communicated to senior management and customers of the IT department.
These metrics are often financial in nature (i.e., ROI, NPV). But financial measurement is only one category of
measures used to manage IT investments. Other IT metrics include logs of errors encountered by users, end‐user
surveys, user turnaround time, logs of computer and communication up‐/downtime, system response time, and
percentage of projects completed on time and/or within budget. An example of a business‐focused method is the
extent to which the technology innovation improves the number of contacts with external customers, increases sales
revenue, and generates new business leads.
FIGURE 8.7 Financial valuation methods.
Valuation Method Description
Return on investment (ROI) Excess of return over the investment is calculated as ROI = (Revenue − Investment)/ Investment.
Net present value (NPV) Accounting for the time value of money, the NPV discounts cash flows from future periods as being worth less than immediate cash flows. Discounting is performed by using a present value factor, which is 1/(1 + Discount rate).years
Economic value added (EVA) The amount of benefit of an investment that exceeds the costs of the capital used for investments. It is sometimes implemented firmwide as net operating profit after taxes (Capital × Cost of capital).
Payback period This is a simple and popular method that, assuming there are regular or irregular financial benefits of an investment, computes how long a firm estimates it must wait until it breaks even on the investment (all costs are finally recouped).
Internal rate of return (IRR) Like an interest rate, IRR represents the rate that is earned on an investment. The rate is compared to a target that is determined by corporate policy.
Weighted scoring methods Costs and revenues are weighted based on their strategic importance, level of accuracy or confidence, and comparable investment opportunities.
c08.indd 177 11/26/2015 6:28:00 PM
178 The Business of Information Technology
The Balanced Scorecard
Deciding on appropriate measures is half of the equation for effective IT organizations. The other half of the
equation is ensuring that those measures are accurately communicated to the business. Two methods for communi-
cating these metrics are scorecards and dashboards.
Financial measures may be the language of stockholders, but managers understand that such measures can
be misleading if used as the sole means of making management decisions. One methodology used to solve this
problem, created by Robert Kaplan and David Norton and first described in the Harvard Business Review in 1992, is the balanced scorecard, which focuses attention on the organization’s value drivers (which include, but are not limited to, financial performance).13 Companies use this scorecard to assess the full impact of their corporate strat-
egies on their customers and work force as well as their financial performance.
The balanced scorecard methodology allows managers to look at the business from four perspectives: customer,
internal business, innovation/learning, and financial. For each perspective, the goals and measures are designed to
answer these basic questions:
• How do customers see us? (customer perspective)
• At what must we excel? (internal business perspective)
• Can we continue to improve and create value? (innovation and learning perspective)
• How do we look to shareholders? (financial perspective)
Figure 8.8 graphically shows the relationship of these perspectives.
Financial Perspective
Goals Measures
Goals Measures
Goals Measures
Goals Measures
Customer Perspective
Learning Perspective
Internal Perspective
FIGURE 8.8 The balanced scorecard perspectives. Source: Based on R. Kaplan and D. Norton, “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review (January–February 1992), 72.
13 For more detail, see R. Kaplan and D. Norton, “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review 70, no. 1, (January–February 1992), 71–79.
c08.indd 178 11/26/2015 6:28:00 PM
179Monitoring IT Investments
Since the introduction of the balanced scorecard, many people have modified it or adapted it to apply to their
particular organization. Managers of information technology find the concept of a scorecard useful in managing
and communicating the value of the IT department.
Applying the categories of the balanced scorecard to IT might mean interpreting them more broadly than origi-
nally conceived by Kaplan and Norton. For example, the original scorecard speaks of the customer perspective, but
for the IT scorecard, the customer might be a user within the company, not an external customer of the company.
The questions asked when using this methodology within the IT department are summarized in Figure 8.9.
David Norton comments, “[D]on’t start with an emphasis on metrics—start with your strategy and use metrics
to make it understandable and measurable (that is, to communicate it to those expected to make it happen and to
manage it).”14 He finds the balanced scorecard to be the most effective management framework for achieving orga-
nizational alignment and strategic success.
FirstEnergy, a multibillion‐dollar utility company, is a good example of how the IS scorecard can be used. One
of its strategic, albeit nonfinancial, goals was to create “raving fans” among its customers. The MIS group inter-
preted “raving fans” to mean satisfied internal customers. It used three metrics to measure the performance toward
this goal:15
• Percentage of projects completed on time and on budget
• Percentage of projects released to the customer by agreed‐on delivery date
• End‐of‐project customer satisfaction survey results
A scorecard used within the IT organization helps senior IT managers understand their organization’s performance
and measure it in a way that supports its business strategy. The IT scorecard is linked to the corporate scorecard
and ensures that the measures used by IT are those that support the corporate goals. At DuPont Engineering, the
balanced scorecard methodology forces every action to be linked to a corporate goal, which helps promote align-
ment and eliminate projects with little potential impact. The conversations between IT and the business focus on
strategic goals, the merits of the project at hand, and the actual impact rather than on technology and capabilities.16
FIGURE 8.9 Balanced scorecard applied to IT departments. Source: Adapted from R. Kaplan and D. Norton, “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review (January–February 1992), 72.
Dimension Description Example of IT Measures
Customer perspective How do customers see us?
Measures that reflect factors that really matter to customers
Impact of IT projects on users, impact of IT’s reputation among users, and user‐defined operational metrics
Internal business perspective What must we excel at?
Measures of what the company must do internally to meet customer expectations
IT process metrics, project comple- tion rates, and system operational performance metrics
Learning perspective Can we continue to improve and create value?
Measures of the company’s ability to inno- vative, improve, and learn
IT R&D, new technology introduction success rate, training metrics
Financial perspective How do we look to shareholders?
Measures to indicate contribution of activ- ities to the bottom line
IT project ROI, NPV, IRR, cost/benefit, TCO, ABC
14 “Ask the Source: Interview with David Norton,” cio.com (July 25, 2002) (accessed February 22, 2003). 15 Adapted from Eric Berkman, “How to Use the Balanced Scorecard,” CIO Magazine 15, no. 15 (May 15, 2002), 1–4. 16 Ibid; also Hall of Fame Organizations: Dupont, http://www.thepalladiumgroup.com/about/hof/Pages/HofViewer.aspx?MID=27 (accessed February 19,
2012).
c08.indd 179 11/26/2015 6:28:00 PM
180 The Business of Information Technology
IT Dashboards
Scorecards provide summary information gathered over a period of time. Another common IT management mon-
itoring tool is the IT dashboard, which provides a snapshot of metrics at any given point in time. Much like the dashboard of an automobile or airplane, the IT dashboard summarizes key metrics for senior managers in a manner
that provides quick identification of the status of the organization. Like scorecards, dashboards are useful outside
the IT department and are often found in executive offices as a tool for keeping current on critical measures of the
organization. This section focuses on the use of these tools within the IT department. The contents of a dashboard
depend on what is important to management, but in most cases graphical representations provide quick, at‐a‐glance
results. Dashboards are often quite colorful, but as Figure 8.10 illustrates, they can be very useful even without
using color.
IT dashboards are also used in an IT department, which provide frequently updated information on areas of
interest such as the status of projects of various sizes or operational systems of various types. For example, a dash-
board used by General Motors (GM) North America’s IT leadership team monitors project status.17 Because senior
managers question the overall health of a project rather than the details, the dashboard they designed provides red,
yellow, or green highlights for rapid comprehension. A green highlight means that the project is progressing as
planned and performance is within acceptable limits. A yellow highlight means at least one key target has been
missed. A red highlight means the project is significantly behind and needs some attention or resources to get back
on track.
CURRENT INVENTORY
30% Widgets
Items 23%
Stuff 6%
Parts 22%
Objects 19%
WEBSITE E-COMMERCE
PURCHASES 6,200 7,800
900
0% 100%
MARKET SHARE
BY COMPETITOR
Brand W
Brand X
Brand Y
Brand Z
55%
24%
17%
4%
COMPETITOR SPEND
Brand
W
Brand
X
Brand
Y
Brand
Z
$122
$6
$150
$24
$37
$2
$34
$17
$5 $8 $3
PROFIT BY CHANNEL
Affiliates
Website
In-Store
Social
55%
20%
13%
10%
2%
REVENUE PER PRODUCT
ALL
VIC
NSW
QLD Widgets Items Parts
Widgets Items Parts
Widgets Items Parts
Widgets Items Parts
BRAND AWARENESS
Brisbane
Cairns
0.7 Sydney
Melbourne
Perth
Darwin
ADVERTISING SPEND BY
CHANNEL THIS MONTH
COMPANY TOP-LINE REVENUE
$23,044,000 $23,044,000
$25,220,000
$21,998,000
NOV
2012
APR
2013
SEP
2013
FIGURE 8.10 Example of an executive dashboard. Source: http://www.datalabs.com.au/business‐intelligence‐dashboards/.
17 Adapted from Tracy Mayor, “Red Light, Green Light,” CIO Magazine 15, no. 1 (October 1, 2001), 108.
c08.indd 180 11/26/2015 6:28:01 PM
181Monitoring IT Investments
At GM, each project is tracked and rated monthly. GM uses four dashboard criteria: (1) performance to
budget, (2) performance to schedule, (3) delivery of business results, and (4) risk. At the beginning of a project,
these metrics are defined and acceptable levels set. The project manager assigns a color status monthly based
on the defined criteria, and the results are reported in a spreadsheet. When managers look at the dashboard, they
can immediately tell whether projects are on schedule based on the amount of green, yellow, or red highlights
on the dashboard. They can then drill down into yellow or red metrics to get the projects back on track. The
dashboard provides an easy way to identify where their attention should be focused. The director of IT opera-
tions explains, “Red means I need more money, people or better business buy‐in. . . . The dashboard provides an
early warning system that allows IT managers to identify and correct problems before they become big enough
to derail a project.”18
There are really four types of IT dashboards.19 Portfolio dashboards like GM’s help senior IT leaders manage IT projects. These dashboards show senior IT leaders the status, problems, milestones, progress, expenses, and
other metrics related to specific projects. Business‐IT dashboards show relevant business metrics and link them to the IT systems that support them. The metrics on the balanced scorecard provide a sample of the type of metrics
followed by this dashboard. A service dashboard is geared toward the internal IS department, showing important metrics about the IS such as up time, throughput, service tickets, progress on bug fixes, help desk satisfaction, and
so on. The fourth type is an improvement dashboard, which monitors the three to five key improvement goals for the IT group. Like the portfolio dashboard, the metrics to be monitored are based on the projects undertaken, but
unlike the other dashboards, this one is geared toward monitoring progress toward important goals of the IT orga-
nization itself.
In order to increase its transparency, the U.S. government created an IT dashboard Web site20 in 2009. This
Web site, which was built in six weeks, displays the status of each IT project (termed an “investment”) currently
under development within the U.S. government. This dashboard provides status information by project and agency
and offers the ability to drill down for details. For each project, it provides color‐coded (i.e., green, yellow, and
red) performance metrics for cost, schedule, and CIO evaluation along with a project history. For each agency,
it provides an agency rating and count of projects in each color grouping. For example, in September 2015, one
could click the “Portfolio” button for a list of departments and their overall ratings.21 Across all projects, pie charts
revealed green, yellow, and red counts of 575, 129, and 34, respectively. The Department of Homeland Security
(DHS) had average project rating of 3.9 out of 5 over 89 projects.
Clicking on the DHS name allowed drilling down for detail about its projects, and clicking on each project
provided 2015 spending along with ratings and commentary.22 For instance, the $163.5 million “FEMA—Infra-
structure” project had a very low rating of 2.0 out of 5. A narrative and graphical rating history23 allows the user to
understand the problems and when they occurred. The FEMA—Infrastructure evaluation score fell in April 2013,
largely because the project was over budget and behind schedule. It is apparent that the increased transparency pro-
vides increased accountability for managing the investments.24
Dashboards are built on the information contained in the other applications, databases, and analytical systems
of the organization (see Chapter 12 for a more complete discussion of business intelligence and business ana-
lytics). Refer to Figure 8.11 for the architecture of a sample dashboard for Western Digital, a $3‐billion global
designer and manufacturer of high‐performance hard drives for PCs, networks, storage devices, and entertainment
systems.25
18 Ibid. 19 Adapted from Chris Curran, “The 4 Types of CIO Dashboards,” CIO.com (June 15, 2009), http://www.ciodashboard.com/metrics‐and‐measurement/ the‐4‐types‐of‐cio‐dashboards/ (accessed April 9, 2012). 20 See https://itdashboard.gov/ (accessed September 4, 2015). 21 http://www.itdashboard.gov/portfolios (accessed September 4, 2015). 22 https://itdashboard.gov/portfolios/agency=024 (accessed September 4, 2015). 23 https://itdashboard.gov/investment?buscid=163 (accessed September 4, 2015). 24 U.S. government IT Dashboards, http://www.itdashboard.gov/portfolios (accessed on accessed April 23, 2015). 25 Robert Houghton, O. A. El Sawy, P. Gray, C. Donegan, and A. Joshi, “Vigilant Information Systems for Managing Enterprises in Dynamic Supply
Chains: Real‐Time Dashboards at Western Digital,” MISQE 3, no. 1 (March 2004), 19–35.
c08.indd 181 11/26/2015 6:28:01 PM
182 The Business of Information Technology
Funding IT Resources Who pays for IT? The users? The IT organization? Headquarters? Certain costs are associated with designing,
developing, delivering, and maintaining the IT systems. How are these costs recovered? The three main funding
methods are chargeback, allocation, and corporate budget. Both chargeback and allocation methods distribute the
costs back to the businesses, departments, or individuals within the company. This distribution of costs is used so
that managers can understand the costs associated with running their organization or for tax reasons when the costs
associated with each business must be paid for by the appropriate business unit. Corporate budgeting, on the other
hand, is a completely different funding method in which IT costs are not linked directly with any specific user or
business unit; costs are recovered using corporate coffers.
Chargeback
With a chargeback funding method, IT costs are recovered by charging individuals, departments, or business units based on actual usage and cost. The IT organization collects usage data on each system it runs. Rates for
usage are calculated based on the actual cost to the IT group to run the system and billed out on a regular basis.
For example, a PC might be billed at $100/month, which includes the cost of maintaining the system, any soft-
ware license fees for the standard configuration, e‐mail, network access, a usage fee for the help desk, and other
related services. Each department receives a monthly bill showing the number of units it has, such as PCs, printers,
or servers, multiplied by the charge for each unit. Services such as mainframe processing time and special project
consulting help can also be included. When the IT organization wants to recover administrative and overhead costs
using a chargeback system, these costs are built into rates charged for each service.
Corporate Dashboards
Planning/Forecasting
Revenue Positions
Inventory Positions
BMIS
(financial
performance)
ERP Logistics Point of
Sale
Supplier
Quality
System
Raw Data
Drive Cost, Customer Order, Customer Payment, Test Data, Build Data, etc.....
Mfg.
Execution
System
Marginal
Monitoring
System
Failure
Analysis
System
QIS
(product
performance)
Mitec Reporting
(factory performance)
Factory Dashboard
Component Inventory
Line Utilization
Yield
Dashboards
Highly Summarized
Key Metric Driven
Visualization and Alertness
Business Intelligence
Cross Application Query/Data Mining
Statistical Analysis
Functional Applications
Transaction Based
Standard Reporting
Highly Focused
Raw Data
Feeds Transaction System
FIGURE 8.11 Example architecture of a dashboard. Source: Robert Houghton, O. A. El Sawy, P. Gray, C. Donegan, and A. Joshi, “Vigilant Information Systems for Managing Enter- prises in Dynamic Supply Chains: Real‐Time Dashboards at Western Digital,” MIS Quarterly Executive 3, no. 1 (March 2004).
c08.indd 182 11/26/2015 6:28:02 PM
183Funding IT Resources
Chargeback systems are popular because they are viewed as the most equitable way to recover IT costs. Costs
are distributed based on usage or consumption of resources, ensuring that the largest portion of the costs is paid
for by the group or individual who consumes the most. Chargeback systems can also provide managers a “menu”
of options for managing and controlling their IT costs. For example, a manager may decide to select tablets rather
than laptops because the unit charge is less expensive. The chargeback system gives managers the details they need
to understand both what IT resources they use and how to account for IT consumption in the cost of their products
and services. Because the departments get a regular bill, they know exactly what their costs are.
Creating and managing a chargeback system, however, is a costly endeavor itself. IT organizations must build
systems to collect details that might not be needed for anything other than the bills they generate. For example, if
PCs are the basis for charging for network time, the network connect time per PC must be collected, stored, and
analyzed each billing cycle. The data collection quickly becomes large and complex, which often results in com-
plicated, difficult‐to‐understand bills. In addition, picking the charging criteria is challenging. For example, it is
relatively easy to count the number of PCs located in a particular business unit, but is that number a good measure
of the network resources used? It might be more accurate to charge based on units of network time used, but how
would that be captured and calculated? Chargeback methods are most appropriate when there is a wide variation in
usage among users or when actual costs need to be accounted for by the business units.
Allocation
To simplify the cost recovery process, an allocation system can be used. An allocation funding method recovers costs based on something other than usage, such as revenues, log‐in accounts, or head count (number of employees)
in each business unit or department. For example, suppose the total spending for IT for a year is $1 million for a
company with 10,000 employees. A business unit with 1,000 employees might be responsible for 10%, or $100,000,
of the total IT costs. Of course, with this type of allocation system, it does not matter whether these employees even
use the IT; the department is still charged the same amount.
The allocation mechanism is simpler than the chargeback method to implement and apply each month. Actual
usage does not need to be captured. The rate charged is often fixed at the beginning of the year. Allocation offers
two main advantages. First, the level of detail required to calculate the allocations is much less, which reduces
record keeping expenses. Second, the charges from the IT organization are predictable. Unlike the chargeback
mechanism, where each bill opens up an opportunity for discussion about the charges incurred, the allocation
mechanism seems to generate far less frequent arguments from the business units. Often, quite a bit of discussion
takes place at the beginning of the year when rates and allocation bases are set, but less discussion occurs each
month because the managers understand and expect the bill.
Two major complaints are made about allocation systems. First is the free‐rider problem: A large user of IT ser-
vices pays the same amount as a small user when the charges are not based on usage. Second, deciding the basis for
allocating the costs is an issue. Choosing the number of employees over the number of desktops or other basis is
a management decision, and whichever basis is chosen, someone will likely pay more than his or her actual usage
would imply. Allocation mechanisms work well when a corporate directive requires the use of this method and
when the units agree on the basis for dividing the costs.
Often when an allocation process is used, a follow‐up process is needed at the end of the fiscal year to compare
the total IT expenses against the total IT funds recovered from the business units, and any extra funds are given back
to the business. Sometimes this process is called a “true‐up” process because true expenses are balanced against
payments made. In some cases, additional funds are needed; however, IT managers try to avoid asking for funds
to make up for shortfalls in their budget. The true‐up process is needed because the actual cost of the information
system is difficult to predict at the beginning of the year. Cost changes over the year because hardware, software,
or support costs fluctuate in the marketplace and because IT managers, like all managers, work constantly on
improving efficiency and productivity, resulting in lower costs. In an allocation process that charges a fixed rate for
each service for the year, a true‐up process allows IT managers to pass along any additional savings to their business
counterparts. Business managers often prefer the predictability of their monthly IT bills along with a true‐up pro-
cess over the relative unpredictability of being charged actual costs each month.
c08.indd 183 11/26/2015 6:28:02 PM
184 The Business of Information Technology
Corporate Budget
An entirely different way to pay for IT costs is to simply consider them all to be corporate overhead and pay for
them directly out of the corporate budget. With the corporate budget funding method, the costs fall to the corpo- rate bottom line, rather than levying charges on specific users or business units.
Corporate budgeting is a relatively simple method for funding IT costs. It requires no calculation of prices of the IT
systems. And because bills are not generated on a regular cycle to the businesses, concerns are raised less often by the
business managers. IT managers control the entire budget, giving them control of the use of those funds and, ultimately,
more input into what systems are created, how they are managed, and when they are retired. This funding method also
encourages the use of new technologies because learners are not charged for exploration and inefficient system use.
As with the other methods, certain drawbacks come with using the corporate budget. First, all IT expenditures
are subjected to the same process as all other corporate expenditures, namely, the budgeting process. In many com-
panies, this process is one of the most stressful events of the year: Everyone has projects to be done, and everyone
is competing for scarce funds. If the business units are not billed in some way for their usage, many companies
find that the units do not control their usage. Getting a bill for services motivates the individual business manager
to reconsider his or her usage of those services. Finally, if the business units are not footing the bill, the IT group
may feel less accountable to them, which may result in an IT organization that is less end‐user or customer oriented.
Figure 8.12 summarizes the advantages and disadvantages of these methods.
How Much Does IT Cost? The three major IT funding approaches in the preceding discussion are designed to recover the costs of building
and maintaining the information systems in an enterprise. The goal is to simply cover the costs, not to generate a
profit (although some IT organizations are actually profit centers for their corporation). The most basic method for
calculating the costs of a system is to add the costs of all the components, including hardware, software, network,
and the people involved. IT organizations calculate the initial costs and ongoing maintenance costs in just this way.
Activity‐Based Costing
Another method for calculating costs is known as activity‐based costing (ABC). Traditional accounting methods account for direct and indirect costs. Direct costs are those that can be clearly linked to a particular process or
product, such as the components used to manufacture the product and the assembler’s wages for time spent building
FIGURE 8.12 Comparison of IT funding methods.
Funding Method Description Why Do It? Why Not Do It?
Chargeback Charges are calculated based on actual usage.
It is the fairest method for recovering costs based on actual usage. IT users can see exactly what their usage costs are.
IT department must collect details on usage, which can be expensive and difficult. IT must be prepared to defend the charges, which takes time and resources.
Allocation Total expected IT expen ditures are divided by agreed upon basis such as number of login IDs, number of employees, or number of workstations.
It requires less bookkeeping for IT because rate is set once per fiscal year, and basis is well understood. Monthly costs for the business units are predictable.
IT department must defend allocation rates; it may charge a low‐usage department more than its usage would indicate is fair.
Corporate Budget Corporate allocates funds to IT at annual budget session.
There is no billing to the business units. IT exercises more control over what projects are done. It is good for encouraging the use of new technologies.
It competes with all other budgeted items for funds; users might draw on excessive resources, lacking any incentive to economize.
c08.indd 184 11/26/2015 6:28:02 PM
185How Much Does IT Cost?
the product. Indirect costs are the overhead costs, which include everything from the electric bill, the salary of
administrative managers, and the expenses of the administrative function to the wages of the supervisor over-
seeing the assembler, the cost of running the factory, and the maintenance of machinery used for multiple products.
Further, depending on the funding method used by the enterprise, indirect costs are allocated or absorbed elsewhere
in the pricing model. The allocation process can be cumbersome and complex and often is a source of trouble for
many organizations. The alternative to the traditional approach is ABC.
Activity‐based costing calculates costs by counting the actual activities that go into making a specific product or delivering a specific service. Activities are processes, functions, or tasks that occur over time and produce recog- nized results. They consume assigned resources to produce products and services. Activities are useful in costing
because they are the common denominator between business process improvement and information improvement
across departments.
Rather than allocate the total indirect cost of a system across a range of services according to an allocation for-
mula, ABC calculates the amount of time that system supported a particular activity and allocates only that cost to
that activity. For example, an accountant would look at the enterprise resource planning (ERP) system and divide
its cost over the activities it supports by calculating how much of the system is used by each activity. Product A
might take up one‐twelfth of an ERP system’s capacity to control the manufacturing activities needed to make it,
so it would be allocated one‐twelfth of the system’s costs. The help desk might take up a whole server, so the entire
server’s cost would be allocated to that activity. In the end, the costs are put in buckets that reflect the products and
services of the business rather than the organization structure or the processes of any given department. In effect,
ABC is the process of charging all costs to “profit centers” instead of to “cost centers.”
Jonathan Bush, CEO of management services company Athenahealth, did activity‐based costing for Children’s
Hospital in Boston. When he found that it cost the hospital about $120 to admit a patient, he recommended a solu-
tion of using the information received from the primary care doctor. He argues, “Your primary‐care doctor has
already created 90% of that information to see you for your regular visit. Why wouldn’t the hospital give the doctor
$100 if it was costing them $120 to do it themselves?”26 The ABC approach allowed the hospital to realize the cost
of running the hospital systems to perform the activity and to compare it with the cost of an alternative source that
turned out to be cheaper. But until the thorny issues of electronic medical records are sorted out, the doctors and the
hospitals will likely continue to create their own records.
Total Cost of Ownership
When a system is proposed and a business case is created to justify the investment, summing up the initial outlay
and the maintenance cost does not provide an entirely accurate total system cost. In fact, if only the initial and main-
tenance costs are considered, the decision is often made on incomplete information. Other costs are involved, and
a time value of money affects the total cost. One technique used to calculate a more accurate cost that includes all
associated costs is total cost of ownership (TCO). It has become the industry standard. Gartner Group introduced TCO in the late 1980s when PC‐based IT infrastructures began gaining popularity.27 Other IT experts have since
modified the concept, and this section synthesizes the latest and best thinking about TCO.
TCO looks beyond initial capital investments to include costs associated with technical support, administration,
training, and system retirement. Often, the initial cost is an inadequate predictor of the additional costs necessary
to successfully implement the system. TCO techniques estimate annual costs per user for each potential infrastruc-
ture choice; these costs are then totaled. Careful estimates of TCO provide the best investment numbers to compare
with financial return numbers when analyzing the net returns on various IT options. The alternative, an analysis
without TCO, can result in an “apples and oranges” comparison. Consider a decision about printers. The initial cost
of a laser printer may be much less than an inkjet printer, but when considering the cost of toner and ink over the
expected lifetime of the printers, the total cost of ownership of the laser printer is much lower. A similar analysis of
a larger IT system clarifies similar alternatives and comparisons.
26 David Lidsky, “#43 Athenahealth,” fastcompany.com (February 17, 2010), http://www.fastcompany.com/mic/2010/profile/athenahealth (accessed
January 30, 2012). 27 M. Gartenberg, “Beyond the Numbers: Common TCO Myths Revealed,” Gartner Group Research Note: Technology (March 2, 1998).
c08.indd 185 11/26/2015 6:28:02 PM
186 The Business of Information Technology
A major IT investment is for infrastructure. The hardware, software, network, and data framework can be used
to organize the TCO components the manager needs to evaluate each infrastructure option. Hardware, software,
and networking units can include the obvious equipment and packages but also “invisible” significant items such
as technical support, administration, training, and disposal costs can easily be overlooked. “Soft” data costs can
include removable media such as thumb drives or portable hard drives, as well as on‐site and off‐site storage.
Even if managers can’t get a completely accurate figure of costs, they can be more aware of areas where costs
can be cut. More or less detail can be used in each area as needed by the business environment. The manager can
adapt this framework for use with varying IT infrastructures.
TCO Component Breakdown
TCO is sometimes difficult for managers to fully comprehend. To clarify how the TCO framework is used, this
section examines the hardware category in more detail. For shared components, such as servers and printers, TCO
estimates should be computed per component and then divided among all users who access them.
For more complex situations, such as when only certain groups of users possess certain components, it is wise to
segment the hardware analysis by platform. For example, in an organization in which every employee possesses a
desktop computer that accesses a server and half the employees also possess stand‐alone laptops that do not access
a server, one TCO table could be built for desktop and server hardware and another for laptop hardware. Each table
would include software, network, and data costs associated only with its specific platforms.
Soft costs, such as technical support, administration, and training, are easier to estimate than they may first appear.
For example, as Figure 8.13 depicts, technical support costs include areas such as phone support, troubleshooting, hot
swaps, and repairs. These and all other costs are summed and divided by the number of devices to derive an amount
per unit, which is when added to the initial cost of a device, and reflects a truer sense of cost of ownership, or TCO.
The final soft cost, informal support, may be harder to determine, but it is important nonetheless. Informal
support comprises the sometimes highly complex networks that develop among co‐workers through which many
problems are fixed and much training takes place without the involvement of any official support staff. In many
circumstances, these activities can prove more efficient and effective than working through official channels. Still,
managers want to analyze the costs of informal support for two reasons:
1. The costs—both in salary and in opportunity—of a nonsupport employee providing informal support may prove significantly higher than analogous costs for a formal support employee. For example, it costs
much more in both dollars per hour and forgone management activity for a midlevel manager to help a line
employee troubleshoot an e‐mail problem than it would for a formal support employee to provide the same
service.
2. The quantity of informal support activity in an organization provides an indirect measure of the efficiency of its IT support organization. The formal support organization should respond with sufficient promptness
and thoroughness to discourage all but the briefest informal support transactions.
Various IT infrastructure options affect informal support activities differently. For example, a more user‐friendly
systems interface may alleviate the need for much informal support, justifying a slightly higher software expendi-
ture. Similarly, an investment in support management software may be justified if it reduces the need for informal
support. Web‐based applications change the equation even further. Those companies that use a vendor‐supplied
Web‐based application may find that support activities are provided by the vendor or the applications are written in
such a way as to minimize or eliminate support entirely.
TCO as a Management Tool
This discussion focused on TCO as a tool for evaluating which infrastructure components to choose, but TCO
also can help managers understand how infrastructure costs break down. Research has consistently shown that the
labor costs associated with an IT infrastructure far outweigh the actual capital investment costs. TCO provides the
c08.indd 186 11/26/2015 6:28:02 PM
187Summary
fullest picture of where managers spend their IT dollars. Like other benchmarks, TCO results can be evaluated
over time against industry standards (much TCO target data for various IT infrastructure choices are available
from industry research firms). Even without comparison data, the numbers that emerge from TCO studies assist in
making decisions about budgeting, resource allocation, and organizational structure.
However, like the ABC approach, the cost of implementing TCO can be a detriment to the program’s overall suc-
cess. Both ABC and TCO are complex approaches that may require significant effort to determine the costs to use
in the calculations. Managers must weigh the benefits of using these approaches with the costs of obtaining reliable
data necessary to make their use successful.
S U M M A R Y
• IT organizations can be expected to anticipate new technologies, participate in setting and implementing strategic goals, innovate current processes, develop and maintain information systems, manage supplier relationships, estab-
lish architecture platforms and standards, promote enterprise security, plan for business discontinuities, manage data/
information/knowledge, manage Internet and network services, manage human resources, operate the data center, pro-
vide general support, and integrate social IT.
• IT activities can reveal the group’s level of maturity. The most mature IT organizations are proactive and partner with business executives.
• The chief information officer (CIO) is a high‐level IS officer who oversees many important organizational activities. The CIO must display both technical and business skills. The role requires both strategic and operational skills.
• A business case is a tool used to support a decision or a proposal of a new investment. It is a document containing a project description, financial analysis, marketing analysis, and all other relevant documentation to assist managers in
making a go/no‐go decision.
• Benefits articulated in a business case can be categorized as observable, measurable, quantifiable, and financial. These benefits are often for innovations, improvements, or cessation.
• The portfolio of IT investments must be carefully evaluated and managed.
• The investments may be valued using such methods as return on investment (ROI), net present value (NPV), economic value added (EVA), payback period, internal rate of return (IRR), and weighted scoring.
• Benefits derived from IT investments are sometimes difficult to quantify and to observe or are long range in scope.
FIGURE 8.13 Soft cost considerations.
Soft Cost Areas Example Components of Cost Source
Technical support Hardware phone support Call center
In‐person hardware troubleshooting IT operations
Hardware hot swaps IT operations
Physical hardware repair IT operations
Total cost of technical support
Administration Hardware setup System administrator
Hardware upgrades/modifications System administrator
New hardware evaluation IT operations
Total cost of administration
Training New employee training IT operations
Ongoing administrator training Hardware vendor
Total cost of training
Total soft costs for hardware
c08.indd 187 11/26/2015 6:28:02 PM
188 The Business of Information Technology
• Monitoring and communicating the status and benefits of IT is often done through the use of balanced scorecards and IT dashboards.
• IT is funded using one of three methods: chargeback, allocation, or corporate budget.
• Chargeback systems are viewed as the most equitable method of IT cost recovery because costs are distributed based on usage. Creating an accounting system to record the information necessary to do a chargeback system can be expensive
and time consuming and usually has no other useful application.
• Allocation systems provide a simpler method to recover costs because they do not involve recording system usage to allocate costs. However, allocation systems can sometimes penalize groups with low usage.
• The corporate budget method does not allocate costs at all. Instead, the CIO seeks and receives a budget from the corpo- rate overhead account. This method of funding IT does not require any usage record keeping but is also most likely to be
abused if the users perceive it to be “free.”
• Activity‐based costing (ABC) is another technique to group costs into a meaningful bucket. Costs are accounted for based on the activity, product, or service they support. ABC is useful for allocating large overhead expenses.
• Total cost of ownership (TCO) is a technique used to understand all the costs beyond the initial investment costs associ- ated with owning and operating an information system. It is most useful as a tool to help evaluate which infrastructure
components to choose and to help understand how infrastructure costs occur.
K E Y T E R M S
activity‐based costing (ABC) (p. 185)
allocation funding method (p. 183)
balanced scorecard (p. 178)
business case (p. 173)
business‐IT maturity model (p. 167)
business technology strategist (p. 171)
chargeback funding method (p. 182)
chief information officer
(CIO) (p. 171)
corporate budget funding
method (p. 184)
dashboard (p. 180)
economic value added (EVA) (p. 177)
IT portfolio management (p. 175)
net present value (NPV) (p. 177)
payback period (p. 176)
return on investment (ROI) (p. 176)
total cost of ownership (TCO) (p. 185)
D I S C U S S I O N Q U E S T I O N S
1. Using an organization with which you are familiar, describe the role of the most senior IS professional. Is that person a strategist or an operational manager?
2. What advantages does a CIO bring to a business? What might be the disadvantages of having a CIO?
3. Under what conditions would you recommend using each of these funding methods to pay for information systems expenses: allocation, chargeback, and corporate budget?
4. In the following table are comparative typical IT portfolio profiles for different business strategies from Weill and Broad- bent’s study.28 Explain why infrastructure investments are higher and transactional and informational investments are lower
for a firm with an agility focus than a firm with a cost focus. Also, how would you explain the similar values for strategic
investments among the three profiles?
Transactional Investments
Infrastructure Investments
Informational Investments
Strategic Investments
Average firm 25% 46% 18% 11%
Cost focus 27% 44% 18% 11%
Agility focus 24% 51% 15% 10%
5. Describe the conditions under which ROI, payback period, NPV, and EVA are most appropriately applied to information systems investments.
28 Weill and Broadbent, Leveraging The New Infrastructure.
c08.indd 188 11/26/2015 6:28:02 PM
189Case Study
KLM Airlines , headquartered in the Netherlands, is one of the world ’ s leading international airlines. Following its merger
with Air France in 2004, KLM employs 33,000 people worldwide (1,000 of whom work in the IT function) and operates
about 200 planes. 29
Following the 9/11 terrorist attack in 2001, the challenging business environment for airlines caused KLM ’ s CEO to
appoint a new CIO from the operations area, clearly outside of the IT area, to make a structural break from the past. Three
priorities included examining outsourcing IT, creating a board of business and IT representatives, and fashioning a process
for governance of IT that is shared between the IT function and business units.
The result of the ensuing efforts over several years was to create four levels of committee governance: An executive
committee kept an eye on matching the business strategy with IT strategies; A business/IT board, which was composed
of the CEO, CIO, and all business unit executive vice presidents, was formed to manage the portfolio and budget; an
IT management team worked on tactical planning for the business/IT board; and fi nally, the CIO/information services
management team planned and managed IT operations. KLM also established a set of key principles and practices
and developed a standard business case template that had to be used whenever requesting an investment greater than
150,000 euros.
KLM experienced fi ve benefi ts attributed to the governance structure: reduced IT costs per kilometer fl own, increased
capacity for IT innovation, better alignment of investments to business goals, increased trust between functional units and
the IT organization, and a mind‐set of the value of IT.
■ CASE STUDY 8‐1 KLM Airlines
6. A new inventory management system for ABC Company could be developed at a cost of $260,000. The estimated net operating costs and estimated net benefits over six years of operation would be:
Year Estimated Net Operating Costs Estimated Net Benefi ts
0 $260,000 $0
1 7,000 42,000
2 9,400 78,000
3 11,000 82,000
4 14,000 115,000
5 15,000 120,000
6 25,000 140,000
a. What would the payback period be for this investment? Would it be a good or bad investment? Why? b. What is the ROI for this investment? c. Assuming a 15% discount rate, what is this investment ’ s NPV?
7. Compare and contrast the IT scorecard and dashboard approaches. Which, if either, would be most useful to you as a general manager? Please explain.
8. TCO is one way to account for costs associated with a specific infrastructure. This method does not include additional costs such as disposal costs—the costs to dispose of the system when it is no longer of use. What other additional costs might be
of importance in making total cost calculations?
9. Check out the U.S. government IT dashboard site at http://www.itdashboard.gov/portfolios. Based upon the site: a. Describe the portfolio for the Department of Justice. b. Which investments, if any, appear to be in trouble in the Department of Justice? Based on the information that is provided,
can you estimate the status of those projects? Is there any additional information that you think a manager would like to
see about the status of the project?
29 Adapted from Steven De Haes , Dirk Gemke , John Thorp , and Wim Van Grembergen , “ KLM ’ s Enterprise Governance of IT Journey: From Managing
IT Costs to Managing Business Value ,” MIS Quarterly Executive 10 , no. 3 ( 2011 ), 109 – 20 .
c08.indd 189 11/26/2015 6:28:03 PM
190 The Business of Information Technology
Discussion Questions
1. What is likely to have led to increased trust for the IT organization?
2. What might explain an item that is seemingly quite unrelated to IT (costs per kilometer flown) decreased as a result of
the new CIO structure?
3. What maturity level did KLM appear to exhibit (a) in 2000 and (b) in 2011? Why?
4. Why do you think that KLM requires its employees to use a standard business case template when they want to make
an investment?
Sources: Adapted from Steven De Haes , Dirk Gemke , John Thorp , and Wim Van Grembergen , “ KLM ’ s Enterprise Governance of IT Journey: From Managing IT Costs to Managing Business Value ,” MIS Quarterly Executive 10 , no. 3 ( 2011 ), 109 – 20 , and “Analyz- ing IT Value Management at KLM Through the Lens of Val IT," http://www.isaca.org/JOURNAL/ARCHIVES/2011/VOLUME‐5/Pages/ Analyzing‐IT‐Value‐Management‐at‐KLM‐Through‐the‐Lens‐of‐Val‐IT.aspx (accessed May 30, 2015).
BIOCO is a profi table and growing medium‐sized biopharmaceutical company located in the southeast United States.
It develops, produces, and markets vaccines and antibody‐based pharmaceutical products. As part of the company ’ s strate-
gic transformation, BIOCO ’ s CEO introduced a top‐down, strategy‐driven management process called the “BIOCO Way.”
The CEO has a strong conviction that the success of a company starts with a clear vision of what the company wants to be
and a corporate strategy that refl ects that vision. In the BIOCO Way, the corporate vision and strategy are translated into a
long‐term corporate strategic plan, which in turn is used to generate the corporate strategy map. To measure progress against
the strategy map, a cascade of balanced scorecards (corporate, division/department) are developed and used. As a result of
the full integration of the levels of balanced scorecards into the planning process, the BIOCO Way emphasizes how the
strategies and related tactics should be carried out and measured at all levels. The CEO is a strong champion of balanced
scorecards and is considered an in‐house guru for the method.
Each year, BIOCO managers at the corporate and department levels review performance and assess the appropriateness
of their respective balanced scorecards for the prior year. Based on the results of the performance reviews and a short‐term
execution plan for the upcoming year, strategic initiatives are added, modifi ed, or removed, and the metrics in the scorecards
are adjusted accordingly. The CIO thinks that the balanced scorecards help the departments look beyond their own opera-
tions, and the vice president thinks they mobilize everyone in the company by setting up tangible goals that are clearly linked
to the overall goals of the company. The CIO thinks the scorecard enhances communications because it “provides a focal
point and common language around the key value drivers of the organization,” and it helps IT understand other business
areas. To overcome cultural differences among the departments, he added culture as a fi fth perspective in the scorecards.
Discussion Questions
1. What benefits has BIOCO realized from its use of balanced scorecards?
2. Do you think the BIOCO Way was useful in helping the IT department align its goals with that of the company? Why
or why not?
3. Do you think that the BIOCO approach could be implemented successfully in large companies? Why or why not? If so,
what, if any, adjustments need to be made?
4. BIOCO recently was sold and now has a new CEO. Do you think the BIOCO Way will be as successful under the new
CEO? Why or why not?
Sources: Q. Hu and C. D. Huang , “ Using the Balanced Scorecard to Achieve Sustained IT‐Business Alignment: A Case Study ,” Communications of the Association for Information Systems 17 , no. 1 ( 2006 ) ; Organized Change Consultancy, ”Examples of Companies Using the Balanced Scorecard” (2010), https://www.organizedchange.com/examplesofcompaniesusingthebalancedscorecard.htm (accessed May 30, 2015).
■ CASE STUDY 8‐2 Balanced Scorecards at BIOCO
c08.indd 190 11/26/2015 6:28:03 PM
191
9 chapter
1 http://www.intel.com/content/dam/www/public/us/en/documents/reports/2012‐2013‐intel‐it‐performance‐report.pdf (accessed
September 1, 2015). 2 http://www.intel.com/content/www/us/en/it‐management/intel‐it‐best‐practices/intel‐it‐annual‐performance‐report‐2014‐15‐
paper.html (accessed September 1, 2015).
Governance structures defi ne the way decisions are made in an organization. This chapter explores four models of governance based on the location of decision making in organiza- tion structure (centralized, decentralized, and federal), decision rights, digital ecosystems, and control, considering frameworks from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and related Tech- nology (COBIT), and Information Technology Infrastructure Library (ITIL). Examples and strat- egies for implementation are discussed.
Governance of the Information Systems Organization
Intel ’ s information technology (IT) performance reports for 2013 1 and 2015 2 boast about how the
company increased its storage capacity from 25 petabytes in 2010 to 106 petabytes in 2014, and over
the same interval raised the number of handheld devices from 19,400 to 53,700. Intel also exploited
other highly visible opportunities of using predictive data analytics. It reduced the amount of time
required to detect data threats from two weeks in 2013 to 20 minutes in 2014. Finally, Intel enjoyed
a revenue increase of $351 million from advanced analytics in the areas of sales leads, supply,
demand, and pricing.
An outsider might assume that Intel stepped up spending and IT investments to accomplish these
goals. However, it actually reduced the number of data centers from 91 in 2010 to 61 in 2014 and reduced IT spending from 2.64% to 2.30% of revenue during that same fi ve‐year interval.
How did Intel accomplish these and other laudable goals? Its approach was the result of 23 years
of evolution of its strategy that began by creating a centralized IT organization in 1992 with control
resting in IT. Intel has come a long way from its original governance structure, which was centered
on mainframes and wide‐area networks. Later, in 2003, Intel initiated its “Protect Era” in response
to two events: the then‐new Sarbanes–Oxley legislation and a virus that had infected Intel ’ s internal
networks through an employee ’ s home‐based network connection. The company ’ s “Protect Era”
was led by IT and locked down resources to such an extent that employees had to devise risky policy
workarounds to be able to complete some of their tasks. Data could be used only within a particular
functional area, not shared among areas.
Intel ’ s current “Protect to Enable Era” in information governance began in 2009 after man-
agers found that its overly restrictive policies on bring your own device (BYOD) had frustrated its
employees who saw those policies as both expensive and detrimental to innovation over the long
run. This led Intel to discover that consumerization is a powerful force. That six‐syllable mouthful describes the increasingly powerful tools available in the consumer space that can impact the corpo-
rate space. Mobility has been the major breakthrough in consumerization, and the increasing use of
c09.indd 191 11/26/2015 7:33:25 PM
192 Governance of the Information Systems Organization
smartphones, tablets, and smaller/more powerful laptops coupled with Web‐based applications that offer everything
from free business productivity tools, such as Google Docs to sharing applications like YouTube and SlideShare
and to social tools such as Twitter and LinkedIn, have created a new IT environment.
Intel found that cloud services, desktop applications, social networking, mobile devices, and the management
policies surrounding them had changed the business of IT. BYOD forced IT leaders at Intel and many other firms to
re‐evaluate how IT services are offered. Intel’s traditional command and control mentality—with IT leaders making
all technology decisions—no longer could work. The consumerization of technology changed Intel’s management
approach3 from “How do we stop it?” to “How do we work with this?”
Intel’s governance structure also resulted in a lost opportunity to exploit data and analytics (described in
Chapter 13). Because information was restricted to the particular department in which it was generated, Intel could
not explore connections between manufacturing decisions and consumer reactions or between social media trends
and product design decisions. A new approach to governance was clearly needed, and Protect to Enable has ad-
dressed those needs.
More recently, Intel has extended the governance framework’s reach by its new six‐pronged focus on social net-
working, mobile devices, analytics, cloud technologies, Internet of Things, and security. Intel reports that it has now
moved to the top of a three‐tiered pyramid of IT leadership of (1) developing programs and delivering services, (2)
contributing business value, and (3) transforming the company.
How does a governance framework provide these benefits? Intel now uses information governance boards that
include representatives from a variety of its functions, including marketing, manufacturing, product design, human
resources (HR), legal, business development, internal audit, and IT. Sharing the governance with business units is
one of five key success factors, according to an analysis of the Intel case.4 Intel reports that they have moved beyond
categorizing challenges as IT problems or business problems. They assert that only integrated solutions work to
“disrupt instead of being disrupted.”5
Although each information systems (IS) organization is unique in many ways, all have elements in common. The
focus of this chapter is to introduce managers to issues related to the way decisions about IT are made in the organi-
zation. These issues should reflect the typical activities of an IS organization that were discussed in Chapter 8. The
current chapter examines governance of the IS organization as it relates to decisions about IT issues.
IT Governance Expectations (or more specifically, what managers should and should not expect from the IS organization) are at
the heart of IT governance. Governance in the context of business enterprises is all about making decisions that define expectations, grant authority, or ensure performance. In other words, governance is about aligning behavior
with business goals through empowerment and monitoring. Empowerment comes from granting the right to make
decisions, and monitoring comes from evaluating performance. As noted in Chapter 3, a decision right is an impor-
tant organizational design variable because it indicates who in the organization has the responsibility to initiate,
supply information for, approve, implement, and control various types of decisions.
Four perspectives of IT governance are described here. The first, a traditional perspective of IT governance,
focuses on how decision rights can be distributed to facilitate centralized, decentralized, or hybrid modes of
decision making. In this view of governance, the organization structure plays a major role. The second focuses on
the interaction between accountability and allocation of decision rights to executives, business unit leaders, or IT
leaders. The third focuses on an “ecosystem” that reflects the significant impacts of the large variety of resources
available from individuals, organizational units, and outside service providers. The final perspective, control struc-
tures developed in response to important legislation, also provides governance guidelines to firms.
3 Paul P. Tallon, James E. Short, and Malcolm Harkins, “The Evolution of Information Governance at Intel,” MIS Quarterly Executive 12, no. 4 (2013), 189–98. 4 Ibid. 5 http://www.intel.com/content/www/us/en/it‐management/intel‐it‐best‐practices/intel‐it‐annual‐performance‐report‐2014‐15‐paper.html, 20 (accessed
September 3, 2015).
c09.indd 192 11/26/2015 7:33:25 PM
193IT Governance
Centralized versus Decentralized Organizational Structures
Companies’ organizational strategies exist along a continuum from centralization to decentralization. At one end
of the continuum, centralized IS organizations bring together all staff, hardware, software, data, and processing into a single location. Decentralized IS organizations scatter these components across different locations to address local business needs. These two approaches do not refer to IT architectures but to decision‐making frame-
works. A combination, or hybrid, of the two is called federalism, found in the middle (see Figure 9.1). Enterprises of all shapes and sizes can be found at any point along the continuum. Over time, however, each enterprise may
gravitate toward one end of the continuum or the other, and often reorganization is in reality a change toward one
end to the other.
Centralization and decentralization trends have evolved through the five eras of information usage (see
Chapter 2, Figure 2.1). In the 1960s, mainframes dictated a centralized approach to IS because the mainframe
resided in one physical location. Centralized decision making, purchasing, maintenance, and staff kept these early
computing behemoths running. The 1970s remained centralized due in part to the constraints of mainframe com-
puting, although minicomputers planted early seeds for decentralizing. In the 1980s the advent of the personal
computer (PC), which allowed computing power to spread beyond the raised‐floor, super‐cooled rooms of main-
frames, provided further fuel for decentralization. Users especially liked the shift to decentralization because it put
them more in control and increased their agility. However, the pressures for secure networks and massive corpo-
rate databases in the 1990s shifted some organizations back to a more centralized approach. Yet, the increasingly
global nature of many businesses makes complete centralization impossible. The most recent global survey found
that 70.6% of the participating organizations were centralized in terms of IT, 13.5% were decentralized, and 12.7%
were federated.6 Although the high percentage of centralized companies in the sample may seem surprising, the
study suggested that with the increasing appreciation for governance found in companies with high levels of gov-
ernance maturity comes the need for control that is made possible in the centralized structure.
The survey also found that two‐thirds of responding enterprises had governance activities for enterprise IT
(GEIT). These companies indicated that the main driver for GEIT activities is to ensure that IT functionality aligns
with business needs, and, like Intel’s findings, the most commonly experienced outcomes were improvements in
management of IT‐related risk and communication and relationships between business and IT. Good governance
therefore can increase the transparency of IT supply and demand and help in assigning priorities for IT projects
and services.
What are the most important considerations in deciding how much to centralize or decentralize? Figure 9.2
shows some advantages and disadvantages of each approach.
Consider two competing parcel delivery companies, UPS and FedEx, in the year that they both reported
spending about $1 billion on IT. UPS’s IT strategy focused on delivering efficiencies to meet the business demands
of consistency and reliability. UPS’s centralized, standardized IT environment supported dependable customer
service at a relatively low price. In contrast, FedEx chose a decentralized IT strategy that allowed it to focus on
flexibility in meeting business demands generated from targeting various customer segments. The higher costs of
the decentralized approach to IT management were offset by the benefits of localized innovation and customer
responsiveness.7
Decentralization Federalism Centralization
FIGURE 9.1 Organizational continuum.
6 IT Governance Institute, “Global Status Report on the Governance of Enterprise IT (GEIT)” (2011), 49, http://www.isaca.org/Knowledge‐Center/
Research/Documents/Global‐Status‐Report‐GEIT‐10Jan2011‐Research.pdf (accessed February 27, 2011). 7 J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review (November 2002), 1–8.
c09.indd 193 11/26/2015 7:33:26 PM
194 Governance of the Information Systems Organization
FIGURE 9.2 Advantages and disadvantages of organizational approaches.
Approach Advantages Disadvantages Companies Adopting
Centralized • Global standards; common data • “One voice” for negotiating
supplier contracts • Greater leverage in deploying
strategic IT initiatives • Economies of scale and a shared
cost structure • Access to large capacity • Improved recruitment and
training of IT professionals • Improved control of security and
databases • Consistent with centralized
enterprise structure
• Technology may not meet local needs
• Slow support for strategic initiatives
• Schism between business and IT organization
• “Us versus them” mentality when technology problems occur
• Lack of business unit control over overhead costs
Zara, UPSa
Decentralized • Technology customized to local business needs
• Close partnership between IT and business units
• Greater flexibility • Reduced telecommunication
costs • Consistency with decentralized
enterprise structure • Business unit control of overhead
costs
• Difficulty in maintaining global standards and consistent data
• Higher infrastructure costs • Difficulty in negotiating
preferential supplier agreements • Loss of control • Duplication of staff and data
VeriFone, FedExb
a J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review (November 2002), 1–8. b Ibid.
Zara, the global retail and apparel manufacturer introduced in Chapter 2, also used a centralized approach, which
differs from other clothing chains. The head of IS, who was not a CIO, reported directly to the deputy general
manager, who was two levels below the CEO.8 This way of structuring the IS department was consistent with the
organization’s predominantly centralized structure. It was also well suited to organizational processing about which
most administrative decisions were made in the headquarters at Lacoruńa, Spain. The users did not require a lot of hand‐holding with regard to the point‐of‐sale (POS) systems in the stores. For these reasons, a centralized approach
was a good fit for Zara. The store managers, however, did retain some decision rights about which products to order.
Thus, Zara was not totally at the centralization end of the continuum. In contrast, Verifone, which we discuss in
Chapter 4, needs a decentralized structure for its globally distributed employees.
Companies adopt a strategy based on lessons learned from earlier years of centralization and decentralization.
Most companies want to achieve the advantages derived from both organizational paradigms. This desire leads
to federalism,9 a structuring approach that distributes power, hardware, software, data, and personnel between a central IS group and IS in business units. Many companies adopt a form of federal IT yet still count themselves
as either decentralized or centralized, depending on their position on the continuum. Organizations such as Home
Depot and the U.S. Department of Veteran Affairs recognize the advantages of a more hybrid approach and actively
seek to benefit from adopting a federal structure. See Figure 9.3 for the interrelationship of these approaches.
Archetypes of Accountability and Decision Rights
Sometimes the centralized/decentralized/federal approaches to governance are not fine‐tuned enough to help
managers deal with the many contingencies facing today’s organizations. This issue is addressed by a framework
8 Andrew McAfee, Vincent Dessain, and Anders Sjman, “Zara: IT for Fast Fashion,” Harvard Business School Case 9‐604‐081 (September 6, 2007). 9 John F. Rockart, Michael J. Earl, and Jeanne W. Ross, “Eight Imperatives for the New IT Organization,” Sloan Management Review (Fall 1996), 52–53.
c09.indd 194 11/26/2015 7:33:26 PM
195IT Governance
Federal IT
Centralized IT Decentralized IT
The federal IT attempts
to capture the benefits of
centralized and decentralized
organizations while eliminating
the drawbacks of each.
• Unresponsive
• No Business
Unit Ownership
of Systems
• No Business
Unit Control of
Central Overhead
Costs
• Doesn't Meet
Every Business
Unit's Needs
• Economies
of Scale
• Control of
Standards
• Critical
Mass of
Skills
• IT Vision and
Leadership
• Groupwide IT
Strategy and
Architecture
• Strategic
control
• Synergy
• Users Control
IT Priorities
• Business
Units Have
Ownership
• Responsive
to Business
Unit's Needs
• Excessive Overall
Costs to Group
• Variable
Standards of IS
Competence
• Reinvention of
Wheels
• No Synergy and
Integration
FIGURE 9.3 Federal IT. Source: Michael J. Earl, “Information Management: The Organizational Dimension,” The Role of the Corporate IT Function in the Federal IT Organization, ed. S. L. Hodgkinson (New York: Oxford University Press, 1996), Figure 12.1. By permission of Oxford University Press, Inc.
10 Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Cambridge, MA: Harvard Business School Press, 2004); Peter Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1 (2004), 1–17. The quote is on page 3. 11 P. Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1 (2004).
developed by Peter Weill and Jeanne Ross. They define IT governance as “specifying the decision rights and accountability framework to encourage desirable behavior in using IT.”10 IT governance is not about what decisions
are actually made but rather about who is making them (i.e., who holds the decision rights) and how the decision
makers are held accountable for them.
It is important to match the manager’s decision rights with his or her accountability for a decision. Figure 9.4
indicates what happens when there is a mismatch. Where the CIO has a high level of decision rights and account-
ability, the firm is likely to be at maturity Level 3 (which was introduced in Chapter 8). Where both the decision
rights and accountability are low, the company is likely to be at Level 1. Mismatches result in either an oversupply
of IT resources or the inability of IT to meet business demand.
Good IT governance provides a structure to make good decisions. It can also limit the negative impact of orga-
nizational politics in IT‐related decisions. IT governance has two major components: (1) assignment of decision‐
making authority and responsibility and (2) decision‐making mechanisms (e.g., steering committees, review boards,
policies). When it comes specifically to IT governance, Weill and his colleagues proposed five generally applicable
categories of IT decisions: IT principles, IT architecture, IT infrastructure strategies, business application needs,
and IT investment and prioritization.11 A description of these decision categories with an example of major IS activ-
ities affected by them is provided in Figure 9.5.
Weill and Ross’s study of 256 enterprises shows that a defining trait of high‐performing companies is the use
of proper decision right allocation patterns for each of the five major categories of IT decisions. They use six
political archetypes with highly descriptive names (business monarchy, IT monarchy, feudal, federal, IT duopoly,
and anarchy) to label the combinations of people who either input information or have decision rights for the key
c09.indd 195 11/26/2015 7:33:26 PM
196 Governance of the Information Systems Organization
FIGURE 9.5 Five major categories of IT decisions. Source: Adapted from P. Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1 (2004), 4, Figure 2.
Category Description Examples of Affected IS Activities
IT principles How to determine IT assets that are needed
Participating in setting strategic direction
IT architecture How to structure IT assets Establishing architecture and standards
IT infrastructure strategies How to build IT assets Managing Internet and network services, data, human resources, mobile computing
Business application needs How to acquire, implement, and maintain IT (insource or outsource)
Developing and maintaining information systems
IT investment and prioritization How much to invest and where to invest in IT assets
Anticipating new technologies
FIGURE 9.4 IS Decision rights accountability gap. Source: Adapted from V. Grover, R. M. Henry, and J. B. Thatcher, “Fix IT‐Business Relationships through Better Decision Rights,” Communications of the ACM 50, no. 12 (December 2007), 82, Figure 1.
Accountability
Low High
Decision Rights High Technocentric gap
• There is danger of overspending on IT, creating an oversupply
• IT assets may not be utilized to meet business demand
• Business group might become frustrated with IT group
Strategic norm (Level 3 balance)
• IT is viewed as competent • IT is viewed as strategic to business
Low Support norm (Level 1 balance)
• It works for organizations where IT is viewed as a support function
• Its focus is on business efficiency
Business gap
• Cost considerations dominate IT decision • IT assets may not utilize internal
competencies to meet business demand • IT group might cause frustration for
business group
IT decisions.12 An archetype is a pattern resulting from allocation of decision rights. Decisions can be made at several levels in the organization: top executives, IT executives, or business unit executives. Figure 9.6 summarizes
the level and function for the allocation of decision rights in each archetype.
For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and
to assign accountability for them. Although there is little variation in the selection of archetypes regarding who
provides information for decision making, there is significant variation across organizations in terms of archetypes
selected for decision right allocation. For instance, the duopoly is used by the largest portion (36%) of organiza-
tions for IT principles decisions whereas the IT monarchy is the most popular for IT architecture and infrastructure
decisions (i.e., 73% and 59%, respectively).13
There is no one best arrangement for the allocation of decision rights. Rather, the most appropriate arrangement
depends on a number of factors, including the type of performance indicator. Some common performance indica-
tors are asset utilization, profit, or growth.
12 Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Cambridge, MA: Harvard Business School Press, 2004). 13 Weill and Ross, IT Governance.
c09.indd 196 11/26/2015 7:33:26 PM
197IT Governance
Emergent Governance—The Digital Ecosystem
New consumer technologies challenge a “top‐down” governance approach for making all decisions in a planned
and methodical manner. The best‐laid plans are often derailed. Intel’s decree to lock down data and strictly control
devices used by employees grew so difficult that it impeded the company’s ability to not only compete but also
to fulfill everyday tasks. Sometimes the best plans aren’t even prescribed far in advance; in some situations, they
simply emerge. For instance, social networking was ignored by many firms in its early days because they failed to
recognize its impact. Most firms now realize that social networking needs not only recognition but also strategic
investments.
There are many freely available and widely used apps, Web sites, social networks, smartphones, and other IT
assets; it would be foolish to try to invent something identical in house, so firms often exploit them. Using a variety
of such assets implies that governance might need to be more flexible and follow patterns of adaptation much like
biological ecosystems, forming an interrelated set of interacting species.14 Just as a species cannot ignore preda-
tors, prey, and complementary species, an information systems department cannot ignore new technologies and
information assets that emerge suddenly and unexpectedly. One interesting definition of digital ecosystem regards those systems as self‐interested, self‐organizing, and autonomous digital entities.15
A simple example can be useful. Before YouTube, firms had to find their own way to provide digital video
content to customers on the Web. Some used animations that were available in special image formats whereas
others had to choose between requiring a download of a video file that they hoped would be playable on a user’s
computer or streaming a file to users who had to also install a particular streaming player that was compatible with
the streaming video. Providing that content widely was not generally considered to be feasible or even desirable.
With YouTube, firms can now simply use a link or even embed the video into their own Web site. Coupling this
FIGURE 9.6 IT governance archetypes. Source: P. Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1 (2004), 5, Figure 3.
Decision rights or inputs rights for a particular IT decision are held by:
CxO Level Execs
Corp. IT and/or Business Unit IT
Business Unit Leaders or Process Owners
Business Monarchy
A group of, or individual, business executives (i.e., CxOs). Includes committees comprised of senior business executives (may include CIO). Excludes IT executives acting independently.
✓
IT monarchy Individuals or groups of IT executives. ✓ Feudal Business unit leaders, key process owners or their
delegates. ✓
Federal C level executives and at least one other business group (e.g., CxO and BU leaders)—IT executives may be an additional participant. Equivalent to a country and its states working together.
✓
✓
✓
✓ ✓
IT duopoly IT executives and one other group (e.g., CxO or BU leaders).
✓ ✓ ✓ ✓
Anarchy Each individual user.
14 Maja Hadzic and Elizabeth Chang, “Application of Digital Ecosystem Design Methodology within the Health Domain,” IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans 40, no. 4 (2010): 779–88. 15 Rahnuma Kazi and Ralph Deters, “Mobile Event‐Oriented Digital Ecosystem,” Digital Ecosystems Technologies (DEST), 2012 6th IEEE International Conference (2012).
c09.indd 197 11/26/2015 7:33:27 PM
198 Governance of the Information Systems Organization
new simplicity with an ability to display a map from Google Maps forms new and very useful interdependencies
between these digital assets.
In recent years, mobile computing, GPS, and social media have indeed presented new, unexpected challenges
and opportunities as described earlier. However, other technological developments have also provided digital eco-
system opportunities, such as cloud computing, the Internet of Things (IoT), radio frequency ID (RFID), and smart
cards. Interconnecting firms with each other allows connectivity in new, unpredictable, and very helpful ways.
A good example in the health care arena is an electronic medical record (EMR).16 An EMR is filled with a variety
of information about a patient (for instance, patient demographics, appointments, medications, medical history,
billing records). Not only can a doctor’s computer pick out the relevant information about a patient to use but also
a pharmacy can identify potential drug interactions and a laboratory can be informed of certain medical conditions
when processing a specimen. In addition, both the pharmacy process and the insurance company can bill for the
medication and the appointment.
Some or all of these functions could have been in the original plans for EMRs, but others might occur to enter-
prising designers along the way. For instance, a bank that is administering the patient’s flexible spending account
can be provided medical billing information for properly disbursing funds. Also, a tax authority might be provided
billing information from the EMR to verify deductible expenses. Each party would be privy only to the relevant
information for it, and the rest would be kept confidential.
A smartphone provides another example of how a digital ecosystem can form between applications, firms, and
digital entities. Even just the junction of identity, date, location, preference, and relationship information can pro-
vide real‐time driving directions, invitations to nearby events, alerts about nearby friends, personalized advertising,
and chatter on social network alerts. Many of these uses were not even imagined 15 years ago, and it is hard to
imagine the possible new connections and uses that will occur in another 15 years. For instance, new ecosystem
connections will be made possible when the IoT places more technology into automobiles. A self‐driving car could
actually react independently to an urgent situation with a family member and safely make a split‐second decision to
change course before all of the information is fully comprehended by the occupant (formerly called the “driver”).
Individual devices and applications that are difficult to imagine today might be combined in new ways on the road,
in the home, and at the office.
Strong governance implications emerge from ecosystems. The symbiotic multifirm and adaptive situations
cannot be completely planned or orchestrated by a single entity. Much of the decision making exists outside the
firm, and, therefore, complete plans no longer can be made in a single boardroom. Along with the good news of
synergies between with and among various “apps” and devices, there is the potential danger of changes to the
information passed between them or even the complete failure of an outside entity. Imagine what hotels would
need to do if Google Maps would disappear altogether. Further, what would need to be done with location‐based
ads if predictions come true that one or more of the GPS satellites would fail17 and are also vulnerable to attack?18
Fortunately, most ecosystems have adopted stringent standards for data exchange, and the most useful ones are
quite successful. The likelihood of a permanent failure of Google Maps is quite remote for the foreseeable future.
Even if Google were to divest the app, a new firm would likely be able to maintain the tightly specified connec-
tions. IT governance is perhaps most vulnerable to an inability to imagine strategic potential from new devices,
applications, and connections. A firm should explore whether plans can be changed in mid‐year. Can competitors
become allies? Can business processes be changed quickly? Can new capabilities that might be contrary to previous
activities or directions be enabled? Firms in the future will probably need to answer all of these questions in the
affirmative for their ultimate survival.
To summarize the three governance frameworks, see Figure 9.7 for the main concept and potential best practice
of each framework.
16 Hadzic and Chang, “Application of Digital Ecosystem Design Methodology within the Health Domain.” 17 “GPS System Close to Breakdown,” http://www.theguardian.com/technology/2009/may/19/gps‐close‐to‐breakdown (accessed September 4, 2015). 18 “Global Positioning System Is a Single Point of Failure,” http://www.afcea.org/content/?q=global‐positioning‐system%E2%80%A8‐single‐point‐
failure (accessed September 4, 2015).
c09.indd 198 11/26/2015 7:33:27 PM
199Decision‐Making Mechanisms
Decision‐Making Mechanisms Many different types of mechanisms can be created to ensure good IT governance. Policies are useful for defining
the process of making a decision under certain situations. However, when the environment is complex, policies are
often too rigid. In a recent worldwide study of IT governance, almost 60% of the respondents relied on policies
and standards for governance, making it the most popular mechanism for governance.19 A second method, a review board, or committee that is formally designated to approve, monitor, and review specific topics, can be an effective governance mechanism. For example, Twila Day, CIO of Sysco, established an architecture review board to look
at new technologies and processes.20
A third mechanism that is used very frequently for IT decisions is the IT steering committee, also called an IT governance council. Such a committee is composed of key stakeholders or experts who provide guidance on important IT issues. Steering committees work especially well with the federal archetype, which calls for joint
participation of IT and business leaders in the decision‐making process. Steering committees can be geared toward
different levels of decision making. The highest level of steering committees report to the board of directors or the
CEO and are often composed of top‐level executives and the CIO. At this level, the steering committee provides
strategic direction and funding authority for major IT projects and ensures that adequate resources be allocated to
the IS organization for achieving strategic goals.
Committees with lower‐level players typically are involved with allocating scarce resources effectively and effi-
ciently. Lower‐level steering committees provide a forum for business leaders to present their IT needs and to offer
input and direction about the support they receive from IT operations.
Either level may have working groups to help increase the steering committee’s effectiveness and to measure
the performance of the IS organization. The assessment of performance differs for each group. For example, the
lower‐level committee likely would include more details and would focus on the progress of the various projects
and adherence to the budget. The higher‐level committee would focus on the performance of the CIO and the ability
of the IS organization to contribute to the company’s achievement of its strategic goals.
Although an organization may have both levels of steering committees, it is more likely to have one or the other.
If the IS organization is viewed as being critical for the organization to achieve its strategic goals, the firm’s C‐level
executives are likely to be on the committee. Otherwise, the steering committee tends to be larger so that it can
have widespread representation from the various business units. In this case, the steering committee is an excellent
mechanism for helping the business units realize the competing benefits of proposed IT projects and develop an
approach for allocating among the project requests.
FIGURE 9.7 Three governance frameworks.
Governance Framework Main Concept Possible Best Practice
Centralization‐Decentralization Decisions can be made by a central authority or by autonomous individuals or groups in an organization.
Use a hybrid, federal approach.
Decision archetypes Patterns based upon allocating decision rights and accountability are specified.
Tailor the archetype to the situation.
Digital ecosystems Members of the ecosystem contribute their strengths, giving the whole ecosystem a complete set of capabilities that can impact decision making and operations.
Build flexibility and adaptability into governance.
19 IT Governance Institute, “Global Status Report on the Governance of Enterprise IT (GEIT)” (2011), 49, http://www.isaca.org/Knowledge‐Center/
Research/Documents/Global‐Status‐Report‐GEIT‐10Jan2011‐Research.pdf (accessed February 27, 2011). 20 Martha Heller, “How to Make Time for Strategy,” CIO.com (April 22, 2010), http://www.cio.com/article/591719/How_to_Make_Time_for_Strategy (accessed January 16, 2012).
c09.indd 199 11/26/2015 7:33:27 PM
200 Governance of the Information Systems Organization
For example, when Hilton Worldwide’s CIO started working on a project to create a new loyalty program,
he and the business sponsor of the project convened a lower‐level steering committee made up of people from
IT, marketing, HR, finance, and other departments. They discussed change management and business issues that
arose as they designed the system to be used in 85 countries in over ten brands in the Hilton portfolio. The project
went very smoothly. But earlier, another project to outsource the hotel help desk had not gone as well. The CIO
learned from both experiences that there is no such thing as too much communication and created weekly steering
committee meetings for each project. The CIO is quoted as saying, “E‐mail is great for scheduling meetings, but
it’s the steering committees where we are working through really difficult issues together, and making promises and
keeping promises, where the foundations of trust are established.”21
Governance Frameworks for Control Decisions The framework described previously focuses on which department is responsible for decisions. More recently, gov-
ernance frameworks have been employed specifically to define responsibility for control decisions. They are being
implemented to help ward off future accounting fiascos. These frameworks focus on processes and risks associated
with them.
Sarbanes–Oxley Act of 2002
In response to rogue accounting activity by major global corporations such as Enron and WorldCom and their
accounting firms, such as Arthur Andersen, the Sarbanes–Oxley Act (SoX) was enacted in the United States in 2002 to increase regulatory visibility and accountability of public companies and their financial health. The
U.S. government wanted to assure the investing public that they could rely on financial markets to deliver valid
performance data and accurate stock valuation. All corporations that fall under the jurisdiction of the U.S. Securities
and Exchange Commission are subject to SoX requirements. This includes not only U.S. and foreign companies
that are traded on U.S. exchanges but also those entities that make up a significant part of a U.S. company’s finan-
cial reporting. Within five years of SoX’s passage, 15,000 U.S. companies, 1,200 non‐U.S.‐based companies. and
over 1,400 accounting firms in 76 countries have been affected by SoX.22
According to SoX, CFOs and CEOs must personally certify and be accountable for their firms’ financial records
and accounting (Section 302), auditors must certify the underlying controls and processes that are used to compile
the financial results of a company (Section 404), and companies must provide real‐time disclosures of any events
that may affect their stock price or financial performance within a 48‐hour period (Section 409). Penalties for fail-
ing to comply range from monetary fines to a 20‐year jail term.
A comprehensive Public Company Accounting Oversight Board (PCAOB) review of 2,800 engagements of the
largest audit firms found hundreds of cases involving audit failures, suggesting that improvements could be made in
audit firm performance as well as the PCAOB’s process for assessing and reporting on engagements. However, the
review reported that SoX has been successful in increasing corporate focus on a strong ethical culture in publicly
owned companies.23
Although SoX was not originally aimed at IT departments, it soon became clear that IT played a major role in
raising the accuracy of financial data. Consequently, in 2004 and 2005, there was a flurry of activity as IT managers
21 Adapted from “Candid Talk Trumps the Blame Game,” CIO.com (November 2011), http://www.cio.com/article/693018/Candid_Talk_Trumps_the_
Blame_Game (accessed September 4, 2015); “How CIOs Build Bridges with Other C‐Level Execs,” CIO.com (November 2011), http://www.cio.com/
article/2402725/relationship‐building‐networking/how‐cios‐build‐bridges‐with‐other‐c‐level‐execs.html (accessed September 4, 2015). 22 These figures were derived from the Public Company Accounting Oversight Board (PCAOB) as reported in Ashley Braganza and Arnoud Franken,
“SoX, Compliance, and Power Relationships,” Communications of the ACM 50, no. 9 (September 2007), 97–102. 23 Curtis Vershoor, “Has SoX Been Successful,” September 5, 2012, http://www.accountingweb.com/article/has‐sox‐been‐successful/219796 (accessed
March 27, 2015).
c09.indd 200 11/26/2015 7:33:27 PM
201Governance Frameworks for Control Decisions
identified controls, determined design effectiveness, and validated operational controls through testing. Five IT
control weaknesses repeatedly were uncovered by auditors:24
1. Failure to segregate duties within applications, set up new accounts, and terminate old ones in a timely manner.
2. Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it.
3. Inadequate review of audit logs to ensure that systems are running smoothly and that there is an audit of the audit log.
4. Failure to identify abnormal transactions in a timely manner.
5. Lack of understanding of key system configurations.
Although SoX’s focus is on financial controls, many auditors encouraged (forced) IT managers to extend their
focus to organizational controls and risks in business processes. This means that IT managers must assess the level
of controls needed to mitigate potential risks in organizational business processes. As companies move beyond
SoX certification into maintaining compliance, IT managers must be involved in ongoing and consistent risk
identification, actively recognize and monitor changes to the IS organization and environment that may affect SoX
compliance, and continuously improve IS process maturity. It is likely that managers will turn to software to auto-
mate many of the needed controls.
Frameworks for Implementing SoX
COSO
The Enron and WorldCom major financial scandals were not the first. In the wake of financial scandals in the
mid‐1980s, the Treadway Commission (or National Commission on Fraudulent Financial Reporting) was created.
Its head, James Treadway, had previously served as commissioner of the SEC. The members of the Treadway
Commission came from five highly esteemed accounting organizations: Financial Executives International (FEI),
American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Institute
of Internal Auditors (IIA), and Institute of Management Accountants (IMA). These organizations became known as
the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The commission created three control objectives for management and auditors that focused on addressing risks to internal control. These control
objectives deal with:
• Operations: To help the company maintain and improve its operating effectiveness and protect the assets of shareholders
• Compliance: To ensure that the company is in compliance with relevant laws and regulations
• Financial reporting: To ensure that the company’s financial statements are produced in accordance with generally accepted accounting principles (GAAP). SoX is focused on this control objective.
To make sure a company meets its control objectives, COSO established five essential control components for
managers and auditors: (1) create a control environment that addresses the overall culture of the company; (2) assess
the most critical risks to internal controls; (3) create control structures that outline important processes and guide-
lines; (4) provide clear information about employees’ responsibilities and procedures to be followed; and (5) mon-
itor internal controls. The Sarbanes–Oxley Act requires public companies to define their control framework and
specifically recommends COSO as that business framework for general accounting controls. It is not IT specific.
24 Ben Worthen, “The Top Five IT Control Weaknesses” (July 1, 2005), http://www.cio.com/article/2448687/project‐management/the‐top‐five‐it‐ control‐
weaknesses.html (accessed September 4, 2015).
c09.indd 201 11/26/2015 7:33:27 PM
202 Governance of the Information Systems Organization
COBIT
Control Objectives for Information and Related Technology (COBIT) COBIT (Control Objectives for Information and Related Technology) is an IT governance framework that is consistent with COSO controls, and also a governance tool to ensure that IT provides the systematic rigor needed for the strong internal controls and
Sarbanes–Oxley compliance. It provides a framework for linking IT processes, IT resources, and IT information to
a company’s strategies and objectives. As a governance framework, it provides guidelines about who in the organi-
zation should make decisions about IT processes, resources, and information.
Information Systems Audit & Control Association (ISACA) issued COBIT in 1996. COBIT consists of several
overlapping sets of guidance with multiple components, which almost form a cascade of process goals, metrics,
and practices. At the highest level, key areas of risks are defined in four major domains: planning and organization,
acquisition and implementation, delivery and support, and monitoring and evaluating. When implementing a COBIT
framework, a company determines the processes that are the most susceptible to the risks that it judiciously chooses to
manage. There are far too many risks for a company to try to manage all of them.
Once the company identifies processes that it is going to manage, it sets up a control objective and then more
specific key goal indicators. As with any control system, metrics called key performance indicators (KPIs) need to be established to enable measurement of progress in meeting the goals. Then activities to achieve the KPIs are
selected. These activities, or critical success factors, are the steps that need to be followed to successfully provide controls for a selected process. When a company wants to compare itself with other organizations, it uses a well‐
defined maturity model. The components of COBIT and examples of each component are provided in Figure 9.8.
One advantage of COBIT is that it is well suited to organizations focused on risk management and mitigation.
Another advantage is that it is very detailed. However, this high level of detail unfortunately can serve as a dis-
advantage in the sense that it makes COBIT very costly and time consuming to implement. Yet, despite the costs,
companies are starting to realize benefits from its implementation. As a governance framework, it designates clear
ownership and responsibility for key organizational processes in such a way that is understood by all organizational
FIGURE 9.8 Components of COBIT and their examples. Source: Adapted from Hugh Taylor, The Joy of SoX (Indianapolis, IN: Wiley, 2006).
Component Description Example
Domain One of four major areas of risk: plan and organize (PO), acquire and implement (AI), deliver and support (DS), and monitor and evaluate (ME); each domain consists of multiple processes
Deliver and support (or DS)
Control objective Focus on control of a process associated with risk; can be 34 processes
DS (deliver and support) objective #11—Manage data: ensures delivery of complete, accurate, and valid data to the business
Key goal indicator
Specific measures of the extent to which the goals of the system have been met in regard to a control objective
A measured reduction in the data preparation process and tasks
Key performance indicator
Actual, highly specific measures for measuring accomplishment of a goal
Percent of data input errors (Note: percentage should decrease over specified periods of time)
Critical success factor
Description of the steps that a company must take to accomplish a control objective; can be 318 critical success factors
Data entry requirements clearly stated, enforced, and supported by automated techniques at all levels, including database and file interfaces
Maturity model A uniquely defined six‐point ranking of a company’s readiness for each control objective made in comparison with other companies in the industry
Level 0: Data not recognized as corporate resources and assets; no assigned data ownership or individual accountability for data integrity and reliability; data quality and security poor or nonexistent
c09.indd 202 11/26/2015 7:33:27 PM
203Governance Frameworks for Control Decisions
stakeholders. Consistent with the Information Systems Strategy Triangle discussed in Chapter 1, COBIT provides
a formal framework for aligning IS strategy with the business strategy. It does so by using a governance framework
and focusing on risks of internal control and associated processes to recognize who is responsible for important
control decisions. Finally, COBIT makes possible the fulfillment of the COSO requirements for the IT control envi-
ronment that is encouraged by the Sarbanes–Oxley Act.
Other Control Frameworks
Although COBIT is the most common set of IT control guidelines for SoX, it is by no means the only control frame-
work. Others include those provided by the International Standards Organization (ISO), as well as the Information Technology Infrastructure Library (ITIL). A set of concepts and techniques for managing information tech- nology infrastructure, development, and operations, ITIL was developed in the United Kingdom. It is a widely
recognized framework for IT service management and operations management that has been adopted around the
globe. ITIL 2011 has five distinct volumes: service strategy; service design; service transition; service operation;
and continual service improvement.
IS and the Implementation of Sarbanes–Oxley Act Compliance
Because of the level of detail, the involvement of the IS department and the CIO in implementing SoX—most nota-
bly Section 404, which deals with management’s assessment of internal controls—is considerable. Although the IS
department typically plays a major role in SoX compliance, it often lacks formal authority. Thus, the CIO needs to
tread carefully when working with auditors, the CFO, the CEO, and business leaders. Braganza and Franken pro-
vide six tactics that CIOs can use in working effectively in these relationships. These strategies include knowledge
building, knowledge deployment, innovation directive, mobilization, standardization, and subsidy. Figure 9.9 pro-
vides a definition for each of these tactics, along with examples of activities to enact them.
FIGURE 9.9 CIO tactics for implementing SoX compliance.
Tactic Definition Examples of Activities
Knowledge building
Establish a knowledge base to implement SoX
Acquire technical knowledge about SoX and Section 404
Knowledge deployment
Disseminate knowledge about SoX and develop an understanding of this knowledge by management and other organizational members
Move IT staff with knowledge of 404 to parts of the organization that are less knowledgeable; create a central repository of 404 knowledge; absorb 404 requirements from external bodies; conduct training programs to spread an understanding of SoX
Innovation directive
Organize for implementing SoX and announce the approach
Issue instructions that encourage the adoption of 404 compliance practices; publish reports of each unit’s progress toward implementation; deploy drivers for implementation; direct implementation from top down and/or bottom up
Mobilization Persuade decentralized players and subsidiaries to participate in SoX implementation
Create a positive impression of SoX (and 404) implementation; conduct promotional and awareness campaigns
Standardization Negotiate agreements between organizational members to facilitate the SoX implementation
Use mandatory controls, often embedded within the technology; indicate formal levels of compliance required; establish firmwide standards of control; create an overarching corporate compliance architecture
Subsidy Fund the implementers’ costs during the SoX implementation and the users’ costs during its deployment and use
Centralize template development; develop Web‐based resources; train IT staff for implementing 404; fund short‐term skill gaps; track implementation; target funds during implementation for specific IT‐related 404 goals
Source: Adapted from Ashley Braganza and Arnoud Franken, “SoX, Compliance, and Power Relationships,” Communications of the ACM 50, no. 9 (September 2007), 97–102.
c09.indd 203 11/26/2015 7:33:27 PM
204 Governance of the Information Systems Organization
The extent to which a CIO could use these various tactics depends on the power that he or she holds relating to
the SoX implementation. Those few CIOs who are given carte blanche by their CEOs to implement SoX compli-
ance can employ compelling activities, such as subsidy, standardization, and innovation directives. Those CIOs can
establish standards and enforce their compliance, creating an overarching corporate compliance architecture. They
can direct the SoX implementation from top down and put Section 404 implementation drivers in place. If, on the
other hand, the CEO does not vest the CIO with the considerable power to employ such tactics, the CIO may need
to take more of a persuasive stance and focus on training programs and building an electronic knowledge database
of SoX documents. In this case, it is especially important to sell the CIO and CFO on the importance of complying
with prescribed procedures and methods. In either situation, the CIO needs to acquire and manage the considerable
IT resources to make SoX compliance a reality.
These new guidelines sound reasonable enough, but they are much more stringent than the previous set of
guidelines they replaced. Instagram deleted not only thousands of accounts, which mostly involved spam and fake
id entities, but also others that the company deemed inappropriate. According to some sources, the crowd was not
happy. A mass campaign to stop following Instagram ’ s own offi cial Instagram account followed, and that account
lost 30% of its followers. Does the crowd govern the content or the company?
Social Business Lens: Governing the Content
Since the beginning of social applications like Facebook, Twitter , and Instagram , there has been a debate about
who gets to decide on what ’ s allowed to be posted. Should the users decide? Should the application company
decide? This debate still rages today.
One perspective is that the users own and manage their content. Aside from the legal issues, which are dis-
cussed in Chapter 13 of this text, users have control over what they post and what they block from their pages on
most social media. Most social networks have controls that allow users to block others from posting on their page,
but it ’ s not the default in most cases. For example, when a user tags another Facebook user in a post or photo, the
content then also shows up on the tagged person ’ s timeline. Even though a control can be set to minimize this,
some have found it troublesome that items can be placed in their timeline in this manner. Most users feel that they
should have control of their content on their social media page.
Now ratchet this up to the group level. Should the “crowd” decide what is appropriate to put on a social media
site or should the company decide? The crowd has a say in some manner; members of the community can vote
or “like” a post and in some cases, content with the most votes rises to the top for others to see.
But the social media company also has a say in what content is appropriate. Again, aside from content that
crosses legal boundaries, which of course vary country by country, some companies have taken a stronger stance.
For example, Instagram removed a number of users from its Web site for not following instructions. Its Web site
plainly stated two new policies:
We want Instagram to continue to be an authentic and safe place for inspiration and expression. Help us foster this
community. Post only your own photos and videos and always follow the law. Respect everyone on Instagram, don ’ t
spam people or post nudity. *
We want . . . to maintain the best possible experience on Instagram , so spam, fake accounts and other people and posts
that don ’ t follow our Community Guidelines may be removed from Instagram . †
* From Instagram ’ s Community Guidelines, https://help.instagram.com/477434105621119/ (accessed May 22, 2015). † From Instagram ’ s Help Center, https://help.instagram.com/309501049246773 (accessed May 22, 2015).
Sources: “Chaos Ensues As Instagram Deletes Millions of Accounts,” http://www.businessinsider.com/chaos‐ensues‐as‐instagram‐deletes‐ millions‐of‐accounts‐2014‐12#ixzz3MJXUmhlm (accessed September 4, 2015); and Instagram company website, www.instagram.com; “Instagram Users Report Mass Deletion of Profiles for ‘ violating ’ Terms of Service,” http://tech.firstpost.com/news‐analysis/instagram‐ users‐report‐mass‐deletion‐of‐profiles‐for‐violating‐terms‐of‐service‐86660.html (accessed September 4, 2015); “Instagram Deletes Millions of Accounts in Spam Purge,” http://www.bbc.com/news/technology‐30548463 (accessed September 4, 2015).
c09.indd 204 11/26/2015 7:33:27 PM
205
S U M M A R Y
• Alternative approaches to governance of information systems organization are possible. One approach is based on where IS decisions are made in the organization ’ s structure. Centralized IS organizations place IT staff, hardware, software,
and data in one location to promote control and effi ciency. At the other end of the continuum, decentralized IS organiza-
tions with distributed resources can best meet the needs of local users. Federalism in IS organizations is in the middle of
the centralization/decentralization continuum.
• A second governance approach involves decision rights. In this approach, IT governance specifi es how to allocate decision rights in such a way as to encourage desirable behavior in the use of IT. The allocation of decision rights can be broken
down into six archetypes (business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy). High‐performing
companies use the proper decision rights allocation patterns for each of the fi ve major categories of IT decisions.
• A third governance approach recognizes the power of combining complementary technologies in ways that were not predicted or controlled by an organization. This so‐called digital ecosystem represents formal recognition of a fi rm ’ s
healthy adaptation and synergistic adoption to new hardware, applications, and connections with customers, employees,
and other fi rms. Much of this has been driven by consumerization of technology.
• A fourth governance approach is based on controls. The Sarbanes–Oxley Act (2002) was enacted to improve organiza- tions ’ internal controls. COBIT is an IT governance framework based on control that can be used to promote IT‐related
internal controls and Sarbanes–Oxley compliance.
K E Y T E R M S
archetype (p. 196)
centralized IS organizations (p. 193)
COBIT (Control Objectives for
Information and Related
Technology) (p. 202)
Consumerization (p. 191)
decentralized IS organizations (p. 193)
digital ecosystem (p. 197)
federalism (p. 194)
governance (p. 192)
Information Technology Infrastructure
Library ( ITIL ) (p. 203)
IT governance (p. 195)
review board (p. 199)
Sarbanes–Oxley Act ( SoX ) (p. 200)
steering committee (p. 199)
D I S C U S S I O N Q U E S T I O N S
1. The debate about centralization and decentralization is heating up again with the advent of BYOD and the increasing use of the Web. Why does the Internet make this debate topical?
2. Why is the discussion of decision rights among managers in a firm important?
3. Why can an IT governance archetype be good for one type of IS decision but not for another?
University of the Southeast 25 was (and still is) one of the largest universities in the United States. It had been growing rap-
idly; that growth was spurred, in part, by information technology. The university embraced lecture capture technologies that
allowed lectures to be streamed to students in a classroom, in dorm rooms, on the grass near the main campus central foun-
tain, and at a variety of other places of the students ’ choosing whenever they chose to watch. This made it possible to have
sections of classes with over 1,000 students without having to build physical classrooms with enough seats to accommodate
each person enrolled. It also made it possible to offer classes that were streamed to students at remote campuses. Each stu-
dent was charged a technology fee (i.e., $5.16 for undergraduates and $13.85 for graduates per credit hour each semester),
which was administered by the Information Technologies and Resources (IT&R) Offi ce to help fund the costs of providing
IT to students and faculty.
■ CASE STUDY 9‐1 IT Governance at University of the Southeast
25 The name University of the Southeast is made up but the school and situation were real.
Case Study
c09.indd 205 11/26/2015 7:33:27 PM
206 Governance of the Information Systems Organization
IT&R was responsible for providing computer services, technologies, and telecommunications across the campus
(Computer Services and Technology), helping faculty with their instructional delivery and multimedia support (Offi ce of
Instructional Resources), helping faculty develop and deliver Web‐based and lecture capture courses (Center for Distributed
Learning), and the library. The IT&R Offi ce developed IT‐related policies with very little input from the faculty and was
responsible for deciding and implementing decisions concerning IT architecture and infrastructure. IT&R worked with the
university president and other top administrators in making IT investment decisions. IT&R staff also worked with the vari-
ous colleges, administrative offi ces, and an advisory board in making decisions about applications that needed to be devel-
oped. However, faculty were not consulted at all when the lecture capture system was selected.
As was often the case at large universities, many decision rights on a wide range of issues had been allocated to the
colleges. The College of Business Administration had its own server and Technology Support Department (TSD). A recent
survey of faculty and staff in the college indicated a high level of satisfaction with the TSD but far less satisfaction with the
services provided by the university‐level IT&R. Some college respondents indicated their displeasure about IT&R ’ s support
of the technology for the lecture capture courses, help desk, and classroom technologies.
The problems with the technology support for lecture capture software were particularly troublesome. The software
would not authenticate students who had paid to enroll in some lecture capture courses, making it impossible for them to
download the lectures even though they were registered in the course. Further, some university‐affi liated housing did not
have adequate network bandwidth to allow students to download the lectures. When problems occurred—which they did on
a daily basis—the IT&R help desk often referred the students to instructors who could not resolve their problems. One fac-
ulty member who was teaching a lecture class with 1,400 students exclaimed, “It is utter chaos for me when something goes
wrong with the system and hundreds of my students are trying to call, see or email me in panic to get me to fi x something
that I can ’ t fi x.”
To fi x some of these issues, the CIO argued that all e‐mail accounts should be placed on one central server. This would
allow the IT&R greater control and make maintenance easier and more effi cient. It also would considerably improve se-
curity. But it was not ideal for the faculty. A faculty meeting about e‐mail revealed some concerns with this move. First,
faculty wanted e‐mails sent to the central university server to be forwarded to their accounts on their other university‐based
servers (i.e., the college, department, or institute servers) but found that this was impossible to do so. Second, faculty wanted
to retain their control over archiving e‐mails. Third, faculty wanted to have control over their preferred e‐mail address. In
some cases, the faculty e‐mail addresses that they had used for a decade had been changed in the printed university directory
to the e‐mail address on the central university server without their knowledge. This meant that faculty did not receive (or
even know about) messages sent to them via the address on the university server. They could not change the printed e‐mail
address in the university directory to the address on the college server that they had been using or forward the mail sent to
the central server to a different account.
The IT&R spokesman said that having a centralized server for e‐mail accounts was more secure, reliable and effi cient.
He said that faculty shouldn ’ t have control over their preferred e‐mail address, even if it were on a campus server, because of
the identity management problems that it would create. A frustrated faculty member at the meeting asked the IT&R spokes-
man to describe one time when issues about ease of use and functionality of the system by the user were weighted more than
security in decisions about e‐mail. The IT&R spokesman could not think of an example.
Discussion Questions
1. Describe the IT governance system that was in place at the University of the Southeast using both decision rights and
structure as the bases of governance.
2. The CIO wanted to implement a centralized IT governance system. As demonstrated in this case, what are the advan-
tages of a centralized IT governance system? What are the disadvantages?
3. In your opinion, what assignment of decision rights would be best for University of the Southeast? Please explain.
c09.indd 206 11/26/2015 7:33:28 PM
207Case Study
“The customer is in control of the data and can share with dealers, crop consultants, and anyone in their network of trust-
ed advisers; securely, from any internet enabled device,” says Chris Batdorf, a marketing manager at John Deere . 26 The
MyJohnDeere project was designed with the realization that there was synergy in linking together disparate sources of
information into this “platform.” 27
Who would be interested in using this application? You might expect that John Deere customers and employees would be
the only parties. But according to Accenture , a multinational management consulting, technology services, and outsourcing
company, John Deere realized that there was value in opening access to its system to farmers, ranchers, landowners, banks,
and government workers. The platform is useful for all those people because it integrates information about equipment, pro-
duction data, and farm operations and helps users improve their profi tability. 28
A farmer described how the John Deere Operations Center allowed him to upload a treasure trove of data about planting,
spraying, fertilizing, and harvesting. He said that he accessed that information later not only to diagnose problems about
the equipment but also to make decisions about the use of land and personnel. He said that he can send that information to
consultants for real‐time recommendations on what to change even while he was harvesting. 29
A platform such as MyJohnDeere could introduce new capabilities that can provide strategic value to customers, other
fi rms, and, of course, its host. According to Accenture, the platform integrated the Internet of Things with social, mobile,
analytics, and cloud technology. The combination encouraged the development of new applications over time and repre-
sented a recent pivotal technology trend. Such a platform provided reusable components that can evolve over time. 30
Discussion Questions
1. What governance approach did John Deere appear to have adopted? Did it fit the profile of an “old” heavy industry
player?
2. What difficulties do you think an “old” heavy industry player such as John Deere encountered internally when proposing
to develop the MyJohnDeere platform?
3. What difficulties do you believe John Deere faced externally among the proposed users?
4. How do you think John Deere might have overcome those internal and external difficulties?
5. What other parties might have been interested in obtaining the information in John Deere ’ s cloud? What might they
have done with it?
Sources: Adapted from John Deere press release , “ The MyJohnDeere Operations Center—New Tools to Manage Data ” (August 21, 2014 ), https://www.deere.com/en_US/corporate/our_company/news_and_media/press_releases/2014/agriculture/2014aug21_mjd_ operations_center.page (accessed September 4, 2015) ; Cindy Zimmerman , “ MyJohnDeere Operations Center Connectivity ” (March 2, 2015 ) ; http://precision.agwired.com/2015/03/02/myjohndeere‐operations‐center‐connectivity/ (accessed September 4, 2015) ; and William Lesieur , “ Proliferating Digital Ecosystems through ‘The Platform (R)evolution ’ —Accenture Technology Vision 2015 ,” http:// www.accenture.com/us‐en/blogs/technology‐blog/archive/2015/01/26/proliferating‐digital‐ecosystems‐through‐the‐platform‐ %28R%29evolution‐acn‐technology‐vision‐2015.aspx (accessed September 4, 2015) .
■ CASE STUDY 9‐2 The “MyJohnDeere” Platform
26 https://www.deere.com/en_US/corporate/our_company/news_and_media/press_releases/2014/agriculture/2014aug21_mjd_operations_center.page
(accessed September 4, 2015). 27 http://www.accenture.com/us‐en/blogs/technology‐blog/archive/2015/01/26/proliferating‐digital‐ecosystems‐through‐the‐platform‐%28R%29
evolution‐acn‐technology‐vision‐2015.aspx (accessed September 4, 2015). 28 Ibid. 29 http://precision.agwired.com/2015/03/02/myjohndeere‐operations‐center‐connectivity/ (accessed September 4, 2015). 30 http://www.accenture.com (accessed September 4, 2015).
c09.indd 207 11/26/2015 7:33:28 PM
208
10 chapter
Information Systems Sourcing
After 13 years, Kellwood, an American apparel maker, ended its soups‐to‐nuts IS outsourcing
arrangement with EDS . The primary focus of the original outsourcing contract was to integrate
12 individually acquired units with different systems into one system. Kellwood had been satis-
fi ed enough with EDS ’ s performance to renegotiate the contract in 2002 and 2008, even though
at each renegotiation point, Kellwood had considered bringing the IS operations back in house,
or backsourcing. The 2008 contract iteration resulted in a more fl exible $105 million contract that
EDS estimated would save Kellwood $2 million in the fi rst year and $9 million over the remaining
contract years. But the situation at Kellwood had changed drastically. In 2008, Kellwood had been
purchased by Sun Capital Partners and taken private. The chief operating offi cer (COO), who was
facing a mountain of debt and possibly bankruptcy, wanted to consolidate and bring the operations
back in house to give some order to the current situation and reduce costs. Kellwood was suffering
from a lack of IS standardization as a result of its many acquisitions. The chief information offi cer
(CIO) recognized the importance of IS standardization and costs, but she was concerned that the
transition from outsourcing to insourcing would cause serious disruption to IS service levels and
project deadlines if it went poorly. Kellwood hired a third‐party consultant to help it explore the
issues and decided that backsourcing would save money and respond to changes caused by both the
market and internal forces. Kellwood decided to backsource and started the process in late 2009. It
carefully planned for the transition, and the implementation went smoothly. By performing stream-
lined operations in house, it was able to report an impressive $3.6 million savings, or about 17% of
annual IS expenses after the fi rst year. 1
The Kellwood case demonstrates a series of decisions made in relation to sourcing. Both the
decision to outsource IS operations and then to bring them back in house were based on a series of
This chapter is organized around decisions in the Sourcing Decision Cycle. The fi rst question regarding information systems (IS) in the cycle relates to the decision to make (insource) or buy (outsource) them. This chapter ’ s focus is on issues related to outsourcing whereas issues related to insourcing are discussed in other chapters of this book. Discussed are the critical decisions in the Sourcing Decision Cycle: how and where (cloud computing, onshoring, offshoring). When the choice is offshoring, the next decision is where abroad (farshoring, nearshoring, or captive centers). Explored next in this chapter is the fi nal decision in the cycle, keep as is or change in which case the current arrangements are assessed and modi- fi cations are made to the outsourcing arrangement, a new outsourcing provider is selected, or the operations and services are backsourced, or brought back in house. Risks and strat- egies to mitigate risks are discussed at each stage of the cycle.
1 For more information see Stephanie Overby, “Company Saves Millions by Ending Outsourcing Deal,” CIO.com, http://www.cio.
com/article/549463/Company_Saves_Millions_By_Ending_IT_Outsourcing_Deal?page=1&taxonomyId=3195 (accessed January
31, 2012); B. Bacheldor, “Kellwood Stayed on Top of Its Outsourcing All the Way to the End,” CIO.com, http://blogs.cio.com/
beth_bacheldor/kellwood_stayed_ on_top_of_its_outsourcing_all_the_way_to_the_end?page=0 (accessed February 10, 2012).
c10.indd 208 11/26/2015 6:32:09 PM
209Sourcing Decision Cycle Framework
factors. These factors, similar to those used by many companies in their sourcing decisions, are discussed later in
this chapter. The global outsourcing market has been growing steadily. Companies of all sizes pursue outsourcing
arrangements, and many multimillion‐dollar deals have been widely publicized. As more companies adopt out-
sourcing as a means of controlling IS costs and acquiring “best‐of‐breed” capabilities, managing these supplier
relationships has become increasingly important. IS departments must maximize the benefit of these relationships
to the enterprise and pre‐empt problems that might occur. Failure in this regard could result in deteriorating quality
of service, loss of competitive advantage, costly contract disputes, low morale, and loss of key personnel.
How IS services are provided to a firm has become an important strategic and tactical discussion. As briefly
mentioned in Chapter 6, there are numerous alternatives to sourcing computing power, applications, and infrastruc-
ture. This chapter examines the sourcing cycle to consider the full range of decisions related to who should perform
the IS work of an organization. The cycle begins with a decision to make or buy information services and products.
Once the decision to make or buy has been finalized, a series of questions must be answered about where and how
these services should be delivered or products developed. The discussion in this chapter is built around the Sourcing
Decision Cycle framework discussed in the next section. Considering the answers to sourcing questions can help
explain a number of terms associated with sourcing: insourcing, outsourcing, cloud computing, full outsourcing, selective outsourcing, multisourcing, onshoring, offshoring, nearshoring, farshoring, and backsourcing. For each type of sourcing decision, the risks, or likelihood of something negative occurring as a result of the decision, are
discussed, and some steps that can be taken to manage the risks are proposed.
Sourcing Decision Cycle Framework Sourcing does not really just involve only one decision. It involves many decisions. The rest of this chapter is built
around the critical sourcing decisions shown in Figure 10.1. Many of the chapter headings are tied to key decisions
in Figure 10.1. Although the Sourcing Decision Cycle starts anywhere, we choose to start with the original
make‐or‐buy decision. If an organization decides to “make,” that means that it plans to create and run its own
applications. “Buy,” on the other hand, means the organization plans to obtain its applications from an outside
HYBRID CAPTIVE
CENTER
OFFSHORING
OUTSOURCING
ONSHORING
CLOUD
INSOURCING
Where abroad?
Make
Note: Insourcing can include captive centers
Buy
Keep as is or
Change?
Where?
FARSHORING
NEARSHORING
How to source?
Where?
FIGURE 10.1 Sourcing Decision Cycle framework.
c10.indd 209 11/26/2015 6:32:09 PM
210 Information Systems Sourcing
vendor or vendors. When the “buy” option is selected, the organization becomes a client company that must then
decide on “how” and “where” to outsource. The answers to the “how” question include the scope of the outsourcing
and the steps that should be taken to ensure its success. The answers to the “where” question focus on whether the
client company should work with an outsourcing provider (i.e., vendor) in its own country, offshore, or in a cloud.
If the client company decides to go offshore because labor is cheaper or needed skills are more readily available, it
must make another decision: It must decide whether it wants the work done in a country that is relatively nearby or
in a country that is quite distant. Finally, the client company chooses an outsourcing provider (or decides to do its
own IS work). After a while, the client company faces another decision. It periodically must evaluate the sourcing
arrangement and see whether a change is in order. If the in house work is unsatisfactory or other opportunities that
are preferable to the current arrangement have become available, then the client company may turn to outsourcing.
If, on the other hand, the outsourcing arrangement is unsatisfactory, the client company has several options to con-
sider: to correct any existing problems and continue outsourcing with its current provider, to outsource with another
provider, or to backsource. If the company decides to make a change in its sourcing arrangements at this point, the
Sourcing Decision Cycle starts over again.
Starting the Cycle: The Make‐or‐Buy Sourcing Decision
Managers decide whether to make or buy information services and products. The products can include an appli-
cation or a system, and services can range from help desk support, telecommunications, running data centers, and
even implementing and operating business processes as in business process outsourcing (BPO). A simple “make”
decision often involves insourcing some or all of the business’s IS infrastructure, and a simple “buy” decision often
involves outsourcing, although it could also include purchasing packaged software. In its simplest form, the make‐
or‐buy decision hinges on whether to insource (“make”) or outsource (“buy”).
Insourcing
The most traditional approach to sourcing is insourcing, or providing IS services or developing them in the com- pany’s own in house IS organization and/or in its local cloud. Several “yes” answers to the questions posed in
Figure 10.2 favor the decision to insource. Probably the most common reason is to keep core competencies in house.
Managers are concerned that if they outsource a core competency, they risk losing control over it or losing contact
with suppliers who can help them remain innovative in relation to that competency. Failing to control the competency
or stay innovative is a sure way to forfeit a company’s competitive advantage. On the other hand, by outsourcing
commodity work, a firm can concentrate on its core competencies. Other factors that weigh in favor of insourcing
are having an IS service or product that requires considerable security, confidentiality, or adequate resources in house
(e.g., time to complete the project with current staffing or IS professionals with the needed skills and training).
In some companies, the IS function is underappreciated by top management. As long as everything is running
smoothly, top managers may not notice the work done by or appreciate the services and products of the IS orga-
nization. Often an IS department that insources has found it necessary to compete for resources differently than
if it outsources. It is necessary for the department to have enough respect and support from top management to
acquire resources and get the department’s job done. A major risk of insourcing is that the complexities of running
IS in house requires management attention and resources that might better serve the company if focused on other
value‐added activities.
Captive centers are a new variation of insourcing. A captive center is an overseas subsidiary that is created to serve its main “client,” the parent company, but it may serve other clients as well. Firms have set up such subsid-
iaries to operate like an outsourcing provider, but the firms actually own the subsidiaries. They are launched in
less expensive locations, usually away from the company’s headquarters or major operating units. The three most
common types of captive centers are basic, shared, and hybrid.2 The basic captive center provides services only to the parent firm. The shared captive center performs work for both a parent company and external customers.
2 I. Oshri, J. Kotalarsky and C.‐M. Liew, “What to Do with Your Captive Center: Four Strategic Options,” The Wall Street Journal (May 12, 2008), http:// www.wsj.com/articles/SB121018777870174513 (accessed September 2, 2015).
c10.indd 210 11/26/2015 6:32:10 PM
211Sourcing Decision Cycle Framework
The hybrid captive center typically performs the more expensive, higher profile or mission‐critical work for the par- ent company and outsources the more commoditized work that is more cheaply provided by an offshore provider.
Outsourcing
Outsourcing means purchasing a good or service that was previously provided internally or that could be provided internally but is now provided by outside vendors. In the early days of outsourcing, outside providers often took
over entire IS departments, including people, equipment, and management responsibility. Reducing costs was the
primary motivation for outsourcing. This classic approach prevailed through most of the 1970s and 1980s but then
experienced a decline in popularity. In 1989, Eastman Kodak Company’s multivendor approach to meeting its
IS needs created the “Kodak effect.” Kodak outsourced its data center operations to IBM, its network to Digital
Equipment Company, and its desktop supply and support operations to Businessland.3 Kodak managed these rela-
tionships through strategic alliances.4 It retained a skeleton IS staff to act for its business personnel with out-
sourcing providers. Its approach to supplier management became a model emulated by Continental Bank, General
Dynamics, Continental Airlines, National Car Rental, and many more.5
Kodak’s watershed outsourcing arrangement ushered in new outsourcing practices that put all IS activities up
for grabs, including those providing competitive advantage. As relationships with outsourcing providers become
FIGURE 10.2 Make or buy? Questions and risks.
Make or Buy Questions Suggests Insourcing
Suggests Outsourcing
Examples of Associated Risk in Worse‐Case Scenarios
Does it involve a core competency? Yes No If outsourced: Loss of control over strategic initiatives; loss of strategic focus
Does it involve confidential or sensitive IS services or software development?
Yes No If outsourced: Competitive secrets may be leaked
Is there enough time available to complete software development projects in house?
Yes No If insourced: Project not completed on time
Do the in‐house IS professionals have adequate training, experience, or skills to provide the service or develop the software?
Yes No If outsourced: Technological innovations limited to what provider offers; overreliance on provider’s skills
Are there reliable outsourcing providers who are likely to stay in business for the duration of the contract?
No Yes If outsourced: Project not completed or, if completed, is over budget and late when another provider takes it over
Is there an outsourcing provider that has a culture and practices that are compatible with the client?
No Yes If outsourced: Conflict between client and provider personnel
Does the provider have economies of scale that make it cheaper to provide the service or develop the software than in house?
Most likely No Most likely Yes If outsourced: Excessive costs of project or operations because of the way the contract is written
Does it offer a better ability to handle peaks?
Most likely No Most likely Yes If insourced: Loss of business
Does it involve consolidating data centers?
Most likely No Most likely Yes If insourced: Inefficient operations
3 L. Applegate and R. Montealegre, “Eastman Kodak Co.: Managing Information Systems Through Strategic Alliances,” Harvard Business School case
192030 (September 1995). 4 Anthony DiRomualdo and Vijay Gurbaxani, “Strategic Intent for IT Outsourcing,” Sloan Management Review (June 22, 1998). 5 Mary C. Lacity, Leslie P. Willcocks, and David F. Feeny, “The Value of Selective IT Sourcing,” Sloan Management Review (March 22, 1996).
c10.indd 211 11/26/2015 6:32:10 PM
212 Information Systems Sourcing
more sophisticated, companies realize that even such essential functions as customer service are sometimes better
managed by experts on the outside. Over the years, motives for outsourcing broadened beyond cost control. The
next section examines factors and risks to be considered in making the outsourcing decision. The sourcing strategy
suggested by the answers to the key how to source question and associated risks are listed in Figure 10.2.
Factors in the Outsourcing Decision
Under what conditions would an organization decide to outsource? There are three primary factors that are likely to
favor the decision to seek to buy the services or products of an outsourcing provider: lower costs due to economies
of scale, ability to handle processing peaks, and the client company’s need to consolidate data centers. These and
other factors are listed in Figure 10.2.
One of the most common reasons given for outsourcing is the desire to reduce costs. Outsourcing providers
derive savings from economies of scale that client companies often cannot realize. Outsourcing providers achieve
these economies through centralized (often “greener”) data centers, preferential contracts with suppliers, and large
pools of technical expertise. Most often, enterprises lack such resources on a sufficient scale within their own
IS departments. For example, a single company may need only 5,000 PCs, but an outsourcing provider might
negotiate a contract for 50,000 to spread over many clients and at a much lower cost per computer. Second, the
outsourcing provider’s larger pool of resources than the client company’s allows the provider leeway in assign-
ing available capacity to its clients on demand. For instance, at year‐end, an outsourcing provider potentially can
allocate additional mainframe capacity to ensure timely completion of nightly processing in a manner that would
be impossible for an enterprise running its own bare‐bones data center. Third, an outsourcing provider may help
a client company to consolidate data centers following a merger or acquisition or when the internal group cannot
overcome the inertia of its top management. Outsourcing may also offer an infusion of cash as a company sells its
equipment to the outsourcing vendor.
If the service or product involves a core competency, then the organization should strongly consider insourcing
to protect the benefits the organization enjoys from its own competency. However, if the product or service is con-
sidered to be a commodity instead of a core competency, then there are some distinct advantages to outsourcing. By
bringing in outside expertise, client company management often can pay more attention to its core activities rather
than to IS operations. Further, if an organization does not have employees with the training, experience, or skills
in house to successfully implement new technologies, it should consider outsourcing. This is because outsourcing
providers generally have larger pools of talent with more current knowledge of advancing technologies and best
practices. For example, many outsourcing providers gain vast experience solving business intelligence problems
whereas IS staff within a single company would have only limited experience, if any. That is why client companies
turn to outsourcing providers to help them implement such technologies as Enterprise 2.0, Web 2.0 tools, cloud
computing, and enterprise resource planning (ERP) systems. However, it is important to remember that client
company managers are ultimately still responsible for IS services and products provided to their firm.
Outsourcing providers also have an added advantage because they can specialize in IS services. Outsourcing
providers’ extensive experience in dealing with IS professionals helps them to understand how to hire, manage,
and retain IS staff effectively. Often they can offer IS personnel a professional environment in which to work that
a typical company cannot afford to build. For example, a Web designer would have responsibility for one Web site
within a company but for multiple sites when working for an outsourcing provider. It becomes the outsourcing
provider’s responsibility to find, train, and retain highly marketable IS talent. Outsourcing relieves a client of costly
investments in continuous training to keep its IS staff current with the newest technologies and the headaches of
hiring and retaining highly skilled staff that easily can change jobs.
Outsourcing Risks
Opponents of outsourcing cite a considerable number of risks with it (see Figure 10.2). A manager should consider
each of these before making a decision about outsourcing. Each risk can be mitigated with effective planning and
ongoing management.
c10.indd 212 11/26/2015 6:32:10 PM
213Sourcing Decision Cycle Framework
6 Stephanie Overby, “The Hidden Costs of Offshore Outsourcing” (September 1, 2003), http://www.cio.com/article/29654/The_Hidden_Costs_of_
Offshore_Outsourcing (accessed June 4, 2012).
First, outsourcing requires that a client company surrender a degree of control over critical aspects of the
enterprise. The potential loss of control could extend to several areas: project control, scope creep, technologies
employed, costs, financial controls, accuracy and clarity of financial reports, and even the company’s IS direction.
By turning over data center operations, for example, a company puts itself at the mercy of an outsourcing provider’s
ability to manage this function effectively. A manager must choose an outsourcing provider carefully and negotiate
terms that encourage an effective working relationship.
Second, outsourcing client companies may not adequately anticipate new technological capabilities when nego-
tiating outsourcing contracts. Outsourcing providers may not recommend so‐called bleeding‐edge technologies for
fear of losing money in the process of implementation and support, even if their implementation would best serve
the client company. Thus, poorly planned outsourcing can result in a loss in IS flexibility. For example, some out-
sourcing providers were slow to adopt social technologies for their clients because they feared the benefits would
not be as tangible as the costs of entering the market. This reluctance impinged on clients’ ability to realize social
business strategies. To avoid this problem, an outsourcing client should have a chief technology officer (CTO)
or technology group that is charged with learning about and assessing emerging technologies that can be used to
support its company’s business strategy.
Third, by surrendering IS functions, a client company gives up any real potential to develop them for compet-
itive advantage—unless, of course, the outsourcing agreement is sophisticated enough to comprehend developing
such an advantage in tandem with the outsourcing company. However, the competitive advantage may be compro-
mised if it is made available to the outsourcing provider’s other clients. Under many circumstances, the outsourcing
provider becomes the primary owner of any technological solutions that it develops for the client. This allows the
outsourcing provider to leverage the knowledge to benefit other clients, possibly even competitors of the initial
client company.
Fourth, contract terms may leave client companies highly dependent on their outsourcing provider with little
recourse in terms of terminating troublesome provider relationships. That is, the clients may be locked into an
arrangement that they no longer want. It may be too expensive to switch to another outsourcing provider should
the contract sour. Despite doing due diligence and background checks, the outsourcing provider may be unreliable
or go out of business before the end of the contract. The risk of over‐reliance for any number of reasons typi-
cally increases as the size of the outsourcing contract increases. DHL Worldwide Express entrusted 90% of its IT
development and maintenance projects to a large Indian‐based company, Infosys. “There’s a lot of money wrapped
up in a contract this size, so it’s not something you take lightly or hurry with,” said Ron Kifer, DHL’s Vice President
of Program Solutions and Management.6 Clearly, DHL faced considerable risk in offshoring with Infosys because
of its reliance on the provider.
Fifth, it might be harder to keep its competitive secrets when a company employs an outsourcing provider.
Although outsourcing providers are sensitive to keeping client information separated in their systems, an outsourcer’s
staff will usually work with multiple customers. Some managers are concerned that their company databases are no
longer kept in house, and the outsourcing provider’s other customers may have easier access to sensitive information.
Although all outsourcing agreements contain clauses to keep customer data and systems secure, managers still voice
concern about data security and process skills when they are managed by a third party. Thinking through the security
issues carefully and implementing controls where possible mitigate this risk. Often, the outsourcing provider has
more secure processes and practices in place simply because its business depends on it—it’s a competitive necessity
and often a core competency of the outsourcing provider.
Sixth, the outsourcing provider’s culture or operations may be incompatible with that of the client company,
making the delivery of the contracted service or system difficult. Conflicts between the client’s staff and the staff
of the outsourcing provider may delay progress or harm the quality of the service or product delivered by the out-
sourcing provider.
Finally, although many companies turn to outsourcing because of perceived cost savings, these savings may
never be realized. Typically, the cost savings are premised on the old way that the company performed the processes.
c10.indd 213 11/26/2015 6:32:10 PM
214 Information Systems Sourcing
However, new technologies may usher in new processes, and the anticipated savings on the old processes become
moot. Further, the outsourcing client is, to some extent, at the mercy of the outsourcing provider. Increased vol-
umes due to unspecifi ed growth, software upgrades, or new technologies not anticipated in the contract may end
up costing a fi rm considerably more than it anticipated when it signed the contract. Also, some savings, although
real, may be hard to measure.
Decisions about How to Outsource Successfully
Clearly, the decision about whether to outsource must be made with adequate care and deliberation. It must be fol-
lowed with numerous other decisions about how to mitigate outsourcing risks and make the outsourcing arrange-
ment work. Once these decisions have been made, they should be openly communicated to all relevant stakeholders.
Three major decision areas are selection, contracting, and scope.
Selection
Selection‐related decisions focus on fi nding compatible outsourcing providers whose capabilities, managers,
internal operations, technologies, and culture complement those of the client company. This means that compati-
bility and cultural fi t might trump price, especially when long‐term partnerships are envisioned. Selection factors
are discussed more fully in the “where” and “where abroad” decisions.
Contracting
Many “how” decisions center around the outsourcing contract. In particular, client companies must ensure that
contract terms allow them the fl exibility they require to manage and, if necessary, sever supplier relationships.
The 10 ‐year contracts that were so popular in the early 1990s are being replaced with contracts of shorter duration
lasting 3 to 5 years and full life cycle service contracts that are broken up into stages. Deal size also has declined
this millennium. Although the numbers of megadeals and midrange contracts awarded each year have remained
relatively stable since 2002, smaller contracts valued at $100 million or less had more than tripled a decade later. 7
Social Business Lens: Crowdsourcing
Crowdsourcing is a form of outsourcing that is provided by a very large number of individuals. Two forms of
crowdsourcing are available: collaboration and tournament. Collaboration crowdsourcing occurs when individ-
uals use social media to collectively create a common document or solution. Examples are Wikipedia or crowd-
sourcing for innovation as was discussed in Chapter 5 . Tournament crowdsourcing also uses social media to solicit
and collect independent solutions from a potentially large number of individuals but selects one or a few of the
contributions in exchange for fi nancial or nonfi nancial compensation.
Some sites offer marketplaces to promote particular types of tournament crowdsourcing. Consider 99designs
(99designs.com), which is the largest online graphic design marketplace where people or fi rms can go to get
affordable designs for such things as logos, labels, business cards, and Web sites. It is anticipated that by 2016,
the site will have over a million members offering graphic services. Businesses can source graphic design work
by launching design contests to the 99design community, working individually with designers who are members
of the community, or purchasing design templates from 99designs ’ ready‐made logo store. Recently, 99designs
opened a new site, Swiftly, for customers who want to get small design tasks done quickly for a fl at fee.
Sources: I. Blohm , J. M. Leimeister , and H. Krcmar , “Crowdsourcing: How to Benefit from (Too) Many Great Ideas ” MIS Quarterly Executive 12 , no. 4 ( 2013 ), 199 – 211 ; About 99designs, http://99designs.com/about (downloaded May 22, 2015).
7 Stephanie Overby , “ IT Outsourcing Deal Size Data Shows Decade‐Long Decline ,” http://www.cio.com/article/2399755/it‐organization/it‐outsourcing‐
deal‐size‐data‐shows‐decade‐long‐decline.html (accessed March 9, 2015) .
c10.indd 214 11/26/2015 6:32:10 PM
215Sourcing Decision Cycle Framework
Often client companies and outsourcing providers have formal outsourcing arrangements, called service level agreements (SLAs) that define the level of service to be provided. SLAs often describe the contracted delivery time and expected performance of the service. Contracts are tightened by adding clauses describing actions to be
taken in the event of a deterioration in quality of service or noncompliance with the SLA. Service levels, baseline
period measurements, growth rates, and service volume fluctuations are specified in the contracts to reduce oppor-
tunistic behavior on the part of the outsourcing provider. Research demonstrates that tighter contracts tend to lead
to more successful outsourcing arrangements.8 To write tighter contracts, it is a good idea for the client company to
develop contract management skills and to hire both outsourcing and legal experts. Unfortunately, a tight contract
does not provide much solace to a client company when an outsourcing provider goes out of business. It also does
not replace having a good relationship with the outsourcing provider that allows the client to work out problems
when something unanticipated occurs.
Scope
Most enterprises outsource at least some IS functions. This is where scope questions come into play. Defining the
scope of outsourcing means that the client must decide whether to pursue outsourcing fully or selectively with one
(single sourcing) or more providers (multisourcing). If a client decides to go the selective outsourcing route, it may
insource most of its IS duties but selectively outsource the remaining functions.
Full outsourcing implies that an enterprise outsources all its IS functions from desktop services to software development. An enterprise typically outsources everything only if it does not view IT as a strategic advantage.
Full outsourcing can free resources to be employed in areas that add greater value. This choice can also reduce
overall cost per transaction due to size and economies of scale.9 Many companies outsource IS simply to allow
their managers to focus attention on other business issues. Others outsource to accommodate growth and respond
to their business environment. Kellwood, the case discussed at the beginning of the chapter, appeared to have used
full outsourcing to improve operations.
With selective outsourcing, an enterprise chooses which IT capabilities to retain in house and which to give to one or more outsiders. A “best‐of‐breed” approach is taken to choose suppliers for their expertise in specific tech-
nology areas. Possible areas for selective sourcing include Web site hosting, Web 2.0 applications, cloud services,
business process application development, help desk support, networking and communication, social IT services, and
data center operations. Although an enterprise can acquire top‐level skills and experience through such relationships,
the effort required to manage them grows tremendously with each new provider. Still, selective outsourcing, some-
times called strategic sourcing, reduces the client company’s reliance on outsourcing with only one provider. It also provides greater flexibility and often better service due to the competitive market.10 To illustrate, an enterprise might
retain a specialist firm to develop social business applications and at the same time select a large outsourcing provider,
such as IBM, to assume mainframe maintenance.
Consider JetBlue, an airline that turned to Verizon to manage its IT infrastructure—its network, data center, and
help desk. The six‐year contract with Verizon allows the data centers to scale as JetBlue grows and helps JetBlue
“reduce the cycle time for delivery of those capabilities and allow the rest of IT to focus on other capabilities,”
said JetBlue CIO, Joe Eng. Eng asserted that JetBlue can still have control over IT: “We own the decision paths,
the service‐level agreements and what direction we want to take, but Verizon will be key in the implementation.”11
Verizon was chosen over other providers for a number of reason, especially because the operation of networks is
its core business.
A client company that decides to use multiple providers when fully or selectively outsourcing is multisourc-
ing. IT multisourcing is defined as delegating “IT projects and services in a managed way to multiple vendors
8 See, for example, C. Saunders, M. Gebelt, and Q. Hu, “Achieving Success in Information Systems Outsourcing,” California Management Review 39, no. 2 (1997), 63–79; M. Lacity and R. Hirschheim, Information Systems Outsourcing: Myths, Metaphors and Realities (Hoboken, NJ: John Wiley, 1995). 9 Tom Field, “An Outsourcing Buyer’s Guide: Caveat Emptor” (April 1, 1997). 10 Ibid. 11 M. Hamblen, “Verizon to Manage JetBlue’s Network, Data Centers and Help Desk,” CIO.com (October 6, 2009), http://www.computerworld.com/s/
article/9138965/Verizon_to_manage_JetBlue_s_network_data_centers_and_help_desk (accessed January 31, 2012).
c10.indd 215 11/26/2015 6:32:10 PM
216 Information Systems Sourcing
12 Martin Wiener and Carol Saunders, “Forced Coopetition in IT Multi‐Sourcing,” The Journal of Strategic Information System 23, no. 3 (2014), 210–25. 13 Ibid. 14 Ibid. 15 Till Winkler, Alexander Benlian, Marc Piper, and Henry Hirsch, “Bayer HealthCare Delivers a Dose of Reality for Cloud Payoff Mantras in Multina-
tionals,” MIS Quarterly Executive 13, no. 4 (2014), 193–207.
who must (at least partly) work cooperatively to achieve the client’s business objectives.”12 Over the last 15 years,
numerous benefits of IT multisourcing have made this approach take off markedly in terms of number of com-
panies using it and contract sizes. In particular, it helps companies limit the risks associated with working with
just one provider. It can also help client firms lower their IT service costs due to competition among providers,
improve the quality through best‐of‐breed services, enhance their flexibility in adapting to changing market condi-
tions, and provide easier access to specialized IT expertise and capabilities.13 However, multisourcing comes with
its downsides. Having more providers requires more coordination than with working with a single outsourcing
provider. Further, when a major problem occurs, there may be a tendency to “finger‐point.” That is, each out-
sourcing provider may claim that the problem is caused by or can be corrected only by another provider. And as
outsourcing providers expand their service offerings, unexpected competition among providers can hurt the client
if not managed well.
Adidas, a multinational footwear and sports apparel company, recently adopted a multisourcing strategy,
which carefully pitted three IT providers against each other at the same time that they were working coopera-
tively together.14 Adidas split virtually all of its huge IT budget allocated for outsourcing among three providers:
a large Indian outsourcing company with which it had worked for a decade and two “hungry” smaller firms.
Adidas selected the three firms in such a way that at least two vendors, and sometimes all three, could perform
particular services that it needed. The large Indian outsourcing provider had become complacent, and the competi-
tion provided better IT services at a lower price. In addition, all three vendors were charged to be more innovative.
Through careful management, Adidas orchestrated the delicate balance between provider cooperation and compe-
tition among the providers.
Deciding Where—In the Cloud, Onshoring, or Offshoring?
Until recently, outsourcing options were either to use services onshore (work performed in the same country as the
client) or offshore (work performed in another country). More recently, a new sourcing option has become more
available and more accepted by managers: cloud computing. We next describe the three sourcing options. We also
describe some answers to the “how” question: how to make the arrangement successful. Many best practices were
discussed in the previous subsection because they are common to all three outsourcing options. A few more unique
practices are discussed in the next sections.
Cloud Computing
As discussed in Chapter 6, cloud computing is the dynamic provisioning of third‐party‐provided IT services over the Internet using the concept of shared services. Companies offering cloud computing make an entire
data center’s worth of servers, networking devices, systems management, security, storage, and other infra-
structure available to their clients. In that way, their clients can buy the exact amount of storage, computing
power, security, or other IT functions that they need, when they need it, and pay only for what they use. Thus,
the client company can realize cost savings by sharing the provider’s resources with other clients. The pro-
viders also provide 24/7 access using multiple mobile devices, high availability for large backup data storage,
and ease of use.
Cloud computing’s many advantages make it quite popular with executives. The total global cloud computing
market is estimated to spurt from $61 billion in 2012 to $241 billion in 2020.15 This growth was originally fueled
by small‐ to medium‐size businesses that lacked large IT functions or internal capabilities. More recently, larger
companies have been signing up for cloud services to take advantage of the cloud’s many benefits.
c10.indd 216 11/26/2015 6:32:10 PM
217Sourcing Decision Cycle Framework
Advantages and Risks/Challenges of Cloud Computing Cloud computing offers a number of advantages.
Because resources can be shared, costs for IT infrastructure and services can be slashed. There are no up‐front
investment costs, and ongoing costs are variable according to the firm’s needs, especially for those with multina-
tional units in large countries.16 The Commonwealth Bank of Australia claimed that its IT costs dropped by approx-
imately 40% when it moved to a cloud for IT infrastructure, software, and development.17 Further, with companies
such as Amazon, Google, IBM, and Microsoft vying for customers, pricing is still rather competitive. Flexibility
is enhanced because infrastructure needs that vary over time can be met dynamically. For many companies, cloud
computing means “pay‐as‐you‐go.” They can get the exact level of IT support that they need when they need it.
Further, cloud computing is scalable, which means that more providers can be added if requirements increase, or
they theoretically can be taken out of play if the needs decrease. This allows business units to focus on their core
competencies as long as they do not need to deal with local idiosyncrasies and customizations.18
Netflix realized the advantages of cloud computing to support its strategic initiative to stream movies to its cus-
tomers instead of mailing them DVDs. To do so, it needed so much more infrastructure that the cloud appeared to be
its only option. “Netflix.com is nearly 100% in the cloud. . . . We really couldn’t build data centers fast enough,” says
Jason Chan, Netflix’s cloud security architect. The introduction of a Netflix application for iPhones will place even
greater spikes in demand, at least temporarily. But Chan isn’t concerned: “That’s what cloud is really intended for.”19
As with any sourcing decision, organizations considering cloud computing must weigh its benefits against its
risks and challenges. Executives worry over many of the same types of risks that are found with other types of out-
sourcing. In particular, they fear technical lock in, long‐term business commitments, and lost IT capabilities, which
ultimately could lead to overdependence on the outsourcing provider.20 IT executives are particularly concerned
that they might lose control over the IT environment for which they bear responsibility. One big concern with cloud
computing has been security, specifically with external threats from remote hackers and security breaches as the
data travel to and from the cloud. Tied to the concerns about security are concerns about data privacy. The stan-
dards, monitoring, and maintenance tools for cloud computing are still not mature. This makes security, interoper-
ability, and data mobility difficult. However, knowing that their business is on the line, many cloud providers have
strengthened their security and are willing to deal with the security issues of individual customers. For example,
when Bayer HealthCare ran into security risks related to its pharmaceutical customer data in its cloud customer
relationship management (CRM), a middleware solution was implemented to protect internal systems against intru-
sions from outside the firewall.
Another challenge that causes some managers to shy away from cloud computing is the fact that the ability to
tailor service‐level requirements, such as uptime, response time, availability, performance, and network latency,
to the specific needs of a client is far less than with insourcing or many other outsourcing options. To manage this
risk, an SLA needs to spell out these requirements. For multinationals, a related challenge is data sovereignty,
which means that data are subject to the laws of the country in which they are located.21 The Commonwealth
Bank of Australia has excluded some application providers because the core data need to remain in Australia.22
Bayer Healthcare took a different, far more time‐consuming approach. It adopted a global solution that took into
account the different regulatory requirements and processes across its business units in different countries. It also
used a two‐platform approach: The business units in small and medium countries used an in‐house system as their
“common platform,” while business units in larger countries with more complex systems relied on cloud providers
that offered an “advanced” cloud‐based platform.23
16 Ibid. 17 Daniel Schlagwein, Alan Thorogood, and Leslie Willcocks, “How Commonwealth Bank of Australia Gained Benefits Using a Standards‐Based,
Multiprovider Cloud Model,” MIS Quarterly Executive 13, no. 4 (2014), 209–22. 18 Winkler et al., “Bayer HealthCare Delivers a Dose of Reality,” 193–207. 19 Tim Greene, “Netflix Deals with Cloud Security Concerns,” CIO.com (September 21, 2011), http://www.cio.com/article/print/690236 (accessed
September 22, 2011). 20 Schlagwein, Thorogood, and Willcocks, “How Commonwealth Bank of Australia Gained Benefits,” 209–22. 21 Winkler et al., “Bayer HealthCare Delivers a Dose of Reality,” 193–207; Schlagwein, Thorogood, and Willcocks, “How Commonwealth Bank of
Australia Gained Benefits,” 209–22. 22 Schlagwein, Thorogood, and Willcocks, “How Commonwealth Bank of Australia Gained Benefits.” 23 Winkler et al., “Bayer HealthCare Delivers a Dose of Reality,” 193–207.
c10.indd 217 11/26/2015 6:32:10 PM
218 Information Systems Sourcing
24 Ben Eaton, Hanne Kristine Hallingby, Per‐Jonny Nesse, Ole Hanset, “Achieving Payoffs from an Industry Cloud Ecosystem at BankID,” MIS Quarterly Executive 13, no. 4 (December 2014), 51–60. 25 Paul J. Stamas, Michelle L. Daarst‐Brown, and Schoot A. Bernard, “The Business Transformation Payoffs of Cloud Services at Mohawk,” MIS Quarterly Executive 13, no. 4 (December 2014), 177–92. 26 Ibid. 27 Diana Kelley, “How Data‐Centric Protection Increases Security in Cloud Computing and Virtualization” (2011), http://www.securitycurve.com
(accessed September 22, 2011). 28 Ibid.; Winkler et al., “Bayer HealthCare Delivers a Dose of Reality,” 193–207.
Cloud Computing Options Cloud computing comes in many different forms. Options include on‐premise or
private clouds, community clouds, hybrid clouds and public clouds. In private clouds, data are managed by the organization and remain within its existing infrastructure, or it is managed offsite by a third party for the organi-
zation (client company). In a community cloud, the cloud infrastructure is shared by several organizations and supports the shared concerns of a specific community. An example of a community cloud is Norway’s BankID
community. BankID relies on a cloud infrastructure to provide a system that enables electronic identification,
authentication, and signing. Members of the BankID community include Norwegian banks, the Norwegian
government, the Norwegian Banking Federation, and merchants.24
A hybrid cloud is a combination of two or more other clouds. Mohawk, a U.S. manufacturer of premium paper products discussed in Chapter 6, has a hybrid cloud. It is part of a computing environment with on‐premises ERP
and manufacturing systems, a secure suite of private cloud services to send and receive data files among on‐prem-
ises databases and to integrate with its business partners, and a suite of cloud services to integrate public cloud
applications with internal applications and business processes.25
In a public cloud, data are stored outside of the corporate data centers in the cloud provider’s environment. As discussed in Chapter 6, public clouds include:
• Infrastructure as a service (IaaS): Provides infrastructure through grids or clusters or virtualized servers, net- works, storage, and systems software designed to augment or replace the functions of an entire data center.
The customer may have full control of the actual server configuration allowing more risk management con-
trol over the data and environment. The earlier Netflix example illustrates the IaaS cloud option.
• Software as a service (SaaS): Provides software application functionality through a Web browser. Mohawk uses the Web for a variety of SaaS applications (e.g., e‐marketing, CRM, and human resources [HR]).26
Both the platform and the infrastructure are fully managed by the cloud provider, which means that if the
operating system or underlying service is not configured correctly, the data at the higher application layer
may be at risk. This is the most widely known and used form of cloud computing. A provider of SaaS is
sometimes called application service provider (ASP).27
• Platform as a service (PaaS): Provides services using virtualized servers on which clients can run existing applications or develop new ones without having to worry about maintaining the operating systems, server
hardware, load balancing, or computing capacity; the cloud provider manages the hardware and under-
lying operating system, which limits its enterprise risk management capabilities. Bayer Healthcare’s cloud
platform‐based component development (PaaS) is used to customize cloud solutions when the existing SaaS
solutions are unable to satisfy the complex, idiosyncratic needs of its large business units.28
Onshoring
Outsourcing does not necessarily mean that IT services and software development are shipped abroad. Onshoring, also called inshoring, means performing outsourcing work domestically (i.e., in the same country). Onshoring may be considered the “opposite” of offshoring. In scope, it involves either selective or full outsourcing.
A growing trend in onshoring in the United States is rural sourcing, which is hiring outsourcing providers with
operations in rural parts of the country. Rural sourcing firms can be competitive because they take advantage of
lower salaries and living costs when compared to firms in metropolitan areas. Dealing with a rural company can
have advantages in terms of different time zones, similar culture, and fewer hassles compared with dealing with
foreign outsourcing providers. However, the rural sourcing firms are usually too small to handle large‐scale projects
c10.indd 218 11/26/2015 6:32:10 PM
219Sourcing Decision Cycle Framework
29 Bob Violino, “Rural Outsourcing on the Rise in the U.S.” (March 7, 2011), http://www.computerworld.com/s/article/353556/Lure_of_the_Countryside?
taxonomyId=14&pageNumber=1 (accessed September 22, 2011). 30 India Brand Equity Foundation, http://www.ibef.org/industry/information‐technology‐india.aspx (accessed March 9, 2015). 31 Aditya Bhasin, Vinay Couto, Chris Disher, and Gil Irwin, “Business Process Offshoring: Making the Right Decision” (January 29, 2004), http://www2.
cio.com/consultant/report2161.html (accessed August 14, 2005).
and may not have the most technologically advanced employees. Rural sourcing is often viewed as more politically
correct than offshoring.29
Offshoring
Offshoring (which is short for offshore sourcing) occurs when the IS organization uses contractor services, or even its own hybrid captive center in a distant land. The functions sent offshore range from routine IT transactions to
increasingly higher‐end, knowledge‐based business processes.
Programmer salaries can be a fraction of those in the home country in part because the cost of living and the
standard of living in the distant country are much lower, maybe as much as 70% lower when only considering direct
labor costs. However, these savings come at a price because other costs increase. Additional technology, telecom-
munications, travel, process changes, and management overhead are required to relocate and supervises overseas
operations. For example, during the transition period, which can be rather lengthy, offshore workers must often
be brought to the home country headquarters for extended periods to become familiar with the company’s oper-
ations and technology. Because of the long transition period, it can often take several years for offshoring’s labor
savings to be fully realized. And even if they are realized, they may never reflect the true cost to a company. Many,
especially those who have lost their jobs to offshore workers, argue that offshoring cuts into the very fiber of the
society in the country of origin whose companies are laying off workers. Yet, it helps the economies of the countries
where offshoring is performed. For example, India’s IT services industry, the largest private sector employer, was a
$108 billion industry in fiscal year 2013 with $76 billion derived from exports of services and products.30
Even though the labor savings are often very attractive, companies sometimes turn to offshoring for other rea-
sons. The employees in many offshore companies are typically well educated (often holding master’s degrees) and
proud to work for an international company. The offshore service providers are often “profit centers” that have
established Six Sigma, ISO 9001, Capability Maturity Model (CMM), or another certification program. These off-
shore providers usually are more willing to “throw more brainpower at a problem” to meet their performance goals
than many companies in the United States or Western Europe. In offshore economies, technology know‐how is a
relatively cheap commodity in ample supply.31
Offshoring raises the fundamental question of what to send offshore and what to keep within the enterprise IS
organization when implementing the selective outsourcing model. Because communications are made difficult by
differences in culture, time zones, and possibly language, outsourced tasks are usually those that can be well spec-
ified. They typically, but not always, are basic noncore transactional systems that require the users or customers to
have little in‐depth knowledge. In contrast, early stage prototypes and pilot development are often kept in house
because this work is very dynamic and requires familiarity with business processes. Keeping the work at home
allows CIOs to offer learning opportunities to in house staff. In summary, the cost savings that lure many companies
to turn to offshoring need to be assessed in relation to the increased risks and communication problems in working
with offshore workers and relying on them to handle major projects.
Deciding Where Abroad—Nearshoring or Farshoring?
Offshoring can be either relatively proximate (nearshoring) or in a distant land (farshoring). Each of these offshore
options is described in more detail here. They are also shown in Figure 10.3 with other domestic and nondomestic
sourcing options in Figure 10.3. In some cases, the distinction is hard to make because some cloud computing can
be considered as insourcing if it is a local private cloud or local community cloud or some hybrid. However, in
most cases, cloud computing tends to be a form of outsourcing either domestically or nondomestically in the ether.
Further, although most captive centers could be considered a form of insourcing, hybrid captive centers sometimes
outsource a client’s simple, more commoditized work.
c10.indd 219 11/26/2015 6:32:10 PM
220 Information Systems Sourcing
Farshoring
Farshoring is a form of offshoring that involves sourcing service work to a foreign, lower‐wage country that is relatively far away in distance or time zone (or both). For countries such as the United States and United Kingdom
that outsource large amounts of work, India and China are the most popular farshoring destinations. Ironically,
companies in India and China are now themselves farshoring to countries with lower labor costs.
Nearshoring
Nearshoring , on the other hand, uses providers in foreign, lower‐wage countries that are relatively close in dis- tance or time zones to the client company. With nearshoring, the client company hopes to benefi t from one or more
dimensions of being close: geographic, temporal, cultural, linguistic, economical, political, or historic linkages.
Nearshoring basically challenges the assumption on which farshoring is premised: Distance doesn ’ t matter. The
advocates of nearshoring argue that distance does matter, and when closer on one or more of these dimensions,
the client company faces fewer challenges in terms of communication, control, supervision, coordination, or social
bonding.
Geographic Lens: Corporate Social Responsibility
Many outsourcing clients are increasing their corporate social responsibility (CSR) expectations for themselves
and for their global IS outsourcing providers. Pessimists of global IS outsourcing are concerned that it maximizes
profi t for the rich but offers little or no benefi ts for other groups, especially the poor in developing countries. The
pessimists are concerned that global IS outsourcing will deepen income inequalities and have disruptive effects
on society around the globe. Optimists of global IS outsourcing see it as a way of sharing wealth on a global
basis. It is ethically justifi ed because it can improve effi ciency, help developing countries where unemployment is
very high by providing jobs, lead to transfers of knowledge and information technology, and encourage better
educational systems in less developed countries so that people can do the outsourcing work. Ironically, global IS
outsourcing may benefi t both the more developed origin country (frequently the United States, Western Europe,
and Australia) as well as the destination country through free trade and reduced prices for computers and com-
munications equipment. It also may fuel the creation of high‐level jobs for workers in more developed countries.
To promote corporate social responsibility, both clients and outsourcing providers should implement the
following guidelines: understand relevant CSR regulatory requirements to ensure compliance, establish mea-
sures and report CSR performance and compliance to stakeholders, respond to inquiries about CSR compliance,
embed CSR in ongoing operations, and develop a CSR culture through hiring and education.
Sources: R. Babin and B. Nicholson , “ Corporate Social and Environmental Responsibility and Global IT Outsourcing ,” MIS Quarterly Executive 8 , no. 4 ( 2009 ), 203 – 12 ; Laura D ’ Andrea Tyson , “ Outsourcing: Who ’ s Safe Anymore? ” (February 23, 2004 ) .
FIGURE 10.3 Different forms of sourcing. Source: Adapted from http://www.dbresearch.com/PROD/DBR_INTERNET_EN‐PROD/PROD0000000000179790/Offshoring%3A+ Globalisation+wave+reaches+services+se.PDF (downloaded May 22, 2015).
Insourcing Outsourcing
Domestic (local)
Situation in which a fi rm provides IS services or develops IS in its own in house organization and/or in its local private cloud or, possibly, local community cloud
Purchase of a good or services that was previously provided internally or that could be provided internally but is now provided by an outside domestic outsourcing provider (i.e., onshoring), or outsourced to a rural or local cloud provider
Nondomestic Situation in which a fi rm uses an offshore captive center
Situation when the IS organization uses contractor services in a distant land or in the ether; may include nearshoring, farshoring, cloud computing, or a hybrid captive center
c10.indd 220 11/26/2015 6:32:10 PM
221Sourcing Decision Cycle Framework
Three major global clusters of countries are focused on building a reputation as a home for nearshoring: a cluster
of 20 nations around the United States and Canada, a cluster of 27 countries around Western Europe, and a smaller
cluster of three countries in East Asia: China, Malaysia, and Korea.32
The dimensions of being close clearly extend beyond distance and time zone. For example, language makes
a difference in nearshoring. That is why Latin American nearshoring destinations are appealing to Texas and
Florida where there is a large Spanish‐speaking population and why French‐speaking North African nations are
appealing to France. These dimensions likely play a key role when companies are trying to decide between a near-
shore or farshore destination (particularly India). Ironically, India, which exports roughly five times the software
of the strictly nearshoring nations in the three major nearshoring clusters, is responding to the competitive threat
that these nations pose by offering its clients nearshoring options. For example, India‐based Tata Consulting Ser-
vices (TCS) offers its British clients services that are nearshore (Budapest, Hungary), farshore (India), or onshore
(London, United Kingdom). It is likely that the differentiation based on “distance” will continue to be important
in the outsourcing arena.
Selecting an Offshore Destination: Answering the “Where Abroad?” Question
A difficult decision that many companies face is selecting an offshoring destination. To answer the where abroad question, client companies must consider attractiveness, level of development, and cultural differences.
Attractiveness Approximately 100 countries are now exporting software services and products. For various rea-
sons, some countries are more attractive than others as hosts of offshoring business because of the firm’s geographic
orientation. With English as the predominant language of outsourcing countries (i.e., United States and United
Kingdom), countries with a high English proficiency are more attractive than those where different languages
are spoken. Geopolitical risk is another factor that affects the use of offshore firms in a country. Countries on the
verge of war, with high rates of crime, and with hostile relationships with the client company’s home country are
typically not suitable candidates for this business. Other factors including regulatory restrictions, trade issues, data
security, and intellectual property also affect the attractiveness of a country for an offshoring arrangement. Hiring
legal experts who know the laws of the outsourcing provider’s company can mitigate legal risks. Nonetheless, some
countries are more attractive than others because of their legal systems. The level of technical infrastructure avail-
able in some countries also can add to or detract from the attractiveness of a country. Although a company may
decide that a certain country is attractive overall for offshoring, it still must assess city differences when selecting
an offshore outsourcing provider. For example, Chennai is a better location in India for finance and accounting, but
Delhi has better call center capabilities.33
Some countries have created an entire industry of providing IT services through offshoring. India, for example,
took an early mover advantage in the industry. With a large, low‐cost English‐speaking labor pool, many entre-
preneurs set up programming factories that produce high‐quality software to meet even the toughest standards.
One measure of the level of proficiency of the development process within an IS organization is the Software
Engineering Institute’s Capability Maturity Model (CMM).34 Its Level 1 means that the software development
processes are immature, bordering on chaotic. Few processes are formally defined, and output is highly inconsis-
tent. At the other end of the model is Level 5 in which processes are predictable, repeatable, and highly refined.
Level 5 companies are consistently innovating, growing, and incorporating feedback. The software factories in
many Indian enterprises are well known for their CMM Level 5 software development processes, making them
extremely reliable, and, thus, desirable as vendors. However, if the client company is not at the same CMM level
as the provider, it may want to specify which CMM processes it will pay for to avoid wasting money. Further,
it may seek to elevate its own CMM certification to close the process gap between what it can do and what the
outsourcing provider can do.
32 Erran Carmel and Pamela Abbott, “Why ‘Nearshore’ Means that Distance Matters,” Communications of the ACM 50, no. 10 (October 2007), 40–46. 33 Ben Worthen and Stephanie Overby, “USAA IT Chief Exits” (June 15, 2004), http://www.cio.com/archive/061504/tl_management.html (accessed
August 14, 2005). 34 CMM is now referred to as Capability Maturity Model Integration (CMMI).
c10.indd 221 11/26/2015 6:32:11 PM
222 Information Systems Sourcing
35 Erran Carmel and Paul Tjia, Offshoring Information Technology (Cambridge, UK: Cambridge University Press, 2005). 36 Overby, “The Hidden Costs of Offshore Outsourcing.” 37 Carmel and Tjia, Offshoring Information Technology. 38 Ibid., 181.
Development Tiers A very important factor in selecting an offshore destination is the level of development of
the country, which often subsumes a variety of other factors. For example in the highest tier, the countries have an
advanced technological foundation and a broad base of institutions of higher learning. Carmel and Tjia suggest that
there are three tiers of software exporting nations:35
• Tier 1—Mature software‐exporting nations: These include such highly industrialized nations as the United Kingdom, the United States, Japan, Germany, France, Canada, the Netherlands, Sweden, and Finland. It also
includes the three “I’s” (i.e., India, Ireland, and Israel) that became very prominent software exporters in the
1990s as well as China and Russia, which entered the tier in the 2000s.
• Tier 2—Emerging software‐exporting nations: These nations are the up‐and‐comers. They tend to have small population bases or unfavorable conditions such as political instability or an immature state of economic develop-
ment. Countries in this tier include Brazil, Costa Rica, South Korea, and many Eastern European countries.
• Tier 3—Infant stage software‐exporting nations: These nations have not significantly affected the global software market, and their software industries are mostly “cottage industries” with small, isolated firms.
Some of the 15 to 25 Tier 3 countries are Cuba, Vietnam, and Jordan.
The tiers were determined on the basis of industrial maturity, the extent of clustering of some critical mass of
software enterprises, and export revenues. The higher‐tiered countries tend to offer higher levels of skills but also
charge higher prices.
Cultural Differences Often misunderstandings arise because of differences in culture and, sometimes, language.
For example, GE Real Estate’s CIO quickly learned that U.S. programmers have a greater tendency to speak up and
offer suggestions whereas Indian programmers might think something does not make sense, but they go ahead and
do what they were asked, assuming that this is what the client wants.36 Thus, a project, such as creating an auto-
mation system for consumer credit cards that is common sense for a U.S. worker, may be harder to understand and
take longer when undertaken by an offshore worker. The end result may be a more expensive system that responds
poorly to situations unanticipated by its offshore developers. It is important to be aware of and to manage the risks
due to cultural differences.
Sometimes cultural and other differences are so great that companies take back in house operations that were
previously outsourced offshore. Carmel and Tjia outlined some examples of communication failures with Indian
developers due to differences in language, culture, and perceptions about time:37
• What is funny in one culture is not necessarily funny in another culture.
• Indians are less likely than Westerners, especially the British, to engage in small talk.
• Indians, like Malaysians and other cultures, are hesitant about saying “no.” Answers to questions to which one option for response is “no” are extremely difficult to interpret.
• Indians often are not concerned with deadlines. When they are, they are likely to be overly optimistic about their ability to meet the deadlines of a project. One cultural trainer was heard to say, “When an Indian
programmer says the work will be finished tomorrow, it only means it will not be ready today.”38
Re‐evaluation—Keep as Is or Change Decision
The final decision in the Sourcing Decision Cycle requires an assessment as to whether the sourcing arrangement is
working as it should be. If everything is basically satisfactory, then the arrangement can continue as is. Otherwise,
the arrangement may need to be adjusted. If the arrangement is very unsatisfactory, another outsourcing provider
c10.indd 222 11/26/2015 6:32:11 PM
223Sourcing Decision Cycle Framework
may be selected or backsourcing may occur. Backsourcing is a business practice in which a company takes back in house assets, activities, and skills that are part of its information systems operations and were previously outsourced
to one or more outside IS providers.39 Kellwood, the company described at the beginning of this chapter, frequently
re‐evaluated its outsourcing arrangements and eventually backsourced.
Backsourcing may be partial or complete reversal of an outsourcing contract. A growing number of companies
around the globe have brought their outsourced IS functions back in house after terminating, renegotiating, or let-
ting their contracts expire. Some companies, such as Continental Airlines, Cable and Wireless, Halifax Bank of
Scotland, Sears, Bank One, and Xerox, have backsourced contracts worth a billion dollars or more.
The most expensive contract that was backsourced to date was the one that JP Morgan Chase signed with IBM
for a whopping $5 billion dollars. JP Morgan Chase terminated its contract and brought information systems (IS)
operations back in house only 21 months into a seven‐year mega‐contract. The CIO of JP Morgan Chase, Austin
Adams, stated at that time, “We believe managing our own technology infrastructure is best for the long‐term
growth and success of our company, as well as our shareholders. Our new capabilities will give us competitive
advantages, accelerate innovation, and enable us to become more streamlined and efficient.”40 A number of factors
appear to have played a role in the decision to bring the IS operations back in house. Outsourcing appeared to stag-
nate IT at JP Morgan Chase under the outsourcing arrangement. Another factor is that the company had undergone
a major change with its July 2004 merger with Bank One, which had gained a reputation for consolidating data
centers and eliminating thousands of computer applications. And the man who had played a big role in the consoli-
dation was Bank One’s CIO, Austin Adams. In his new role at JP Morgan Chase, Adams managed the switch from
IBM to self‐sufficiency by taking advantage of the cost‐cutting know‐how he had gained at Bank One. Thus, the
underperforming JP Morgan Chase learned much from the efficient Bank One.41
It is not only large companies that are backsourcing. Small‐ to medium‐size firms also report having negative
outsourcing experiences, and many of these have backsourced or are considering backsourcing. Given the size and
number of the current outsourcing contracts and the difficulties of delivering high‐quality information services and
products, backsourcing is likely to remain an important option to be considered by many client companies.
Ironically, the reasons given for backsourcing often mirror the reasons for outsourcing in the first place. That
is, companies often claim that they backsource to reduce costs and become more efficient. Based on reports in the
popular press, the most common reasons given for backsourcing are a change in the way the IS is perceived by the
organization, the need to regain control over critical activities that had been outsourced, a change in the executive
team (where the new executives favored backsourcing), higher than expected costs, and poor service. The studies
found that backsourcing was not always due to problems. Sometime companies saw opportunities, such as mergers,
acquisitions, or new roles for IS, that required backsourcing to be realized.42
Outsourcing decisions can be difficult and expensive to reverse because outsourcing requires the enterprise to
acquire the necessary infrastructure and staff. Unless experienced IT staff from elsewhere in the firm can contribute,
outsourcing major IT functions means losing staff to either the outsourcing provider or other companies. When IT
staff gets news that their company is considering outsourcing, they often seek work elsewhere. Even when staff
are hired by the outsourcing provider to handle the account, they may be transferred to other accounts, taking with
them critical knowledge. Although backsourcing represents the final decision in one Sourcing Decision Cycle, it
is invariably followed by another cycle of decisions as the company seeks to respond to its dynamic environment.
39 Rudy Hirschheim, “Backsourcing: An Emerging Trend” (1998); Mary C. Lacity and Leslie P. Willcocks, “Relationships in IT Outsourcing: A Stake-
holder’s Perspective,” Framing the Domains of IT Management. Projecting the Future . . . Through the Past, ed. Robert W. Zmud (Cincinnati, OH: Pin- naflex Education Resources, 2000), 355–84. 40 Stephanie Overby, “Outsourcing—and Backsourcing—at JP Morgan Chase” (2005), http://www.cio.com/article/print/10524 (accessed July 23, 2008). 41 Paul Strassmann, “Why JP Morgan Chase Really Dropped IBM” (January 13, 2005), http://www.baselinemag.com/c/a/Projects‐Management/Why‐
JP‐Morgan‐Chase‐Really‐Dropped‐IBM/. 42 N. Veltri, C. Saunders, and C. B. Kavan, “Information Systems Backsourcing: Correcting Problems and Responding to Opportunities” (2008). These
economic and relationship issues are similar to those found in the three empirical studies that have performed backsourcing research to date: Bandula
Jayatilaka, “IS Sourcing a Dynamic Phenomena: Forming an Institutional Theory Perspective,” Information Systems Outsourcing: Enduring Themes, New Perspectives and Global Challenges, ed. Rudy Hirschheim, Armin Heinzl, and Jens Dibbern (Berlin: Springer‐Verlag, 2006), 103–34; R. Hirschheim and M. C. Lacity, “Four Stories of Information Systems Sourcing,” Information Systems Outsourcing: Enduring Themes, New Perspectives and Global Challenges, ed. R. Hirschheim, Armin Heinzl, and J. Dibbern (Berlin: Springer‐Verlag, 2006), 303–46; Dwayne Whitten and Dorothy Leidner, “Bringing IT Back: An Analysis of the Decision to Backsource or Switch Vendors,” Decision Sciences 37, no. 4 (2006), 605–21.
c10.indd 223 11/26/2015 6:32:11 PM
224 Information Systems Sourcing
43 Ibid., 7. 44 Ibid., 122. 45 Masaaki Kotabe and Janet Y. Murray, “Global Sourcing Strategy and Sustainable Competitive Advantage,” Industrial Marketing Management 33 (2004), 7–14. 46 James F. Moore, “Predators and Prey: A New Ecology of Competition,” Harvard Business Review 71, no. 3 (May/June 1993), 75–83. 47 Eaton et al., “Achieving Payoffs from an Industry Cloud Ecosystem at BankID,” 51–60.
Outsourcing in the Broader Context Most of our discussion about outsourcing has focused on the dyadic relationship between a client and its out-
sourcing provider(s). However, as business becomes more complex and organizations become more intertwined
with one another, it becomes increasingly important to consider outsourcing in a broader context that includes stra-
tegic networks and business ecosystems.
Strategic Networks
Typically, outsourcing relationships are couched in terms of an outsourcing provider and a client—just as we
have done in this chapter. A different approach to viewing outsourcing arrangements is the strategic network, a long‐term, purposeful “arrangement by which companies set up a web of close relationships that form a veritable
system geared to providing product or services in a coordinated way.”43 The client company becomes a hub and its
suppliers, including its outsourcing providers, are part of its network. The advantage of the strategic network is that
it lowers the costs of working with others in its network. In doing so, the client company can become more efficient
than its competitors as well as flexible enough to respond to its rapidly changing environment. Perhaps the strategic
network is the best way to think about outsourcing arrangements in today’s world.
An example of a strategic network is a Japanese keiretsu that has a hub company, a policy that encourages spe- cialization within the network, and investments (financial and otherwise) in long‐term relationships.44 Japanese
companies manage their outsourcing activities based on inputs from different types of suppliers.45 The strategic
suppliers (kankei kaisa) fall into the keiretsu category whereas independent suppliers (dokuritsu kaisha) do not. Japanese companies work very closely with other companies in the keiretsu.
Another type of strategic network that increasingly affects outsourcing arrangements is a network with a parent
or multinational organization and a number of its subsidiaries. Often one subsidiary performs outsourcing services
for another subsidiary in the network. Given the increasingly complex structure of today’s multinationals, the role
of strategic networks in outsourcing arrangements is likely to grow.
Business Ecosystems
Digital ecosystems are discussed in Chapter 9. Another type of ecosystem is the business ecosystem, which is defined as “an economic community supported by a foundation of interacting organizations and individuals—the
organisms of the business world.”46 This economic community is comprised of customers, suppliers, lead pro-
ducers, competitors, outsourcing providers, and other stakeholders. Over time, the community members’ invest-
ments, capabilities, and roles become aligned as they all move toward a shared vision.
In Norway, a business ecosystem was created by Norwegian banks using the BankID cloud community dis-
cussed earlier in the chapter.47 The community with its cloud infrastructure was established in 2000 by two major
Norwegian banks. Eventually, other Norwegian banks, the Federation of Norwegian Banking, and the government
joined in as core members to subsidize and nurture the ecosystem. Merchants were brought into the ecosystem
to grow the community and its offerings. Students and landlords were brought in when BankID was expanded to
allow students to pay for their housing online. The BankID ecosystem also includes the main cloud infrastructure
suppliers as core members and equipment vendors and the outsourcing companies as peripheral members. Systems
such as BankID are becoming more and more common.
c10.indd 224 11/26/2015 6:32:11 PM
225Case Study
Where would you go if you needed to fi nd hundreds of people each willing to take on a tiny portion of a large task for minimal
pay? Projects like these include fi lling out surveys, verifying or entering data, writing articles, and transcribing audio fi les.
They are increasingly common in the digital age, so you might turn to an online marketplace such as Crowdsourcing.com,
CrowdFlower , or Amazon ’ s Mechanical Turk where people around the globe go to fi nd work.
Daniel Maloney, an AOL executive, recently turned to crowdsourcing for help inventorying AOL ’ s vast video library.
( Note: This defi nition of crowdsourcing differs from the one used in Chapter 5 as a way to spur innovation. ) He broke the
■ CASE STUDY 10‐1 Crowdsourcing at AOL
S U M M A R Y
• Firms typically face a range of sourcing decisions. The Sourcing Decision Cycle Framework highlights decisions about where the work will be performed. Decisions include insourcing versus outsourcing; onshoring versus cloud com-
puting versus offshoring; and selecting among offshoring options (nearshoring versus farshoring). The cycle involves an
assessment of the adequacy of the IS service/product delivery. The assessment can trigger a new cycle.
• Cost savings or fi lling the gaps in the client company ’ s IT skills are powerful reasons for outsourcing. Other reasons include the ability of the company to adopt a more strategic focus, manage IS staff better, better handle peaks, or consolidate data cen-
ters. The numerous risks involved in outsourcing arrangements must be carefully assessed by IS and general managers alike.
• Full or selective outsourcing offers client companies an alternative to keeping top‐performing IS services in house. These fi rms can meet their outsourcing needs by using single‐vendor or multiple‐vendor models (multisourcing).
• Cloud computing allows client fi rms to buy the exact amount of storage, computing power, security, or other IT functions that they need, when they need it. It includes infrastructure as a service (IaaS), platforms as a service (PaaS),
and software as a service (SaaS).
• Offshoring may be performed in a country that is proximate along one or a number of dimensions (nearshoring) or that is distant (farshoring). Offshoring must be managed carefully and take into consideration functional differences.
• As business becomes more complex, outsourcing should be considered in the broader context of strategic networks and business ecosystems.
D I S C U S S I O N Q U E S T I O N S
1. The make‐versus‐buy decision is important every time a new application is requested of the IS group. What, in your opinion, are the key reasons an IS organization should make its own systems? What are the key reasons it should buy an application?
2. Is offshoring a problem to your country? To the global economy? Please explain.
3. When does cloud computing make sense for a large corporation that already has an IS organization? Give an example of cloud computing that might make sense for a start‐up company.
4. Does a captive center resolve the concerns managers have about outsourcing to a third party vendor? Why or why not?
K E Y T E R M S
backsourcing (p. 223)
business ecosystem (p. 224)
captive center (p. 210)
cloud computing (p. 216)
community cloud (p. 218)
crowdsourcing (p. 214)
farshoring (p. 220)
full outsourcing (p. 215)
hybrid cloud (p. 218)
insourcing (p. 210)
IT multisourcing (p. 215)
nearshoring (p. 220)
offshoring (p. 219)
onshoring (p. 218)
outsourcing (p. 211)
private clouds (p. 218)
public cloud (p. 218)
selective outsourcing (p. 215)
service level agreements
(SLA) (p. 215)
strategic network (p. 224)
c10.indd 225 11/26/2015 6:32:11 PM
226 Information Systems Sourcing
The road to Altia Business Park in San Pedro Sula, Honduras, is quite memorable. On one side of the road are gated com-
munities with small but neatly maintained stucco houses. On the other side of the road is a small river with clear running
water. One bank of the river is covered with tightly cramped shanties. Further down the road towers a 13‐story monolith
in black glass. This is the home of Altia Business Park, a technological park developed by Grupo Karims , a multinational
corporation with core businesses in textiles and real estate and operations in Asia, North America, Central America, and the
Caribbean. The building is antiseismic and Leed Certifi ed, which means that it follows green building practices. It is energy
self‐suffi cient and connected to North and South America through three fi ber optic submarine cables. The building is the
fi rst of two that will comprise the Business Park.
On a recent visit, Corporate Marketing Director Barbara Rivera guided an American student group through the marbled
halls of the building. She introduced Marcus, who was a manager in the call center in the building. Marcus explained that
call center business, especially to North America, was picking up. He was born and raised in the United States and graduated
from the University of Maryland. Because he could not fi nd work in the United States upon graduation, he moved to Hon-
duras where he has family. Rivera also introduced Lena, a 20‐something professional, who spoke to the visiting group in
perfect English, complete with current idioms. Lena had recently graduated from a university in Honduras with a master ’ s
degree in graphical design. She said this degree was very helpful in managing the room full of graphic designers working for
the company that maintains the Web site for Sandal Resorts. Rivera told the visitors that the average salary of the workers in
■ CASE STUDY 10‐2 Altia Business Park
large job into microtasks and described the tasks that he needed to be done on Mechanical Turk. In particular, each worker
was asked to fi nd Web pages containing a video and identify the video ’ s source and location on those pages. The over
one‐half million workers that were registered at Mechanical Turk could read about the tasks and decide if they wanted to
perform them.
Using the crowdsourcing service, the AOL project took less than a week to get up and running and only a couple of
months to reach completion. The total cost was about as much as it would have been to hire two temp workers for the same
period.
Maloney was pleased with the cost savings and added, “We had a very high number of pages we needed to process. Being
able to tap into a scaled work force was massively helpful.” 48 However, he really did not know very much about the workers
who did the work for AOL, and he likely had to make sure that their work was done correctly.
Critics of crowdsourcing feel it can lead to “digital sweatshops,” where workers, many of whom may be underage, put
in long hours to generate very little pay and no benefi ts. Some also believe that crowdsourcing will eliminate full‐time jobs.
The crowdsourcing marketplace services counter that they are trying to register stay‐at‐home parents or college students
with spare time.
Discussion Questions
1. Is crowdsourcing as used by AOL a form of outsourcing? Why or why not?
2. What steps do you think Maloney might have taken to ensure that the crowdsourcing would be a success for the inventory
project?
3. What factors should be considered when deciding whether to crowdsource a particular part of a business?
4. Describe the advantages and disadvantages of crowdsourcing.
Sources: http://aws.amazon.com/mturk (accessed April 17, 2012); Haydn Shaughnessy , “ How to Cut Consulting Costs by 90% and Keep Your Talent Happy! ” www.forbes.com (accessed April 16, 2012) ; Scott Kirsner , “ My Life as a Micro‐Laborer ,“ www.boston.com (accessed April 1, 2012) ; R. E. Silverman , “ Big Firms Try Crowdsourcing ,” http://online.wsj.com/article/SB10001424052970204409004577157493201863200. html?mod=djem_jiewr_IT_domainid (accessed November 2, 2011) (accessed January 17, 2012) .
48 R. E. Silverman , “ Big Firms Try Crowdsourcing ” (January 17, 2012 ), http://online.wsj.com/article/SB10001424052970204409004577157493201863200.
html?mod=djem_jiewr_IT_domainid (accessed November 2, 2011) .
c10.indd 226 11/26/2015 6:32:11 PM
227
49 The GDP was $4,300 at the time of the case according to CIA—World Fact Book—Honduras, https://www.cia.gov/library/publications/the‐world‐
factbook/geos/ho.html (accessed February 13, 2012); GDP is now $4,800, https://www.cia.gov/library/publications/the‐world‐factbook/geos/ho.html
(accessed March 9, 2015); and 65% of the population still live below the poverty line; see also http://hondurasoutsourcing.nearshoreamericas.com/.
the companies in the Business Park was $4,800 a year 49 and people were eager to get the jobs because of the excellent pay in
a country where 65% of the population lives below the poverty line. The country has a literacy rate of 84.3%, and 47% of the
employable work force is between the ages of 20 and 34, so the competition for good jobs can be fi erce. Honduras actually
has more English speakers as a proportion of population than the average Central American economy.
Discussion Questions
1. Discuss offshoring from the perspective of potential workers in your country. Discuss offshoring from the perspective
of potential workers in Honduras.
2. Barbara Rivera is marketing Altia Business Park as a nearshoring site to companies in North America. What character-
istics make it a desirable nearshoring site to them?
3. Is this a good idea to market Altia Business Park as a nearshoring site to people in North America? Why or why not?
Case Study
c10.indd 227 11/26/2015 6:32:11 PM
228
11 chapter
Managing IT Projects
The Rural Payments Agency (RPA), an agency responsible for administering agricultural subsidies
to farmers in the United Kingdom (U.K.) blamed poor planning and lack of testing of its IT system
for delays in paying out £1.5 billion of European Union (EU) subsidies. 1 The U.K. government
developed a complex system for administering the Single Payment Scheme, which maps farmers’
land to a database that was used to calculate subsidy payments. By the end of 2006, only 15% of
the subsidies had been paid to farmers and, as a result, a large number of farmers faced bankruptcy
after not receiving subsidies due. Problems still plagued the system in early 2012 when the RPA ’ s
CEO stated that the agency had deep‐rooted problems that included inaccurate data sources of past,
present, and future scheme claims, a lack of standard processes and controls, aging systems, unsuit-
able technology, and an organizational structure and associated corporate services that did not offer
a good fi t with the RPA ’ s purpose. The agency ’ s new three‐year framework document included a
vision of openness, effi ciency, simplifi cation, availability of authoritative data, and a promise of
correcting the problems in early 2014. 2
In 2014, the Single Payment Scheme was indeed rolled out two months ahead of the adjusted
deadline, but the story does not end there. In response to new agreements in the EU, the RPA
announced a new system, the Basic Payment Scheme, which repaired some inequities and allowed
richer data to be collected. That system was intended to be 100% online and required farmers to ver-
ify their identity and accurately measure and map their properties, including certain surface features
of the property such as terrain and vegetation. 3
In January 2015, the identity verifi cation process proved to be a barrier for many farmers because
it was diffi cult to use. A telephone service for assistance was consequently overloaded and diffi cult
or impossible to reach. 4 Also, even with only a few farmers online, the servers operated at 100% of
capacity, and the system became intolerably slow. 5 In March, the CEO announced that “all farmers
A major function of the information systems (IS) organization always has been to build and implement systems. This chapter begins with a discussion about defi ning a project and identifying key players and then follows up with a description of how information tech- nology (IT) projects are managed. Various system development methodologies and approaches are introduced and compared. The chapter concludes with a discussion of two critical management areas for project success: risk management and change management.
1 At that time, that amount represented about U.S.$2.77 billion when the exchange rate was £1.7 to U.S.$1.00. By spring, 2015, the
exchange rate had dropped to £1.52 to U.S.$1.00. 2 Warmwell postings (February 26, 2012), http://www.warmwell.com/rpa.html (accessed April 10, 2012). 3 Warmwell postings (June 2014), http://www.warmwell.com/rpa.html (accessed September 1, 2015). 4 Warmwell postings (January 2015), http://www.warmwell.com/rpa.html (accessed September 1, 2015). 5 Bryan Glick , “ What Went Wrong with Defra ’ s Rural Payment Scheme? ” Computer Weekly (March 20, 2015 ), http://www. computerweekly.com/news/2240242763/What‐went‐wrong‐with‐Defras‐rural‐payments‐system (accessed September 1, 2015) .
c11.indd 228 11/26/2015 7:35:04 PM
229Managing IT Projects
6 Warmwell postings (March 20, 2015), http://www.warmwell.com/rpa.html (accessed September 1, 2015). 7 Warmwell postings (July 20, 2010), http://www.warmwell.com/rpa.html (accessed April 10, 2012). 8 Adapted from http://www.silicon.com/publicsector/0, 3800010403, 39168359, 00.htm (accessed July 28, 2008); “Review Calls for Rationalisation of
Rural Payments Agency IT Systems,” Computing.co. United Kingdom (July 21, 2010), http://www.computing.co.uk/ctg/news/1842966/review‐calls‐
rationalisation‐rural‐payments‐agency‐it‐systems (accessed January 22, 2012). 9 Glick, “What Went Wrong with Defra’s Rural Payment Scheme?” 10 Parliamentary business report (March 24, 2015), http://www.publications.parliament.uk/pa/cm201415/cmselect/cmenvfru/942/94203.htm (accessed
September 1, 2015). 11 The information from the Standish Group CHAOS Report for 2006 was quoted in C. Sauer, A. Gemino, and B. H. Reich, “The Impact of Size and
Volatility on IT Project Performance,” Communications of the ACM 50, no. 11 (November 2007), 79–84.
are now being offered the opportunity to complete applications on paper,” using forms that were “tried and tested”
in the past.6
An independent watchdog group investigated the situation and learned that the implementation of the system
began before final specifications and regulations were agreed on by the European Commission (the executive body
of the European Union). The RPA then had to make many substantial changes to the system after implementation.
Further, the investigation found that testing did not take into account the real environment, leading to unanticipated
work to populate the database with what has now been realized to be largely inaccurate data. Four separate govern-
mental reviews have all been deeply critical of the system and its implementers. The RPA’s July 2010 report com-
mented, “the review process was made unnecessarily difficult by the RPA leadership resisting its commencement.”7
Despite receiving three “red” warnings from the Office of Government Commerce during reviews, the imple-
mentation continued. Time was not built into the schedule for testing the whole system as well as the individual
components. The components were not compatible with the business processes they were supposed to support.8
The Single Payment Scheme system itself has cost £350 million, which is considerably more than the original esti-
mated cost of £75.5m. An additional £304 million has been spent on staff costs to respond to the early payment
fiascos. As of March 2015, the Single Payment Scheme has been abandoned and the Basic Payment Scheme cost
an additional £154 million but does not work properly.9 All told, since the project began, £600 million in EU fines
had accumulated.10
This example highlights the possible financial and social consequences of a failed IS project. Such failures occur
at an astonishing rate. The Standish Group, a technology research firm, found that 67% of all software projects are
challenged—that is, are delivered late, are over budget, or simply fail to meet their performance criteria.11 Business
projects increasingly rely on IS to attain their objectives, especially with the increased focus of business over the
Internet. Thus, managing a business project means managing, often to a large degree, an IS project. To succeed, a
general manager must be both a project manager and a risk manager.
In the current business environment, the quality that differentiates firms in the marketplace—and destines them
for success or failure—is often the ability to adapt existing business processes and systems to produce innovative
ideas faster than the competition. The process of continual adaptation to the changing marketplace drives the need
for business change and thus for successful project management. Typical adaptation projects include the following:
• Rightsizing the organization
• Re‐engineering business processes
• Adopting more comprehensive, integrative processes
• Incorporating new information technologies
Projects are made up of a set of one‐time activities that transforms a set of resources into a new information
system. Firms seek to compete through new products and processes, but the work of initially building or radically
changing them falls outside the scope of normal business operations. That is where projects come in. When work
can be accomplished only through methods that fundamentally differ from those employed to run daily operations,
the skilled project manager must play a crucial role.
Successful business strategy requires executive management to decide which objectives can be met through
normal daily operations and which require a specialized project. Rapidly changing business situations make it dif-
ficult to keep the IT projects aligned with dynamic business strategy. Furthermore, the complexity of IT‐intensive
c11.indd 229 11/26/2015 7:35:04 PM
230 Managing IT Projects
12 Project Management Institute, A Guide to the Project Management Body of Knowledge, 3rd ed. (Newtown Square, PA: Project Management Institute, 2004), 5. 13 Ibid., 24.
projects has increased over the years, magnifying the risk that the finished product or process will no longer satisfy
the needs of the business originally targeted to benefit from the project in the first place. Thus, learning to man-
age projects successfully, especially their IT component, is a crucial competency for every manager. Executives
acknowledge skilled IT project management as fundamental to business success.
This chapter provides an overview of what a project is and how to manage one. It begins with a general discussion
of project management and then continues with aspects of IT‐intensive projects that make them uniquely challeng-
ing. It identifies the issues that shape the role of the general manager in such projects and help them to manage risk.
Finally, the chapter considers what it means to successfully complete IT projects.
What Defines a Project? In varying degrees, organizations combine two types of work—projects and operations— to transform resources
into profits. Both types are performed by people and require a flow of limited resources. Both are planned, executed,
and controlled. The flight of an airplane from its point of departure to its destination is an operation that requires
a pilot and crew, the use of an airplane, and fuel. The operation is repetitive: After the plane is refueled and main-
tained, it takes new passengers to another destination. The continuous operation the plane creates is a transporta-
tion service. However, developing the design for such a plane is a project that may require years of work by many
people. When the design is completed, the work ends. Figure 11.1 compares characteristics of both project and
operational work. The last two characteristics are distinctive and form the basis for the following formal definition:
[A] project is a temporary endeavor undertaken to create a unique product, service or result. Temporary means that
every project has a definite beginning and a definite end12 [emphasis added].
All projects have stakeholders. Project stakeholders are the individuals and organizations that either are involved in the project or whose interests may be affected as a result of the project.13 The most obvious project
stakeholders are the project manager and project team. But other stakeholders include the project sponsor who
typically is a general manager who provides the resources for the project and who often expects to use the project
deliverables. Customers, also stakeholders, are individuals or organizations who use the project product. Multiple
layers of customers may be involved. For example, the customers for a new pharmaceutical product may include
the doctors who prescribe the medications, the patients who take them, and the insurers who pay for them. Finally,
employees in the organization undertaking the project are stakeholders with varying degrees of involvement.
To organize the work of a project team, the project manager may break a project into subprojects. He or she
then organizes these subprojects around distinct activities, such as quality control testing. This organization method
allows the project manager to contract certain kinds of work externally to limit costs or other drains on crucial
project resources. At the macro level, a general manager may choose to organize various projects as elements of a
larger program if doing so creates efficiencies. A program is a collection of related projects that is often related to
FIGURE 11.1 Characteristics of operational and project work.
Characteristics Operations Projects
Purpose To sustain the enterprise To reach a specific goal or accomplish a task
Trigger to change Operation no longer allows an enterprise to meet its objectives
Project goal is reached or task is completed
Quality control Formal Informal
Product or service Repetitive Unique
Duration Ongoing Temporary
c11.indd 230 11/26/2015 7:35:04 PM
231What Is Project Management?
a strategic organizational objective.14 There is often some uncertainty about how that objective will be achieved. For
example, total quality management (TQM) and workplace safety are programs,15 and each might involve several IT (and non‐IT) projects. TQM might require projects to develop defect databases, deploy on‐line training pro- grams, and implement measurement systems to track improvements. Other programs include the space program or
the development of Boeing’s Dreamliner. Such programs provide a framework from which to manage competing
resource requirements and assign priorities among a set of projects.
What Is Project Management? Project management is the “application of knowledge, skills, tools, and techniques to project activities in order to meet project requirements.”16 Project management always involves continual trade‐offs, and it is the manager’s
job to manage them. Even the tragic sinking of the Titanic has been attributed, in part, to project trade‐offs. The company that built the Titanic, Harland and Wolff of Belfast, Northern Ireland, had difficulty finding the millions of rivets it needed for the three ships it was building at the same time. Under time and cost pressures to build these
ships, the company managers decided to sacrifice quality by purchasing low‐grade rivets that were used on some
parts of the Titanic. When making the trade‐offs, it was unlikely that the company’s management knew that they were purchasing something so substandard that their ship would sink if it hit an iceberg. Nonetheless, the trade‐off
proved disastrous.17
The three well‐known trade‐offs are depicted in the project triangle (see Figure 11.2), which highlights the
importance of balancing scope, time, and cost. Scope may be subdivided into that of the product (the detailed description of the system’s quality, features, and functions) and of the project itself (the work required to deliver
a product or service with the intended product scope). Time refers to the time required to complete the project, whereas cost encompasses all the resources required to carry out the project. In the tragic case of the Titanic, the managers were willing to trade off quality for lower‐cost rivets that allowed them to build all three ships (scope) in a more timely fashion (time). In contrast, a successful balance of scope, time, and cost yields a high‐quality project—one in which the needs and expectations of the users are met.
The tricky part of project management is successfully juggling these three elements. Changes in any one of the
sides of the triangle affect one or both of the other sides. For example, if the project scope increases, more time
and/or more resources (cost) are needed to do the additional work. This increase in scope after a project has begun
is aptly called scope creep. In most projects, only two of these elements can be optimized, and the third must be adjusted to maintain
balance. A project can be finished in a specific amount of time for a specific budget, but then the scope must be
adjusted accordingly. Or if the project is needed quickly and with a specific scope, then the cost must be adjusted
Time Cost
Quality
Scope
FIGURE 11.2 Project triangle.
14 Savvy Project Manager (April 9, 2008), https://thesavvypm.wordpress.com/2008/04/09/definition‐of‐program‐vs‐project/ (accessed September 1, 2015). 15 Dan Friedmann, “Program vs. Project Management,” http://www.proj‐mgt.com/PMC_Program_vs_Project.htm (accessed September 1, 2015). 16 Ibid., 8. 17 This research was described in J. H. McCarty and T. Foecke, What Really Sank the Titanic (New York: Citadel Press, 2008) and is based on J. H. McCarty, PhD Thesis, The Johns Hopkins University (2003).
c11.indd 231 11/26/2015 7:35:04 PM
232 Managing IT Projects
accordingly. It is usually not possible to complete a project cheaply, quickly, and with a large scope. To do so usu-
ally means introducing errors and completion at a quality level that is too low for acceptance testing. The reasoning
is that many cutting‐edge technologies can be acquired, but they are often proprietary and unique, requiring steep
fees or specialized “rock star” developers to adapt or install them. The final choice is to attempt to build an excel-
lent system cheaply; however, it will take a long time if the firm waits for competing vendors to offer less expensive
alternatives. Sometimes a firm might hire college interns with up‐to‐date, excellent skills at a very low rate, but
their availability is often limited because of classes, homework, or exams. If a firm waits several years, it might find
technologies available at no cost from an open source provider.
It is important that the project stakeholders decide on the overriding “key success factor” (i.e., time, cost, or
scope) although the project manager has the important responsibility of demonstrating to the stakeholders the
impact on the project of selecting any of these. In the RPA case at the beginning of this chapter, scope was a key
success factor that was managed inappropriately, ultimately resulting in a much longer time and much higher cost.
But the key success factor is only one metric to use when managing a project. Stakeholders are concerned about
all facets of the project. Measuring and tracking progress is often done by tracking time (How are we doing com-
pared to the schedule?), cost (How are we doing compared to the budget?), scope (Are we on track to provide the
intended functionality?), resources (How much of our resources have we consumed so far?), quality (Is the quality
of the output/deliverables at the level required for success?), and risks (How are we doing managing the risk asso-
ciated with this project?).
A successful business project often begins with a well‐written business case that spells out the components of the
project. The business case clearly articulates the details of the project and argues for resources for it. For example,
UPS prioritizes projects on the strength of their business cases and financial metrics. They also make nonfinancial
considerations such as weighing international projects more heavily to spur the company’s growth.18 The compo-
nents of a business case and common financial metrics are discussed in Chapter 8.
The process used to develop the business case sets the foundation for the project itself. Therefore, detailed
planning and contingency planning are important parts of project management. It is often in the planning phase
that implementation issues, areas of concern, and gaps are first identified. Further, a strong business plan developed
from the business case gives all members of the project team a reference document to help guide decisions and
activities.
Project management software is often used to manage projects and keep track of key metrics. A recent well‐
known survey by Capterra19 revealed that the top five project management systems are Microsoft Project, Atlassian
Jira, Podio, Smartsheet, and Basecamp but that 13 others are used by at least 200,000 users. Those packages can
keep track of team members, deliverables, schedules, budgets, priorities, tasks, and other resources. Many of these
systems provide a dashboard of key metrics to help project managers quickly identify areas of concern or poten-
tially critical issues that need attention. Some packages have “moved to the cloud” and enable employees to access
status reports and plans anywhere.20
Organizing for Project Management Although managing projects is not a new set of activities for management, it is a struggle for many to bring a project
in on time, on budget, and within scope. Some organizations create a project management office (PMO), which is a department responsible for boosting efficiency, gathering expertise, and improving project delivery. A PMO oper-
ates at the project level and often is tasked with accomplishing goals defined in various organizational programs.
A PMO is created to bring discipline to the project management activities within the enterprise. The Sarbanes–
Oxley Act is also a driver because it forces companies to pay close attention to project expenses and progress.
18 UPS, “IT Governance: The Key to Aligning Technology Initiatives with Business Direction,” http://www.pressroom.ups.com (accessed July 22, 2008). 19 Jordan Barrish, “The 20 Most Popular Project Management Software Products” (November 13, 2013), http://blog.capterra.com/20‐popular‐project‐
management‐software‐products‐infographic/ (accessed September 2, 2015). 20 Don Reisinger, “10 Cloud‐Based Project Management Tools to Serve Every Company’s Needs” (July 5, 2013), http://www.eweek.com/cloud/
slideshows/10‐cloud‐based‐project‐management‐tools‐to‐serve‐every‐companys‐needs (accessed September 2, 2015).
c11.indd 232 11/26/2015 7:35:04 PM
233Project Elements
Although companies may not immediately realize cost savings, the increased efficiencies and project discipline
from a PMO may eventually lead to cost savings.
PMOs can be expected to function in the following seven areas, according to CIO Magazine:
• Project support
• Project management process and methodology
• Training
• Project manager home base
• Internal consulting and mentoring
• Project management software tools and support
• Portfolio management (managing multiple projects)
The responsibilities of a PMO range widely based on the preferences of the chief information officer (CIO)
under which the PMO typically falls. Sometimes the PMO is simply a clearinghouse for best practices in project
management, and other times it is the organization that more formally manages all major projects. At risk
management company Assurant Group, for example, a number of project managers work in the PMO under the
direction of the chief operating officer (COO). Using well‐defined software development and project management
methodologies, these PMO managers work with business managers to refine their project management efforts—
from requirements definition to postimplementation audits. Within four years of the installation of its PMO, 97%
of Assurant’s projects were delivered on schedule and within budget.21
Project Elements Project work requires in‐depth situational analyses and the organization of complex activities into often coincident
sequences of discrete tasks. The outcomes of each activity must be tested and integrated into the larger process to
produce the desired result. The number of variables affecting the performance of such work is potentially enormous.
Four elements essential for any project include (1) project management, (2) a project team, (3) a project cycle
plan, and (4) a common project vocabulary. Project management includes the project sponsor who initiates the
project and a project manager who makes sure that the entire project is executed appropriately and coordinated properly. A good project manager defines the project scope realistically, and then manages the project so that it can
be completed on time and within budget.
The project team has members who work together to ensure that all parts of the project come together correctly
and efficiently. The plan represents the methodology and schedule to be used by the team to execute the project.
Finally, a common project vocabulary allows all those involved with the project to understand the project and com-
municate effectively.
It is essential to understand the interrelationships among these elements and with the project itself. Both a com-
mitment to working together as a team and a common project vocabulary must permeate the management of a
project throughout its life. The project plan consists of the sequential steps of organizing and tracking the work of
the team. Finally, the project manager ensures the completion of work by team members at each step of the project
cycle plan (see later discussion) and as situational elements evolve throughout the project cycle.
Project Management
Two key players in project management are the sponsor and the manager. The project sponsor liaises between the
project team and the other stakeholders. The sponsor is the project champion and works with the project manager
in providing the leadership to accomplish project objectives. Often the sponsor is a very senior‐level executive in
21 M. Santosus, “Why You Need a Project Management Office (PMO),” http://www.cio.com/article/29887/Why_You_Need_a_Project_Management_
Office_PMO_/1 (accessed July 15, 2008).
c11.indd 233 11/26/2015 7:35:05 PM
234 Managing IT Projects
the firm, someone who has influence with the key stakeholders and C‐level team. The project sponsor secures the
financial resources for the project.
The project manager is central to the project. The project manager role is not an easy one because it requires a
range of management skills to make the project successful. The challenge facing a project manager is to learn and
apply these skills properly in the situations that require them. The skills include (1) identifying requirements of
the systems to be delivered, (2) providing organizational integration by defining the team’s structure, (3) assigning
team members to work on the project, (4) managing risks and leveraging opportunities, (5) measuring the project’s
status, outcomes, and exceptions to provide project control, (6) making the project visible to general management
and other stakeholders, (7) measuring project status against plan, often using project management software,
(8) taking corrective action when necessary to get the project back on track, and (9) providing project leadership.
The first three of these skills are formulative; they require considerable planning and designing ability. The remain-
ing skills are all about taking action and reacting. When a project deviates from its desired path, corrective action
is needed to get it back on track.22
Another way to understand this list of skills is that the last one, providing project leadership, guides the first
eight skills. Lack of leadership can result in unmotivated or confused people doing the wrong things and ultimately
derailing the project. Strong project leaders skillfully manage team composition, reward systems, and other tech-
niques to focus, align, and motivate team members. Figure 11.3 reflects the inverse relationship between the mag-
nitude of the project leader’s role and the experience and commitment of the team. In organizations with strong
processes for project management and professionals trained for this activity, the need for aggressive project lead-
ership is reduced.
A number of factors influence project managers and, ultimately, their team’s performance. These include orga-
nizational culture and socioeconomic influences. Organizational culture affects the leadership style of the project manager and the communication between team members. For example, a culture that rewards individual achieve-
ment over team participation may hinder a project team. Members might hoard information instead of sharing it.
A leader who sets a good example for the team and who encourages teamwork has the opportunity to eliminate
these barriers. Socioeconomic influences on projects include government and industry standards, globalization, and cultural issues.
Project Team
The project team consists of those people who work together to complete the project. Business teams often fail
because members don’t understand the nature of the work required to make their team effective. Teamwork
begins by clearly defining the team’s objectives and each member’s role in achieving these objectives. Teams
More
leadership
needed
Less
leadership
needed
No PM process exists
Team is new to PM process
Team does not value process
PM process exists
Team is fully trained in process
Team values process
Project leadership
PM process
FIGURE 11.3 Project leadership versus project management (PM) process.
22 Adapted from K. Forsberg, H. Mooz, and H. Cotterman, Visualizing Project Management (Hoboken, NJ: John Wiley, 1996).
c11.indd 234 11/26/2015 7:35:05 PM
235Project Elements
need to have norms about conduct, shared rewards, a shared understanding of roles, and team spirit. Project
managers should leverage team member skills, knowledge, experiences, and capabilities when assigning the
team members to complete specific activities on an as‐needed basis. In addition to completing their team activ-
ities, team members also represent their departments and transmit information about their department to other
team members. Such information sharing constitutes the first step toward building consensus on critical project
issues that affect the entire organization. Thus, effective project managers use teamwork both to organize and
apply human resources, to motivate an acceptance of change, and to collect and share information throughout
the organization.
Project Cycle Plan
The project cycle plan organizes discrete project activities and sequences them in steps along a timeline so that the
project fulfills the requirements of customers and stakeholders. It identifies critical beginning and end dates and
breaks the work spanning these dates into phases. Using the plan, the time and resources needed to complete the
work based on the project’s scope are identified, and tasks are assigned to team members. The general manager
tracks the phases to coordinate the eventual transition from project to operational status, a process that culminates
in the “go‐live” date. The project manager uses the phases to control the progress of work. He or she may estab-
lish “control gates” at various points along the way to verify that project work to date has met key requirements
regarding cost, quality, and features. If it has not met these requirements, he or she can make changes, which could
also delay the project plan’s “go‐live” date.
The project cycle plan can be developed using various approaches and software tools. The three most common
approaches are the project evaluation and review technique (PERT), critical path method (CPM), and Gantt chart.
PERT identifies the tasks within the project, orders them in a time sequence, identifies their interdependencies, and
estimates the time required to complete the task. The critical path is a set of important tasks that must be performed sequentially without skipping any of them. Together, these critical tasks account for the total elapsed time of the
project. Noncritical tasks are those that can be performed in parallel and for which some slack time can be built into
the schedules without affecting the duration of the entire project. A PERT chart is shown in Figure 11.4. Note that
talking with a selected group of customers must be done before holding the first approval meeting. Likewise, that
meeting must be held before the needs assessment can be completed.
CPM is a project planning and scheduling tool that is similar to PERT. Unlike PERT, CPM incorporates a
capability for identifying relationships between costs and the completion date of a project and the amount and
value of resources that must be applied in alternative situations. The two approaches differ in terms of time
estimates. PERT builds on broad estimates of the time needed to complete project tasks. It takes into account
the optimistic, most probable, and pessimistic time estimates for each task. In contrast, CPM assumes that
all time requirements for completion of individual tasks are relatively predictable. Because of these differ-
ences, CPM tends to be used on projects for which direct relationships can be established between time and
resources (costs).
Gantt charts are commonly used as visual tools for displaying time relationships of project tasks and for mon-
itoring the progress toward project completion. Gantt charts list project tasks. For each task, a bar indicates the
relative amount of time expected to complete the task. Milestones (i.e., due dates) are noted with diamonds. At the
start of the project, Gantt charts are especially useful for planning and monitoring purposes. As the project prog-
resses, the chart is modified to reflect the extent to which each task is completed at the time the project is monitored.
A Gantt chart is displayed in Figure 11.5.
Figure 11.6 presents a comparison of a generic project cycle plan, the Project Management Institute’s project life
cycle, and a typical high‐tech commercial business cycle. Notice that although each of these life cycles has unique
phases, all can loosely be described by three major periods (shown at the top of the diagram): study, implementa-
tion, and operations.
Projects are all about change. They bring new products, services, or systems into organizations or make them
available for the organization’s customers. These project deliverables need to be integrated into the organization’s
(or its customers’) operations. Not surprisingly, the three major periods in the project life cycle in Figure 11.6
c11.indd 235 11/26/2015 7:35:05 PM
236
c11.indd 236 11/26/2015 7:35:05 PM
1
Begin initiation phase
0 days
1/15/16 1/15/16
Hold approval meeting 1
1 day
2/5/16 2/5/16
5
Begin background reading
12 days
1/15/16 1/30/16
2
Conduct feasibility study
10 days
1/15/16 1/28/16
3
Talk with select group of customers
15 days
1/15/16 2/4/16
4
Begin requirements definition phase
0 days
2/5/16 2/5/16
6
Define problem
3 days
2/6/16 2/10/16
7
Conduct needs assessment
5 days
2/6/16 2/12/16
8
Hold approval meeting 2
1 day
2/13/16 2/13/16
9
10
Begin functional design phase
0 days
2/12/16 2/12/16
Develop specifications
14 days
2/14/16 3/5/16
11
Begin conceptual system design
5 days
3/6/16 3/12/16
12
Hold approval meeting 3
1 day
3/13/16 3/13/16
13 ID
Name
Duration
Start Finish
Critical
Noncritical Noncritical Milestone
Critical Milestone
Key
FIGURE 11.4 PERT chart.
237
c11.indd 237 11/26/2015 7:35:05 PM
ID
1
2
3
4
5
6
7
8
9
10
11
12
13
Task Name
Begin initiation phase
Begin background reading
Conduct feasibility study
Talk with select group of customers
Hold approval meeting 1
Begin requirements definition phase
Define problem
Conduct needs assessment
Hold approval meeting 2
Begin functional design phase
Develop specifications
Design conceptual system
Hold approval meeting 3
Duration
0 days
12 days
10 days
15 days
1 day
0 days
3 days
5 days
1 day
0 days
14 days
5 days
1 day
15 18 21 24 27 30 2 5 8 11 14 17 20 23 26 1 4 7 10
1/15
2/5
2/13
February March
Task Split Progress Milestone
FIGURE 11.5 Gantt chart.
238
c11.indd 238 11/26/2015 7:35:05 PM
FIGURE 11.6 Project cycle template. Source: Adapted from K. Forsberg, H. Mooz, and H. Cotterman, Visualizing Project Management, 3rd ed. (Hoboken, NJ: John Wiley, 2005). Used with permission.
Study Period Implementation Period Operation Period
Typical High-Tech Commercial Business
Product requirements
Product definition
Product proposal
Product development
Engineer model
Internal test External test Production Manufacturing sales and support
Generic Systems Development Life Cycle Template (See also Figure 11.7 for more detail)
Initiation and feasibility
Requirements definition
Functional design
Technical design and construction
Verification Implementation Maintenance and review
Project Management Institute Process Groups in a Project Life Cycle
Initiating Planning Executing Monitoring and controlling
Closing
239IT Projects
(study, implementation, and operations) correspond respectively to Lewin’s classic change model introduced in
Chapter 4: unfreezing, changing, and refreezing.23 First, according to Lewin, people need to be given a motivation
for change in the unfreezing stage. People don’t want to change unless they see some reason for doing so. This is
what happens in the study period when it is determined what needs to be changed and why. The project sponsor
is often a key mover in providing answers to these questions. Then in the changing stage, when the system is built
(or purchased) and installed, people in the organization are made aware of what the change is and receive training
about how to take advantage of it. It is not possible for people to fully understand the change until the implemen-
tation period, after the service, product, or system has been designed or built, and they are then trained to use it.
Those on the project team can better understand what the project deliverable is and why it was designed the way it
was. Finally, the refreezing stage occurs when the organization helps the employees integrate the change into their
normal way of working. This occurs in the operations period.
Common Project Vocabulary
Typical project teams include a variety of members from different backgrounds and parts of the organization. Often
the team is made up of consultants who are new to the organization, a growing number of technical specialists,
and business members. Each area of expertise represented by team members uses a different technical vocabulary.
For example, an accountant in a manufacturing firm might consider the “end of year” to be June 30, the end of the
company’s fiscal year, but a sales representative might consider the “end of year” as December 31 when the frantic
sales activity ends for a while. Also, an executive might refer to the sale of a subsidiary as a “sale” whereas an
accountant would call it a “divestment.” When used together in the team context, these different vocabularies make
it difficult to carry on conversations, meetings, and correspondence.
To avoid misunderstandings, project team members need to commit to a consistent meaning for terms used on
their project. After agreeing on definitions and common meanings, the project team should record and explain the
terms in its own common project vocabulary. The common project vocabulary includes many terms and meanings
that are unfamiliar to the general manager and the team’s other business members. To improve their communica-
tions with general managers, users, and other nontechnical people, technical people should limit their use of acro-
nyms and cryptic words and should strive to place only the most critical ones in the common project vocabulary.
Good management of the common project vocabulary, the project management, the project team, and the project
life cycle are all essential to project success.
IT Projects An IT project is a specific type of business project. One industry saying is that there is no such thing as an IT
project; all projects are really business projects involving varying degrees of IT. Sometimes managing the IT com-
ponent of a project is referred to separately as an IT project not only for simplicity but also because the business
world perceives that managing an IT project is somehow different from managing any other type of project. How-
ever, projects done by the IT department typically include an associated business case and other components of
business projects; even though the project owner may be an IT person, mounting evidence indicates that IT projects
are just business projects involving significant amounts of technology. However, the more complex the IT aspect of
the project is, the higher is the risk of failure of the project, which makes these types of projects worthy of special
consideration.
IT projects are difficult to estimate despite the increasing amount of attention given to mastering this task. Like
the case of the RPA’s Single Payment Scheme, most software projects fail to meet their schedules and budgets.
Managers attribute that failure to poor estimating techniques, poorly monitored progress protocols, and the misin-
formed idea that schedule slippage can be solved by simply adding additional people to the team.24 This fallaciously
23 Kurt Lewin, “Frontiers In Group Dynamics II. Channels of Group Life; Social Planning and Action Research,” Human Relations 1, no. 2 (1947): 143–53. 24 Frederick Brooks, The Mythical Man‐Month: Essays on Software Engineering (Reading, MA: Addison‐Wesley, 1982).
c11.indd 239 11/26/2015 7:35:05 PM
240 Managing IT Projects
assumes not only that people and months are interchangeable but also that if the project is off schedule, it may be
that it was incorrectly designed in the first place, and putting additional people on the project just hastens the pro-
cess to an inappropriate end.
Many projects are measured in terms of function points, or the functional requirements of the software product, which can be estimated earlier than total lines of code. Others are measured in “man‐months,” the most common
unit for discussing the size of a project. For example, a project that takes 100 man‐months means that it will take
one person 100 months to do the work, or 10 people can do it in 10 months.
A recent study found that managing projects using the man‐months metric was linked to more underperforming
projects than those using any other metric of size (i.e., budget, duration, team size).25 Man‐months may be a poor
metric for project management because some projects cannot be sped up with additional people. An analogy is that
of pregnancy. It takes one woman nine months to carry a baby, and putting nine people on the job for one month
cannot speed that process. Software systems often involve highly interconnected, interdependent, and complex sets
of tasks that rely on each other to make a completed system. Further, adding people means that more communica-
tion is needed to coordinate all the team members’ activities. In sum, additional people can speed the process in
some cases, but most projects cannot be made more efficient simply by adding talent. Often, adding people to a late
project only makes the project later.26
IT Project Development Methodologies and Approaches The choice of development methodologies and managerial influences also distinguishes IT projects from other pro-
jects. The general manager needs to understand the issues specific to the IT aspects of projects to select the right
management tools for the particular challenges presented in such projects. The systems development life cycle (SDLC) is a traditional tool for developing IS or for implementing software developed by an outsourcing provider or software developer. Many steps in the SDLC are used by other methodologies, although not to the same extent.
For example, most other methodologies try to determine user needs and test the new system, even though these
other methodologies don’t perform all of the other steps in the SDLC. Thus, this chapter provides greater detail on
SDLC than on the other methodologies. The SDLC discussion is followed by a short description of two key itera-
tive approaches—agile programming and prototyping.
Systems Development Life Cycle
Systems development refers to the set of activities used to create an IS, a process in which the phases of the project are well documented, milestones are clearly identified, and all individuals involved in the project fully understand
what exactly the project consists of and when deliverables are to be made. The SDLC typically refers to the pro-
cess of designing and delivering the entire system. Although the system includes hardware, software, networking,
and data (as discussed in Chapter 6), the SDLC generally is used in one of two distinct ways. On the one hand, it
is the general project plan of all the activities that must take place for the entire system to be put into operation,
including the analysis and feasibility study, development or acquisition of components, implementation activities,
maintenance activities, and retirement activities. In the context of an information system, however, the term SDLC can refer to a highly structured, disciplined, and formal process for design and development of system software.
In either view, the SDLC is grounded on the systems approach and allows the developer to focus on system goals
and trade‐offs.
The SDLC approach is much more structured than other development approaches, such as agile programming
or prototyping. However, despite being a highly structured approach, no single well‐accepted SDLC process exists.
For any specific organization, and for a specific project, the actual tasks under each phase may vary. In addition,
the checkpoints, metrics, and documentation may vary somewhat. The SDLC typically consists of seven phases
(see Figure 11.7).
25 Sauer, Gemino, and Reich, “The Impact of Size and Volatility on IT Project Performance.” 26 Brooks, The Mythical Man‐Month.
c11.indd 240 11/26/2015 7:35:06 PM
241IT Project Development Methodologies and Approaches
Phase Description Sample Activities
Initiation and feasibility
Project is begun with a formal initiation and overall project is understood by IS and user/ customers.
• Document project objectives, scope, benefits, assumptions, constraints, estimated costs and schedule, and user commitment mechanisms
• Plan for human resources, communication, risk management, and quality
Requirements definition
The system specifications are identified and documented.
• Define business functionality; review existing systems • Identify current problems and issues, potential solutions • Identify and prioritize user requirements • Develop user acceptance plan, user documentation needs,
and user training strategy
Functional design
The system is designed. • Complete a detailed analysis of new system including entity‐ relationship diagrams, data flow diagrams, and functional design diagrams
• Define security needs; revise system architecture • Identify standards; define systems acceptance criteria • Define test scenarios • Revise implementation strategy • Freeze design
Technical design and construction
The system is built or a purchased system is customized and implemented.
• Finalize architecture, technical issues, standards, and data needs • Complete technical definition of data access, programming
flows, interfaces, special needs, inter‐system processing, conversion strategy, and test plans
• Construct system • Monitor and control the development process • Revise schedule, plan, and costs, as necessary
Verification The system is reviewed to make sure it meets specifications and requirements.
• Finalize verification testing, user testing, security testing, error‐handling procedures, acceptance testing, end‐user training, documentation, and support
Implementation The system is brought up for use.
• Put system into production environment • Establish security procedures • Deliver user documentation • Execute training and complete monitoring of system
Maintenance and review
The system is maintained and repaired as needed throughout its lifetime.
• Run system • Conduct user review and evaluation • Conduct internal review and evaluation • Check metrics to ensure usability, reliability, utility, cost,
satisfaction, business value, etc. • Fix errors and add new features • Ensure contract closure
Note that system construction or acquisition cannot begin until the requirements are specified and the functional
and technical designs are completed. After the new system is built or bought, it is tested, and users must approve
it before the implementation phase can begin. The implementation phase is the “cutover” where the new system
is put in operation and all links are established. Cutover may be performed in several ways: The old system may
run alongside the new system (parallel conversion), the old system may stop running as soon as the new system is installed (direct cutover), or the new system may be installed in stages across locations, or in phases. The safest way to convert from an old system to a new system is parallel conversion because if the new system fails, users
easily can revert to the old system. The riskiest approach is direct cutover because there is no backup system to
turn to in the event of problems with the new system. Usually direct cutover is reserved for small, less‐critical sys-
tems or for systems that weren’t previously available. An instance when direct cutover was a good idea was Dagen
H (Högertrafik) Day, September 3, 1967, when Swedish drivers were to change from driving on the left‐hand to
FIGURE 11.7 Systems development life cycle (SDLC) phases.
c11.indd 241 11/26/2015 7:35:06 PM
242 Managing IT Projects
the right‐hand side of the road. On Dagen H Day, all non‐essential vehicles needed to be off the roads between
1:00 and 6:00 p.m. Those that remained pulled over at 4:50 p.m, moved carefully to the right‐hand side of the road,
and remain stopped for the next ten minutes. Then at 5:00 p.m, they were permitted to proceed.27
Also, note that implementation is not the final stage. Periodic evaluation is conducted in the maintenance
and review stage to ensure that the project continues to meet the needs for which it was designed. The system
development project is evaluated using postproject feedback (sometimes called postimplementation audit) from all involved in the project. Postproject feedback brings closure to the project by identifying what went right and what
could be done better next time. Maintenance is conducted on the system and enhancements made until it is decided
that a new system should be developed and the SDLC begins anew. The maintenance and review phase is typically
the longest phase of the life cycle.
Agile Development
Several problems arise with using traditional SDLC methodology for newer IT projects. First, many systems pro-
jects fail to meet objectives even with the structure of the SDLC. The primary reason is often because the skills
needed to estimate costs and schedules are difficult to obtain, and each project is often unique so that previous expe-
rience may not provide the skills needed for the current one. Second, even though objectives that were specified
for the system were met, those objectives may reflect a scope that is too broad or too narrow or has changed since
the project was initiated. Thus, the problem that the system was designed to solve may or may not still exist, or the
opportunity that it was to capitalize on may not be appropriately leveraged. Third, organizations need to respond
quickly because of the dynamic nature of the business environment. Not enough time is available to adequately
complete each step of the SDLC for each IT project. Newer methodologies designed to address these concerns use
an iterative approach (Figure 11.8).
One of the dangers developers face is expecting a predictable development process when in reality it’s not
predictable at all. In response to this challenge, agile development methodologies are being championed. These include extreme programming (XP), crystal, scrum, feature‐driven development, and dynamic system development
method (DSDM). To deal with unpredictability, agile methodologies tend to be people‐ rather than process‐ oriented.
They adapt to changing requirements by iteratively developing systems in small stages and then testing the new
code extensively. The mantra for agile programming is “Code a little; test a little.” Some agile methodologies build
on existing methodologies. For example, DSDM is an extension of rapid applications development (RAD) used
in the United Kingdom that draws on the underlying principles of active user interaction, frequent deliveries, and
empowered teams. It incorporates a project planning technique that divides the schedule into a number of sepa-
rate time periods (timeboxes) with each part having its own deliverables, deadline, and budget. DSDM is based on
four types of iterations: study (business and feasibility), functional model, design and build, and implementation.
These iterations occur (and recur) in cycles of between two and six weeks. In contrast is XP, a more prescriptive
agile methodology that revolves around 12 practices, including pair programming, test‐driven development, simple
design, and small releases.28
System as
originally
conceptualized
Version 1
Iteration 1
Iteration 2
Iteration “n” Version 2
Version “n”
(still subject to
revision)
FIGURE 11.8 Iterative approach to systems development.
27 H. Dagen, Wikipedia, http://en.wikipedia.org/wiki/Dagen_H (accessed September 2, 2015). 28 Kent Beck, Extreme Programming Explained: Embrace Change (Reading, MA: Addison‐Wesley Longman, 1999).
c11.indd 242 11/26/2015 7:35:06 PM
243IT Project Development Methodologies and Approaches
Although it allows speedy development and creates happy customers, there are some downsides to agile
development. For large projects, it is difficult to estimate the effort that will be required. Further, in the rush to
get the project completed, designing and documentation might be underemphasized. Also, an agile development
project can easily get off track if the customer representatives are not clear about what final outcome they want.
Prototyping
Another iterative approach is prototyping, a type of evolutionary development that uses the method of building systems in which developers get a general idea of what is needed by the users and then build a fast, high‐level ver-
sion of the system at the beginning of the project. The idea of prototyping is to quickly get a version of the software
in the hands of the users and to jointly let the system evolve through a series of iterative cycles of design. In this
way, the system is done either when the users are happy with the design or when the system is proven impossible,
too costly, or too complex. Some IS groups use prototyping as a methodology by itself because users are involved
in the development much more closely than is possible with the traditional SDLC process. Users see the day‐to‐day
growth of the system and contribute frequently to the development process. In other cases, prototyping is used as a
phase in the SDLC to capture project requirements. Through this iterative process, the system requirements usually
are made clear.
There are several drawbacks to prototyping. First, documentation may be more difficult to write as the system
evolves, because of frequent changes over time. Second, users often do not understand that a final prototype may
not be scalable to an operational version of the system without additional costs and organizational commitments.
Once users see a working model, they typically assume that the work is also almost done, which is not usually the
case. An operational version of the system needs to be developed using enterprise‐level tools rather than desktop
tools. In many cases, a system built with desktop tools can serve only one or a small number of users at a time. An
enterprise‐ready system can often serve hundreds or thousands of users simultaneously. A seemingly operational
version may be difficult to complete because the user is unwilling to give up a system that is up and running, and
she or he often has unrealistic expectations about the amount of work involved in creating an enterprise‐ready ver-
sion. This reluctance leads to the fourth drawback. Because it may be nearly impossible to definitively say when the
prototype is complete, the prototyping development process may be difficult to manage.
A fifth problem with prototyping is caused by the difficulty of integration across a broad range of requirements;
this approach is best suited for “quick‐and‐dirty” types of systems. Developers should rely on a more structured
approach such as the SDLC for extremely large and complex systems. Finally, because of the speed of development
and reliance on a small number of people for quick (perhaps hasty) feedback, there may be flaws in the system’s
design. The advantages and disadvantages of the SDLC, agile development, and prototyping approaches are sum-
marized in Figure 11.9.
Other Development Methodologies and Approaches
A variety of other methodologies and approaches exist. These include RAD; joint applications development; user‐
centered design; object‐oriented analysis, design, and development; and open sourcing.
Rapid Applications Development and Joint Applications Development
Rapid applications development (RAD) is similar to prototyping in that it is an interactive process, in which tools are used to drastically speed the development process. RAD systems typically have tools for developing the user
interface—called the graphical user interface (GUI)—reusable code, code generation, and programming language testing and debugging. These tools make it easy for the developer to build a library of standard sets of code (some-
times called objects) that can easily be used (and reused) in multiple applications. Similarly, RAD systems typically have the ability to allow the developer to simply “drag and drop” many objects such as buttons, tables, menus, and
drop‐down lists into the design, and the RAD system automatically writes some or all of the code necessary to
include the desired functionality. Even platforms like Facebook and Web hosting sites such as WordPress allow the
user to create feature‐rich sites without writing a single line of computer code.
c11.indd 243 11/26/2015 7:35:06 PM
244 Managing IT Projects
Finally, RAD includes a set of tools to create, test, and debug the programs written in the pure programming lan-
guage. However, one must remember that “a fool with a tool is still a fool.” RAD is more than just using advanced
systems development tools. Rather, it is about making systems developers work more effectively.
RAD is commonly used for developing user interfaces and rewriting legacy applications. It may incorporate
prototyping to involve users early and actively in the design process. Although RAD is an approach that works well
in the increasingly dynamic environment of systems developers, it does have some drawbacks. Sometimes basic
principles of software development (e.g., programming standards, documentation, data‐naming standards, backup,
and recovery) are overlooked in the race to finish the project. Also, the process may be so speedy that requirements
are frozen too early.29 As a result, systems developed by using RAD may lack quality.
Joint applications development (JAD) is a version of RAD or prototyping in which users are more integrally involved, as a group, with the entire development process up to and, in some cases, including coding. JAD uses a
group approach to elicit requirements in a comprehensive manner. Interviewing groups of users saves interviewing
and data collection time, but it can be expensive in terms of the travel and living expenses needed to get the partic-
ipants together.
User‐Centered Design
User‐centered design uses tools for RAD, JAD, agile development, and prototyping to provide assurance that users’ needs will be met. Early in the process, users are involved on the project team and are asked to evaluate
impacts on system utility, usability, organizational/social/cultural impact, and the holistic human experience. The
goals of user‐centered design are to improve efficiency and reduce effort; reduce or prevent errors; strive for a fit
between the user’s task, the information provided, and the format of the information provided; enable an enjoyable,
engaging, and satisfying interaction experience; promote trust; and keep the design simple.30
FIGURE 11.9 Comparison of IT development methodologies.
Methodology Advantages Disadvantages
SDLC • Has a structured approach with milestones and approvals for each phase
• Uses system approach • Focuses on goals and trade‐offs • Emphasizes documentation • Requires user sign‐offs
• Has systems that often fail to meet objectives • Needs skills that are often difficult to obtain • Has scope that may be defined too broadly or
too narrowly • Is very time consuming
Agile development
• Is good for adapting to changing requirements
• Is good for understanding and responding to changing user requirements
• Allows face‐to‐face communication and continuous inputs from users
• Speeds up development process • Is liked by users
• Is hard to estimate system deliverables at start of project
• Underemphasizes designing and documentation
• Is easy to get project off track if user not clear about what the final outcome should be
Prototyping • Improves user communications • Is liked by users • Speeds up development process • Is good for eliciting system requirements • Provides a tangible model to serve as
basis for production version
• Is often underdocumented • Is not designed to be an operational version • Often creates unrealistic expectations • Has a difficult‐to‐manage development process • End result is often difficult to integrate • Is more likely to experience design flaws than
in SDLC • Is often hard to maintain
29 Joey F. George, “The Origins of Software: Acquiring Systems at the End of the Century,” Framing the Domains of IT Management, ed. R. Zmud ( Cincinnati, OH: Pinnaflex Education Resources, 2000). 30 Dov Te’eni, Jane Carey, and Ping Zhang, HCI: Developing Effective Organizational Information System (New York: John Wiley, 2006).
c11.indd 244 11/26/2015 7:35:06 PM
245IT Project Development Methodologies and Approaches
The U.S. government maintains the Web site Usability.gov, which provides over 200 design guidelines, such as
“do not require users to remember information from place to place on a Web site” and “make upper and lower case
search terms equivalent.” Each guideline provides an assessment of importance and the strength of evidence that
supports it.31 Although it might be difficult to remember and follow hundreds of recommendations, heeding them
will likely reduce frustration and confusion and perhaps save millions of dollars by reducing the amount of main-
tenance that could be needed.
However, the guidelines do not cover all possible ways in which to simplify design and engage users. Some of
the most popular technologies, such as those from Apple, Microsoft, and Google, offer particular usability advan-
tages and disadvantages. Apple’s famous designs have led to long lines in front of retail outlets when new products
are introduced. Most have been wildly successful with notably few exceptions. In 2000, Microsoft offered a touch-
screen‐capable PC operating system when it introduced Windows XP, one of its most popular operating systems
ever. Interestingly, when the interface was adapted in 2012 to include larger icons, making for easier finger targets
using a special “tiled” display in Windows 8, users balked at the change. Windows 10 moved back to a more “clas-
sic” look and feel. Apple’s OSX exhibits a future touchscreen path with a large icon screen “app” view. Google
quietly adapted its Android and Chromebook software to conform to its material design approach in which system
elements look and behave like tactile reality, image choices are bold and intentional, and motion is used to convey
meaningful feedback and guidance on what to do next.32
Often technologies fail but form the basis of very successful products as time goes on. For example, Apple’s
Newton boasted ground‐breaking mobile device features but relied on hardware of its time—the early 1990s—and
users found it slow with a dim screen and short‐lived batteries. Twenty years later, better screens, processors, and
batteries became available, and Apple tried again with an unprecedented successor to the Newton that also served as
a phone, music player, and camera: the iPhone. It is obvious that the iPhone has revolutionized not only the product
category and the entire company but also the entire electronics industry.
These examples demonstrate that in software projects, usability has great commercial value in the marketplace.
Research on usability and the user experience (UX) has been conducted for decades, but many systems even today
are not very usable. For instance, smartphones and tablets famously lack an “undo” function, often requiring users
to start from scratch if they press the wrong key.33Web sites sometimes use language in their links that is unfamiliar
to users, and it is difficult to understand precisely where to click next. Search functions sometimes fail to unearth
the desired results. Users just simply dislike some designs, such as the unusual “tile” design of Windows 8 that was
discarded in Windows 10 in the summer of 2015.
Why do these failures occur? First, product delivery deadlines sometimes push usability to the back burner
because feature lists tend to be the main force in selling software.34 Also, usability involves a large number of dis-
ciplines, such as psychology, graphic art, Internet technologies, and business needs. It is difficult to master a large
set of tools from so many disciplines.35 Finally, systems are quite complex and are difficult to test thoroughly from
a usability standpoint.36 Testing requires designing a comprehensive list of tasks to perform, assembling groups of
users who try to perform them, and acting on feedback received by observing errors, confusion, and misinterpre-
tations. One encouraging factor is that over time, most poor systems suffer a Darwinian fate: They must evolve or
die. The fit survivors will eventually either outnumber the endangered ones or perhaps serve as good examples to
those that started out poorly.
31 Usability.Gov. Research Based Web Design and Usability Guidelines, Department of Health and Human Services and General Services Administration,
http://www.usability.gov/sites/default/files/documents/guidelines_book.pdf (accessed September 2, 2015). 32 Google, http://www.google.com/design/spec/material‐design/introduction.html#introduction‐principles (accessed September 2, 2015). 33 D. Norman and J. Nielsen, “Gestural Interfaces: A Step Backward In Usability,” Interactions (2010). 34 Chris Ward, “Feature‐zilla! Will Featureful Kill Usable on the Web?” January 23, 2014, http://www.sitepoint.com/featureful‐vs‐usable/ (accessed
September 2, 2015). 35 K. Instone, “User Experience: An Umbrella Topic,”CHI’05 Extended Abstracts on Human Factors in Computing Systems (Association for Computing Machinery, 2005), 1087–88. 36 Jim Ross, “17 Usability Testing Myths and Misconceptions” (January 5, 2015), http://www.uxmatters.com/mt/archives/2015/01/17‐usability‐testing‐
myths‐and‐misconceptions.php (accessed September 2, 2015).
c11.indd 245 11/26/2015 7:35:06 PM
246 Managing IT Projects
Object‐Oriented Development
Object‐oriented development is becoming increasingly popular as a way to avoid the pitfalls of procedural method-
ologies. Object‐oriented development, unlike more traditional development using the SDLC, builds on the concept
of objects. An object encapsulates both the data stored about an entity and the operations that manipulate that data. A program developed using an object orientation is basically a collection of objects. The object orientation makes
it easier for developers to think in terms of reusable components. Using existing components can save program-
ming time. Such component‐based development, however, assumes that the components have been saved in a
repository and can be retrieved when needed and assumes that the components in the programs in newly developed
information systems can communicate with one another.
Open Sourcing Approach
Linux, the brainchild of Linus Torvalds, is a world‐class operating system created from part‐time hacking by sev-
eral thousand developers scattered all over the planet and connected only by the Internet. This system was built
using a development approach called open sourcing, or building and improving “free” software by an Internet community. The brilliance of Linux was that Torvalds took a very powerful but proprietary operating system, Unix,
and rewrote it to make it available as an open source. In fact, the kernel of Linux contains the statement, “Linux is
a Unix clone written from scratch by Linus Torvalds with assistance from a loosely‐knit team of hackers across the
Net.”37 Torvalds managed the development process by releasing early and often, delegating as much as possible,
being open to new ideas, and archiving and managing the various versions of the software.
Eric Raymond, the author of The Cathedral and the Bazaar, suggests that the Linux community resembles a great bazaar of differing agendas and approaches (with submissions from anyone) out of which a coherent and stable system emerged. This development approach is in contrast to cathedrals in which software is carefully
crafted by company employees working in isolation. The most frequently cited example of a cathedral is Micro-
soft, a company known, if not ridiculed, for espousing a proprietary approach to software development.38 However,
Microsoft has endorsed a movement toward open source code in many of its projects.39 One example is the adoption
of open XML file formats to replace the proprietary and secret formats in previous versions of Word, PowerPoint,
and Excel files.40
Software is open source software (OSS) if it is released under a license approved by the Open Source Initiative (OSI). The most widely used OSI license is the GNU general public license (GPL), which is premised on the con-
cept of free software. Free software offers the following freedoms for the software users:
• To run the program for any reason you want
• To study how the program works and to adapt it to your needs, assuming you have access to the source code
• To distribute copies so that you can help your neighbor
• To improve and release your improvements to the public so that the whole community benefits, assuming you have access to the source code41
A user who modifies the software must observe the rule of copyleft, which stipulates that the user cannot add restrictions to deny other people their central freedoms regarding the free software.
Open sourcing is a movement that offers a speedy way to develop software. Further, because it is made available
to a whole community, testing is widespread. Finally, its price is always right—it is free. However, a number of
managerial issues are associated with its use in a business organization.
37 See the “read‐me” file at https://www.kernel.org/pub/linux/kernel/README (accessed September 2, 2015). 38 Eric S. Raymond, “The Cathedral and the Bazaar,” http://www.catb.org/~esr/writings/cathedral‐bazaar/cathedral‐bazaar/ (accessed June 4, 2012). 39 Microsoft. “Openness,” http://openness.microsoft.com/blog/ (accessed September 2, 2015). 40 Microsoft. “Overview of the XML file formats in Office 2010,” https://technet.microsoft.com/en‐us/library/cc179190.aspx (accessed September 2,
2015). 41 GNU Project—Free Software Foundation, “The Free Software Definition,” http://www.gnu.org/philosophy/free‐sw.html (accessed February 27, 2002).
c11.indd 246 11/26/2015 7:35:07 PM
247Managing IT Project Risk
• Preservation of intellectual property: The software is open to the whole community. It cannot be sold, and its use cannot be restricted. Thus, the community is the “owner” of the code. But how are the contributions
of individuals recognized?
• Updating and maintaining open source code: A strength of the open source movement is that it is open to the manipulation of members of an entire community. That very strength makes it diffi cult to channel the
updating and maintenance of code.
• Competitive advantage: Because the code is available to all, a company would not want to open‐source a system that it hopes can give it a competitive advantage.
• Tech support: The code may be free, but technical support usually isn ’ t. Users of an open‐source system must still be trained and supported.
• Standards: Standards are open. Yet, in a technical world that is fi lled with incompatible standards, open sourcing may take a very long time to provide a viable strategy for its many organizations.
Applications written following the open source standards were initially rejected by corporate IT organizations.
Executives wondered how code that was free, open, and available to all could be counted on to support critical
business applications. However, executives began to see the benefi ts of open source code after OSI created a series
of examples and case studies that highlighted the benefi ts. In addition to Linux, Android (Google’s smartphone
operating system), Mozilla (a popular Web browser core), Apache (Web server), PERL (Web scripting language),
OpenOffi ce (a Sun Microsystems ‐originated set of offi ce applications that support the Microsoft Offi ce suite for-
mats), and PNG (graphics fi le format) are examples of very popular software that is based on open source efforts.
Advances in the applications available on the Internet, particularly many of the Web 2.0 applications that are mak-
ing their way slowly into the corporate infrastructure, are open sourced. Corporations are learning to manage the
open‐source process by more clearly stating their requirements and interfacing with developers on what typically
begin as their noncore or least critical systems (those that, if copied, do not endanger the fi rm).
Many good references are available for systems development, but further detail is beyond the scope of this text.
The interested general manager is referred to a more detailed systems development text for a deeper understanding
of this critical IS process.
Managing IT Project Risk IT projects are often distinguished from many non‐IT projects on the basis of their high levels of risk. Although
every manager has an innate understanding of what risk is, there is little consensus as to its defi nition. Risk is
perceived as the possibility of additional cost or loss due to the choice of an alternative. Some alternatives have a
Social Business Lens: Mashups
Social IT applications are often designed with an open architecture to make them easy to adapt. One way orga-
nizations take advantage of this feature and create new applications is by using mashups . These are Web apps
that combine other apps to create a new app, data, functionality, and even interface. The goal of a mashup is to
be able to create new applications quickly using existing applications, data, and infrastructure. Some mashups are
used internally within a fi rm, but others are set up on the Web and become a new app.
An example of a mashup is Zillow.com, the real estate Web site. It has a relationship with numerous data pro-
viders across the country and accesses public records, which are used in its service. But in addition, Zillow uses
Google ’s street views and displays the Google logo. It also uses home data from walkscore.com and gives
credit to that site for that data. In 2012, Zillow launched a social home shopping site, called Neighborhood Advice,
which links users’ search for a home with information about their community of friends on Facebook. Zillow then
displays circles on a map to indicate where the user ’ s friends live or have checked in, enabling the user to locate
areas where they have many, or few, friends.
c11.indd 247 11/26/2015 7:35:07 PM
248 Managing IT Projects
lower associated risk than others. Risk can be quantified by assigning a probability of occurrence and a financial
consequence to each alternative. We consider project risk to be a function of complexity, clarity, and size.42
Complexity
The first determinant of risk on an IT project is its complexity level, or the extent of difficulty and number of inter-
dependent components. Several factors contribute to increased complexity in IT projects. The first is the sheer
pace of technological change. The increasing numbers of products and technologies affecting the marketplace
cause rapidly changing views of any firm’s future business situation. For example, introducing a new development
approach such as open sourcing creates significantly different ideas in people’s minds about the future direction of
IT development in the firm. Such uncertainty makes it difficult for project team members to identify and agree on
common goals. This fast rate of change also creates new vocabularies to learn as technologies are implemented,
which can undermine effective communication.
The development of more complex technologies accelerates the trend toward increased specialization among
project team members and multiplies the number of interdependencies that must be tracked in project management.
Team members must be trained to work on the new technologies. More subprojects must be managed, which, in
turn, means developing a corresponding number of interfaces to integrate the pieces (i.e., subprojects) back into
a whole.
High complexity played a part in the 2008 failure at Heathrow Airport’s terminal 5.43 The project involved
180 IT suppliers and over 160 IT systems. There are more than 9,000 devices connected to the system along with
another 2,100 PCs. The system includes 175 lifts (elevators), 131 escalators, and 18 kilometers of conveyor belts
for baggage handling. According to the British Airports Authority (BAA), “It has taken 400,000 man‐hours of
software engineering just to develop the complex system, and coding work is set to continue even after the initial
installation begins.”44 The British Airways CIO was quoted as saying that “the construction of T5 involved creating
a small town with a full telecommunications network for the construction workers, merely to enable the terminal to
be built.”45 But the failure in 2008 resulted in canceled flights, lost baggage, substantial delays, and frustrated cus-
tomers and employees. According to blogger Michael Krigsman, “The systems incorporated in T5 severely taxed
BA’s planning, testing and deployment capabilities.”46
Complexity can be determined once the context of a project has been established. Consider the hypothetical case
of a manager given six months and $500, 000 to build a corporate Web site to sell products directly to customers.
Questions that might be used to build context for this case include the following:
• How many products will this Web site sell?
• Will this site support global, national, regional, or local sales?
• How will this sales process interface with the existing customer fulfillment process?
• Does the company possess the technical expertise in house to build the site?
• What other corporate systems and processes will this project affect?
• How and when will these other systems be coordinated?
42 The ideas were derived from this source, but we used different names and expanded the application. L. Applegate, F. W. McFarlan, and J. L. McKenney,
Corporate Information Systems Management: Text and Cases, 5th ed. (Homewood, IL: Irwin/McGraw‐Hill, 1999). 43 Michael Krigsman, “IT Failure at Heathrow T5: What Really Happened” (April 7, 2008), blogs.zdnet.com/projectfailures/?p=681 (accessed September
2, 2015). 44 Ibid. 45 CIO UK, www.cio.co.uk/concern/change/news/index.cfm?articleid=2487&pn=2 (accessed April 11, 2012). 46 Michael Krigsman, “IT Failure at Heathrow T5: What Really Happened.”
c11.indd 248 11/26/2015 7:35:07 PM
249Managing IT Project Risk
Clarity
A project is risky if it is hard to define. Clarity is concerned with the ability to define the requirements of a
system. A project has low clarity if the users cannot easily state their needs or define what they want from
the system. A project also has low clarity if user demands for the system or regulations that guide its structure
change considerably over the life of the project. A project with high clarity is one in which the systems require-
ments do not change and can be easily documented. A payroll package that calculates gross pay and deductions
and then automatically deposits net pay into predetermined bank accounts is an example of a high‐clarity project
for most firms; each firm could likely use exactly the same package with minimal tailoring. In contrast, one of the
authors interviewed a developer on a low‐clarity project that was to monitor competitor advertising. The system
measured magazine ads by the square inch and radio and TV ads by the minute. There was no established single
way in which this monitoring had to take place, and various other options were viable, such as measuring the use
of particular words, humor, or particular types of images. The field was, and still is, quite undefined as to what it
means to monitor competitors’ ads.
Size
Size also plays a big role in project risk. All other things being equal, big projects are riskier than small ones.
A project can be considered big if it has the following characteristics:
• Large budget relative to other budgets in the organization
• Large number of team members (and, hence, a large number of man‐months)
• Large number of organizational units involved in the project
• Large number of programs/components
• Large number of function points
• Large number of source lines of code (i.e., the number of lines of code in the software product’s source file)
It is important to consider the relative size. At a small company with an average project budget of $30,000,
$90,000 would be a large project. However, to a major corporation that just spent $2 million implementing an ERP,
a $90,000 budget would be peanuts.
Managing Project Risk Level
Risk management is usually a two‐stage process: first the risk is assessed and then actions are taken to control it.47
The project’s complexity, clarity, and size determine the level of risk. Varying levels of these three determinants
differentially affect the amount of project risk. At one extreme, large, highly complex projects that are low in clarity
are extremely risky. In contrast, small projects that are low in complexity and high in clarity have low risk. Every-
thing else is somewhere in between.
The level of risk determines how formal the project management system and detailed the planning should be.
When it is difficult to estimate how long or how much a project will cost because it is so complex or what should
be done because its clarity is so low, using formal management practices or planning is inappropriate. A high level
of planning makes it almost impossible in these circumstances because of the uncertainty surrounding the project
and makes it difficult to adapt to external changes that are bound to occur. On the other hand, formal planning tools
47 R. Schmidt, K. Lyytinen, M. Keil, and P. Cule, “Identifying Software Project Risks: An International Delphi Study,” Journal of Management Information Systems 17, no. 4 (Spring 2001), 5–36.
c11.indd 249 11/26/2015 7:35:07 PM
250 Managing IT Projects
may be useful in low‐risk projects because they can help structure the sequence of tasks and provide realistic cost
and time targets.48
Managing the Complexity Aspects of Project Risk
The more complex the project, the greater is the risk. The increasing dependence on IT in all aspects of business
means that managing the risk level of such a project is critical to a general manager’s job. Organizations increas-
ingly embed IT more deeply into their business processes, not only raising efficiency but also increasing risk. Many
companies now rely entirely on IT for their revenue‐generating processes whether the processes use the Internet or
not. For example, airlines depend on IT for generating reservations and ultimately sales. If the reservation system
goes down, that is, if it fails, agents simply cannot sell tickets. In addition, even though the airplanes technically can
fly if the reservation system fails, the airline cannot manage seat assignments, baggage, or passenger loads without
the reservation system. In short, the airline would have to stop doing business should its reservation system fail.
That type of dependence on IT raises the risk levels associated with adding or changing the system. A manager may
adopt several strategies in dealing with complexity, including leveraging the technical skills of the team, relying on
consultants to help deal with project complexity, and a host of internal integration strategies.
Leveraging the Technical Skills of the Team When a project is complex, it is helpful to have a project manager
with experience in similar situations or who can translate experiences in many different situations to a new com-
plex one. For projects high in complexity, it also helps to have team members with significant work experience,
especially if it is related.
Relying on Consultants and Vendors Few organizations develop or maintain the in‐house capabilities they need
to complete complex IT projects. Risk‐averse managers want people who possess crucial IT knowledge and skills.
Often that skill set can be attained only from previous experience on similar IT projects. Such people are easier to
find at consulting firms because consultants’ work is primarily project based. Consulting firms rely on processes
that develop the knowledge and experience of their professionals. Thus, managers often choose to “lease” effective
IT team skills rather than try to build them with their own people. However, the project manager must balance the
benefits achieved from bringing in outsiders at the cost of not developing in house the skill set that the outsiders
have. When the project is over and the consultants leave, will the organization be able to manage without them?
Having too many outsiders on a team also increases the difficulty of alignment. Outsiders may have different objec-
tives, such as selling more business or learning new skills, which might conflict with the project manager’s goal
for the project.
Integrating Within the Organization Highly complex projects require good communication among the team
members, which helps them to operate as an integrated unit. Ways of increasing internal integration include holding
frequent team meetings, documenting critical project decisions, and conducting regular technical status reviews.49
These approaches ensure that all team members are “on the same page” and are aware of project requirements and
milestones.
Managing Clarity Aspects of Project Risk
When a project has low clarity, project managers need to rely more heavily on the users to define system require-
ments. It means managing project stakeholders and sustaining commitment to projects.
Managing Project Stakeholders A project’s low clarity may be the result of its multiple stakeholders’ conflicting
needs and expectations for the system. The project manager must balance the goals of the various project stakeholders
to achieve desired project outcomes. The project manager may also need to specifically manage stakeholders. It is
48 H. Barki, S. Rivard, and J. Talbot, “An Integrative Contingency Model of Software Project Risk Management,” Journal of Management Information Systems 17, no. 4 (Spring 2001), 37–69. 49 Ibid. and Applegate, McFarlan, and McKenney, Corporate Information Systems Management.
c11.indd 250 11/26/2015 7:35:07 PM
251Managing IT Project Risk
not always a simple task to identify project stakeholders. They may be employees, managers, users, other depart-
ments, or even customers. However, failure to manage these stakeholders can lead to costly mistakes later in the
project if a particular group does not support the project.
Managing stakeholders’ expectations and needs often involves both the project manager and the general man-
ager. Project sponsors are especially critical of IT projects with organizational change components. Sponsors use
their power and influence to remove project barriers by gathering support from various social and political groups
both inside and outside the organization. They also prove to be valuable when participating in communication
efforts to build the visibility of the project.
Sustaining Commitment to Projects An important way to increase the likelihood of project success is to gain
commitment from stakeholders and to sustain that commitment throughout the life of the project. Research indicates
five primary determinants of project commitment: project, psychological, social, organizational, and cultural.50
(See Figure 11.10.) Project teams often focus on only the project factors, ignoring the other four because of their
complexity.
By identifying how these factors are manifest in an organizational project, managers can use tactics to ensure
a sustained commitment. For example, to maintain commitment, a project team might continually remind stake-
holders of the benefits to be gained from completion of this project. Likewise, assigning the right project champion
the task of selling the project to all levels of the organization can maintain commitment. Other strategies encourage
stakeholder, especially user, buy‐in so that they can help clarify project requirements. Examples include making a
user or the project sponsor the project team leader; encouraging the project sponsor to provide public support for
the project; placing key stakeholders on the project team; placing key stakeholders in charge of the change process,
training, or system installation; and formally involving stakeholders in the specification approval process. Being
involved in the project makes stakeholders more aware of the trade‐offs that inevitably occur during a system
implementation and perhaps more willing to accept the consequences of the trade‐offs. In addition, being involved
in the project allows stakeholders who are users to better understand how the system works and thus may make it
easier for them to use it.
FIGURE 11.10 Determinants of commitment for IT projects. Sources: Adapted from Mark Keil, “Pulling the Plug: Software Project Management and the Problem of Project Escalation,” MIS Quarterly 19, no. 4 (December 1995), 421–47; Michael Newman and Rajiv Sabherwal, “Determinants of Commitment to Information Systems Development: A Longitudinal Investigation,” MIS Quarterly, 20, no. 1 (March 1996), 23–54.
Determinant Description Example
Project Objective attributes of the project such as cost, benefits, expected difficulty, and duration
Projects more likely to have higher commitment if they involve a large potential payoff
Psychological Factors managers use to convince themselves things are not so bad, such as previous experience, personal responsibility for outcome, and biases
Projects more likely to have higher commitment when there is a previous history of success
Social Elements of the various groups involved in the process, such as rivalry, norms for consistency, and need for external validation
Projects more likely to have higher commitment when external stakeholders have been publicly led to believe the project will be successful
Organizational Structural attributes of the organization, such as political support, and alignment with values and goals
Projects more likely to have higher commitment when there is strong political support from executive levels
Cultural Cultural attributes such as appreciation for teamwork or a focus on technical issues
Projects more likely to have higher commitment when there is a culture of teamwork
50 See, for example, Mark Keil, “Pulling the Plug: Software Project Management and the Problem of Project Escalation,” MIS Quarterly 19, no. 4 (December 1995), 421–47; Michael Newman and Rajiv Sabherwal, “Determinants of Commitment to Information Systems Development: A Longitudinal
Investigation,” MIS Quarterly 20, no. 1 (March 1996), 23–54.
c11.indd 251 11/26/2015 7:35:07 PM
252 Managing IT Projects
Pulling the Plug
The risk management strategies described here are designed to turn potentially troubled projects into successful
ones. Often projects in trouble persist long after they should be abandoned. Interestingly, this would be a case of
sustaining too much commitment to a project. Research shows that the amount of money already spent on a project
biases managers toward continuing to fund the project even if its prospects for success are questionable.51
Other factors can also enter in the decision to keep projects too long. For example, when the penalties for failure
within an organization are high, project teams are often willing to go to great lengths to ensure that their project
persists even if that means extending resources. Also, a propensity for taking risks or an emotional attachment to the
project by powerful individuals within the organization can contribute to the continuation of a troubled project well
beyond reasonable time limits. A recent global survey found that ultimately the plug is pulled on approximately
one project of every five.52
Gauging Success
How does a manager know when a project has been a success? At its start, the general manager who built the
business case would have considered several aspects based on achieving the business goals. It is important that
the goals be measurable so that they can be used throughout the project to provide the project manager real‐time
feedback. The general manager probably also wants to know whether the system meets the specifications and
project requirements set in the project scope, but measuring this is complex. Metrics may be derived specifically
from the requirements and business needs that generated the project to determine whether the system meets expec-
tations. Such metrics need to be based on the specific system, such as automating the order entry process or building
a knowledge management system for product design.
Four dimensions that are useful in determining whether a project is successful are shown in Figure 11.11. The
dimensions are defined as follows:
• Resource constraints: Does the project meet the established time and budget criteria? Was there schedule slip (i.e., the current scheduled time divided by the original scheduled time)? Most projects set some mea- sure of short‐term success along this dimension that is easy to measure.
• Impact on customers: How much benefit does the customer receive from this project? Although some IT projects are transparent to the organization’s end customer, every project can be measured on the benefit to the
immediate customer of the IS. This dimension includes performance and technical specification measurements.
• Business success: How high are the profits and how long do they last? Did the project meet its return on investment goals? This dimension must be aligned with the organization’s business strategy.
• Prepare the future: Has the project altered the organization’s infrastructure so that its future business success and positive customer impact are likely? Today, many companies are building Internet infrastruc-
tures in anticipation of future business and customer benefits. Overall success of this strategy is measurable
only in the future, although projects underway now can be evaluated on how well they prepare the business
for future opportunities.
What other considerations should be made when defining success of an IS? Is it enough just to complete a
project? Is it necessary to finish on time and on budget? If other dimensions are important, what are they? The type
of project can greatly influence how critical each of these dimensions is in determining overall success. It is the
responsibility of the general manager to coordinate the company’s comprehensive business strategy with the project
51 Hal Arkes and Catherine Blumer, “The Psychology of Sunk Cost,” Organizational Behavior and Human Decision Processes 35 (1985), 124–40; Daniel Kahneman and Amos Tversky. “Prospect Theory: An Analysis of Decision under Risk,” Econometrica: Journal of the Econometric Society 47, no. 2 (1979), 263–91. 52 Governance Institute, Global Status Report on the Governance of Enterprise IT (GEIT) (2011), 11, http://www.isaca.org/Knowledge‐Center/Research/
ResearchDeliverables/Pages/Global‐Status‐Report‐on‐the‐Governance‐of‐Enterprise‐IT‐GEIT‐2011.aspx (accessed September 8, 2015).
c11.indd 252 11/26/2015 7:35:07 PM
253Summary
type and the project success measurements. In this way, the necessary organizational changes can be coordinated
to support the new information system. After the project is completed, postproject feedback should be elicited to
ensure that the system meets its requirements and its development process is a good one.
S U M M A R Y
• A general manager fulfills an important role in project management. As a project sponsor, the general manager may be called on to select the project manager, provide resources to the project manager, and to give direction to and support for
the project.
• The business case provides the foundation for a well‐managed project by specifying its objectives, required resources, critical elements, and stakeholders.
• Project management involves continual trade‐offs. The project triangle highlights the need to delicately balance cost, time, and scope to achieve quality in a project.
• Four important project elements are project management, project team, project cycle plan, and common project vocabulary.
• Understanding the complexity of the project, the environment in which it is developed, and the dimensions used to measure its success allows the general manager to balance the trade‐offs necessary for using resources effectively and to
keep the project’s direction aligned with the company’s business strategy.
• Three popular information technology project development methodologies are SDLC, agile programming, and prototyping. Each of these methodologies offers both advantages and drawbacks. Other methodologies and approaches
are emerging.
• The project management office (PMO) brings focus and efficiency to project management activities. Often the PMO is a formal organization under the chief information officer (CIO).
• In increasingly dynamic environments, it is important to manage project risk, which is a function of project size, clarity, and level of complexity. For low‐clarity projects, interfacing with users and gaining their commitment in the project are
important. Projects that are highly complex require leveraging the technical skills of the team members, bringing in con-
sultants when necessary and using other strategies to promote internal integration.
• Projects are here to stay, and every general manager must be a project manager at some point in his or her career. In that capacity, the general manager is expected to lead the daily activities of the project. This chapter offers insight into the
necessary skills, processes, and roles that project management requires.
• Mashups are new applications derived from combining existing applications on the Web.
Success Dimension Low Tech Medium Tech High Tech
Existing technologies with new features
Most technologies new but available before the project
New, untested technologies
Resource constraint Important to meet Overruns acceptable Overruns most likely
Impact on customers Added value Significantly improved capabilities
Quantum leap in effectiveness
Business success Profit; return on investment High profits; market share High profits and market share but may come much later; market leader
Prepare the future Gain of additional capabilities New market; new service Leadership core and future technologies
FIGURE 11.11 Success dimensions for various project types. Source: Adapted from Aaron Shenhar, Dov Dvir, and Ofer Levy, and Alan C. Maltz “Project Success: A Multidimensional Strategic Concept,” Long Range Planning 34, no. 6 (2001), 699–725.
c11.indd 253 11/26/2015 7:35:07 PM
254 Managing IT Projects
D I S C U S S I O N Q U E S T I O N S
1. What are the trade‐offs between cost, quality, and time designing a project plan? What criteria should managers use to man- age this trade‐off?
2. Why does it often take a long time before troubled projects are abandoned or brought under control?
3. What are the critical success factors for a project manager? What skills should managers look for when hiring someone who would be successful in this job?
4. What determines the level of technical risk associated with a project? What determines the level of organizational risk? How can a general manager assist in minimizing these risk components?
5. Lego ’ s Mindstorms Robotics Invention System was designed for 12‐year‐olds. But after more than a decade of development at the MIT Media Lab using the latest advances in artificial intelligence, the toy created an enormous buzz among grown‐up
hackers. Despite its stiff $199 price tag, Mindstorms sold so quickly that store shelves were emptied two weeks before its
first Christmas in 1998. In its first year, a staggering 100,000 kits were sold, far beyond the 12,000 units the company had
projected. Of Mindstorms’ early customers, 70% were old enough to vote. These customers bought the software with the
intention of hacking it. They wanted to make the software more flexible and powerful. They deciphered Mindstorms’ pro-
prietary code, posted it on the Internet, began writing new advanced software, and even wrote a new operating system for
their robots. To date, Lego has done nothing to stop this open source movement even though thousands of Lego ’ s customers
now operate their robots with software the company didn ’ t produce or endorse and can ’ t support. In fact, Lego actively sup-
ports the open source movement by providing source code on its site. 53 There is said to be some danger: software that others
develop may end up damaging the robot ’ s expensive infrared sensors and motors. 54
a. What are the advantages of Lego ’ s approach to open sourcing? b. What are the disadvantages of Lego ’ s approach to open sourcing? c. How should Lego manage the open source movement?
Atlanta‐based Southern Company , a leading utility provider in the southeast United States, is valued by its 4.4 million
electricity customers for its excellent service, and it ranks as Fortune magazine ’ s “most admired” company in its industry. That means quality is important in everything the company does. When David Traynor, the company ’ s business excellence
manage, was charged with implementing a new enterprise change management (ECM) suite, 55 he knew its key users,
employees in the IT department, would scrutinize the new system and be very critical if anything didn ’ t work exactly as it
should.
■ CASE STUDY 11‐1 Implementing Enterprise Change Management at Southern Company
K E Y T E R M S
agile development (p. 242)
direct cutover (p. 241)
function points (p. 240)
joint applications development
(JAD) (p. 244)
mashups (p. 247)
object (p. 246)
open source software (OSS) (p. 246)
open sourcing (p. 246)
parallel conversion (p. 241)
program (p. 230)
project (p. 230)
project management (p. 231)
project management offi ce
(PMO) (p. 232)
project manager (p. 233)
project stakeholders (p. 230)
prototyping (p. 243)
rapid applications development
(RAD) (p. 243)
systems development life
cycle (SDLC) (p. 240)
user‐centered design (p. 244)
53 John Baichtal , “ Lego Mindstorms EV3 Source Code Available ,” Makezine Blog (August 2, 2013 ), http://makezine.com/2013/08/02/lego‐mindstorms‐
ev3‐source‐code‐available/ (accessed September 2, 2015); Lego, http://www.lego.com/en‐us/mindstorms/downloads (accessed September 2, 2015) . 54 Paul Keegan , “ Intellectual Property Is Not a Toy ,” Business 2.0 2, no. 8 (October 2001 ), 90 . 55 An enterprise change management suite is a series of programs that increase the readiness of people in an organization to be able to accept and thrive
under organizational change. Such readiness comes with developing skills as well as handling resistance to change.
c11.indd 254 11/26/2015 7:35:07 PM
255Case Study
The projected investment for the ECM was in the seven fi gures range, but the business case was straightforward. The
justifi cation was based on the savings in time and costs from reduced meetings and the ability to devote more attention to
risky projects. The IT department was handling over 7,000 change requests a year, each of which required a time‐consuming
approval process no matter how small or routine it was. Each change request needed to be approved at one of the three hour‐
long review committee meetings that were held each week. Some frustrated employees were even starting to circumvent the
approval process. Clearly, something had to be done. But even though the ECM suite had clear benefi ts, the IT department
was not eager to work on a system that didn ’ t promise to be very exciting. Further, installing the ECM suite promised to
markedly change the way the IT folks performed their work. “They had to log all their changes, gain approval, take all these
steps that they weren ’ t being tasked with before,” said Traynor.
The department selected BMC ’s Remedy software suite after spending 6 months designing the new process. Next came
10 months of customizing the systems and 7 months to build them. The fi rst ECM phase was rolled out in August 2010.
Surprisingly, the new system produced even more change requests than before—almost 3,000 additional ones each year.
Traynor reasoned that before the ECM was switched on, a lot of changes must have been processed without any review. That
was problematic given that about 8 of 10 requested projects have at least some level of risk, and 100% require resources to
complete. Now the change advisory board meets monthly (rather than three times weekly) and deals only with emergency
changes and high‐risk changes that could affect critical sites or many users. Routine change requests are preapproved using
standard formats.
Traynor hadn ’ t spent much time getting buy in from the IT department during the fi rst phase of the ECM project. He
now believes he should have started the ECM communication and training effort much sooner in the fi rst phase. The sec-
ond phase of the implementation, the incident and problem management system, was done differently. Traynor appointed
“ambassadors” from each IT unit as before, but this time they participated from the very fi rst day of the second phase.
Traynor encouraged them to talk with the IT employees in their unit so the employees were not playing catch‐up as they
had been in the fi rst phase. Rather, the ambassadors were actively involved in designing system changes: “They ’ ve put their
fi ngerprints on it. . . . We get a lot of mileage from [the ambassadors].” Traynor wants them to learn the ECM and play a
major role in training and testing the system . He adds, “The hope is that [they] . . . become the go‐to person after we go live.”
Discussion Questions
1. What type of development methodology appears to have been employed at Southern Company for the ECM project?
Was this a good approach? Provide a rationale for your response.
2. Describe how Traynor could have applied Lewin ’ s three‐stage model of change in implementing the ECM. What would
have been the advantages of applying Lewin ’ s three‐stage model?
3. Assess Southern ’s ECM system on the four dimensions of project success. How successful do you think this project is?
Sources: Southern Company Web site, www.southerncompany.com (accessed April 18, 2012); S. Overby, “How Southern Company Revamped IT Change Management,” Cio.com (October 18, 2010), http://www.cio.com/article/2414206/it‐organization/how‐southern‐ company‐revamped‐it‐change‐management.html (accessed September 2, 2015).
As London entered the 21st century, it confronted a major issue that plagues many cities throughout the world—excessive
automobile traffi c. Many Londoners—particularly the business community—rated traffi c congestion as the city ’ s most
serious problem. At peak periods, the average speed was less than 10 miles per hour, a slower speed than the horse‐drawn
carriages of previous centuries. Drivers spent about half their time waiting in traffi c. This congestion nightmare was not
only a major source of driver frustration but also a contributor to both environmental and economic problems. By one
estimate, traffi c‐related problems cost London businesses roughly £2 million—more than $3 million—every week. Clearly,
the city needed an aggressive policy to address this issue. The solution, proposed by the government study Road Charging Options for London (ROCOL) authorized by the 1999 Greater London Authority Act and endorsed by incoming mayor Ken Livingstone, was congestion charging . As the name suggests, the city would assess a fee, or charge, on every automobile that entered high‐traffi c sections of London during peak hours.
■ CASE STUDY 11‐2 Dealing with Traffi c Jams in London
c11.indd 255 11/26/2015 7:35:07 PM
256 Managing IT Projects
Rather than attempt a broad citywide implementation, the government focused specifi cally on the highly congested
section of central London where roughly 1 million people entered every day, about 150,000 of them by private automobile.
Beginning in February 2003, drivers who entered this area between 7 a.m . and 6:30 p.m . had to pay a fee of £5 (roughly $8)
by midnight. The fee has steadily increased over the years, and by 2014 it had increased to £11.50 (roughly $18). 56 Certain
types of vehicles, such as ambulances, buses, and taxis, are exempt. Drivers have the option to pay the charge by mail
(prepay), text messaging, telephone, or in person at various pay points. Failure to pay the fee results in a fi ne of £130 (roughly
$200). 57 Signifi cantly, this solution makes extensive use of current technologies. From the start, the city installed almost
700 cameras at more than 200 sites in the designated high‐traffi c area to photograph the license plates of every vehicle that
entered the area. The city transmitted these photos to a data center that translated the photographic images into license plate
numbers utilizing automatic number plate recognition technology. Drivers who failed to pay the fee received a notice of the
fi ne in the mail.
To create and implement the congestion charge plan, the government had a number of project risks:
• Tight schedule: The project needed to be completed under tight deadlines in order to meet multiple statutory requirements and minimize disruptions to commuters.
• Technology: The cameras had to be strategically placed in order to accurately photograph tens of thousands of license plates every day.
• Lack of pre‐existing models: There were no pre‐existing models in the world to follow. • Limited experience and expertise: Livingstone had been recently elected mayor, and the supervising governmental
agency—Transport for London—had only recently been created. Thus, neither was experienced in building such
a system.
• Political fallout: The political risk of a system failure to Livingstone was so huge that it would be extremely dam- aging to his career.
Transport for London adopted a series of management strategies to navigate these waters and limit the risks resulting
from its limited experience, IT ability, and management time. Perhaps the most signifi cant decision was to outsource the
basic management activities to fi rms that specialized in these areas. For example, PricewaterhouseCoopers fi rst and then
Deloitte & Touche were contracted to manage the competitive bidding process.
Early in the project, project managers identifi ed the critical technical elements and divided the project into fi ve “pack-
ages” that could, if required, be bought and managed separately. These included (1) the camera component, (2) the so‐called
image store (storage) component that collected images, converted them into license numbers, and condensed the images
(duplicates would occur when one vehicle was photographed by several cameras), (3) the telecommunications links between
the cameras and the image store component, (4) the customer services infrastructure, including the ability to pay by phone,
Web, and mail, and (5) an extensive network of retail outlet kiosks and gas stations where people could pay the toll.
The retail (driver ’ s) side of the system was seen as such a big risk that it was bought and managed separately. To
further reduce the risks, it was decided to select the best available technologies for each of the fi ve packages. Another risk‐
aversive move was to utilize only established technologies for the actual process of identifying the vehicles in the designated
zone. For example, Transport for London rejected proposals to employ electronic tags because this technology had not been
proved effective in scenarios such as this one. Finally, the city added roughly 200 buses to its fl eet to accommodate increased
ridership.
Transport for London requested bids on the project early in 2001. The estimated $116.2 million project was large enough
to require listing in the European Union ’ s public sector register. Companies throughout Europe were allowed to bid on it.
Separate bids could be tendered for the camera and communications packages whereas the remaining three packages could
receive bids on a combined basis or individually. Deloitte & Touche reviewed more than 40 bids before deciding on a single
contractor to manage the entire program. Its choice was The Capita Group , England ’ s largest business process outsourc-
ing fi rm. Signifi cantly, before accepting Capita’ s bid, Deloitte & Touche required both that fi rm and the other fi nal candi-
date to submit technical design studies. In addition, Capita ’s contract included penalties if the company failed to meet the
established deadlines.
56 Transport for London, https://tfl.gov.uk/modes/driving/congestion‐charge (accessed September 2, 2015); BBC News , “ London ’ s Congestion Charge
Rises to £11.50 ” (June 16, 2014 ), http://www.bbc.com/news/uk‐england‐london‐27865252 (accessed September 2, 2015) . 57 BBC News, “London ’ s Congestion Charge Rises.”
c11.indd 256 11/26/2015 7:35:08 PM
257
After awarding the contract to Capita , Deloitte & Touche closely monitored every step of the process, and it kept addi-
tions to the original plan to a minimum. As a result, scope creep—the process whereby a project increases in both size and
costs as new features are added—was never a serious issue. One of the few changes added to the requirements was an option
for motorists to pay fees through the popular SMS text‐messaging format.
Throughout the implementation of the new system, the city continually sought feedback from key stakeholders. In
addition, it regularly updated the public concerning the project ’ s status. Consequently, few drivers were caught unaware
when the new policy went into effect on February 17, 2003. The mayor also wisely decided to begin operations during a
school holiday period when traffi c volumes would be signifi cantly lower. Thus, by the time traffi c returned to normal, drivers
generally had adapted to the new procedures.
What were the results of these concerted efforts? Unlike so many systems projects, London ’ s congestion charging plan
was completed on time and within budget. Signifi cantly, however, the demanding schedule did not compromise the quality
of the work. Instead, fi ve months after it was begun, the new program appeared to have achieved its basic goals when a
follow‐up study 58 indicated that traffi c in central London had diminished by as much as 20%, and average driving speeds had
improved. A 10‐year study found sustained reductions in central London, averaging 23% over the longer period. 59 The fi nes
and fees resulted in a project payback period of about one and one‐half years. It was estimated that total revenues would
amount to $2.2 billion over a 10‐year period. Moreover, vehicular emissions of toxic substances such as nitrogen dioxide
were also reduced. However, a study found it diffi cult to determine the precise causes of London ’ s decreased emissions bet-
ween 2003 and 2011. 60 Because half of the European Union’s automobiles have diesel engines, nitrogen dioxide levels might
have fallen further if Volkswagens had proper emission controls. 61
One potential problem that did not emerge was “rat runs” in which traffi c jams would appear in areas outside the zone as drivers altered their routes to avoid the charges. After reviewing the outcomes of the London program, many observers
predicted that congestion charging would become a standard practice in cities throughout the world.
Discussion Questions
1. Assess the risks of this project. Given your assessment of the project complexity, clarity, and size, what management
strategies would you recommend for it? What, if any, of these strategies were adopted in this project?
2. Describe the development methodology that was applied to this project. Was this the most appropriate approach?
Provide a rationale for your response.
3. When a project is outsourced, who should manage the project—the internal group or the outsourcer? Why?
Sources: Ken Livingstone , “ The Challenge of Driving through Change: Introducing Congestion Charging in Central London ,” Planning Theory and Practice 5 , no. 4 ( December 2004 ), 490 – 98 ; Bradford Wernie , Wim Oude Weernink, and Sylviane de Saint‐Seine, “The World Watches As London Tries to End Congestion,” Automotive News Europe 8 , no. 2 (January 27, 2003 ) 3 – 4 ; Malcolm Wheatley , “ How IT Fixed London ’ s Traffi c Woes ,” CIO 16, no. 19 (July 15, 2003 ), http://www.cio.com/article/2439968/it‐organization/how‐technology‐fi xed‐ london‐s‐traffi c‐woes.html (accessed September 3, 2015) ; “Transport for London Study: Public and Stakeholder Consultation on a Var- iation Order to Modify the Congestion Charging Scheme: Impact Assessment” (January 2014), https://consultations.tfl .gov.uk/roads/ cc‐changes‐march‐2014/user_uploads/cc‐impact‐assessment.pdf (accessed September 3, 2015).
58 Malcolm Wheatley , “ How IT Fixed London ’ s Traffic Woes ,” CIO16, no. 19 (July 15, 2003 ), http://www.cio.com/article/2439968/it‐organization/
how‐technology‐fixed‐london‐s‐traffic‐woes.html (accessed September 3, 2015). 59 “Transport for London Study: Public and Stakeholder Consultation on a Variation Order to Modify the Congestion Charging Scheme: Impact
Assessment” (January 2014), https://consultations.tfl.gov.uk/roads/cc‐changes‐march‐2014/user_uploads/cc‐impact‐assessment.pdf (accessed September
3, 2015). 60 Green Car Congress , “ HEI Study Finds London Congestion Charging Scheme shows Little Evidence of Improving Air Quality ” (April 27, 2011 ),
http://www.greencarcongress.com/2011/04/hei‐study‐finds‐london‐congestion‐charging‐scheme‐shows‐little‐evidence‐of‐improving‐air‐quality.html#tp
(accessed September 3, 2015) . 61 Karl Mathieson and Arthur Neslen, “ VW scandal caused nearly 1m tonnes of extra pollution, analysis shows ,” The Guardian (September 23, 2015 ), http:// www.theguardian.com/business/2015/sep/22/vw-scandal-caused-nearly-1m-tonnes-of-extra-pollution-analysis-shows (accessed September 26, 2015).
Case Study
c11.indd 257 11/26/2015 7:35:08 PM
258
12 chapter
Business intelligence and analytics have become a source of strategic advantage for those fi rms who understand and develop skills to manage big data. This chapter provides an overview of the ways businesses make decisions. Making better decisions begins by understanding how to build capabilities in knowledge management, business intelligence, and analytics and how to protect an organization ’ s intellectual property. Data, information, and knowledge (both tacit and explicit) are then defi ned and discussed because they com- pose the foundation of making better decisions. Knowledge is managed through four main processes, which are outlined next. A discussion of competing with analytics, and the capa- bilities that enable it, follows. The chapter then takes a more technical turn, addressing the components of business analytics and big data amassed in data warehouses. The chapter concludes with a discussion of the Internet of Things, social media analytics, and caveats that managers must anticipate.
Business Intelligence, Knowledge Management, and Analytics
Netfl ix knew House of Cards would be a blockbuster before it aired the fi rst episode. 1 Using data from its 33 million customers worldwide, Netfl ix data scientists had their own internal data source
of viewing customer preferences, and analysis indicated that using director David Fincher, starring
Kevin Spacey, and basing the show on the British series House of Cards would be a success. The scientists identifi ed patterns in the data that gave them support for a decision to create this new
series. For example, they found that Netfl ix had a very large audience who watched the British ver-
sion of House of Cards and watched fi lms starring Kevin Spacey and directed by David Fincher. By “running the numbers,” execs knew this new show would appeal to a very large group of people and
that it would be a hit before the fi lming even started.
Netfl ix has a competitive advantage because of its big data and analytics investment—the
company knows not only what is watched on its site by all of its customers but also much more
information. For example, the company knows when someone pauses, rewinds, or fast forwards;
what is being searched for and what is chosen from the search results; what device is used to watch
the program; and when the viewer leaves the content and whether he or she ever comes back. Ana-
lytics data can be valuable from these data. Analysis shows that the analytics results differ signifi -
cantly from the results obtained by convening focus groups, and it turns out the analytics algorithms
give better direction for a more successful outcome. Netfl ix ’ s data‐driven culture extends not only to
decisions about original content but many other major decisions such as what fi lms to license, what
shows to recommend to customers, and what colors and images to use on their site.
1 Adapted from “Giving Viewers What They Want,” The New York Times (February 24, 2013), http://www.nytimes.com/2013/02/25/ business/media/for‐house‐of‐cards‐using‐big‐data‐to‐guarantee‐its‐popularity.html (accessed September 5, 2015); “Big Data Lessons
from Netflix” (March 11, 2014), http://www.wired.com/2014/03/big‐data‐lessons‐netflix/ (accessed September 5, 2015); “What
Netflix ’ s ‘House of Cards’ Means for the Future of TV” (March 4, 2013), http://www.forbes.com/sites/gregsatell/2013/03/04/what‐
netflixs‐house‐of‐cards‐means‐for‐the‐future‐of‐tv/ (accessed September 5, 2015).
c12.indd 258 11/26/2015 6:33:43 PM
259Competing with Business Analytics
Enterprises have long sought a way to harness the value locked inside the extensive data they collect and store
about customers, markets, competitors, products, people, and processes. In today’s business environment, external
data sources and real‐time data flows add opportunities for insight that might otherwise be missed. Algorithms and
analytics programs are the way this value is unlocked and used to describe, predict, and prescribe future activity.
Managers use these insights to make better decisions in virtually every corner of their business from marketing and
customer management to supply chains, risk management, hiring practices, and research and development activ-
ities. Moving forward, the amount of data available to analyze will continue to explode, especially with the growth
of the Internet of Things, fueled by rapid growth of smart devices connected to the Web. This chapter describes how
organizations compete with analytics, then addresses basic concepts of knowledge management, and reviews the
current thinking about business intelligence, business analytics, big data, and intellectual property.
Competing with Business Analytics In recent years, many companies have found success competing through better use of analytics. Companies such
as Netflix as described at the beginning of this chapter have used analytics to improve on their otherwise lackluster
business to become industry leaders. Caesars Entertainment, the largest gaming company in the world by some
measures, found a way to more than double revenues by collecting and analyzing customer data. Capital One has
also emerged from a crowded field of financial services firms to become one of the industry’s leaders through the
use of extensive business analytics. Those analytics enable Capital One to continuously create new products and
services that appeal to new customers and to reinvigorate relationships with existing customers. The bank was
founded on the idea that by mining data about individual customers it could create financial products that addressed
what the big players would consider “niche markets.” Although these markets were unattractive to the large players
because of the smaller number of potential customers, the niche markets were profitable. Using the customer
database of a small bank and running numerous analytical tests, Capital One identified characteristics that would
create a profitable service. It learned, for example, that the most profitable customers were ones who charged a large
amount but paid their credit cards off slowly. At the time, most credit cards companies did not differentiate between
these and other customers. Capital One’s innovative idea was to create a product that catered to these customers.
Today, Capital One runs hundreds of experiments to identify new products that target individual customers. Using
analytics to simulate and test is a very low‐cost way to design and develop these products.2
Sports teams have propelled themselves to league success through business analytics. The systematic use of
factual data in proprietary models is credited with helping the Oakland As and the Boston Red Sox. As seen in
the movie, Moneyball, Billy Beane was one of the first general managers in Major League Baseball to build his organization, the Oakland As, around analytics. Although this industry collected data extensively, it was mostly
used to manage the game in process. The Oakland As used data on things that it could measure such as the on‐base
percentage (the number of times a player gets on base) instead of softer criteria such as estimating the effort the
player is willing to put in. The Oakland As used analytics in its recruiting efforts to predict which young players
had the best chances of becoming major league players and hired players that other teams overlooked at salaries
that were much more affordable. This strategy paid off, consistently carrying the Oakland As to the playoffs despite
a budget for player’s salaries that was a fraction of what some of its competitors had.
One reason for the rise in companies competing on analytics is that numerous companies in many industries
offer similar products and use comparable technologies. Therefore, business processes are among the last remain-
ing points of differentiation, and analytic competitors are wringing every last drop of value from those processes.3
Business analytics fuel fact‐based decision making. For example, a company may use simple inventory reports
to figure out what products are selling quickly and which are moving slowly, but a company that uses analytics
also knows who buys them, what price each customer pays, how many items the customer will likely purchase in
a lifetime, what motivates each customer to purchase, and which incentives to offer to increase the revenue from
each sale.
2 Thomas Davenport and Jeanne Harris, Competing on Analytics (Boston, MA: Harvard Business School Press, 2007), 41–42. 3 Ibid.
c12.indd 259 11/26/2015 6:33:43 PM
260 Business Intelligence, Knowledge Management, and Analytics
According to a study by consulting firm McKinsey and Company, there are five ways big data and analytics can
help an organization:4
1. Making information more transparent and usable at a frequency that outpaces the competition
2. Exposing variability and boosting performance by collecting and analyzing more transactional and performance data
3. More precisely tailoring products and services using better‐designed segmentation and large data samples
4. Improving decision making through experiments, forecasting and feedback, and just‐in‐time analysis
5. Developing the next generation of products and services more quickly using sensor data to collect after‐ sales information on product usage, performance, and so on.
Knowledge Management, Business Intelligence, and Business Analytics It’s all about making better decisions. Before the terms “big data” and “analytics” were all the rage, managers
talked about knowledge management. Managing knowledge is not a new concept,5 but it has been invigorated by
new technologies for collaborative systems, the emergence of the Internet and intranets—which in themselves act
as a large, geographically distributed knowledge repository—and the well‐publicized successes of companies like
Netflix that use business analytics. The discipline draws from many established sources, including anthropology,
cognitive psychology, management, sociology, artificial intelligence, information technology (IT), and library sci-
ence. Knowledge management remains, however, an emerging discipline with few generally accepted standards or
definitions of key concepts.
Knowledge management includes the processes necessary to generate, capture, codify, integrate, and transfer knowledge across the organization to achieve competitive advantage. Individuals are the ultimate source
of organizational knowledge. The organization gains only limited benefit from knowledge isolated within indi-
viduals or among workgroups; to obtain the full value of knowledge, it must be captured and transferred across
the organization.
Business intelligence can be considered a component of knowledge management. Business intelligence (BI) is the term used to describe the set of technologies and processes that use data to understand and analyze business
performance.6 It is the management strategy used to create a more structured approach to decision making based on
facts that are discovered by analyzing information collected in company databases. While knowledge management
includes the processes necessary to capture, codify, integrate, and make sense of all types of knowledge as
described earlier, business intelligence is more specifically about extracting knowledge from data. Davenport and
Harris suggest that business analytics is the term used to refer to the use of quantitative and predictive models, algorithms, and evidence‐based management to drive decisions.7 By this definition, business analytics is a subset
of BI. Some, however, use the terms BI and analytics interchangeably.
The most profound aspect of knowledge management and business intelligence is that an organization’s sus-
tainable competitive advantage ultimately lies in what its employees know and how they apply that knowledge to
business problems. Exaggerated promises and heightened expectations couched in the hyperbole of technology ven-
dors and consultants may create unrealistic expectations. Knowledge management is not a silver bullet, however,
because it cannot solve all business problems. Knowledge must serve the broader goals of the organization, and
4 James Manyika, Michael Chui, Brad Brown, Jacques Bughin, Richard Dobbs, Charles Roxburgh, and Angela Hung Byers, “Big Data: The Next
Frontier for innovation, competition, and productivity,” May 2011, http://www.mckinsey.com/insights/business_technology/big_data_the_next_frontier_
for_innovation (accessed September 5, 2015). 5 The cuneiform texts found at the ancient city Ebla (Tall Mardikh) in Syria are, at more than 4,000 years old, some of the earliest known attempts to
record and organize information. 6 Davenport and Harris, Competing on Analytics, 7. 7 Ibid.
c12.indd 260 11/26/2015 6:33:43 PM
261Data, Information, and Knowledge
analytics alone do not create competitive advantage. How the information is used and how the knowledge is linked
back to business processes are important components of knowledge management.
Data, Information, and Knowledge The terms data, information, and knowledge are often used interchangeably but have significant and discrete mean- ings within the knowledge management domain. As was first presented in the Introduction of this textbook, there
are differences (see Figure 12.1). Data are specific, objective facts or observations, such as “distributor ABC bought 600 of our sweaters.” Standing alone, such facts have limited intrinsic meaning. But key features of data are
that it can be easily captured, transmitted, and stored electronically.
Information is defined by Peter Drucker as “data endowed with relevance and purpose.”8 People turn data into information in different ways. One way is by organizing them into some unit of analysis (e.g., dollars, dates, or
customers), which helps interpret the data by giving it context. Another way is by combining related data to create
relevance. For example, a customer’s data such as name or address become information when combined with the
average order size as well as orders from that customer over time because at that point, the combined facts give a
different meaning than the individual facts alone. Extending the ABC example, knowing that an average distributor
buys 800 sweaters annually provides more than just the data about ABC’s purchase of 600 this year. Also, knowing
that ABC bought 400 sweaters last year, and 200 sweaters the year before starts to indicate much more than just
the current data alone.
Knowledge is a mix of contextual information, experiences, rules, and values. It is richer and deeper than information and more valuable because someone has thought deeply about that information and added his or her
own unique experience, judgment, and wisdom. Continuing with the sweater example, the sales manager might
know more about distributor ABC and therefore have some additional information or experiences that add to the
information. The manager knows that this is a new distributor, one with a strategy to add additional retail outlets
each year. Then the information put in a richer context indicates something very different than just the sales num-
bers alone. The sales manager knows that his or her company has an opportunity to grow as the distributor grows.
Values and beliefs are also a component of knowledge; they determine the interpretation and the organization of
knowledge. Tom Davenport and Larry Prusak, experts who have written about this relationship, say, “The power of
knowledge to organize, select, learn, and judge comes from values and beliefs as much as, and probably more than,
from information and logic.”9 Knowledge also involves the synthesis of multiple sources of information over time.10
FIGURE 12.1 The relationships between data, information, and knowledge. Source: Adapted from Thomas Davenport, Information Ecology (New York: Oxford University Press, 1997).
Data Information Knowledge
Definition Simple observations of the state of the world
Data endowed with relevance and purpose
Information from the human mind (includes reflection, synthesis, context)
Characteristics • Easily structured • Easily captured on
machines • Often quantified • Easily transferred • Mere facts presented
• Unit of analysis required • Data that have been
processed • Human mediation
necessary
• Hard to structure • Difficult to capture on machines • Often tacit • Hard to transfer
Example Daily inventory report of all inventory items sent to the CEO of a large manufacturing company
Daily inventory report of items that are below economic order quantity levels sent to inventory manager
Inventory manager knowing which items need to be reordered in light of daily inventory report, anticipated labor strikes, and a flood in Brazil that affects the supply of a major component.
8 Peter F. Drucker, “The Coming of the New Organization” (January–February 1988), 45–53. 9 Thomas H. Davenport and Laurence Prusak, Working Knowledge (Boston, MA: Harvard Business School Press, 1998), 12. 10 Thomas H. Davenport, Information Ecology (New York: Oxford University Press, 1997), 9–10.
c12.indd 261 11/26/2015 6:33:43 PM
262 Business Intelligence, Knowledge Management, and Analytics
The amount of human contribution increases along the continuum from data to information to knowledge. Com-
puters work well for managing data but are less efficient at managing information. The more complex and ill‐defined
elements of knowledge (for example, “tacit” knowledge described in the next section) are difficult if not impossible
to capture electronically.
Although knowledge has always been important to the success of an organization, it was presumed that the
natural, informal flow of knowledge was sufficient to meet organizational needs. But managing knowledge has
become far more complex, the amount of knowledge to manage far greater than ever, and the tools to manage
knowledge far more powerful. Managing knowledge provides value to organizations in several ways as summa-
rized in Figure 12.2.
Tacit versus Explicit Knowledge
Knowledge can be further classified into two types: tacit and explicit. Tacit knowledge was first described by philos- opher Michael Polanyi in his book, The Tacit Dimension with the classic assertion that “We can know more than we can tell.”11 For example, try writing, or explaining verbally, how to swim or ride a bicycle. Describe the color aqua
to someone who cannot see or the sound made by a piano to someone who has never heard one. Tacit knowledge
is personal, context specific, and hard to formalize and communicate. It consists of experiences, beliefs, and skills.
Tacit knowledge is entirely subjective and is often acquired through physically practicing a skill or activity.
FIGURE 12.2 The value of managing knowledge.
Value Sources of Value
Sharing of best practices • Avoid reinventing the wheel • Build on valuable work and expertise
Sustainable competitive advantage • Shorten the life cycle of innovation • Promote view of an “infinite resource” that isn’t used up • Impact bottom‐line returns
Managing overload • Filter data to assimilate relevant knowledge into the company • Provide organization and storage for easier data retrieval
Rapid change • Build on previous work to make company more agile • Streamline processes/build dynamic processes • Sense and respond to changes more quickly • Customize preexisting solutions for unique customer needs
Embedded knowledge from products • Use smart products to gather product information automatically to refine products, provide maintenance, add upgrades and identify customer usage.
• Blur distinction between manufacturing and service firms when information systems are embedded in products
• Add value through intangibles such as fixing systems before customers know they’re broken
Globalization • Decrease cycle times for global processes because information moves faster than physical process components
• Manage global competitive pressures • Provide global access to knowledge • Adapt to local conditions
Insurance for downsizing • Protect against loss of knowledge when workers leave • Provide portability for workers who move between roles • Reduce time for knowledge acquisition
11 Michael Polanyi, The Tacit Dimension (Chicago, IL: University of Chicago Press, 1966), 4.
c12.indd 262 11/26/2015 6:33:43 PM
263Data, Information, and Knowledge
In 2011, quarterback Drew Brees broke the NFL single‐season record for the most passing yards with 5,476 yards.
It would be nearly impossible to verbally describe all the factors that Brees had to consider when making those
passes, yet he knew to whom to throw the ball, where to put the ball, and why to make that throw—all in a matter
of seconds. Brees’ ability to pass the football incorporates so much of his own personal experience and kinesthetic
memory that it is impossible to separate that knowledge from the player himself. His bone structure, muscular
development, and the nerves between his arm and his brain all contribute to his ability to throw the types of passes
he does.
IT has traditionally focused on explicit knowledge, that is, knowledge that can be easily collected, organized, and transferred through digital means, such as a memorandum or financial report. Individuals, however, possess
both tacit and explicit knowledge. Explicit knowledge, such as the knowledge gained from reading this textbook, is
objective, theoretical, and codified for transmission in a formal, systematic method using grammar, syntax, and the
printed word. Figure 12.3 summarizes these differences.
Knowledge conversion strategies are often of interest in the business environment. Companies often want to take
an expert’s tacit knowledge and make it explicit or to take explicit, book‐learning to their new hires and make it
tacit. In their book The Knowledge Creating Company, Ikujiro Nonaka and Hirotaka Takeuchi describe four differ- ent modes of knowledge conversion (see Figure 12.4). The modes are (1) from tacit knowledge to tacit knowledge, called socialization, (2) from tacit knowledge to explicit knowledge, called externalization, (3) from explicit knowledge to explicit knowledge, called combination, and (4) from explicit knowledge to tacit knowledge, called internalization.12 Socialization is the process of sharing experiences; it occurs through observation, imitation, and practice. Common examples of socialization are sharing war stories, apprenticeships, conferences, and casual,
unstructured discussions in the office or “at the water cooler.”
FIGURE 12.3 Examples of explicit and tacit knowledge.
Tacit Knowledge Explicit Knowledge
• Knowing how to identify the key issues necessary to solve a problem • Applying similar experiences from past situations • Estimating work required based on intuition and experience • Deciding on an appropriate course of action
• Procedures listed in a manual • Books and articles • News reports and financial statements • Information left over from past projects
12 Ikujiro Nonaka and Hirotaka Takeuchi, The Knowledge‐Creating Company (New York: Oxford University Press, 1995), 62–70.
Tacit Knowledge
Explicit Knowledge
Tacit Knowledge Explicit Knowledge
TO
FROM
SOCIALIZATION Transferring tacit knowledge through shared experiences, apprenticeships, mentoring relationships, on-the-job training, “talking at the water cooler”
INTERNALIZATION Converting explicit knowledge into tacit knowledge; learning by doing; studying previously captured explicit knowledge (manuals, documentation) to gain technical know-how
EXTERNALIZATION Articulating and thereby capturing tacit knowledge through use of metaphors, analogies, and models
COMBINATION Combining existing explicit knowledge through exchange and synthesis into new explicit knowledge
FIGURE 12.4 The four modes of knowledge conversion. Source: Ikujiro Nonaka and Hirotaka Takeuchi, The Knowledge‐Creating Company: How Japanese Companies Create the Dynamics of Innovation (New York: Oxford University Press, 1995), 62. By permission of Oxford University Press, Inc.
c12.indd 263 11/26/2015 6:33:43 PM
264 Business Intelligence, Knowledge Management, and Analytics
Knowledge Management Processes Knowledge management involves four main processes: the generation, capture, codification, and transfer of
knowledge. Knowledge generation includes all activities that discover “new” knowledge, whether such knowledge is new to an individual, a firm, or an entire discipline. Knowledge capture involves continuous processes of scanning, organizing, and packaging knowledge after it has been generated. Knowledge codification is the repre- sentation of knowledge in a manner that can be easily accessed and transferred. Knowledge transfer involves trans- mitting knowledge from one person or group to another, and the absorption of that knowledge. Without absorption,
a transfer of knowledge does not occur. Generation, codification, and transfer generally take place constantly
without management intervention. Knowledge management systems seek to enhance the efficiency and effective-
ness of these activities and leverage their value for the firm as well as the individual. But with the increasing intro-
duction of new and more robust systems for managing and using knowledge, knowledge management processes are
dynamic and continuously evolving.
Knowledge management processes are different in the age of widespread Internet use, including robust search
tools such as Google’s. Whereas traditional knowledge management systems had well‐defined processes for
generation, capture, codification, and transfer, technologies such as large data warehouses, ubiquitous Web
sites, search tools, and tagging made it possible to capture and find information without those formal processes.
Tagging, where users themselves list key words that codify the information or document at hand, creates an ad hoc codification system, sometimes referred to as a folksonomy. Search engines have changed the way information is accessed, making it possible to quickly find virtually anything on any system connected to the Internet. These
technologies have replaced traditional knowledge management systems and have given individuals the ability to
find information that traditionally was locked within structures that had to be designed, managed, and then taught
to users.
Business Intelligence In the past, traditional BI was associated with providing real‐time, easy‐to‐use dashboards and reports to assist
managers in monitoring key performance metrics. Common elements of BI systems include reporting, querying,
dashboards, and scorecards. Dashboards tend to be simple, online displays of key metrics, often graphically dis-
played in pie charts, bar charts, red‐yellow‐green coded data, and other images that easily convey both the value
of the metric and, with the color coding, whether the metric is within acceptable parameters. In one example, a
map of the United States was used to indicate sales performance by geography, and each state was color coded to
indicate whether targets were being met. Managers could click on each state to drill down into the next level of
detail, which provided information by region. Further drilling down indicated sales by city and ultimately by sales
person. At each level, the data were presented and color coded to give a visual, and therefore quick, indication of
who was making targets and who was missing them. Traditional BI is useful for strategic, tactical, and operational
decisions.
BI today incorporates a number of additional characteristics and capabilities. Some function as a service in
the cloud. Others are event driven, offer instant access to real‐time information, and provide dynamically cre-
ated reports that “mash up” or combine streaming data, internal data sources, and external data sources. It is also
common to find systems that enable mobile/ubiquitous access. These and other newer technologies have enabled
BI to move to a new level with robust user interfaces and powerful visualization and analytics tools. Algorithms
are much more sophisticated than ever before, giving managers more accurate and better insights. Crowdsourc-
ing allows the data structures and report designs to be created by the community rather than by a single designer.
Data and reports are infused with narratives from the users to provide richer context. Dynamic capabilities in the
BI system provide exceptions, alerts, and notifications that change based on what the system learns from the data
alone. A manager who sees something in the data that requires an intervention will be able not only to perform it
but also to tag it and link it with the data so that the collective knowledge grows over time.
c12.indd 264 11/26/2015 6:33:44 PM
265Components of Business Analytics
Components of Business Analytics To successfully build business analytics capabilities in the enterprise, companies make a significant investment in
their technologies, their people, and their strategic decision‐making processes. Four components are needed (see
Figure 12.5).
Data Sources
Data used in the analytical processes come from various sources and are stored in corporate databases, usu-
ally as tables of data in a very structured format. One might think about a customer database that has for each
customer a number of pieces of data such as name, account number, and address. These pieces contain a wide
variety of data used to create a coherent picture of business conditions at a single point in time. Much of the data
used by the organization is generated internally and captures operational and financial information. Other data
can be gathered from external sources, such as competitor’s public activities, weather patterns, and economic
trends. Because the information in these data sources is clear and easily categorized into databases, it is called
structured data. Other data, such as conversations, Twitter streams, and videos are considered unstructured data. These data
sources have information embedded in them but work needs to be done to extract the useful information. Other
examples of unstructured data are the data in blogs, e‐mails, documents, photos, audio files, presentations, Web
pages, and other similar files. A single unstructured data file might contain multiple items of interest. When data
are taken out of the context of the original file, they lose some of their meaning. The common characteristic of
these data sources is that the data are not easily put into a tabular or other structured format and therefore do not fit
neatly into a database.
Data warehouses, or collections of data designed to support management decision making, sometimes serve as repositories of all of an organization’s databases. The warehouses are centralized so all the organization’s depart-
ments can access the data and store new data in formats that are easily used by others. Data warehouses traditionally
have held structured data, but today, there are multiple examples of data warehouses that manage large collections
of unstructured data.
Real‐time data sources are another type of data stream that companies use in their analytics program. Many people have seen stock prices flow across a screen for financial traders. This is a type of real‐time data. The
information changes constantly (or at least often). Modern analytics programs have found ways to use real‐time
streams of data in their algorithms.
FIGURE 12.5 Components of successful business analytics programs.
Component Definition Example
Data sources Data streams and repositories Data warehouses; weather data
Software tools Applications and processes for statistical analysis, forecasting, predictive modeling, and optimization
Data-mining process; forecasting software package
Data‐Driven environment Organizational environment that creates and sustains the use of analytics tools
Reward system that encourages the use of the analytics tools; willingness to test or experiment
Skilled workforce Workforce that has the training, experience, and capability to use the analytics tools
Data scientists, chief data officers, chief analytics officers, analysts, etc. Netflix, Caesars, and Capital One are examples of companies with these types of roles
c12.indd 265 11/26/2015 6:33:44 PM
266 Business Intelligence, Knowledge Management, and Analytics
Software Tools
At the core of business analytics are the tools. An approach used to extract information from data sources is data mining, which is the process of analyzing data warehouses and other sources for “gems” that can be used in management decision making. The term typically refers to the process of combing through massive amounts of cus-
tomer data to understand buying habits and to identify new products, features, and enhancements. It also identifies
previously unknown relationships among data. The analysis may help a business better understand its customers by
answering such questions as these; Which customers prefer to contact us via the Web instead through a call center?
How are customers in Location X likely to react to the new product that we will introduce next month? How would
a proposed change in our sales commission policy likely affect the sales of Product Y? Using data mining to answer
such questions helps a business reinforce its successful practices and anticipate future customer preferences. For
example, The New York Times reported that by using data mining, Walmart uncovered the surprising fact that its Florida customers stocked up on beer and strawberry pop tarts when a hurricane was predicted. It now initiates
quick shipments to its stores when hurricanes are on the horizon so that there are plenty of these two items when a
hurricane becomes a more tangible threat.13
There are four categories of tools that are typically included under the business analytics umbrella. They include14
• Statistical analysis: Answers questions such as “Why is this happening?”
• Forecasting/Extrapolation: Answers questions such as “What if these trends continue?”
• Predictive modeling: Answers questions such as “What will happen next?”
• Optimization: Answers questions such as “What is the best that can happen?”
These tools are used with the data in the data warehouse to gain insights and support decision making.
Data‐Driven Environment
A data‐driven culture, an environment that supports and requires analytics, is a critical factor for success. It requires aligning information systems (IS) strategy and organizational strategy with the business strategy.
Executives in the organization demand that staff provide not only a decision or recommendation but also the
data to support it. Gone are the days of just evaluating results at the end of a financial period. In a data‐driven
culture, staff use data streams to continually evaluate and make corrections in midcourse. To achieve a data‐
driven organization, there must be alignment of the corporate culture, the incentive systems, the metrics used
to measure success of initiatives, and the processes for using analytics with the objective of building a compet-
itive advantage through analytics. As an example of aligning organizational strategy with a business strategy
promoting the use of analytics to gain competitive advantage, one financial services firm encouraged the use of
analytics by changing its appraisal system. Demonstration of skills associated with applying analytics was made
a significant factor in compensation decisions.
Although many companies have some sort of analytical tools in place, most are not used for mainstream decision
making, and they certainly do not drive the strategy formulation discussions of the company. Those who gain com-
petitive advantage from analytics use these capabilities as an integral component of their business. Companies such
as GE, Proctor and Gamble, Walmart, Chevron, and HP routinely expect data‐driven decision making and have
built strong analytics capabilities into their teams to expand the use of data in decision making.
Leadership plays a big role in creating a strong analytics environment. Leaders must move the company’s
culture toward an evidence‐based management approach in which evidence and facts are analyzed as the first step in decision making. Those in this type of culture are encouraged to challenge others by asking for data support, and
when no data are available, to experiment and learn to generate facts. Use of evidence‐based management encour-
ages decisions based on data and analysis rather than on experience and intuition.
13 Constance Hays, “What Walmart Knows about Customers’ Habits” (November 14, 2004), http://www.nytimes.com/2004/11/14/business/yourmoney/
14wal.html (accessed September 6, 2015). 14 Ibid.
c12.indd 266 11/26/2015 6:33:44 PM
267Components of Business Analytics
Skilled Workforce
It’s clear that to be successful with analytics, data and technology must be used. But experts point out that even with
the best data and the most sophisticated analytics, people must be involved. Managers must be able to leverage their
knowledge of analytics to improve decision making. Leaders must set examples for the organization by using ana-
lytics and requiring that decisions made by others use that process. Perhaps the most important role is sponsorship.
Davenport and Harris point out that it was the CEO‐level sponsorship and the corresponding passion for analytics
that enabled firms such as Caesars Entertainment and Capital One to achieve the success they did.15
Although leadership is important and general management and staff must be data driven, the staff must also have
analytics experts. A key role for a successful analytics program is the data scientist, a professional who has the skills to use the right analytics with the right data at the right time for the right business problem. Some describe this role as
part science and part art because there are multiple ways to use data and analytics to answer business questions. The
data scientist has the skills to look at the data in different ways to extract the appropriate information for the business.
Leading the analytics program is often a chief analytics officer (CAO) or chief data officer. As the name implies, the CAO is the individual at the helm of the analytics activities of an organization. Organizations typically
create a center of excellence for analytics capabilities that operates as a shared service of expertise. The CAO would
be the leader of this center. Likewise, a chief data officer has the responsibility for the data warehouse, organiza-
tional databases, relationships with vendors who supply external data sources, and sometimes the algorithms that
use these data sources.
Levels of Analytical Capabilities
All businesses have data, but some do a better job than others at using it, creating a potent source of competitive
advantage. Companies tend to fall into one of five levels of analytical capabilities, with each level adding to the
lower levels. Understanding the different levels can help organizations envision how to improve their capabilities
to gain additional advantages. Figure 12.6 summarizes these levels.
FIGURE 12.6 Analytical capabilities levels. Sources: Adapted from conversations with Farzad Shirzad, leader of Teradata’s Center for Excellence in Analytics in 2011; Jeff Bertolucci, “Big Data Analytics: Descriptive vs. Predictive vs. Prescriptive,” Information Week (December 31, 2013).
Level Description Source of Business Value
Level 1: Reporting Answers “What happened?” by creating batch and ad hoc reports that summarize historical data; data across functions possibly not consistent or well integrated
Reduction in costs of report generation and printing
Level 2: Analyzing Answers “Why did it happen?” by using ad hoc, real‐time reports, and business intelligence tools to understand root causes
Understanding root causes
Level 3: Descriptive Answers “What is happening now?” by linking business intelligence tools with operational systems to provide instantaneous views and updated status; data integrated, clean, and reliable
Real‐time understanding of action/reaction and course correction instantly to improve operations
Level 4: Predictive Answers “What will happen?” by using predictive models that extrapolate from data to enable possible scenarios for the future; may be used to see potential for strategic advantage to business
Ability to take action on predictions to help the business
Level 5: Prescriptive Answers “How should we respond?” by automatically linking analytics with other systems, creating continuous updates from business intelligence tools that automatically are understood by operational tools and trigger events as needed
Automated reactions based on real‐time data stream; value from dynamic process that “learns and corrects” automatically
15 Davenport and Harris, Competing on Analytics.
c12.indd 267 11/26/2015 6:33:44 PM
268 Business Intelligence, Knowledge Management, and Analytics
Big Data One impact of our information‐based economy is the very large amount of data amassing in databases inside both
companies and the environment. Consider, for a moment the vast amount of data Google must process every time
it is queried. Google tells the inquirer how many results are found and how fast the search process found them.
A recent query of “big data” produced “about 774,000,000 results in 0.42 seconds.” A second query of “lady
gaga” produced 240,000,000 results in 0.33 seconds. Google indexes billions of Web sites as part of its search
algorithm.
Big data is the term used to describe techniques and technologies that make it economical to deal with very large data sets at the extreme end of the scale. Data sets are usually evaluated according to their size in bytes, which are
characters such as letters, numbers, and symbols. According to Wikipedia, big data sets are on the order of exabytes
(1018 bytes, abbreviated as EB) and zettabytes (1021 bytes, abbreviated as ZB). A megabyte (MB) is 106 bytes.
Extreme data sets get so big because volumes of information are continuously created, usually quickly, and stored
for analysis. These extreme data sets create difficulties in storing, searching, sharing, and analyzing; the size just
cannot be handled by traditional data management tools or techniques. Having large data sets is desirable because
of the potential trends and analytics that can be extracted, but when the sets are so large that the information system
cannot manage them, they are considered a “big data problem.” In those cases, specialized computers and tools are
needed to help managers mine the data.
One reason for the explosion of data is that traditionally, managers looked at only transaction data, but now it is
possible to also look at information around a transaction. Consider Netflix, described in the opening of this chapter.
It tracks not only what movie or show is watched but dozens of pieces of information around that transaction,
including what was in the user’s search results but not chosen, when the user stopped watching and at what point in
the program this occurred, and other events that occur before, during, and after the actual transaction.
Social media channels are a source of big data. Conversations contain words that get their meaning from the
other words in the sentence, and companies want to know that meaning. They want to analyze the conversation, not
just keywords or tags associated with it. For example, marketers want to evaluate sentiment, and that often depends
on the context in which words are used. A conversation might include a phrase “wicked problems.” A wicked problem is a problem that is difficult or impossible to solve because there is incomplete, contradicting, or too much information. However, taken alone, wicked means bad or evil, and problem might mean a situation or inquiry that needs to be solved. Without the context, the marketer might conclude that there is a particularly bad or evil problem
to solve, when in actuality, that was not the sentiment at all. For that reason, social media data often is captured in its
entirety so analysis can be done as needed later. However, conversations are large, unstructured clusters of words,
and the resulting database is considered big data.
An important practical application of big data can illustrate how analytics of social media data can be useful.
Researchers at the University of Arizona found that they can predict the number of asthma‐related emergency room
visits with 70% accuracy by tracking in real time pollution data and the incidence of words such as wheezing, sneezing, and inhaler found in tweets and Google searches. Although only about 1% of tweets report those words out of 464.8 million Tweets in a two and a half month period, that proportion represents about 15,000 tweets per
day globally. The researchers plot the trends on a map and can alert hospitals in areas with asthma terms and con-
ditions that indicate a likely outbreak.16
Big data are increasingly common in part because of the rich, unstructured data streams that are created by
conversations. With the growth of social IT, managers are increasingly finding that gathering all the information
about their company and their customers from all the social sites available creates a data set that has the potential
to supply unique customer intelligence. Finding ways to collect, manage, and use the data, however, is significantly
more difficult than managing more structured data sets.
16 Sudha Ram, Wenli Zhang, Max Williams, and Yolande Pengetnze, “Predicting Asthma‐Related Emergency Department Visits Using Big Data,” IEEE Journal of Biomedical and Health Informatics 19, no. 4 (July 2015), 1216–23.
c12.indd 268 11/26/2015 6:33:44 PM
269Social Media Analytics
Internet of Things
The Internet of Things also creates massive amounts of data. Technology embedded in devices stream sensor data from those devices to create rich databases of operational data. Devices such as elevators, vehicles, refriger-
ators, industrial equipment, wristwatches, pacemakers, and more are all equipped with sensors that capture rel-
evant operational information such as floors of buildings visited; miles driven; food stored; forklifts in use; time
of day; heart health including blood flow; and sensor‐maintenance information such as the health of the device,
time between failures, and battery level. Advanced sensors also interact with other sensors, sending and receiving
signals that guide the operations of the device. As these technologies proliferate, the information generated grows
exponentially.
Kevin Ashton was a brand manager for Oil of Olay in the mid‐1990s when he wondered why some products
flew off the shelf and others seemed to stay forever. He came up with the idea of tagging products with sensors so
they could be tracked and stores could know what was on their shelves. Fast forward to today; sensors embedded
in devices generate so much data that estimates of the amount of data generated are out of date before they are
published. Internet protocol (IP) version 6, the latest version, allows 3.4 × 1038 addresses on the Internet, and each
address could be generating data continuously.
Sensors connected to the Internet have many uses. Imagine a sprinkler system that senses moisture in the ground,
follows the weather forecast, and optimizes water consumption, or a trucking company that places sensors on each
of its trucks to track where it is and to optimize its route in terms of saving gas and time and increasing responsive-
ness to customers. The abundance of sensors sets the stage for new business models that incorporate a “sense and
respond” capability. But managers cannot successfully invest in the Internet of Things without a robust analytics
capability to manage the data this type of investment will generate.
Database warehouse vendors, such as Teradata, IBM, and Oracle, have tailored tools for customers with big data
problems. In order to integrate with business applications and provide appropriate accessibility, backup and secu-
rity, data warehouses must be scalable to allow capture and storage of all the data; agile to accommodate changing requirements, mixed types of work, and quick turnaround of queries and reports; and compatible with the enterprise infrastructure.
There is a “dark side” to big data. The intense number crunching is likely to yield a number of “false discov-
eries.” Any results should be questioned before they are applied. Extensive analysis might yield a correlation and
lead to a statistical inference that is unfair or discriminatory. Big data might offer a high‐tech twist to the old prac-
tice of “I know what the facts are—now let’s find the ones we want.” Here again, care must be applied when using
powerful tools.17 But the biggest concern is what some consumers consider an invasion of privacy. Companies now
can use analytics to paint a far more accurate picture of a customer than he or she might like.
Social Media Analytics Managers have seen a rise in interest in using social IT that can be attributed to the increase in the number and ease
of ways to measure the value gained from the invested time and resources. A class of tools called social media analytics addresses this opportunity. The goal of social media analytics is to measure the impact of social IT invest- ments on a business. At issue, however, is how to analyze conversations, tweets, blogs, and other social IT data to
create meaningful, actionable facts from statements of preferences and emotions. For example, it might be relatively
easy to measure the number of hits on a Web site or the number of click‐throughs from a link. But what does that information really tell a manager? What action would the manager consider taking based on these types of data?
Hits and click‐throughs are meaningful only in context and with other data that indicate whether business value was achieved. That is, they become information only when they are processed to become relevant and purposeful.
17 Davenport and Harris, Competing on Analytics.
c12.indd 269 11/26/2015 6:33:44 PM
270 Business Intelligence, Knowledge Management, and Analytics
Sentiment analysis uses algorithms to analyze text to extract subjective information such as emotional state- ments, preferences, likes/dislikes, and so on. Managers seeking to understand what is being said in social media use
sentiment analysis. This type of process helps answer questions such as these:
• What do our customers think about our position on this issue?
• How well received is our latest marketing campaign?
• What is our customer’s experience with this problem?
Sentiment analysis can be used to scrutinize conversations, reports, e‐mails, blogs, Tweets, Facebook posts,
and other unstructured files. The goal is to identify issues and spot trends before they grow into big business
problems. Most sentiment analysis software extracts sentiments, identifies changes in sentiment over time, and
evaluates content for positive, negative, and neutral text entries. The more useful software does this in real
time to allow dynamic changes in the way business is done. Some customizing is also necessary; the asthma
researchers in Arizona needed to create their own algorithms to analyze the context of each tweet to make sure
it was indeed of concern. For example, a tweet describing how a person’s breath was taken away after watching
a video needed to be differentiated from a tweet describing how a person had trouble catching her or his breath
after a run.18
Vendors such as Google Analytics and Salesforce.com offer platforms with social media analytics tools.
A platform includes tools that enable:
• Listening to the community: Identifying and monitoring all conversations in the social Web on a particular topic or brand.
• Learning who is in the community: Identifying customer demographics such as age, gender, location, and other trends to foster closer relationships with the community.
• Engaging people in the community: Communicating directly with customers on social platforms such as Facebook, YouTube, LinkedIn, and Twitter using a single app.
• Tracking what is being said: Measuring and tracking demographics, conversations, sentiment, status, and customer voice using a dashboard and other reporting tools.
• Building an audience: Using algorithms to analyze data from internal and external sources to understand customer attributes, behaviors, and profiles and to then find new similar customers.
UPS, Pizza Hut, Pepsi, AMD, and Dell Computers are examples of companies with well‐known case studies
about their use of social analytics and monitoring tools for engaging and encouraging collaboration among their
customers. For example, in a presentation to the Blogwell community, a UPS manager described how the company
turned around its customer service efforts using social IT and social analytics.19 UPS studied its customer service
process and monitored the social Web for comments. Managers noticed that some customers loved it, but others
had a bad experience and wrote about it on sites such as Twitter and Facebook. By using a social media analytics
platform, the managers identified dissatisfied customers and addressed their problems on the social platform used
by the customer. This resulted in more than 1 million positive tweets about UPS and lots of public recognition for
turning around its customer service process.
Google Analytics, on the other hand, is a set of analytics tools that enable organizations to analyze traffic com-
ing, going, and on their Web site. The Google Analytics suite thoroughly analyzes many aspects of the key words
used by visitors to reach a Web site and provides statistics to help managers understand the searches potential cus-
tomers use. Some of its features are:
• Web site testing and optimizing: Understanding traffic to Web sites and optimizing a site’s content and design for increasing traffic.
18 Ram et al., “Predicting Asthma‐Related Emergency Department Visits Using Big Data.” 19 socialmedia.org/blogwell (November 8, 2011).
c12.indd 270 11/26/2015 6:33:44 PM
271Social Media Analytics
• Search optimization: Understanding how Google sees an organization ’ s Web site, how other sites link to the organization ’ s site, and how specifi c search queries drive traffi c to the organization ’ s site.
• Search term interest and insights: Understanding interests in particular search terms globally and regionally, top searches for similar terms, and popularity over time.
• Advertising support and management: Identifying the best ways to spend advertising resources for online media.
RE/MAX is an example of a company using social media analytics. With franchises in 62 countries, RE/MAX
is a leading provider of residential, commercial, referral, relocation, and asset management. As part of its online
strategy, RE/MAX created a site that listed all properties available whether listed by its own agents or those from
other companies and made it available to anyone accessing the site. The company then used Google Analytics to
understand consumer behavior on the site and to drive leads to agents in their franchises. Prior to this strategy,
RE/MAX had used focus groups to understand consumer behavior, but these were expensive, limited in scope, and
lacked real data. Its site gets more than 2 million hits a month, mostly from visitors who searched for “remax” in
queries. Google Analytics helped managers redesign the Web site so the most used tools were on the home page,
Social Business Lens: Personalization and Real‐Time Data Streams
Has this happened to you? You do a search on the Internet for cuff links, read about them, but decide not to
purchase them. Then for the next few days, every time you are on the Web, you see advertisements for the same
cuff links. Then some ads appear for shirts with cuffs. That might be followed by ads for formal wear. Somehow
the system knows that you were shopping for cuff links and makes some leaps about other items you might like.
It seems like the system knows you; in fact, it does.
Storing data streams to later analyze user preferences simply to provide trends and historic data is a thing of
the past. Analytics groups are able to use algorithms to analyze data in real time as they stream through the Inter-
net. The processing power available today coupled with new means of analyzing real‐time data streams makes it
possible to provide services that personalize the system to individuals as they are using it.
Personalization can be done in a number of ways. In the cuff link example, it ’ s likely that a cookie, a small
data element, has been deposited in your cookies fi le of your laptop by a third party ad provider through an
agreement with owners of many of the most popular sites today. That cookie is accessed by the third party ad
provider when you navigate to other sites and provides ads that correspond to pages you have viewed in an
attempt to match your latest interests and stimulate future purchases. The user can delete the cookie anytime, and
most cookies are not considered useful after a month or two. But while it resides on the system, it provides Web
sites a way to personalize information delivered to you. Cookies are described in more detail in Chapter 13 .
Another way to personalize the information seen by a user is to draw inferences from the Internet protocol (IP)
address of the user. When you access the Internet, your connection has a unique IP address. Systems can connect
the IP address with your location (in the United States, that is done through Zip Codes because IP addresses are
associated with specifi c geographic locations). Coupling the Zip Code with other demographic information pro-
vides enough clues about the user to predict her or his likes and dislikes and ultimately personalize the message
delivered by the Web site.
Conversations are another source of personalization. Real‐time data streams are fertile ground for clues about
users. Systems “monitor” the public data streams, and analytics fi nd patterns and trends. Managers place great
value on the inferences they can draw from real‐time data streams, and executives can make more impactful
decisions. For example, suppose a sports event half‐time show is not well received by the public. Twitter and
other social media sites will begin to buzz with comments. Systems designed to monitor and notice these remarks
will alert managers of a possible situation that may need action, damage control, or other decision.
As algorithms, analytics, and other data management hardware and software increase in sophistication, we can
expect to see increasingly more accurate predictions and more personalized interaction.
c12.indd 271 11/26/2015 6:33:44 PM
272 Business Intelligence, Knowledge Management, and Analytics
further providing value to potential customers. Ultimately, Google Analytics helped RE/MAX drive an increased
number of leads to agents, reducing the cost agents had been paying for leads. 20
Intellectual Capital and Intellectual Property
Two other terms frequently encountered in discussions of knowledge and information are intellectual capital and intellectual property . Intellectual capital is defi ned as knowledge that has been identifi ed, captured, and leveraged to produce higher‐value goods or services or some other competitive advantage for a fi rm. Knowledge management and intellectual capital are often used imprecisely and interchangeably to describe similar concepts. To be more precise, the former describes the process for managing knowledge and the latter indicates the desired product of the
process. That is, by adopting knowledge management technologies, a fi rm can create a treasure trove of intellectual
Geographic Lens: When Two National Views of Intellectual Property Collide
U.S. and Chinese government offi cials have been at odds over the issue of intellectual property for decades.
For years, Chinese offi cials have promised to improve their protection of intellectual property. In December 2010
at a Joint Commission on Commerce and Trade meeting in Washington, China ’ s top economic policy maker
promised better protection for foreign software, better tracking of the management of software in state‐owned
enterprises, no discrimination against foreign intellectual property in government procurement, and improve-
ments in the Chinese patent process.
These promises will be hard to keep because stringent protection of foreigners ’ intellectual property is at
odds with China ’ s development strategy and even its history and traditions. The concept of intellectual property
protection did not exist in China until Westerners introduced it in the early 20th century. The emperors who ruled
China prior to the 20th century were concerned about unauthorized publication because they wanted to control
what was disseminated, not because they wanted to encourage private, individual expression. Unfortunately,
when Western ideas of intellectual property were introduced to China, it was done in a threatening manner to
protect Western economic interests. As a result, many Chinese viewed the concept of intellectual property as a
foreign imposition. Furthermore, the impact of Marxist theories of collective ownership that marked China ’ s com-
munist period meant that it was not until the 1980s that modern notions of intellectual property were brought to
China—notions that remain novel and alien to many Chinese.
In addition, many foreign companies operating in China complain that Beijing views the appropriation of
foreign innovations as a viable approach for developing domestic technology. These companies claim that the
Chinese government tacitly supports forcing foreigners to disclose their technology and transfer patents to gain
contracts. In fact, China ’ s new antimonopoly laws allow compulsory licensing of foreign technologies in some
cases and require foreign companies that wanted to merge with or buy a Chinese company to transfer technol-
ogy to China. Such policies can ratchet Chinese fi rms up the tech ladder more rapidly, but they are considered by
many to refl ect the misappropriation of intellectual property. Although the United States has made some progress
at the World Trade Organization against the theft of intellectual property in China, and China has enacted some
intellectual property laws, the battle over intellectual property is still raging.
Sources: Editorial, China and Intellectual Property (December 23, 2010 ), http://www.nytimes.com/2010/12/24/opinion/24fri1. html (accessed February 22, 2015) ; William Alford , “ Understanding Chinese Attitudes Toward Intellectual Property (IP) Rights ” (September 15, 2006 ), http://www.cio.com/article/2444480/it‐organization/understanding‐chinese‐attitudes‐towards‐intellectual‐ property—ip—rights.html (accessed February 22, 2015) .
20 www.google.com/analytics/case_study_remax.html (accessed on February 20, 2012).
c12.indd 272 11/26/2015 6:33:44 PM
273Social Media Analytics
capital. However, there are no guarantees; IT provides an infrastructure for capturing and transferring knowledge
but does not create knowledge and cannot force people to share or use the knowledge.
Individuals can own their information‐based ideas in the same way they own their physical property. Intellectual property (IP) is the term used to describe these creative and innovative information‐based outputs. However, because intellectual property is information based, it differs from physical property in two important ways. First, information‐
based property is nonexclusive to the extent that when one person uses it, another person can use it without degra-
dation or loss of quality. Consider an MP3 file of music that can be easily copied and shared with another without
loss of the original property. Second, unlike the cost structure of physical property, the marginal cost of producing
additional copies of information‐based property is negligible compared with the cost of original production. These
factors create differences in the ethical treatment of physical and information‐based intellectual property. The eco-
nomics of information versus the economics of physical property is further explored in the Introduction of this text.
The protections available for IP make it possible for owners to be rewarded for the use of their ideas and it allows
them to have a say in how their ideas are used. To protect their ideas, owners typically apply for and are granted
intellectual property rights. In some cases, as soon as a record is made of what has been created, the owner can
expect some protection automatically. An owner only needs to declare ownership and mark the ideas appropriately.
The four main types of intellectual property protections are patents for inventions, trademarks for brand identity,
designs for product appearance, and copyrights for literary and artistic material, music, films, sound recordings,
broadcasts, and software.21 In 2002, the music‐sharing Web site Napster raised controversial issues long surround-
ing the practice of copyright. The Audio Home Recording Act (1992), passed in the United States to prevent serial
copying, didn’t seem to apply to Napster, which only facilitated the sharing. In 1998, the more stringent Digital
Millennium Copyright Act (DMCA) was passed by a unanimous vote in the U.S. Congress with the active support
of the entertainment industry.22 The DMCA makes it a crime to circumvent copy protection even if that copy pro-
tection impairs rights established by the Audio Home Recording Act. A senior‐level position, Coordinator for
International Intellectual Property Enforcement in the U.S. Department of Commerce, was created in 2009 to lead
the battle against global piracy of intellectual property.
The U.S. Congress continues to propose and discuss ways to protect intellectual property, particularly from
piracy of online materials by sites and companies outside of U.S. jurisdiction. But the U.S. government has addi-
tional organizations to monitor and manage these issues. The Executive Office of the President of the United States
oversees the Office of the U.S. Trade Representative, which annually reviews the state of IP rights protection and
enforcement with global trading partners. It publishes the “Special 301” report annually to share the status of IP
management around the world.23
But management of IP is a concern not only to the U.S. government. In 2014, the United Kingdom passed the
Intellectual Property Act of 2014,24 introducing criminal liability and penalties for infringing on registered designs
and specifying processes for determining ownership in some situations. The Australian Parliament passed a sim-
ilar bill, the Intellectual Property Laws Amendment Bill 2014, which also clarified earlier IP and patent protection
laws.25 The World Intellectual Property Organization (WIPO), an agency of the United Nations, has 188 member
states and works with governments to “lead the development of a balanced and effective international intellectual
property system that enables innovation and creativity for the benefit of all.”26
21 “What Is Intellectual Property or IP?” http://www.intellectual‐property.gov.uk/std/faq/question1.htm (accessed June 25, 2002). 22 On March 10, 2004, the European Union passed the EU Copyright Directive, which is similar in many ways to DCMA. 23 For more information on intellectual property and the Special 301 report, see Office of the U. S. Trade Representative, https://ustr.gov/issue‐areas/
intellectual‐property (accessed September 6, 2015). 24 http://www.legislation.gov.uk/ukpga/2014/18/contents/enacted (accessed September 6, 2015). 25 http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r5192 (accessed September 6, 2015); http://
www.ipaustralia.gov.au/about‐us/public‐consultations/Consulting_on_proposals_to_streamline_IP_processes_and_support_small_business/ (accessed
September 6, 2015). 26 http://www.wipo.int/wipolex/en/news/ (accessed September 6, 2015).
c12.indd 273 11/26/2015 6:33:44 PM
274 Business Intelligence, Knowledge Management, and Analytics
Caveats for Managing Knowledge and Business Intelligence Following such a broad review of the topics provided in this chapter, it seems appropriate to conclude with a few
caveats. First, recall that BI, analytics, big data, and even knowledge management continue to be emerging disci-
plines. Viewing BI as a process rather than an end in and of itself requires managers to remain flexible and open
minded.
Second, the objective of knowledge management is not always to make knowledge more visible or available. Like
other assets, it is sometimes in the best interests of a firm to keep knowledge tacit, hidden, and nontransferable. Com-
petitive advantage increasingly depends on knowledge assets that are difficult to reproduce. Retaining knowledge
is as much a strategic issue as sharing knowledge. Business intelligence, on the other hand, is designed to make
knowledge visible, at least inside the enterprise, so it can be analyzed and acted upon to meet business objectives.
Third, knowledge can create a shared context for thinking about the future. If the purpose of knowledge
management and business intelligence is to help make better decisions, then it must provide value for future events,
not just views of the past history. The goal is to use data to identify trends and environmental changes and then cre-
ate predictions that help inform business strategy and long‐term goal setting.
Finally, people lie at the heart of knowledge management and business intelligence. Establishing and nurturing
a culture that values learning and sharing of knowledge enables effective and efficient knowledge management.
Knowledge sharing—subject, of course, to the second caveat—must be valued and practiced by all employees for
knowledge management to work. The success of knowledge management ultimately depends on a personal and
organizational willingness to learn.
S U M M A R Y
• Competing with analytics is done by building analytics capabilities that give insights to a new way to operate a business by making faster decisions and using different business models or better information.
• Knowledge management includes the processes necessary to generate, capture, codify, and transfer knowledge across organizations. Business intelligence (BI) is the set of technologies and practices used to analyze and understand data and to use it in making decisions about future actions. Business analytics is the set of quantitative and predictive models
used to drive decisions.
• Data, information, and knowledge should not be viewed as interchangeable. Knowledge is more valuable than information, which is more valuable than data because of the human contributions involved.
• The two kinds of knowledge are tacit and explicit. Tacit knowledge is personal, context specific, and hard to formalize and communicate. Explicit knowledge is easily collected, organized, and transferred through digital means.
• Knowledge management is a dynamic and continuously evolving process that involves knowledge generation, capture, codification, and transfer. Technologies have enabled user‐generated codification with tagging.
• In the past, traditional business intelligence provided periodically updated dashboards to monitor key performance met- rics. The current generation of BI is event driven, offers instant access, and can dynamically update dashboards in real
time from streaming data, ubiquitous access, and user configurability.
• The five levels of analytics capabilities are reporting, analyzing, describing, predicting, and prescribing.
• The term big data refers to very large data repositories often found in environments where volumes of information are generated at a high velocity. Much big data are unstructured, requiring different algorithms to mine for insights than
those used with structured data.
• The Internet of Things is the term used for the connection of physical devices to the Internet using sensors and creating large, real‐time data streams.
• Social media analytics provide companies the tools to monitor and engage their communities and to evaluate the success of their investment in social IT. Sentiment analysis is used to extract insights from conversations and social media data streams.
• The four main types of intellectual property are patents, trademarks, designs, and copyrights.
c12.indd 274 11/26/2015 6:33:44 PM
275Case Study
The grocery store and supermarket shopping industries have combined annual revenues in the hundreds of billions of dollars.
Just food and beverage sales in the United States (U.S.) brought in $600 billion in revenue in 2014. Grocery shopping was
a highly commoditized industry with over 85,000 stores in the U.S. at that time. With little variation in available item selec-
tion and less money being spent on groceries in the down economy, competition for customer loyalty continued to grow. By
using business analytics to help process buying habits of its customers, Stop & Shop , a Quincy, Massachusetts‐based grocer,
tried to get a better grasp on the hard‐to‐understand concept of customer loyalty in grocery shopping.
■ CASE STUDY 12‐1 Stop & Shop ’ s Scan It! App
K E Y T E R M S
big data (p. 268)
business analytics (p. 260)
business intelligence (p. 260)
chief analytics offi cer ( CAO ) (p. 267)
chief data offi cer (p. 267)
combination (p. 263)
data (p. 261)
data‐driven culture (p. 266)
data mining (p. 266)
data scientist (p. 267)
data warehouses (p. 265)
evidence‐based management (p. 266)
explicit knowledge (p. 263)
externalization (p. 263)
folksonomy (p. 264)
information (p. 261)
intellectual capital (p. 272)
intellectual property (IP) (p. 273)
internalization (p. 263)
Internet of Things (p. 269)
knowledge (p. 261)
knowledge capture (p. 264)
knowledge codifi cation (p. 264)
knowledge generation (p. 264)
knowledge management (p. 260)
knowledge transfer (p. 264)
real‐time data sources (p. 265)
sentiment analysis (p. 270)
socialization (p. 263)
social media analytics (p. 269)
structured and unstructured data (p. 265)
tacit knowledge (p. 262)
tagging (p. 264)
D I S C U S S I O N Q U E S T I O N S
1. What does it take to be a successful competitor using business analytics? What is the role of information technology (IT) in helping build this competence for the enterprise?
2. The terms data , information , and knowledge are often used interchangeably. But as this chapter discussed, they can be seen as three points on a continuum. What, if anything, in your opinion, is next on this continuum?
3. What is the difference between tacit and explicit knowledge? From your own experience, describe an example of each. How might an organization manage tacit knowledge?
4. How will the Internet of Things change the way managers make decisions? Give an example of a data stream from sensor data that you would like to monitor. Please explain why this would be beneficial to you.
5. How do social media analytics aid an organization? Give an example of a social media data stream and the type of insight that might be drawn from it.
6. Why is it so difficult to protect intellectual property? Do you think that the Digital Millennium Copyright Act is the type of legislation that should be enacted to protect intellectual property? Why or why not?
7. PricewaterhouseCoopers has an elegant, powerful intranet knowledge management system called Knowledge Curve. It makes available to its consultants and auditors a compendium of best practices, consulting methodologies, new tax and audit
insights, links to external Web sites and news services, online training courses, directories of in‐house experts, and other
forms of explicit knowledge. Yet, according to one of the firm ’ s managing partners, “There ’ s a feeling it ’ s underutilized.
Everybody goes there sometimes, but when they ’ re looking for expertise, most people go down the hall.” 27 Why do you think
that Knowledge Curve is underutilized?
27 Thomas Stewart , “ The Case Against Knowledge Management ,” Business 2.0 (February 2002 ), 81, http://providersedge.com/docs/km_articles/The_ Case_Against_KM.pdf (accessed September 7, 2015).
c12.indd 275 11/30/2015 7:28:45 PM
276 Business Intelligence, Knowledge Management, and Analytics
At a time when most fast‐food restaurants were touting nutrition, Hardee ’ s proudly introduced the Monster Thickburger.
It boasts a phenomenal 1,420 calories and 107 grams of fat. It consists of 2 one‐third‐pound charbroiled 100% Angus beef
patties, three slices of American cheese, a dollop of mayonnaise, and four crispy strips of bacon on a toasted buttery sesame
seed bun. What on earth was CKE Restaurants, the owners of the Hardee ’ s chain, thinking?
Because of its business intelligence system (BIS), CKE was confi dent about introducing the Monster Thickburger across
the United States. A BIS uses data mining, analytical processing, querying, and reporting to process a business ’ s data and
derive insights from them. CKE ’ s BIS, known ironically inside the company as the CKE performance reporting (CPR),
monitored the performance of its Monster Thickburger in test markets to ensure that the burger contributed to increases
in sales and profi ts at restaurants without cannibalizing sales of other more modest burgers. To do so, CKE ’ s BIS studied
■ CASE STUDY 12‐2 Business Intelligence at CKE Restaurants
In 2009, Stop & Shop introduced Scan It!, a portable electronic device for customers shopping in its stores. The device
allowed customers to “scan and bag” products, expediting checkout times at the end of their shopping trip. Additionally,
the device offered deals based on the location of the scanner (and therefore the customer) in the store. Location‐specifi c
discounts in real time became increasingly popular among customers as use of Scan It! grew by 10% in both the fi rst and
second quarters of 2009. The most benefi cial aspect of the Scan It!, however, came with the powerful analytics software built
into the device by Modiv Media in which Stop & Shop owns a minority interest. The software kept track of each customer ’ s
purchasing habits both past and present in order to individualize coupons in real time for the customer.
The scanner resulted in three positive trends for Shop & Stop . Customer loyalty grew, allowing the company to secure
an increased customer base than area demographics would predict. Additionally, each shopper ’ s basket size increased as the
individually tailored coupons enticed customers to buy more. Lastly, Shop & Stop ’ s customer base grew as word of mouth
marketing brought in more customers to try the state‐of‐the‐art device.
However, after a couple of years, Stop & Shop saw customer adoption plateau. In October 2011, the grocer created the
Scan It! app for the iPhone and Android. By eliminating the need to sign in and retrieve a scanner at the store, customer
adoption of the device continued its upward climb. Additionally, as customers became increasingly concerned about saving
money while shopping, Stop & Shop built in budgeting software to allow customers to track their spending more effectively.
Ads for the new app proclaimed, “New Mobile App Allows Customers to Shop, Bag, and Tally Their Grocery Order with
Their Personal iPhone ® and Android™ Devices.” Scan It! was heralded as “a fi rst of its kind grocery app that allows cus-
tomers to use their personal mobile device to scan, tally, and bag their groceries while they shop.” 28
Stop & Shop had bundled an app that not only rewarded customers who shopped at its stores by helping them save money
but also tracked information on sales, which the company loaded into its data warehouse and used to understand its cus-
tomers. Analytics then helped Stop & Shop put the right items on its shelves to maximize sales and create customer loyalty.
Discussion Questions
1. What is the benefit of the Scan It! data to Stop & Shop ? What are some of the questions the company could answer
about its customers?
2. How would you assess the level of capabilities of Stop & Shop ’ s use of analytics? What might the company do differ-
ently with the data to gain more value?
3. What is the benefit of Scan It! for the customers? What concerns might shoppers have about their privacy? How would
you advise Stop & Shop management to respond to these concerns?
Sources: Adapted from http://www.internetretailer.com/2011/10/26/stop‐shop‐expands‐availability‐scan‐it‐mobile‐app (accessed September 6, 2015); http://stopandshop.com/shopping/shopping‐tools/scanit/ (accessed September 6, 2015); http://southeastfarmpress. com/vegetables/supermarket‐guru‐seeking‐next‐big‐trend (accessed September 6, 2015).
28 Adapted from http://www.internetretailer.com/2011/10/26/stop‐shop‐expands‐availability‐scan‐it‐mobile‐app; http://www.stopandshop.com/our_
stores/tools/scan_it_mobile.htm; http://southeastfarmpress.com/vegetables/supermarket‐guru‐seeking‐next‐big‐trend.
c12.indd 276 11/26/2015 6:33:45 PM
277
a variety of factors—such as menu mixes, Monster Thickburger production costs, average unit volumes for the Monster
Thickburger compared with other burgers, gross profi ts and total sales for each of the test stores, and the contribution
that each menu item (including the Monster Thickburger) made to total sales. Because the sales of Monster Thickburger
exceeded expectations in the test markets, CKE developed a $7 million dollar advertising campaign to launch its nationwide
introduction. Monster Thickburger sales exceeded expectations, and Hardee ’ s sales revenues increased immediately, eventu-
ally growing by 8%. “The Monster Thickburger was directly responsible for a good deal of that increase,” says Brad Haley,
Hardee ’ s executive vice president of marketing.
Partially because of its reliance on CPR, CKE was rescued from the brink of bankruptcy. It increased sales at restau-
rants open more than a year, narrowed its overall losses, and fi nally turned a profi t after three years. CPR, its proprietary
system, consists of a Microsoft SQL server database and uses Microsoft development tools to parse and display analytical
information. It uses econometric models to provide context and to explain performance. The company reviews and refi nes
these models each month. The econometric models take into consideration 44 factors, including the weather, holidays,
coupon activity, discounting, free giveaways, and new products. With the click of a button, for example, a sales downturn
can be explained on a screen showing, for example, that 5% of the 8% decrease was due to torrential rain in the Northeast
and 2% was due to free giveaways.
In the competitive restaurant chain industry, companies have to be agile and responsive to the dynamic environment that
they face. They must match their BIS initiatives to their business strategies in order to improve operations and their bottom
lines. BISs assist companies in making strategic decisions about menu items and closures of underperforming stores as well
as tactical matters such as renegotiating contracts with food suppliers, monitoring food costs, and identifying opportunities
to improve ineffi cient processes. To derive value from their BISs, many restaurant chains have successfully reduced the three
biggest barriers to BIS success: voluminous amounts of irrelevant data, poor data quality, and user resistance.
CKE ’ s CIO and Executive Vice President of Strategic Planning Jeff Chasney states: “If you ’ re just presenting information
that ’ s neat and nice but doesn ’ t evoke a decision or impart important knowledge, then it ’ s noise. You have to focus on what
are the really important things going on in your business.”
Chasney stresses that a BIS should be different from the plain‐vanilla standard corporate reporting tools of old. Rather, a
BIS should provide managers insights rather than just data. He believes that the context from which the data were collected
signifi cantly impacts how those data should be interpreted. Systems that just report changes without enough background or
information on what caused those changes are not very useful. Managers don ’ t know what data to trust. Chasney explains,
“If your business intelligence system is not going to improve your decision making and fi nd problem areas to correct and
new directions to take, nobody ’ s going to bother to look at it.”
The fi rst step to developing a BIS is to understand the company ’ s decision‐making processes. Before information is col-
lected, analyzed, and used in the BIS, someone has to identify what information is needed to confi dently make decisions.
For instance, the CEOs of CKE ’ s restaurant chains wanted to understand what made sales fl uctuate while the COOs wanted
to know how to recognize good business opportunities as well as underperforming properties. Then the BIS designer must
determine the appropriate presentation format, be it a report, a chart, or a Web site.
BIS must add value to the executive ’ s decision‐making processes. To do that, attention must be paid to the critical
performance indicators. For CKE , as Chasney learned, those are sales, cost of sales, exceptions (such as high‐performing or
underperforming areas), and business trends.
Discussion Questions
1. How does the business intelligence system (BIS) at CKE add value to the business?
2. What are some tips for developing and using the BIS described in this case?
3. Was the introduction of the Monster Thickburger a good idea or an example of information leading to a wrong decision?
Sources: Christine Lagorio , “ Man vs. Monster Thickburger ” (February 11, 2009 ), http://www.cbsnews.com/news/man‐vs‐monster‐ thickburger/ (accessed September 6, 2015) ; Meredith Levinson , “ The Brain Behind the Big, Bad Burger and Other Tales of Business Intelligence ,” CIO (May 15, 2007 ); http://www.cio.com/article/109454/The_Brain_Behind_the_Big_Bad_Burger_and_Other_Tales_of_ Business_Intelligence (accessed September 6, 2015) .
Case Study
c12.indd 277 11/26/2015 6:33:45 PM
278
13 chapter
Information technology (IT) has created a unique set of ethical issues related to the use and control of information. This chapter addresses those issues from various perspectives using three normative theories (stockholder, stakeholder, and social contract) to understand the responsible use and control of information by business organizations. Social contract the- ory is extended to the evolving issue of responsiveness to foreign governments when ethical tensions emerge. At the individual and corporate levels, Mason ’ s privacy, accuracy, property, accessibility (PAPA) framework is applied to information control. Subsequently, the chapter covers the ethical role of managers in today ’ s dynamic world of social business and security controls to keep information safe and accurate. The chapter concludes with a discussion of green computing.
When TJX Co., Target, and Home Depot fell victim to three of the largest data security breaches
in the history of retailing, each faced a serious ethical dilemma that unfortunately seems to have
plagued a growing number of companies in recent years. The credit card accounts of an estimated
186 million customers worldwide were stolen by these three breaches alone; 90 million for TJX, 40
million for Target , and 56 million for Home Depot . 1 Current laws from multiple state, federal, and
foreign jurisdictions dictate how and when a fi rm must inform affected customers and what correc-
tive steps it must take in such a case; most jurisdictions allow 45 days for a fi rm to act following the
determination of a breach. Any delay beyond 45 days would incur heavy fi nes. However, ethically,
it becomes an even more pressing issue. Should highly visible fi rms such as these inform affected
customers immediately or wait until a breach has been secured and all remedial steps have been
undertaken, which may take weeks?
If a fi rm informs customers immediately, the customers could start taking preventive steps to
protect themselves from identity theft and minimize resulting fi nancial and psychological losses.
However, this means the breach would become public knowledge before the remedial steps were
taken. More hackers would learn about the breach and possibly exploit the weakness in the com-
pany ’ s IT infrastructure. Additionally, the fi nancial markets would lose confi dence in the breached
company and severely punish shareholders. Such loss of image would also affect the company ’ s
ability to attract and retain high‐quality employees in the long run. On the other hand, if it waited for
45 days, the fi nancial stability of many customers would be compromised through misuse of their
credit cards and other private records. This could result in major class‐action litigation, which might
permanently affect the company.
Information collected in the course of operations is important for conducting business and even
creating valuable competitive advantage. But managers must ask ethical questions concerning just
Privacy and Ethical Considerations in Information Management
1 D. Paddon , “ Home Depot: 56 Million Credit Cards Affected by Security Breach, Malware Eliminated ,” Huffington Post Canada (September 18, 2014 ; updated November 18, 2014), http://www.huffingtonpost.ca/2014/09/18/home‐depot‐credit‐cards‐ eliminates_n_5845534.html (accessed September 7, 2015).
c13.indd 278 11/26/2015 6:39:11 PM
279Privacy and Ethical Considerations in Information Management
how that information will be used and by whom whether it is recorded or created inside or outside the organization.
Failing to protect customer information can carry serious consequences, such as damaged shareholder relation-
ships. Target’s stock price fell 9% in the days after the breach was announced, and profit fell a whopping 46% in
the quarter following the breach.2 Likewise, TJX’s stock lost 8% in value the day after the breach was announced.3
Acting responsibly is likely to gain legitimacy in the eyes of key stakeholders. Further, failure to adequately
control information can cause a spillover effect with repercussions for an entire industry. For example, following
the TJX breach, Massachusetts passed legislation with stringent requirements for any organization maintaining
information about its citizens.4 As computer networks and their products come to touch every aspect of people’s
lives and as the power, speed, and capabilities of computers expand, managers are increasingly challenged to gov-
ern those computer networks and to protect information residing on them in an ethical manner.
Following the Target and Home Depot breaches, Congress passed a Cybersecurity Enhancement Bill into law on
December 18, 20145 that supports research and development to establish best practices, increase the public’s aware-
ness of the importance of cybersecurity, supports educational initiatives, and fosters a better‐prepared workforce.
Federal agencies are required to develop and continually update a cybersecurity strategic plan to “(1) guarantee
individual privacy, verify third‐party software and hardware, and address insider threats; (2) determine the origin
of messages transmitted over the internet; and (3) protect information stored using cloud computing or transmit-
ted through wireless services.”6 Additional legislation is expected to be signed into law over the coming years, and
it is likely that legislation will struggle to keep up with the race between protection and breach of large pools of
information for the foreseeable future. Even without any possible new legislation, managers must make decisions
that don’t compromise or put at risk the privacy and security of an individual’s information.
Without guaranteed solutions, managers could easily become perplexed with their charge to manage both techni-
cally and ethically. They must manage the information generated and contained within their systems for the benefit
not only of the corporation but also of society as a whole. The predominant issue, which arises due to the omni-
presence of corporate IS, concerns the just and ethical use of the information that companies collect in the course
of everyday operations. Without official guidelines and codes of conduct, who decides how to use this information?
More and more, this challenge falls on corporate managers. They must understand societal needs and expectations
to determine what they ethically can and cannot do in their quest to learn about their customers, suppliers, and
employees and to provide greater service.
In a society whose legal standards are continually challenged, managers must serve as guardians of the public
and private interest, although many may have no formal legal training and, thus, no firm basis for judgment. This
chapter addresses many such concerns. It begins by expanding on the definition of ethical behavior and introduces
several heuristics that managers can employ to help them make better decisions. Then the chapter elaborates on the
most important issues behind the ethical treatment of information and some newly emerging controversies that will
surely test society’s resolve concerning the increasing presence of IS in every aspect of life.
This chapter takes a high‐level view of ethical issues facing managers in today’s environment. It focuses primar-
ily on providing a set of frameworks the manager can apply to a wide variety of ethical issues. Outside the scope
of this chapter are several important issues such as the digital divide (the impact of computer technology on the
poor or “have‐nots,” racial minorities, and third world nations), cyberwar (politically motivated hacking to conduct
sabotage and espionage), cyberbullying, or social concerns that arise from artificial intelligence, neural networks,
and expert systems. Such problems have no easy answers, and researchers are just beginning to define and under-
stand them, a necessary step in finding future solutions. Although these are interesting and important areas for
concern, the objective in this chapter is to provide managers a way to think about the issues of information ethics
and corporate responsibility.
2 M. McGrath, “Target Profit Falls 46% on Credit Card Breach and the Hits Could Keep Coming,” Forbes (February 26, 2014), http://www.forbes.com/ sites/maggiemcgrath/2014/02/26/target‐profit‐falls‐46‐on‐credit‐card‐breach‐and‐says‐the‐hits‐could‐keep‐on‐coming/ (accessed September 7, 2015). 3 R. Kerber, “Cost of Data Breach at TJX Soars to $256m,” Boston Globe Connection (August 15, 2007), http://www.boston.com/business/articles/2007/08/15/
cost_of_data_breach_at_tjx_soars_to_256m/?page=full (accessed September 7, 2015). 4 M. Culnan and C. Williams, “How Ethics Can Enhance Organizational Privacy: Lessons from the ChoicePoint and TJX Data Breaches,” MIS Quarterly 33, no. 4 (2009), 673–87. 5 https://www.congress.gov/bill/113th‐congress/senate‐bill/1353 (accessed September 7, 2015). 6 Ibid.
c13.indd 279 11/26/2015 6:39:12 PM
280 Privacy and Ethical Considerations in Information Management
Responsible Computing The technological landscape is changing daily. Increasingly, however, technological advances come about in a
business domain lacking ethical clarity. Because of its newness, this area of IT often lacks accepted norms of
behavior or universally accepted decision‐making criteria. Companies daily encounter ethical dilemmas as they
try to use their IS to create and exploit competitive advantages. These ethical dilemmas arise when a decision or
an action reflects competing moral values that may impair or enhance the well‐being of an individual or a group of
people. These dilemmas arise when there is no one clear way to deal with the ethical issue.
Managers must assess current information initiatives with particular attention to possible ethical issues. Collect-
ing customer information in an uncontrolled manner can lead to unintended consequences, such as the increasing
number of breaches that are occurring and invasion of privacy. There are indeed benefits for both buyers and sellers
in storing and using detailed information, making purchases more convenient and presenting products that are truly
interesting to customers. Using high volumes of data that are stored about customers can raise the efficiency of the
browsing and shopping experience. However, managers need to also consider information ethics, or the “ethical issues associated with the development and application of information technologies.”7 Stated more directly, just
because we can do something does not mean we should.
It is useful to consider three theories of ethical behavior in the corporate environment that managers can develop
and apply to the particular challenges they face. These normative theories of business ethics—stockholder theory,
stakeholder theory, and social contract theory—are widely applied in traditional business situations. They are “nor-
mative” in that they prescribe behavior, specifying what people should do. Smith and Hasnas also refer to them as
“intermediate‐level” principles that can be understood by ordinary businesspeople and that can be applied to the
“concrete moral quandaries of the business domain.”8 Following is a description of each theory accompanied by an
illustration of its application using the TJX example, the first of the three widespread retail data breaches outlined
at the beginning of this chapter.
Stockholder Theory
According to stockholder theory, stockholders provide funding for a firm, and expect its managers to act as agents in furthering the stockholders’ goals.9 The nature of this contract binds managers to act in the interest of the share-
holders (i.e., to maximize shareholder value). As Milton Friedman wrote, “There is one and only one social respon-
sibility of business: to use its resources and engage in activities designed to increase its profits so long as it stays
within the rules of the game, which is to say, engages in open and free competition, without deception or fraud.”10
Stockholder theory qualifies the manager’s duty in two salient ways. First, managers are bound to employ legal,
nonfraudulent means. Second, managers must take the long‐term view of shareholder interest (i.e., they are obliged
to forgo short‐term gains if doing so will maximize value over the long‐term).
The stipulation under stockholder theory that the pursuit of profits must be legal and nonfraudulent would not
have prevented TJX from waiting to announce the security breach until it had taken corrective action. The delay
allowed by law might also have a positive impact on TJX’s stock price. Delaying would satisfy the test of maxi-
mizing shareholder value because it would help keep the price of its stock from dropping. Further, a recent survey
indicated that customers are reluctant to shop in stores once data breaches have been announced,11 so delaying may
be important for maintaining a steady stream of revenues for as long as possible. On the other hand, disgruntled
customers would definitely stop shopping at its stores if TJX waited too long.12 Any lost revenues would weigh
7 M. G. Martinsons and D. Ma, “Sub‐Cultural Differences in Information Ethics Across China: Focus on Chinese Management Generation Gaps,”
Journal of AIS 10 (Special Issue) (2009). 8 H. Jeff Smith and John Hasnas, “Ethics and Information Systems: The Corporate Domain,” MIS Quarterly (March 1999), 112. 9 Ibid. 10 M. Friedman, Capitalism and Freedom (Chicago, IL: University of Chicago Press, 1962), 133. 11 Brett Conradt, “Think Shoppers Forget Retail Data Breaches? Nope,” CNBC.com (June 22, 2015), http://www.cnbc.com/2015/06/22/ (accessed
September 12, 2015). 12 There is an interesting presentation of a similar breach with commentaries from the CIOs of ChoicePoint, Motorola, Visa International, and Theft
Resource Center in Eric McNulty, “Boss I Think Someone Stole Our Customer Data,” Harvard Business Review (September 2007), 37–50.
c13.indd 280 11/26/2015 6:39:12 PM
281Responsible Computing
against managers’ success in meeting the ethical obligation to work toward maximizing value. It appears that TJX
took only the actions necessary to bring its practices in line with those expected in industry.13
Stakeholder Theory
Stakeholder theory holds that managers, although bound by their relation to stockholders, are entrusted also with a responsibility, fiduciary or otherwise, to all those who hold a stake in or a claim on the firm.14 The word stake- holder is currently taken to mean any group that vitally affects the survival and success of the corporation or whose interests the corporation vitally affects. Such groups normally include stockholders, customers, employees, sup-
pliers, the local community, and, possibly, many other groups who may hold a stake in the firm. At its most basic
level, stakeholder theory states that management must balance the rights of all stakeholders without impinging on
the rights of any one particular stakeholder.
Stakeholder theory diverges most consequentially from stockholder theory in affirming that the interests of
parties other than the stockholders also play a legitimate role in a firm’s governance and management. As a practical
matter, it is often difficult, if not impossible, to figure out what is in the best interest of each stakeholder group and
then balance any conflicting interests.
When stakeholders feel that their interests haven’t been considered adequately by the managers making the
decisions, their only recourse may be to stop participating in the corporation: Customers can stop buying the com-
pany’s products, stockholders can sell their stock, and so forth. But some stakeholders are not in a position to stop
participating in the corporation. In particular, employees may need to continue working for the corporation even
though they dislike practices of their employers or experience considerable stress due to their jobs.
Viewed in light of stakeholder theory, the ethical issue facing TJX presented a more complex dilemma. John
Philip Coghlan, CEO of Visa USA noted, “A data breach can put an executive in an exceedingly complex situation,
where he must negotiate the often divergent interests of multiple stakeholders.”15 TJX’s shareholders stand to gain in
the short term by delaying an announcement, but what would be the effects on other stakeholders? One stakeholder
group, the customers, definitely could benefit from knowing about the breach and its severity as soon as possible
because they could take steps to protect themselves through a special Web page, toll‐free information hotlines,
or Webcasts. TJX could also offer them a free credit‐monitoring service and compensate those who are injured.
Research has shown that customers who receive adequate compensation after making a complaint are actually more
loyal than those without complaints.16 On the other hand, if the breach were not announced, fewer hackers might
be attracted to the situation or inspired to be a “copy cat” and break into systems. Nonetheless, it probably could be
shown that the costs to customers outweighed the benefits within the larger stakeholder group.
Social Contract Theory
Social contract theory places responsibility on corporate managers to consider the needs of the society (societies) in which the corporation is embedded. Social contract theorists assert that a corporation is permitted legally to
form to create more value to society than it consumes. Thus, society gives legal recognition to the organization and
charges it with enhancing society’s welfare by satisfying particular interests of consumers and workers in exploit-
ing the advantages of the corporate form.17 The social contract comprises two distinct components: social welfare
and justice. Social welfare addresses the issue of providing benefits exceeding their associated costs, and the need for justice addresses the need for corporations to pursue profits legally without fraud or deception and avoid activ- ities that injure society. The social contract obliges managers to pursue profits in ways that are compatible with the
well‐being of society as a whole.
13 Culnan and Williams, “How Ethics Can Enhance Organizational Privacy,” 673–87. 14 Smith and Hasnas, “Ethics and Information Systems,” 115. 15 McNulty, “Boss I Think Someone Stole Our Customer Data.” 16 Ibid. 17 Smith and Hasnas, “Ethics and Information Systems,” 116.
c13.indd 281 11/26/2015 6:39:12 PM
282 Privacy and Ethical Considerations in Information Management
Social contract theory is sometimes criticized because no mechanism exists to actuate it. In the absence of a real
contract whose terms subordinate profit maximization to social welfare, most critics find it hard to imagine that
corporations are willing to lose profitability in the name of altruism. Yet, the strength of the theory lies in its broad
assessment of the moral foundations of business activity.
Applied to the TJX case, social contract theory would demand that the manager ask whether the delay in noti-
fying customers about the security breach could compromise fundamental tenets of fairness or social justice. If
customers were not apprised of the delay as soon as possible, TJX’s actions could be seen as unethical because it
would not seem fair to delay notifying the customers. If, on the other hand, the time prior to notification were used
to take corrective action with the consequence of limiting not only hackers from stealing confidential customer
information but also of forestalling future attacks that would impact society as a whole, the delay conceivably could
be considered ethical.
Although these three normative theories of business ethics possess distinct characteristics, they are not com-
pletely incompatible. All offer useful metrics for defining ethical behavior in profit‐seeking enterprises under free
market conditions. The theories provide managers an independent standard by which to judge the ethical nature of
superiors’ orders as well as their firms’ policies and codes of conduct. Upon inspection, the three theories appear to
represent concentric circles with stockholder theory at the center and social contract theory at the outer ring. Stock-
holder theory is narrowest in scope, stakeholder theory encompasses and expands on it, and social contract theory
covers the broadest area. Figure 13.1 summarizes these three theories.
What, ultimately, did TJX do? It disclosed the breach in January 2007 but did not release a comprehensive
executive summary of the attack until March 2007 when it made a regulatory filing. The preceding December TJX
had actually noticed suspicious software, at which point it hired IBM and General Dynamics to investigate. Three
days later, these investigators determined that TJX’s systems had been compromised due to its failure to imple-
ment adequate information security procedures and detect and limit unauthorized access.18 Further, the attacker
still had access. Unfortunately, it took TJX 17 months to find out that its computer systems had been breached on
numerous occasions on a colossal scale.19 It was over a year later, on February 29, 2008, when President and CEO
Carol Meyrowitz wrote a letter to “valued customers” about the breach that had been announced in January 2007.
The TJX retail chain agreed to pay $24 million and $41 million in restitution to MasterCard‐ and Visa‐issuing
lenders, respectively, who were affected by the breach. TJX also offered free credit monitoring for cardholders and
a $30 store voucher.20 Not until June 2009 did TJX finally reach a settlement of US$9.75 million with 41 states to
compensate them for their investigations of the breach.21 Based on media coverage at that time, one could surmise
that TJX’s overriding approach was more consistent with the stockholder theory than social contract theory. At least
one set of stakeholders, the customers, were not well served.
FIGURE 13.1 Three normative theories of business ethics.
Theory Definition Metrics
Stockholder Maximize stockholder wealth, in a legal and non‐fraudulent manner
Will this action maximize long‐term stockholder value? Can goals be accomplished without compromising company standards and without breaking laws?
Stakeholder Maximize benefits to all stakeholders while weighing costs to competing interests
Does the proposed action maximize collective benefits to the company? Does this action treat one or more of the corporate stakeholders unfairly?
Social contract Create value for society in a manner that is just and non‐discriminatory
Does this action create a “net” benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just?
18 Culnan and Williams, “How Ethics Can Enhance Organizational Privacy,” 673–87. 19 Kevin Murphy, “TJX Hack Is Biggest Ever” (March 29, 2007), Computer Business Review, http://www.cbronline.com/news/tjx_hack_is_biggest_ever (accessed September 7, 2015). 20 Martin Bosworth, “TJX to Pay MasterCard $24 Million for Data Breach,” ConsumerAffaris.com (April 6, 2008), http://www.consumeraffairs.com/
news04/2008/04/tjx_mc.html (accessed July 29, 2008). 21 J. Vijayan, “TJX Reaches $9.75 Million Breach Settlement with 41 States” (June 24, 2009), http://www.computerworld.com/s/article/9134765/TJX_
reaches_9.75_million_breach_settlement_with_41_ states (accessed January 28, 2012).
c13.indd 282 11/26/2015 6:39:12 PM
283Corporate Social Responsibility
Corporate Social Responsibility Application of social contract theory helps companies adopt a broad perspective. In this section, we address a “big
picture” by exploring three areas in which corporate social responsibility is particularly visible: responsible use of
information, ethical tensions with governments, and green computing.
Responsible Use of Information
Beyond the concerns of data breaches, organizations today are sitting on more data than ever before thought imag-
inable. Those data enable a company to profile us, estimate our incomes, predict our needs, and tempt us to make
purchases. Sometimes this activity strikes customers as being a “Big Brother” situation, but the name for this has
become “big data.”
As described in Chapter 12, modern statistical packages provide advanced methods to detect patterns in enor-
mous sets of data. Large data sets are difficult for people to envision, but the larger the data set, the clearer the
picture becomes for detecting and understanding those patterns. The data indicate that many behaviors tend to
cluster together; for example, camera purchases tend to be accompanied by photography accessories. Zip Codes in
affluent neighborhoods tend to predict purchases of more expensive equipment and more accessories. Those who
qualify and who also frequently purchase hiking and sporting goods might be ripe for a new GoProTM complete
with accessories. A merchant who passes up the opportunity to advertise similar waterproof personal travel cam-
eras to carefully targeted individuals will not be in a good position to compete in today’s world. However, there is
a downside to these practices.
Target inadvertently revealed a teen’s concealed pregnancy to her parents by mailing to her home address
ads for maternity clothes and diapers.22 The mailing was triggered by analysis of purchases of unscented soaps,
vitamins, and cotton balls, which matched purchasing patterns of tens of thousands of other pregnant women.
Although Target now sprinkles in other ads to be less blatant, the fact that it is aware of such personal facts is a
stark illustration of the potential for large retailers to learn an alarming amount of private information by keeping
track of purchasers and combining it with other identifying information they receive along the way or from other
organizations.
That story becomes more surprising when consumers consider that even data with concealed but uniquely coded
account numbers can reveal personal information, as a recent study reported in Science reported.23 The researchers found that knowing three other facts, such as time and date, location, and approximate amount spent while visiting
a merchant, 90% of individuals can be identified even with a data set that includes 1.1 million records spread over
three months. Knowing when a person visited a particular restaurant or coffee shop can be discerned quickly with
the use of social media entries and pictures that can establish what a person is eating. Identification of the person’s
identity can, of course, identify all of his or her credit card transactions throughout the entire data set. The message
is quite clear: Be cautious about identifying exactly where you are and exactly when you are there on social media
such as Facebook, Foursquare, and Instagram.
The Science study might imply feelings of futility are in order; that just when a manager tightens security practices to thwart yesterday’s criminals, new threats render those practices inadequate. After all, few would have
expected even disguised data to be a threat to customers. Further, many security professionals warn that it is not
possible to provide 100% assurance of security in any system.24
However, that does not mean that managers should give up. As Chapter 7 discusses, failures often occur when
firms don’t take even basic precautions. TJX used basic WiFi encryption that could be broken into in about a half an
hour in 2005. Hackers sat outside of a Marshall’s store using a laptop and antenna to access data. More surprisingly,
22 K. Hill, “How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did,” Forbes (February 16, 2012), http://www.forbes.com/sites/ kashmirhill/2012/02/16/how‐target‐figured‐out‐a‐teen‐girl‐was‐pregnant‐before‐her‐father‐did/ (accessed September 7, 2015). 23 Y. A de Montjoye, L. Radaelli, V. K. Singh, and A. S. Pentland, “Unique in the Shopping Mall: On the Re‐identifiability of Credit Card Metadata,”
Science 347, no. 6221 (January 30, 2015), 536–39. 24 M. Pringle, “Security Expert: All Systems Vulnerable to Cyberattacks” (December 23, 2014), http://www.wbaltv.com/money/security‐expert‐all‐systems‐
vulnerable‐to‐cyberattacks/30350212 (accessed September 7, 2015).
c13.indd 283 11/26/2015 6:39:12 PM
284 Privacy and Ethical Considerations in Information Management
a security professional reported in 2007 that most major retailers had similar weaknesses.25 The Target hack was
perpetrated by data thieves posing as heating/air conditioning repair professionals; they were able to tap into the
system using their assigned terminals. The Home Depot breach involved installation of malware at self‐service
checkout counters.26
These stories will undoubtedly and unfortunately be augmented by others in the future, but they illustrate that
security personnel should be armed with knowledge of best practices, common sense in handling people who
request access to computer systems, and vigilance at points of vulnerability. Chapter 7 provides specific strategies
to try to carry out a firm’s responsibility for protecting data.
Ethical Tensions with Governments
Organizations are also facing a dilemma reconciling their corporate policies with regulations in countries where
they want to operate. “Managers may need to adopt much different approaches across nationalities to counter the
effects of what they perceive as unethical behaviors.”27 For example, the United Arab Emirates threatened to shut
off BlackBerry messaging, e‐mail, and Web browsing services if the device’s maker, Research in Motion (RIM) did
not provide certain information necessary for national security. RIM managers did not want to disclose confiden-
tial information. But they also didn’t want to endanger UAE’s national security. Even though a compromise was
reached shortly before the shutdown was to go into effect, the case reflects the challenges of dealing with foreign
governments.28
Censorship posed an ethical dilemma for companies such as Sony and Google. Just before planning to release
the film The Interview, Sony Pictures suffered terroristic threats and eventually widespread hacks of their com- puters that President Barak Obama and the NSA blamed on North Korea.29 Sony reacted swiftly to the threats and
postponed plans to release the film. Eventually, the film was released, at first online and then in a small number
of theaters. A firm suffering threats from governmental agencies faces unexpected options requiring quick action.
Enticed by the lure of a gigantic market, Google tried to set up business in China. The Chinese government,
quite accustomed to developing and enforcing regulations, wanted to limit the overseas Web sites that Google’s
search engine could retrieve when operating in China. The Chinese government also interfered with Google’s
e‐mail services, making it difficult for users to gain access to Gmail. Google continues to face the dilemma of how
to deliver the level of services it deems appropriate in the face of stiff government regulation. This dilemma is likely
to become very common with increased globalization. In this case, the balancing act is at an international level.
PAPA: Privacy, Accuracy, Property, and Accessibility In an economy that is rapidly becoming dominated by knowledge workers, the value of information is paramount.
Those who possess the “best” information and know how to use it will win. The recent trends in cloud computing
and big data permit high levels of computational power and storage to be purchased for relatively small amounts
of money. Although this trend means that computer‐generated or stored information now falls within the reach of
a larger percentage of the populace, it also means that collecting and storing information is becoming easier and
more cost effective. Although this circumstance can affect businesses and individuals for the better, it also can affect
them substantially for the worse.
25 G. Ou, “TJX’s Failure to Secure Wi‐Fi Could Cost $1B” (May 7, 2007), http://www.zdnet.com/article/tjxs‐failure‐to‐secure‐wi‐fi‐could‐cost‐1b/
(accessed September 7, 2015). 26 B. Krebs, “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs On Security (September 18, 2014), http://krebsonsecurity.com/2014/09/
home‐depot‐56m‐cards‐impacted‐malware‐contained/ (accessed September 7, 2015). 27 D. Leidner and T. Kayworth, “A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict,”
MIS Quarterly 30, no. 2 (2006), 357–99. 28 “For Data, Tug Grows Over Privacy vs. Security” (August 3, 2010), http://query.nytimes.com/gst/fullpage.html?res=9504E4D6113CF930A3575BC0
A9669D8B63 (accessed January 28, 2012). 29 J. Diamond, “NSA Hacking Since 2010 Led U.S. to Blame North Korea for Sony Attack,” CNN (January 20, 2015), http://www.cnn.com/2015/01/19/
politics/nsa‐north‐korea‐hacking‐2010/ (accessed September 12, 2015).
c13.indd 284 11/26/2015 6:39:12 PM
285PAPA: Privacy, Accuracy, Property, and Accessibility
Consider several areas of information ethics in which the control of information is crucial. Richard O. Mason30
identified four such areas, which can be summarized by the acronym PAPA: privacy, accuracy, property, and acces-
sibility (see Figure 13.2). Mason’s framework has limitations in terms of accommodating the range and complexity
of ethical issues encountered in today’s information‐intensive world. However, this framework helps to understand
information ethics because it is both popular and simple.
Privacy
Many people consider privacy to be the most important area in which their interests need to be safeguarded.
Privacy has long been considered “the right to be left alone.”31 Although it has been argued that so many differ- ent definitions exist that it is hard to satisfactorily define the term,32 it is “fundamentally about protections from
intrusion and information gathering by others.”33 Typically, it has been defined in terms of individuals’ ability to
personally control information about themselves. But requiring individuals to control their own information would
severely limit what is private. In today’s information‐oriented world, individuals really have little control.
In July 2015, the issue of privacy became a frequent subject of discussion due to the discovery of a breach
at marital affair facilitation firm Ashley Madison, revealing account and credit card information for 37 million
users.34 Users had assumed that their covert affairs would remain a secret, but blackmailers demanded money to
keep the information from being published widely.35 Reportedly, the hackers subsequently released information
from 32 million of the users.36 Two suicides have been linked to the breach, underscoring the seriousness of
online privacy.37
FIGURE 13.2 Mason’s areas of managerial control. Source: Adapted from Richard O Mason, “Four Ethical Issues of the Information Age,” MIS Quarterly 10, no. 1 (March 1986), 5.
Area Critical Questions
Privacy What information must people reveal about themselves to others? Are there some things that people do not have to reveal about themselves? Can the information that people provide be used to identify their personal preferences or history when they don’t want those preferences or history to be known? Can the information that people provide be used for purposes other than those for which the people were told that it would be used?
Accuracy Who is responsible for the reliability, authenticity, and accuracy of information? Who is accountable for errors in the information?
Property Who owns the information? Who owns the channels of distribution, and how should they be regulated? What is the fair price of information that is exchanged?
Accessibility What information does a person or organization have a right to obtain, with what protection, and under what conditions? Who can access personal information in the files? Does the person accessing personal information “need to know” the information that is being accessed?
30 Richard O. Mason, “Four Ethical Issues of the Information Age,” MIS Quarterly 10, no. 1 (March 1986). 31 Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review 4, no. 5 (December 1890), 193–200. 32 Paul Pavlou, “State of the Inform Privacy Literature: Where Are We Now and Where Should We Go?” MIS Quarterly 35, no. 4 (2011), 977–85. 33 E. F. Stone, D. G. Gardner, H. G. Gueutal, and S. McClure, “A Field Experiment Comparing Information‐Privacy Values, Beliefs, and Attitudes Across
Several Types of Organizations,” Journal of Applied Psychology 68, no. 3 (August 1983), 459–68. 34 Daniel Victor, “The Ashley Madison Data Dump, Explained,” The New York Times (August 19, 2015), http://www.nytimes.com/2015/08/20/technol- ogy/the‐ashley‐madison‐data‐dump‐explained.html (accessed September 7, 2015). 35 Jonah Bromwich, “Ashley Madison Users Face Threats of Blackmail and Identity Theft,” The New York Times (August 27, 2015), http://www.nytimes. com/2015/08/28/technology/ashley‐madison‐users‐face‐threats‐of‐blackmail‐and‐identity‐theft.html (accessed September 7, 2015). 36 Rishi Iyengar, “Hackers Release Data from Cheating Website Ashley Madison Online,” Time (August 18, 2015), http://time.com/4002647/ashley‐ madison‐hackers‐data‐released‐impact‐team/ (accessed September 7, 2015). 37 Hilary Shenfield, “Suicides Possibly Linked to Release of Ashley Madison Client Names: Toronto Police,” People (August 25, 2015), http://www. people.com/article/suicides‐possibly‐linked‐to‐ashley‐madison‐hack‐toronto‐police‐say (accessed September 7, 2015).
c13.indd 285 11/26/2015 6:39:12 PM
286 Privacy and Ethical Considerations in Information Management
Privacy Paradox
Managers must consider the privacy paradox, which trades off convenience, irritation, and even entertainment for privacy. For instance, a company might store credit card numbers of its customers so that they do not have to enter
that information every time they visit the firm’s Web site. However, by doing so, there is additional risk of theft of
that information. There is also convenience in tailoring advertisements according to a person’s unique interests.
Rather than suffer with relentless advertisements that have little relevance, ad networks that share information across
sites potentially provide less irritation to consumers. Finally, teenagers and adults alike post private information
about location, friends, and activities, largely for entertainment purposes in spite of abundant warnings.
A study of 15,000 consumers in 15 countries reported that 51% said they would not trade off privacy for
convenience but 27% said they would. Results differed by country with India reporting 40% in the “no” camp and
48% in the “yes” camp. In contrast, Germans were most negative with 71% saying “no” and 12% saying “yes.”38
Interestingly, regardless of the survey results, recent studies reveal that many consumers behave as if they are unconcerned. Teenagers in a study posted sensitive information widely although many regretted their disclosures
later.39 Many people are finding out that talking about their latest bashes in detail on Facebook does not go over
very well with potential employers who access their pages. An interesting study reported that 70% of U.S. recruiters
and human resource professionals have rejected candidates based on data found online.40 Fewer than 20% of Face-
book’s members had adjusted the default privacy settings prior to Facebook’s change in policy (when it came under
fire) to enhance customer privacy.41 The concern about privacy on Facebook (and other Internet sites) varies across
the globe; for example, it is greater in Europe than in the United States.
Even more telling is the fact that privacy notices are widely ignored, perhaps due to their length, legal language,
and uninteresting nature. Facebook’s Terms of Service (TOS) agreement outlines its privacy policy in over 9,000
words, and Pen Pal’s TOS 36,000 tops the number of words in Shakespeare’s Hamlet. 42 A recent prank confirmed a previous University of California–Berkeley survey that found that fewer than 2% of users read license agreements.
Thousands actually agreed to give up their souls by agreeing to an “immortal soul clause” buried in an agreement
notice at a Web site in the United Kingdom.43
The Federal Trade Commission (FTC) is currently seeking more understandable privacy notices for consumers
that will result in more transparency about data provided to firms “in the fine print.” In a recent speech, FTC
Director Jessica Rich warned of corporate practices that compromise privacy, especially in the ways in which big
data can work against consumers.44 Managers must avoid ethical blunders while they seek to provide customers
convenient and useful opportunities.
Taking Control
Although total control is difficult in today’s digital world, individuals can exert control by making efforts to manage
their privacy through choice, consent, and correction. In particular, individuals can choose situations that offer the desired level of access to their information ranging from “total privacy to unabashed publicity.”45
38 S. Lohr, “The Privacy Paradox, a Challenge for Business,” The New York Times (June 12, 2014), http://bits.blogs.nytimes.com/2014/06/12/the‐privacy‐ paradox‐a‐challenge‐for‐business/ (accessed September 7, 2015). 39 Y. Wang, S. Komanduri, P. G. Leon, G. Norcie, A. Acquisti, and L. F. Cranor, “I Regretted the Minute I Pressed Share: A Qualitative Study of Regrets
on Facebook,” Symposium on Usable Privacy and Security (2011), https://cups.cs.cmu.edu/soups/2011/proceedings/a10_Wang.pdf (accessed September
7, 2015). 40 Andrew LaVallee, “Facebook Outlines Privacy Changes” (December 9, 2009), http://blogs.wsj.com/digits/2009/12/09/facebook‐outlines‐privacy‐
changes/ (accessed May 11, 2011). 41 Lori Andrews, “Facebook Is Using You,” The New York Times (February 4, 2012), http://www.nytimes.com/2012/02/05/opinion/sunday/facebook‐is‐ using‐you.html (accessed September 7, 2015). 42 Marc Goodman, Future Crimes (Toronto, Ontario: Random House, 2015). 43 J. Temple, “Why Privacy Policies Don’t Work—and What Might,” SFGate (January 29, 2012), http://www.sfgate.com/business/article/Why‐privacy‐ policies‐don‐t‐work‐and‐what‐might‐2786252.php (accessed September 7, 2015). 44 J. Rich, “The FTC’s Consumer Protection Program: Current Priorities in Advertising and Privacy,” speech at the FTC Privacy and Advertising Law
Summit, June 12, 2014, https://www.ftc.gov/system/files/documents/public_statements/411821/140612kdwspeech.pdf (accessed September 7, 2015). 45 H. T. Tavani and James Moore, “Privacy Protection, Control of Information, and Privacy‐Enhancing Technologies,” Computers and Society (March 2001), 6–11.
c13.indd 286 11/26/2015 6:39:12 PM
287PAPA: Privacy, Accuracy, Property, and Accessibility
Individuals may also exert control when they manage their privacy through consent. When they give their con- sent, they are granting access to otherwise restricted information and they are specifying the purposes for which it
may be used. In granting access, people should recognize that extensive amounts of data that can personally iden-
tify them are being collected and stored in databases and that these data can be used in ways that the individuals
had not intended. When giving their consent, individuals should try to anticipate how their information might be
reused as a result of data mining or aggregation. They should also try to anticipate unauthorized access through
security breaches or internal browsing in companies whose security is lax. Finally, individuals should have con-
trol in managing their privacy by being able to access their personal information and correct it if it is wrong. To
protect the integrity of information collected about individuals, federal regulators have recommended allowing
consumers limited access to corporate information databases. Consumers thus could update their information and
correct errors.
A new online reputation management industry has sprung up in recent years, targeting both individuals (such as CEOs)46 and firms.47 For a fee, firms such as Reputation.com and Elixir continuously search for negative
formal or informal reviews about companies or individuals on Web sites and report results periodically. Experts
advise managers to take an active role in protecting their brand by improving the presentation of search results,
creating and controlling brand pages on popular social networks, participating actively in blogs, and providing
press releases.48
For organizations, the tension between the proper use of personal information and information privacy is con-
sidered to be one of the most serious ethical debates of the Information Age.49 One of the main organizational chal-
lenges to privacy is surveillance of employees.50 For example, to ensure that employees are productive, employers
can monitor their employees’ e‐mail and computer utilization while they are at work even though companies have
not historically monitored employees’ telephone calls.
Individuals are also facing privacy challenges from organizations providing them with services. Their actions
are being traced not only with cookies but perhaps also with “beacons,” “flash cookies,” and even “supercookies” that can follow individuals’ surfing behaviors without them knowing it. Every time someone uses one of the main
search engines or merely visits a site directly, a “cookie,” or small coded text message, is placed on or retrieved
and updated from the at person’s hard drive. The cookie file is sent back to the host company each time the browser
requests a page from the server, 51 enabling these companies to track their surfing habits. Cookies have been ruled
to be legal by U.S. courts.
Although the cookie is accessible only to the server that created it, third‐party services can contribute an adver-
tisement on Web site pages on servers owned by hundreds of different firms, obtaining information about browsing
practices across a wide variety of sites. The cookie can store information about which page a person viewed. For
instance, product pages that he or she views can be identified. The firms obtaining that information then can use it
to determine which advertisements to provide or even to sell their databases to other firms. A revealing examination
of the 50 most popular U. S. Web sites determined that more than two‐thirds of the 3,000 plus tracking files installed
by a total of 131 companies after people visited these Web sites were used to create rich databases of consumer
profiles that could be sold.52
Although cookies are often criticized for their use in actions that violate privacy, they also serve useful purposes.
Without cookies, it would not be possible to have a “shopping cart” when visiting an online store; without cookies,
every click would be considered to be from an arbitrary source and the Web site would not know who it is when
46 C. Connor, “5 New Reasons CEOs Should Maintain Stellar Online Reputation Management,” Forbes (January 18, 2014), http://www.forbes.com/sites/ cherylsnappconner/2014/01/18/5‐new‐reasons‐ceos‐should‐maintain‐a‐stellar‐reputation‐online/ (accessed September 7, 2015). 47 C. Connor, “Top Online Reputation Management Tips for Brand Marketers,” Forbes (March 4, 2014), http://www.forbes.com/sites/cherylsnappconner/ 2014/03/04/top‐online‐reputation‐management‐tips‐for‐brand‐marketers/ (accessed September 7, 2015). 48 Ibid. 49 Pavlou, “State of the Inform Privacy Literature,” 977–85. 50 B. C. Stahl, “The Impact of UK Human Rights Act 1998 on Privacy Protection in the Workplace,” Computer Security, Privacy, and Politics: Current Issues, Challenges, and Solutions (Hershey, PA: Idea Group, 2008), 55–68. 51 Webopedia, http://www.webopedia.com/TERM/c/cookie.html (accessed June 28, 2002). 52 Julia Angwin, “The Web’s New Gold Mine: Your Secrets” (July 30, 2010), http://online.wsj.com/article/SB1000142405274870394090457539507351
2989404.html (accessed January 28, 2010).
c13.indd 287 11/26/2015 6:39:12 PM
288 Privacy and Ethical Considerations in Information Management
the user goes from one page to the next. It is also important to note that the user’s actual identity is not sold to other
parties but that the cookie reveals a person’s browsing practices to determine what ads should be provided as she
or he continues surfing the Web. Another benefit is thus that ads, in theory, should be more interesting and appro-
priate for users. Someone who spends all of his or her spare time browsing digital camera accessories, for example,
would likely find it more useful to see ads for new lenses than ads for clothing. Selling this information can create
a revenue source for a company and provide the user useful leads for potentially valued products.
Apple and Google recently came under fire for collecting and storing unencrypted location information from
both personal computers and mobile devices. The information was obtained after the computer or mobile device
searched for available wireless networks that were nearby. Typically the users gave permission to the companies
to determine the computer’s approximate location, but many people did not know that the information was being
stored. Going against previous policy about keeping information about Internet searches sacrosanct, Google now
combines user information from its sister sites, Gmail, Google +, and YouTube, to direct user searches and sell the
information to advertisers.53
Do customers have a right to privacy while searching the Internet? Courts have decided that the answer is no,
but as society moves ahead, the right to monitor customer habits in terms of their phone usage, location, e‐mailing
behaviors, and a myriad of other behaviors will be affected by how managers decide to use the information that
they have collected.
Why would people be willing to give up this privacy? First, by supplying the information to vendors, they can
receive personalized services in return. For example, the location device on their mobile might alert them that
the restaurant that they are just walking by has a special offer on one of their favorite foods—sushi. Second, they
might be paid for the information at a price that exceeds what they are giving up. Third, they might see providing
information, such as that contained on many Facebook pages, as something that everybody is doing. Some individ-
uals, especially younger ones, share information that would otherwise be considered private simply because they
view it as a way to have their friends know them and to get to know their friends. “Digital natives” who have grown
up in the Internet age do not know a society without the Web. They are comfortable building relationships, and,
consequently, sharing information on the Web that others might consider private. Unfortunately, what’s posted on
the Web is there forever, and it may be fun to share it now, but its presence may have unintended consequences in
the future.
Governments around the world are grappling with privacy legislation. Not surprisingly, they are using differ-
ent approaches for ensuring the privacy of their citizens. The National Security Agency (NSA) computer system
administrator Edward Snowden engaged in “whistle‐blowing” but revealed many government secrets, violating
several laws and perhaps endangering enforcement agents. In the coming years, if he returns to the United States
and engages in extensive dialog, history will draw more definitive and perhaps more holistic conclusions than those
that are available today.
The United States’ so‐called “sectorial” approach relies on a mix of legislation, regulation, and self‐regulation. It
is based upon a legal tradition with a strong emphasis on free trade. In the United States, privacy laws are enacted in
response to specific problems for specific groups of people or specific industries. Examples of the relatively limited
privacy legislation in the United States include the 1974 Privacy Act that regulates the U.S. government’s collection
and use of personal information and the 1998 Children’s Online Privacy Protection Act that regulates the online
collection and use of children’s personal information.
The Gramm–Leach–Bliley Act of 1999 applies to financial institutions. It followed in the wake of banks selling
sensitive information, including account information, Social Security numbers, credit card purchase histories, and
so forth to telemarketing companies. This U.S. law somewhat mitigates the sharing of sensitive financial and
personal information by allowing customers of financial institutions the limited right to “opt out” of the information
sharing by these institutions with nonaffiliated third parties. This means that the financial institution may use the
information unless the customer specifically tells the institution that his or her personal information cannot be used
or distributed.
53 Julia Angwin, “Google Widens Its Tracks” (July 30, 2010), http://online.wsj.com/article/SB10001424052970203806504577181371465957162.
html?mod=djem_jiewr_IT_domainid (accessed January 28, 2012). Also see Goodman, Future Crimes.
c13.indd 288 11/26/2015 6:39:12 PM
289PAPA: Privacy, Accuracy, Property, and Accessibility
Social Business Lens: Personal Data
Social IT, especially Facebook, is redefi ning how people think about themselves and defi ne themselves to others.
Sherry Turkle, the author of Alone Together and a professor at Massachusetts Institute of Technology, says about
Facebook and the new marketplace for personal data: “I can ’ t think of another piece of passive software that has
gotten so embedded in the cultural conversation. . . . It crystallized a set of issues that we will be defi ning for the
next decade—self, privacy, how we connect and the price we are willing to pay for it.”
What many people who supply these data about themselves may not realize is that that data may exist indefi -
nitely in the ether. Furthermore, the data about personal lives and wants may be mined indefi nitely by technology
companies. Lori Andrews, in her book I Know Who You Are and I Saw What You Did : Social Networks and the
Death of Privacy , is concerned that the Internet companies are in business for the money and hence they really
would prefer to keep their customers in the dark about how their personal data are being used to generate
profi ts.
And what is Andrews ’ solution? She proposes a social network constitution that can be used to judge the activ-
ities of social networks. Her constitution has 10 articles and begins with: “We the people of Facebook nation.” Arti-
cles such as “No person shall be discriminated against based on his or her social network activities or profi le” or
“Each individual shall have control over his or her image from a social network, including over the image created
by data aggregation” point to the need for people who supply data to social networks to demand respect for
the data. Her focus is on rights, but not individuals ’ responsibilities in keeping private information private.
It could be argued that individuals need to recognize that surrendering their privacy in exchange for coupons,
free music, and videos or customized products and services may lead to the loss of something of value—And that
the data may remain accessible far longer than they want it to be.
Sources: Lori Andrews , I Know Who You Are and I Saw What You Did: Social Networks and the Death of Privacy (Simon and Schuster , 2012 ) ; J. Wortham , “ It ’ s Not About You, Facebook. It ’ s About Us ,” The New York Times (February 12, 2012 ), http://www. nytimes.com/2012/02/12/business/facebook‐and‐its‐users‐so‐mutually‐dependent.html (accessed September 7, 2015) ; E. Morozov , “ Sharing It All ,” The New York Times (January 29, 2012 ), http://www.socialnetworkconstitution.com/uploads/8/6/6/0/8660362/ morozov_sharing_it_all_nytimes_book_review_01.29.12.pdf (accessed September 7, 2015) ; T. McNichol , “ Fixing the Reputation of Reputation Managers ” (February 2, 2012 ), http://www.businessweek.com/magazine/fixing‐the‐reputations‐of‐reputation‐ managers‐02022012.html (accessed April 5, 2012) .
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is designed to safeguard the electronic
exchange privacy and security of information in the health care industry. Its Privacy Rule ensures that patients ’
health information is properly protected while allowing its necessary fl ow for providing and promoting health care.
HIPAA ’ s Security Rule specifi es national standards for protecting electronic health information from unauthorized
access, alteration, deletion, and transmission.
The Fair Credit Reporting act limits the use of credit reports provided by consumer reporting agencies to
“permissible purposes” and grants individuals the right to access their reports and correct errors in them.
In contrast to the sectorial approach of the United States and with strong encouragement of self‐regulation
by industry, the European Union relies on omnibus legislation that requires creation of government data protec-
tion agencies, registration of databases with those agencies, and, in some cases, prior approval before processing
personal data. The legislation is linked with the continental European legal tradition where privacy is a well‐
established right. 54 Because of pronounced differences in governmental approaches, many U.S. companies were
concerned that they would be unable to meet the European “adequacy” standard for privacy protection specifi ed in
the European Commission ’ s Directive 95/46/EC on Data Protection that went into effect in 1998. This directive sets
standards for the collection, storage, and processing of personal information. It prohibits the transfer of personal
54 Stahl , “ The Impact of UK Human Rights Act 1998 on Privacy Protection in the Workplace ,” 55 – 68 .
c13.indd 289 11/26/2015 6:39:12 PM
290 Privacy and Ethical Considerations in Information Management
data to non‐European Union nations that do not meet the European privacy standards. Many U.S. companies
believed that this directive would significantly hamper their ability to engage in many trans‐Atlantic transactions.
However, the U.S. Department of Commerce (DOC), in consultation with the European Commission, developed
a “safe harbor” framework in 2000 that outlines practices that would protect a firm from prosecution. This frame-
work allows U.S. companies to be placed on a list maintained by the DOC. They must demonstrate through a self‐
certification process that they are enforcing privacy at a level practiced in the European Union.55
Accuracy
The accuracy, or the correctness, of information assumes real importance for society as computers come to dom- inate in corporate record‐keeping activities. When records are entered incorrectly, who is to blame? In December
2010, a couple was told by Bank of America, their mortgage holder, that they would have to vacate their house by
Christmas Eve unless they put their house up for forced sale. The couple was flabbergasted because they had never
missed making a house payment. They had, however, refinanced their home less than a year earlier. Although they
used a conventional mortgage, they had checked out loan rates on the Make Home Affordable Program. Unbe-
known to them, the mere initiation of this type of loan application triggers to the credit world that the applicant is
in bad financial straits. A series of unfortunate errors ensued in which the limit on their credit card was reduced,
their good accounts were canceled, and their credit score was ruined. Earlier that same year, another unit of Bank
of America admitted to erroneously reporting to credit agencies that the couple was seeking a loan modification,
ruining their credit rating and, as a result, putting their mortgage into default. This unit sent a letter of apology and
turned the case over to a special unit at Bank of America that is charged with dealing with severe customer issues.
The special unit was supposed to notify the credit reporting agencies that the couple was a good credit risk. Unfor-
tunately, it didn’t do so, costing the couple much anxiety and financial loss.56 Although this incident may highlight
the need for better controls over the bank’s internal processes, it also demonstrates the risks that can be attributed
to inaccurate information retained in corporate systems. In this case, the bank was responsible for the error, but it
paid little—compared to the family—for its mistake. Although they cannot expect to eliminate all mistakes from
the online environment, managers must establish controls to ensure that situations such as this one do not happen
with any frequency.
Over time, it becomes increasingly difficult to maintain the accuracy of some types of information. Although
a person’s birth date does not typically change (my grandmother’s change of her birth year notwithstanding),
addresses and phone numbers often change as people relocate, and even their names may change with marriage,
divorce, and adoption. The European Union Directive on Data Protection requires accurate and up‐to‐date data and
tries to make sure that data are kept no longer than necessary to fulfill their stated purpose. This is a challenge many
companies don’t even attempt to meet.
Property
The increase in monitoring leads to the question of property, or who owns the data. Now that organizations have the ability to collect vast amounts of data on their clients, do they have a right to share the data with others to create
a more accurate profile of an individual? Consider what happens when a consumer provides information for one
use, say a car loan. This information is collected and stored in a data warehouse and then “mined” to create a profile
for something completely different. And if some other company creates such consolidated profiles, who owns that
information, which in many cases was not divulged willingly for that purpose?
Also consider what happens when you “like” a product. Your face is displayed on your friend’s page when she or
he sees an advertisement for that product, which might surprise you. This raises the question of who owns images
that are posted in cyberspace. The images are by a photographer, of you, and on Facebook’s servers. All can argue
55 U.S. Department of Commerce, “Safe Harbor Overview,” http://export.gov/safeharbor/eu/eg_main_018476.asp (accessed January 28, 2012). 56 G. Gombossy, “Bank of America’s Christmas Present: Foreclose Even Though Not a Payment Missed” (December 24, 2010), http://ctwatchdog.com/
finance/bank‐of‐americas‐christmas‐present‐foreclose‐even‐though‐not‐a‐payment‐missed (accessed February 27, 2012).
c13.indd 290 11/26/2015 6:39:12 PM
291PAPA: Privacy, Accuracy, Property, and Accessibility
ownership to some extent. Further, with ever more sophisticated methods of computer animation, another question
can arise: Can companies use newly “created” images or characters building on models in other media without
paying royalties? Mason suggests that information, which is costly to produce in the first place, can be easily repro-
duced and sold without the individual who produced it even knowing what is happening—and certainly not being
reimbursed for its use. In talking about this information that is produced, Mason notes:
. . . information has the illusive quality of being easy to reproduce and to share with others. Moreover, this replication
can take place without destroying the original. This makes information hard to safeguard since, unlike tangible prop-
erty, it becomes communicable and hard to keep it to one’s self.57
Accessibility
In the age of the information worker, accessibility, or the ability to obtain the data, becomes increasingly important. Would‐be users of information must first gain the physical ability to access online information resources, which
broadly means they must access computational systems. Second and more important, they then must gain access to
the information itself. In this sense, the issue of access is closely linked to that of property. Looking forward, the
major issue facing managers is how to create and maintain access to information for society at large without harm-
ing individuals who have provided much, if not all, of the information.
Today’s managers must ensure that information about their employees and customers is accessible only to
those who have a right to see and use it. Managers should take active measures to see that adequate security and
control measures are in place in their companies. It is becoming increasingly clear that they also must ensure that
adequate safeguards are working in the companies of their key trading partners. The managers at TRICARE, a mil-
itary health provider, were no doubt embarrassed when they reported to 4.9 million active and retired military per-
sonnel and their families that their personal and medical records had been compromised. Back‐up tapes containing
records back to 1992 had been left in the care of an employee of TRICARE’s data contractor, Science Applications
International Corp. The tapes were stolen from the employee’s car in San Antonio, Texas, while they were being
transferred from one federal facility to another.58 Accessibility clearly is an issue that extended beyond TRICARE’s
internal systems.
Accessibility is becoming increasingly important with the surge in identity theft, or “the taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from the victim’s existing accounts,
apply for loans, establish accounts with utility companies, rent an apartment, file bankruptcy or obtain a job using
the victim’s name.”59 Identity theft is covered in Chapter 7, and you can see an obvious link between accessibility
of information and security.
Managers’ Role in Ethical Information Control
Managers must work to implement controls over information highlighted by the PAPA principles. Managers should
not only deter identity theft by limiting inappropriate access to customer information but also respect their cus-
tomers’ privacy. Three best practices can be adopted to help improve an organization’s information control by
incorporating moral responsibility:60
• Create a culture of responsibility: CEOs and top‐level executives should lead in promoting responsibility for protecting both personal information and the organization’s information systems. Internet companies should
post their policies about how they will use private information in understandable language and make a good
case as to why they need the personal data that they gather from customers and clients. Author Mary Culnan
57 Mason, “Four Ethical Issues of the Information Age,” 5. 58 Jim Forsyth, “Records of 4.9 mln Stolen from Car in Texas Data Breach” (September 29, 2011), http://www.reuters.com/article/2011/09/29/us‐data‐
breach‐texas‐idUSTRE78S5JG20110929 (accessed February 28, 2012). 59 Identity Theft Organization, Frequently Asked Questions, http://www.identitytheft.org (accessed April 5, 2012). 60 Culnan and Williams, “How Ethics Can Enhance Organizational Privacy,” 673–87.
c13.indd 291 11/26/2015 6:39:12 PM
292 Privacy and Ethical Considerations in Information Management
noted in CIO magazine about customers providing information: “If there are no benefi ts or if they aren ’ t told why the information is being collected or how it ’ s being used, a lot of people say ‘Forget it.’” 61 The costs of
meaningfully securing the information may outweigh the obvious benefi ts—unless there is a breach. Thus,
it is unlikely that an organization can create a culture of integrity and responsibility unless there is a moral
commitment from the CEO.
• Implement governance processes for information control: In Chapter 9 , we discuss the importance of mech- anisms to identify the important decisions that need to be made and who would make them. Further, control
governance structures, such as Control Objectives for Information and Related Technology (COBIT) and
Information Technology Infrastructure Library (ITIL), can help identify risks to the information and behav-
iors to promote information control. Organizations need governance to make sure that their information
control behaviors comply with the law and refl ect their risk environment.
• Avoid decoupling: Often organizations use complex processes to treat personal privacy issues. Should an apparent confl ict appear, managers can decouple the impact of institutional processes and mechanisms on
individuals. In that way, managers can shift the responsibility away from themselves and onto the company.
It would be much better if the managers were to act as if the customer ’ s information were actually their
own. This would mean that in delicate situations involving privacy or other issues of information control,
managers would ask themselves “How would I feel if my information were handled in this way?” 62
Green Computing Green computing is concerned with using computing resources effi ciently. The need for green computing is becoming more obvious considering the amount of power needed to drive the world ’ s PCs, servers, routers, switches,
and data centers. It was recently estimated that the digital economy uses up 10% of the world ’ s electricity to run
Geographic Lens: Should Subcultures Be Taken into Account When Trying to Understand National Attitudes Toward Information Ethics?
Ethics can naturally be expected to vary across countries. An interesting study of 1,100 Chinese managers showed
that it can also vary over time in the same country, depending upon subcultures resulting from major events
within a country. Maris Martinsons and David Ma studied the responses to PAPA‐based ethical situations made
by three different Chinese generations: republican —people born before the People ’ s Republic of China was
established in 1949; revolution —people born between 1950 and 1970 under Communist rule during Mao Zedong ’ s
Cultural Revolution in 1966 and the Great Leap Forward (1958–1961); and reform —people born after 1970 when
Deng Xiaoping ’ s government introduced the Open Door and the One Child policies as part of economic and
social reforms.
Survey results indicate signifi cant differences in information ethics across generations. The revolution gener-
ation experienced a profound event that appears to have increased its ethical acceptance of both inaccurate
information and intellectual property violations. Chinese managers from the reform generation are much less
accepting of privacy violations than are those from the older generations. They are more conscious of the right to
privacy and less inclined to compromise the privacy of others.
Source: M. G. Martinsons and D. Ma , “ Subcultural Differences in Information Ethics across China: Focus on Chinese Management Generation Gaps ,” Journal of AIS 10 (Special Issue) ( 2009 ), 816 – 33 .
61 “ Saving Private Data ,” CIO Magazine (October 1, 1998 ). 62 Culnan and Williams , “ How Ethics Can Enhance Organizational Privacy ,” 685 .
c13.indd 292 11/26/2015 6:39:13 PM
293Summary
data centers, charge smartphone and tablet batteries, and transmit data globally.63 Usage patterns in 2007 when the
2.4 gigawatts of computing power consumed by the five largest search companies exceeded even the Hoover Dam’s
2 gigawatt capacity seemed to be a “wake‐up call.” The situation was also exacerbated by the cooling systems that
companies added to combat the heat generated by their highest‐performing systems. Since 2007, many firms have
developed sustainability plans that extend from manufacturing to executive travel to information systems use. The
increased focus on sustainability and the use of more energy‐saving technologies have contributed to reduced
energy use, although energy use is still substantial.64
Sustainability measures taken by firms include replacing older systems with more energy‐efficient ones, moving
workloads based on energy efficiency, using the most power‐inefficient servers only at times of peak usage,
improving air flows in data centers, and turning to cloud computing as well as using virtualization. As introduced in
Chapter 6, virtualization lets a computer run multiple operating systems or several versions of the same operating
system at the same time. SAP used virtualization to eliminate 1,400 servers and increased the number of virtual
servers from 37% in 2009 to 49% in 2010.65 SAP noted that green IT “presents some of the greatest opportunities
to increase our efficiency, improve our operations and reach our sustainability goals. It is one of the best examples
of how creating positive impact also benefits our business. By reducing our total energy consumption, we can be
both sustainable and profitable.”66
Google’s high energy needs to power servers has resulted in many ambitious plans to save power.67 Google has
reportedly been very secretive about current plans68 although it did transform a paper mill in Hamina, Finland, into
a data center with massive computing facilities. Part of the appeal of the mill was its underground tunnel system
that pulls water from the Gulf of Finland. Originally, that frigid Baltic water cooled a steam generation plant at the
mill, but Google saw it as a way to cool its servers.69
Green programs can have a triple bottom line (TBL, or 3BL): economic, environmental, and social. That is,
green programs create economic value while being socially responsible and sustaining the environment, or “people,
planet, profit.”
Green computing can be considered from the social contract theory perspective by considering the first two
of these: “people” and “planet.” Managers benefit society by conserving global resources when they make green,
energy‐related decisions about their computer operations. In addition, stockholder theory explains the “profit” side
of a firm’s actions because energy‐efficient computers reduce not only the direct costs of running the computing‐
related infrastructure, but also the costs of complementary utilities, such as cooling systems for the infrastructure
components.
S U M M A R Y
• Because of the asymmetry of power relationships, managers tend to frame ethical concerns in terms of refraining from doing harm, mitigating injury, and paying attention to dependent and vulnerable parties. As a practical matter, ethics
is about maintaining one’s own personal perspective about the propriety of business practices. Managers must make
systematic, reasoned judgments about right and wrong and take responsibility for them. Ethics is about taking decisive
63 B. Walsh, “The Surprisingly Large Energy Footprint of the Digital Economy [UPDATE],” Time (August 14, 2013). http://science.time.com/2013/08/14/ power‐drain‐the‐digital‐cloud‐is‐using‐more‐energy‐than‐you‐think/ (accessed September 7, 2015). 64 Two articles contrast energy use in 2007 and 2011: G. Lawton, “Powering Down the Computing Infrastructure” Computer (February 2007), 16–19, https://www.computer.org/csdl/mags/co/2007/02/r2016.pdf (accessed September 7, 2015); J. Markoff, “Data Centers’ Power Use Less Than Was
Expected, The New York Times (July 31, 2011), http://www.nytimes.com/2011/08/01/technology/data‐centers‐using‐less‐power‐than‐forecast‐report‐ says.html?_r=2 (accessed February 28, 2012). 65 “Data Center Energy Report,” SAP Sustainability Report, http://www.sapsustainabilityreport.com/data‐center‐energy (accessed January 30, 2012). 66 “Total Energy Consumed,” SAP Sustainability Report, http://www.sapsustainabilityreport.com/total‐energy‐consumed (accessed January 30, 2012). 67 J. Mick, “Google Looks at Floating Data Centers for Energy” (September 16, 2008), http://www.dailytech.com/Google+Looks+to+Floating+Data+
Centers+for+Energy/article12966.htm (accessed October 1, 2008). 68 D. Terdiman, “San Francisco’s Bay Barge Mystery: Floating Data Center or Google Glass Store?” Cnet (October 27, 2013), http://www.cnet.com/
news/san‐franciscos‐bay‐barge‐mystery‐floating‐data‐center‐or‐google‐glass‐store/ (accessed September 7, 2015). 69 Cade Metz, “Google Reincarnates Dead Paper Mill as Data Center of Future” (January 26, 2012), http://www.wired.com/wiredenterprise/2012/01/
google‐finland/ (accessed January 28, 2012).
c13.indd 293 11/26/2015 6:39:13 PM
294 Privacy and Ethical Considerations in Information Management
action rooted in principles that express what is right and important and about taking action that is publicly defensible
and personally supportable.
• Three important normative theories describing business ethics are (1) stockholder theory (maximizing stockholder wealth), (2) stakeholder theory (maximizing the benefits to all stakeholders while weighing costs to competing inter-
ests), and (3) social contract theory (creating value for society that is just and nondiscriminatory).
• Social contract theory offers the broad perspective to display corporate responsibility in areas such as green computing and dealing with ethical issues in tensions with foreign governments about IT and its use.
• PAPA is an acronym for the four areas in which control of information is crucial: privacy, accuracy, property, and accessibility.
• To enhance ethical control of information systems, companies should create a culture of responsibility, implement governance processes, and avoid decoupling.
K E Y T E R M S
accessibility (p. 291)
accuracy (p. 290)
cookies (p. 287)
green computing (p. 292)
identity theft (p. 291)
information ethics (p. 280)
online reputation management (p. 287)
privacy (p. 285)
property (p. 290)
social contract theory (p. 281)
stakeholder theory (p. 281)
stockholder theory (p. 280)
D I S C U S S I O N Q U E S T I O N S
1. Private corporate data are often encrypted using a key, which is needed to decrypt the information. Who within the corpo- ration should be responsible for maintaining the “keys” to private information collected about consumers? Is that the same
person who should have the keys to employee data?
2. Check out how Google has profiled you. Using your own computer, go to Ad Preferences: www.google.com/ads/ preferences. How accurate is the picture Google paints about you in your profile?
3. Consider arrest records, which are mostly computerized and stored locally by law enforcement agencies. They have an accu- racy rate of about 50%—about half of them are inaccurate, incomplete, or ambiguous. People other than law enforcement
officials use these records often. Approximately 90% of all criminal histories in the United States are available to public and
private employers. Use the three normative theories of business ethics to analyze the ethical issues surrounding this situation.
How might hiring decisions be influenced inappropriately by this information?
4. The European Community’s Directive on Data Protection strictly limits how database information is used and who has access to it. Some restrictions include registering all databases containing personal information with the countries in which
they are operating, collecting data only with the consent of the subjects, and telling subjects of databases the intended and
actual use of the databases. What effect might these restrictions have on global companies? In your opinion, should these
types of restrictions be made into law? Why or why not? Should the United States bring its laws into agreement with the
EU directive?
5. If you were a consultant to ICANN.org and were asked to create a global Internet privacy policy, what would you include in it? Create a summary of your recommendations.
6. Do you believe sending targeted advertising information to a computer using cookies is objectionable? Why or why not?
c13.indd 294 11/26/2015 6:39:13 PM
295Case Study
Situation 1
Google Glass makes it possible to record video all day in a format that is much less obtrusive than holding a camera in front
of your face. In fact, it might not be detected.
Discussion Questions
1. Argue whether it is reasonable for you to be recording video in the following scenarios, and state why or why not using
the PAPA paradigm.
a. In a bank
b. As you drive your car
c . In a casino
d. In class
e. In a bar
Situation 2
The help desk is part of the group assigned to Doug Smith, the manager of offi ce automation. The help desk has produced
very low‐quality work for the past several months. Smith has access to the passwords for each of the help desk members ’
computer accounts. He instructs the help desk supervisor to go into each hard drive after hours and obtain a sample docu-
ment to check for quality control for each pool member.
Discussion Questions
1. If you were the supervisor, what would you do?
2. What, if any, ethical principles have been violated by this situation?
3. If poor quality was found, could the information be used for disciplinary purposes? For training purposes?
4. Apply PAPA to this situation.
Situation 3
Kate Essex is the supervisor of the customer service representative group for Enovelty.com, a manufacturer of novelty items.
This group spends its workday answering calls from and sometimes placing calls to customers to assist in solving a variety
of issues about orders previously placed with the company. The company has a rule that personal phone calls are allowed
only during breaks. Essex is assigned to monitor each representative on the phone for 15 minutes a day as part of her regular
job tasks. The representatives are aware that Essex will be monitoring them, and customers are immediately informed of
this when they begin their calls. Essex begins to monitor James Olsen and fi nds that he is on a personal call regarding his
sick child. Olsen is not on break.
Discussion Questions
1. What should Essex do?
2. What, if any, ethical principles help guide decision making in this situation?
3. What management practices should be in place to ensure proper behavior without violating individual “rights”?
4. Apply the normative theories of business ethics to this situation.
Situation 4
Jane Mark is the newest hire in the IS group at We_Sell_More.com, a business on the Internet. The company takes in $30
million in revenue quarterly from Web business. Jane reports to Sam Brady, the vice president of IS. Jane is assigned to a
project to build a new capability into the company Web page that facilitates linking products ordered with future offerings
of the company. After weeks of analysis, Jane concluded that the best way to incorporate that capability is to buy a software
package from a small start‐up company in Silicon Valley, California. She convinces Brady to accept her decision and is
■ CASE STUDY 13‐1 Ethical Decision Making
c13.indd 295 11/26/2015 6:39:13 PM
296 Privacy and Ethical Considerations in Information Management
authorized to lease the software. The vendor e‐mails Jane the software in a ZIP fi le and instructs her on how to install it. At
the initial installation, Jane is asked to acknowledge and electronically sign the license agreement. The installed system does
not ask Jane if she wants to make a backup copy of the software, so as a precaution, Jane takes it on herself to copy the ZIP
fi les that were sent to her onto a thumb drive. She stores the thumb drive in her desk drawer.
A year later, the vendor is bought by another company, and the software is removed from the market to prevent further
sale. The new owner believes this software will provide it a competitive advantage that it wants to reserve for itself. The
new vendor terminates all lease agreements and revokes all licenses on their expiration. But Jane still has the thumb drive
she made as backup.
Discussion Questions
1. Is Jane obligated to stop using her backup copy? Why or why not?
2. If We_Sell_More.com wants to continue to use the system, can it? Why or why not?
3. Would your opinion change if the software is a critical system for We_Sell_More.com? If it is a noncritical system?
Explain.
Situation 5
Some of the Internet ’ s biggest companies (i.e., Google, Microsoft, Yahoo, IBM , and Verisign ) implemented a “single sign‐
on” system, called OpenID, that is available at thousands of Web sites. It allows the widespread practice that users who
are logged into Facebook to click a Facebook button for an instant login. The benefi ts are obvious; the system makes it
easier for users to sign on to a number of sites without having to remember multiple user IDs, passwords and registration
information. Under OpenID, the companies share the sign‐on information, personal information such as credit card data,
billing addresses, and personal preferences for any Web user who agrees to participate.
Discussion Questions
1. Discuss any potential and real threats to privacy in this situation. Search for news articles about Facebook to find prob-
lematic incidents, if any.
2. Who would own the data? Explain.
3. Who do you think should have access to the data? How should that access be controlled?
Situation 6
SpectorSoft markets eBlaster as a way to keep track of what your spouse or children are doing online. Operating in stealth
mode, eBlaster tracks every single keystroke from instant messages to passwords entered into a computer. It also records
every e‐mail sent and received and every Web site visited by the unsuspecting computer user. The data are sent anonymously
to an IP address of the person who installed eBlaster. It could also be installed on the computers of a business.
Discussion Questions
1. Do you think it would be ethical for a business to install eBlaster to ensure that its employees are engaged only in work‐
related activities? If so, under what conditions would using it be appropriate? If not, why not?
2. Apply the normative theories of business ethics to this situation.
Situation 7
Google, Inc. had a unique advantage beginning in March 2012. By combining information about user activity from its many
popular applications (such as Gmail, Google+, and YouTube), Google algorithms were able to alert users to things that might
be of interest. This vast amount of information, analyzed properly, gave Google a way to compete. By combining data with
information from Internet searches, Google could better compete against applications such as Facebook .
c13.indd 296 11/26/2015 6:39:13 PM
297
But this was a departure from its earlier privacy policy. In June 2011, the executive chairman of Google had declared,
“Google will remain a place where you can do anonymous searches [without logging in]. We ’ re very committed to having
you have control over the information we have about you.”
This may be possible for users who don ’ t login to a Google account, but for those with Gmail or other personal accounts
or an Android mobile phone, it ’ s more diffi cult to remain anonymous. Offering a counter viewpoint, Chirstopher Soghoian,
an independent privacy and security researcher said, “Google now watches consumers practically everywhere they go on the
Web [and anytime they use an Android phone]. No single entity should be trusted with this much sensitive data.”
Discussion Questions
1. Do you see any ethical issues involved in Google ’ s recent approach to combining information from a particular user?
Why or why not?
2. How might users change their behaviors if they were aware of this new approach?
3. Apply the normative theories of business ethics to Google ’ s new policy about combining user information?
Situation 8
Spokeo is a company that gathers online data for employers, the public, or anybody who is willing to pay for its services.
Clients include recruiters and women who want to fi nd out whether their boyfriends are cheating on them. Spokeo recruits
via ads that urge “HR‐Recruiters—Click Here Now.”
Discussion Questions
1. Do you think it would be ethical for a business to hire Spokeo to find out about potential employees? If so, under what
conditions would it be appropriate? If not, why not?
2. Do you think it is ethical for women to hire Spokeo to see if their boyfriends are cheating on them? Why or why not?
Sources: Situations 2 to 5 are adapted from short cases suggested by Professor Kay Nelson, Southern Illinois University—Carbondale. The names of people, places, and companies have been made up for these stories. Any similarity to real people, places, or com- panies is purely coincidental. Situation 7 is from Julia Angwin , “ Google Widens Its Tracks ,” The Wall Street Journal (July 30, 2010 ), http:// online.wsj.com/article/SB10001424052970203806504577181371465957162.html?mod=djem_jiewr_IT_domainid (accessed on January 28, 2010) . Situation 8 is from Lori Andrews , “ Facebook Is Using You ” (February 5, 2012 ), SR7, http://www.nytimes.com/2012/02/05/opinion/ sunday/facebook‐is‐using‐you.html (accessed September 7, 2015) .
Midwest Family Mutual Insurance Co. , an insurance company with $120 million worth of written premiums in 2014, con-
siders itself to be “environmentally green.” Through a variety of initiatives, it has reduced its annual energy, natural gas,
and paper consumption by 63%, 76%, and 65%, respectively. Ron Boyd, the carrier ’ s CEO, attributes most of the improve-
ments in energy usage to creating a virtual work‐from‐home environment as a result of implementing a series of electronic
processes and applications. These include imaging and workfl ow technology, networking technology, and a Voice over
IP (VoIP) network. In 2006, the year these savings were reported, all but two of Midwest Family Mutual ’ s 65 employees
worked from home. In addition to the energy savings that the company has directly experienced, Boyd estimated that in
2008, the company ’ s telecommuting policy resulted in fuel savings of at least 25,000 gallons.
Although green computing was a commendable goal in itself, Midwest Family Mutual ’ s bottom line also has benefi ted
from the company ’ s socially responsible approach. Over a fi ve‐year period, Midwest Family Mutual ’ s was able to shave its
expense ratio to 25.9% from 33.5%. Its Web site states, “Being green environmentally and operationally CAN [emphasis in
original] equate to being green fi nancially.”
Green computing grew out of Midwest Family Mutual ’ s IT successes, according to Boyd. As the company started realiz-
ing savings from the electronic processes it implemented, management started thinking about telecommuting arrangements
■ CASE STUDY 13‐2 Midwest Family Mutual Goes Green
Case Study
c13.indd 297 11/26/2015 6:39:13 PM
298 Privacy and Ethical Considerations in Information Management
that allowed its employees to work from home. Boyd adds, “It became obvious that many of our jobs could be done wherever
a high‐speed connection existed. . . . VoIP completed the technology requirements for all [employees] to work from home.”
Boyd summarizes that the company “became green as a side benefi t of saving resources and cost.” The company continued
its green policy with its decision to sell its 24,000‐square‐foot offi ce building in Minnetonka, Minnesota. However, to pro-
vide more centralized regional service to agents in the new states in which it was recently licensed (i.e., Arizona, Nevada,
Utah, Colorado, Idaho, Washington, and Oregon), the company built a new home domicile in Chariton, Iowa, in 2012.
Discussion Questions
1. Do you think that the economic benefits that Midwest Family Mutual realized as a result of green computing are
unusual? Do you think that most companies could see similar types of economic gains? Explain.
2. What are some possible disadvantages that the employees of Midwest Family Mutual might be experiencing as a result
of its virtual work‐from‐home office environment?
3. Apply the normative theories of business ethics to this situation.
Sources: Adapted from Anthony O ’ Donnell , “ Plymouth, Minnesota‐Based Midwest Family Mutual ’ s Move to a Paperless, Work‐ at‐Home Operational Paradigm Has Yielded Both Environmental and Bottom‐Line Benefi ts ,” Insurance & Technology (February 24, 2008 ), http://www.insurancetech.com/resources/fss/showArticle.jhtml;jsessionid=AYMVWDKZBGIFIQSNDLOSKHSCJUNN2JVN?article ID=206801556 (accessed April 23, 2008) ; Midwest Family Mutual News Archive, “MFM Announces 2011 Results and Plans for 2012,” https:// midwestfamily.com/news.php?detail=589 (accessed on April 14, 2012); “Midwest Family Goes Green,” https://midwestfamily.com/ page.php?detail=6 (accessed March 11, 2015).
c13.indd 298 11/26/2015 6:39:13 PM
299
Accessibility: An area of information control involved with the ability to obtain data. Accuracy: An area of information control dealing with the correctness of information or lack of errors in
information.
Activity‐based costing (ABC): The costing method that calculates costs by counting the actual activities that go into making a specifi c product or delivering a specifi c service.
Agile (business) processes: Processes designed with the intention of simplifying redesign and reconfi guration by making it possible to make incremental changes in order to easily adapt to the business environment.
Agile development: The term that refers to system development methodologies used to deal with unpredictability. They adapt to changing requirements by iteratively developing systems in small stages and then testing the new
code extensively. They include extreme programming (XP), crystal, scrum, feature‐driven development, and
dynamic system development method (DSDM).
Allocation funding method: The method for funding IT costs by recovering costs based on something other than usage, such as revenues, log‐in accounts, or number of employees.
Antivirus/Antispyware: A software that scans incoming data and evaluates the periodic state of the whole system to detect threats of secret software that can either destroy data or inform a server of destructive software activity.
Application: A software program designed to facilitate a specifi c practical task as opposed to control resources. Examples of applications include Microsoft Word, a word processing application; Lotus 1‐2‐3, a spreadsheet
application; and SAP R/3, an enterprise resource planning application. Contrast with operating system . Application service provider (ASP): An Internet‐based company that offers a software application used through
its Web site. For example, a company might offer small business applications that a small business owner could
use on the Web rather than buying software to load on the company ’ s own computers.
Archetype: A pattern resulting from decision rights allocation. Architecture: The plan that provides a blueprint for translating business strategy into a plan for IS. ASP: See Application service provider . Assumption: The deepest layer of culture or the fundamental part of every culture that helps discern what is real
and important to a group; it is unobservable because it refl ects organizational values that have become so taken
for granted that they guide organizational behavior without any of the groups thinking about them.
Balanced scorecard: The method that focuses attention on the organization ’ s value drivers (which include, but are not limited to, fi nancial performance). Companies use it to assess the full impact of their corporate strategies on
their customers and workforce as well as their fi nancial performance.
Behavior control: A type of formal control in which specifi c actions, procedures, and rules for employees are explicitly prescribed and their implementation is monitored.
Beliefs: The perceptions that people hold about how things are done in their community. Backsourcing: A business practice in which a company takes back in house assets, activities, and skills that are
part of its information systems operations and were previously outsourced to one or more outside IS providers.
Big data: The term used to describe techniques and technologies that make it economical to deal with very large data sets at the extreme end of the scale.
Biometrics: An access tool that scans a body characteristic, such as fi ngerprint, voice, iris, or head or hand geometry.
Glossary
bgloss.indd 299 11/26/2015 7:40:35 PM
300 Glossary
Black hat hackers: The hackers who break into an organization’s Web sites or systems for their own gain or to wreak havoc on a firm.
Blue ocean strategy: A business strategy in which firms try to find new market spaces where they have the “water” to themselves. That is, they enter a market space(s) when the goal is not to beat the competition but to make it
irrelevant.
Bring your own device (BYOD): The term used to refer to the scenario when employees bring their own devices— commonly smart phones, tablets, and laptops—to work and connect to enterprise systems.
Business analytics: The use of data, analysis, and modeling to arrive at business decisions. Some organizations use business analytics to create new innovations or to support the modification of existing products or services.
Business case: A structured document that lays out all the relevant information needed to make a go/no‐go decision. It contains an executive summary, overview, assumptions, program summary, financial discussion and
analysis, discussion of benefits and business impacts, schedule and milestones, risk and contingency analysis,
conclusion, and recommendations.
Business ecosystem: A type of ecosystem that is an economic community where organizations and individuals interact.
Business intelligence: The term for the broad practice of using technology, applications, and processes to collect and analyze data to support business decisions.
Business‐IT maturity model: A framework that displays the demands on the business side and the IT offerings on the supply side to help understand differences in capabilities and suggests the degree to which the IT function
should be engaged with the rest of the organization.
Business process management (BPM): A well‐defined and optimized set of IT processes, tools, and skills used to manage business processes.
Business process reengineering (BPR): A radical change approach in the organization that occurs over a short amount of time.
Business strategy: A plan articulating where a business seeks to go and how it expects to get there. Business technology strategist: The strategic business leader who uses technology as the core tool in creating
competitive advantage and aligning business and IT strategies.
BYOD: See Bring your own device. Capacity‐on‐demand: The availability of additional processing capability for a fee. Captive center: An overseas subsidiary that is set up to serve the parent company. Companies set up captive
centers as an alternative to offshoring.
Centralized architecture: A way of organizing computer hardware and systems in which everything is purchased, supported, and managed centrally, usually in a data center.
Centralized IS organization: The organization structure that brings together all power, staff, hardware, software, data, and processing into a single location/position.
Challenge question: The access tool to a computer account that prompts a user with a follow‐up question such as “Model of first car?”
Chargeback funding method: The method for funding IT costs in which costs are recovered by charging individ- uals, departments, or business units based on actual usage and cost.
Chief analytics officer (CAO): The individual at the helm of an organization’s analytics activities. Chief data officer: An individual who has the responsibility for the data warehouse, organizational databases,
relationships with vendors who supply external data sources, and sometimes the algorithms that use these data
sources.
Chief information officer (CIO): The most senior officer responsible for the information systems activities within the organization. The CIO is a strategic thinker, not an operational manager, is typically a member of the
senior management team, and is involved in all major business decisions that come before that team, bringing an
information systems perspective to the team.
Client: A software program that requests and receives data and sometimes instructions from another software program, usually running on a separate computer.
bgloss.indd 300 11/26/2015 7:40:38 PM
301Glossary
Cloud computing: The style of infrastructure for which capacity, applications, and services (such as development, maintenance, or security) are provided dynamically by a third‐party provider over the Internet, often on a
“fee‐for‐use” basis. Customers go to the Web for the services they need.
COBIT: See Control objectives for information and related technologies. Collaboration: The use of social IT to extend the reach of stakeholders, both employees and those outside the
enterprise walls. Social IT such as social networks enable individuals to find and connect with each other to share
ideas, information, and expertise.
Combination: The mode of knowledge conversion from explicit knowledge to explicit knowledge. Community cloud: Cloud infrastructure that is shared by several organizations and supports the common con-
cerns of a specific community.
Complementor: One of the players in a co‐opetitive environment. It is a company whose product or service is used in conjunction with a particular product or service to make a more useful set for the customer. (See
Value net.) Consumerization of IT: The drive to port applications to personal devices and the ensuing issues involved in mak-
ing them work in business organizations.
Control Objectives for Information and Related Technology (COBIT): The IT governance framework for decision controls that is consistent with the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) and that provides systematic rigor needed for the strong internal controls and Sarbanes–
Oxley compliance.
Cookie: A small coded text message placed on or retrieved and updated from a person’s hard drive to allow companies to track the person’s movements through a site or sites.
Co‐opetition: A business strategy by which companies cooperate and compete at the same time. Corporate budget funding method: The method for funding IT costs in which they fall to the corporate bottom
line rather than being levied to specific users or business units.
Cost leadership strategy: A business strategy by which the organization aims to be the lowest‐cost producer in the marketplace. (See Differentiation strategy; Focus strategy.)
CRM: See Customer relationship management. Cross‐site‐scripting (XSS): The security breach involving booby traps that appear to lead users to their goal, but
in reality lead to a fraudulent site that requires a log‐in.
Crowdsourcing: The act of taking a task traditionally performed by an employee or a contractor and outsourcing it through the form of an open call to an undefined, generally large group of people.
Culture: A set of shared values and beliefs that a group holds and that determines how the group perceives, thinks about, and appropriately reacts to its various environments; a collective programming of the mind that distin-
guishes not only societies (or nations) but also industries, professions, and organizations.
Customer relationship management (CRM): The management activities performed to obtain, enhance, and retain customers. CRM is a coordinated set of activities revolving around the customer.
Cycle plan: A project management plan that organizes project activities in relation to time. It identifies critical beginning and end dates and breaks the work spanning these dates into phases. The general manager tracks the
phases to coordinate the eventual transition from project to operational status, a process that culminates on the
“go‐live” date.
Dashboard: A common management monitoring tool that provides a snapshot of metrics at any given point in time.
Data: A set of specific, objective facts or observations that standing alone have no intrinsic meaning. Database: A collection of data formatted and organized to facilitate ease of access, searching, updating, addition,
and deletion. It is typically so large that it must be stored on disk, but sections may be kept in RAM for quicker
access. The software program used to manipulate the data in a database is also often referred to as a “database.”
Database administrator (DBA): The person within the information systems department who manages the data and the database. Typically, this person makes sure that all the data that go into the database are accurate and
appropriate, and that all applications and individuals who need access have it.
bgloss.indd 301 11/26/2015 7:40:38 PM
302 Glossary
Data center: The place where a firm’s computers, servers, and peripherals are housed together, typically to store, process, and distribute large amounts of data.
Data‐driven culture: The organizational environment that supports and encourages the use of analytics to support decision making.
Data mining: The process of analyzing databases for “gems” that will be useful in management decision making. Typically, data mining is used to refer to the process of combing through massive amounts of customer data to
understand buying habits and to identify new products, features, and enhancements.
Data scientist: A professional who has the skills to use the right analytics with the right data at the right time for the right business problem.
Data warehouse: A centralized collection of data designed to support management decision making. It sometimes includes all the organization’s databases.
Debugging: The process of examining and testing software and hardware to make sure they operate properly under every condition possible. The term is based on calling any problem a “bug”; therefore, eliminating the
problem is called “debugging.”
Decentralized architecture: The arrangement of hardware, software, networking, and data in a way that distrib- utes the processing and functionality between multiple small computers, servers, and devices that rely heavily
on a network to connect them.
Decentralized IS organization: The IS organization structure that scatters power, hardware, software, networks, and data components in different locations/positions to address local business needs.
Decision model: The IS‐based model used by managers for scenario planning and evaluation. The information system collects and analyzes the information from automated processes and presents them to the manager to aid
in decision making.
Decision right: The position(s) in the organization that have been allocated the responsibility to initiate, supply information for, approve, implement, and control a type of decision.
Deep Web: A large part of the Web that includes unindexed Web sites that are accessible only by a browser named “Tor,” which guarantees anonymity and provides access to sites offering both legal and illegal items and services.
Differentiation strategy: A business strategy by which the organization qualifies its product or service in a way that allows it to appear unique in the marketplace. (See Cost leadership strategy; Focus strategy.)
Digital native: An individual who has grown up completely fluent in the use of personal technologies and the Web. Digital signature: A digital code applied to an electronically transmitted message used to prove that the sender of
a message (e.g., a file or e‐mail message) is truly who he or she claims to be.
Direct cutover: The conversion stage in a system development life cycle in which the old system is disconnected and a new system takes its place rather than operating both simultaneously for a period of time.
Dynamic business process: The process that reconfigures itself as it learns while iterating through a constant renewal cycle of design, deliver, evaluate, redesign, and so on.
Economic value added (EVA): The valuation method that accounts for opportunity costs of capital to measure true economic profit and revalues historical costs to give an accurate picture of the true market value of assets.
Ecosystem: A collection of interacting participants, including vendors, customers, and other related parties acting in concert to do business.
E‐mail (electronic mail): A way of transmitting messages over communication networks. Enacted values: The values and norms that are actually exhibited or displayed in employee behavior. Encryption: The translation of data into a code or a form that can be read only by the intended receiver. Data are
encrypted using a key or alphanumeric code and can be decrypted only by using the same key or code.
Engagement: The use of social IT to involve stakeholders in the traditional business of the enterprise social IT such as communities and blogs to provide a platform for individuals to join in conversations, create new conver-
sations, offer support to each other, and engage in other activities that create a deeper feeling of connection to
the company, brand, or enterprise.
Enterprise 2.0: A term used to describe a company using the technologies and practices resulting from Web 2.0 architectures, applications, and services. Enterprise 2.0 typically refers to a flat organization with unimpeded
information flows between all levels and individuals in the organization. Companies adopting these practices
seek to be agile, flexible, user driven, on demand, and transparent.
bgloss.indd 302 11/26/2015 7:40:38 PM
303Glossary
Enterprise architecture (EA): The term used for a “blueprint” for the corporation that includes the business strategy, the IT architecture, the business processes, and the organization structure and how all these components
relate to each other. Often this term is IT‐centric, specifying the IT architecture and all the interrelationships with
the structure and processes.
Enterprise information systems (EIS): Another term for enterprise systems. Enterprise resource planning (ERP) software: A large, highly complex software program that integrates many
business functions under a single application. ERP software can include modules for inventory management,
supply chain management, accounting, customer support, order tracking, and human resource management. ERP
software is typically integrated with a database.
Enterprise system: A set of IS tools that many organizations use to enable information to flow within and between processes across the organization.
Espoused values: The explicitly stated, preferred organization values. Evidence‐based management: An approach in which evidence (data) and facts are analyzed as the first step in
decision making.
Evil twin connection: A bogus WiFi connection that appears to be genuine but is actually a counterfeit connection that is set up to deceive people into providing information unwittingly.
Explicit knowledge: Objective, theoretical, and codified knowledge for transmission in a formal, systematic method using grammar, syntax, and the printed word. (In contrast, see Tacit knowledge.)
Externalization: The mode of knowledge conversion from tacit knowledge to explicit knowledge. Extranet: A network based on the Internet standard that connects a business with individuals, customers, suppliers,
and other stakeholders outside the organization’s boundaries. An extranet typically is similar to the Internet;
however, it has limited access to those specifically authorized to be part of it.
Farshoring: A form of offshoring that involves sourcing service work to a foreign, low‐wage country that is relatively far in distance or time zone (or both) from the client company.
Federalism: The organization structuring approach that distributes power, hardware, software, data, and personnel between a central IS group and IS in business units.
File transfer: The means of transferring a copy of a file from one computer to another over the Internet. Firewall: A security measure that blocks undesirable requests for entrance into a Web site and keeps those on the
“inside” from reaching outside.
Flat organization structure (horizontal organization structure): The organization structure with a less well‐ defined chain of command and with ill‐defined, fluid jobs.
Focus strategy: The business strategy by which the organization limits its scope to a narrower segment of the market and tailors its offerings to that group of customers. This strategy has two variants: cost focus, in which the organization seeks a cost advantage within its segment, and differentiation focus, in which the organization seeks to distinguish its products or services within the segment. This strategy allows the organization to achieve
a local competitive advantage even if it does not achieve competitive advantage in the marketplace overall. (See
Cost strategy; Differentiation strategy.) Folksonomy: The collaborative creation and management of a structure for any type of collection, such as
ideas, data, or documents. The term is the merger of folk and taxonomy, meaning that it is a user‐generated taxonomy.
Full outsourcing: The situation in which an enterprise outsources all its IS functions from desktop services to software development.
Function points: The functional requirements of a software product that can be estimated earlier than total lines of code.
Governance (in the context of business enterprises): The established process of making decisions, defining expectations, granting power, or verifying performance.
Graphical user interface (GUI): The term used to refer to the use of icons, windows, colors, and text as the means of representing information and links on a computer screen. GUIs give the user the ability to control actions by
clicking on objects rather than by typing commands to the operating system.
Green computing: An upcoming technology strategy in which companies become more socially responsible by using computing resources efficiently.
bgloss.indd 303 11/26/2015 7:40:38 PM
304 Glossary
Grey hat hackers: The hackers who test organizational systems without any authorization and notify the IT staff when they find a weakness.
Groupware: The software that enables a group to work together on a project whether in the same room or from remote locations by allowing the group simultaneous access to the same files. Calendars, written documents,
e‐mail messages, discussion tools, and databases can be shared.
Hierarchical organization structure: An organization form or structure based on the concepts of division of labor, specialization, spans of control, and unity of command.
Hybrid cloud: A cloud infrastructure that is a combination of private and public clouds. Hypercompetition: A theory about industries and marketplaces that suggests that the speed and aggressiveness of
moves and countermoves in any given market create an environment in which advantages are quickly gained and
lost. A hypercompetitive environment is one in which conditions change rapidly.
Identity theft: The taking of a victim’s identity to obtain credit and/or credit cards from banks and retailers, steal money from the victim’s existing accounts, apply for loans, establish accounts with utility companies, rent an
apartment, file for bankruptcy, or obtain a job using the victim’s name.
Information: Data endowed with relevance and purpose. Information ethics: The ethical issues associated with the development and application of information
technologies.
Information integration: The coordination involved in determining the information to share, the format of that information, the technological standards used to share it, and the security used to ensure that only authorized
partners access it.
Information model: A framework for understanding what information will be crucial to the decision, how to get it, and how to use it.
Information resource: The available data, technology, people, and processes within an organization to be used by the manager to perform business processes and tasks.
Information system (IS): The combination of technology (the “what”), people (the “who”), and process (the “how”) that an organization uses to produce and manage information.
Information systems (IS) strategy: The plan an organization uses in providing information services. Information Systems Strategy Triangle: The framework connecting business strategy, information system
strategy, and organizational systems strategy.
Information technology: All forms of technology used to create, store, exchange, and use information, usually including hardware, software, data, and networks.
Information technology (IT) asset: Anything, tangible or intangible, that can be used by a firm in its processes for creating, producing, and/or offering its products (goods or services).
Information technology (IT) capability: Something that is learned or developed over time for the firm to create, produce, or offer its products.
Information technology (IT) governance: The established decision rights and accountability framework to encourage desirable behavior in using IT.
Information Technology Infrastructure Library (ITIL): The control framework that offers a set of concepts and techniques for managing information technology infrastructure, development, and operations that was devel-
oped in United Kingdom.
Information technology (IT) portfolio management: The evaluation of new and existing applications collec- tively on an ongoing basis to determine which applications provide value to the business in order to support
decisions to replace, retire, or further invest in applications across the enterprise.
Infrastructure: Everything that supports the flow and processing of information in an organization including hardware, software, data, and network components. It consists of components chosen and assembled in a manner
that best suits the organization’s plan and enables the overarching business strategy.
Innovation: The use of social IT to identify, describe, prioritize, and create new ideas for the enterprise. Social IT offers the community members a forum in which to suggest new ideas, comment on other ideas, and vote for
their favorite idea, giving managers a new way to generate and make decisions on products and services.
Insourcing: The manner in which a firm provides IS services or develops IS from its own in house IS organization.
bgloss.indd 304 11/26/2015 7:40:38 PM
305Glossary
Instant messaging (IM): An Internet protocol (IP)‐based application that provides real‐time text‐based commu- nication between people using a variety of different device types, including computer‐to‐computer and mobile
devices.
Integrated supply chain: An enterprise system that crosses company boundaries and connects vendors and sup- pliers with organizations to synchronize and streamline planning and deliver products to all members of the
supply chain.
Intellectual capital: The knowledge that has been identified, captured, and leveraged to produce high‐value goods or services or some other competitive advantage for the firm.
Intellectual property (IP): The term used to describe a creative information‐based output. It is information based and, unlike physical property, it is nonexclusive and has a negligible marginal cost to produce additional copies.
Internalization: The mode of knowledge conversion from explicit knowledge to tacit knowledge. Internet: The system of computers and networks that together connect individuals and businesses worldwide. The
Internet is a global, interconnected network of millions of individual host computers. Internet of Things: The technology embedded in devices that streams sensor data from those devices to the
Internet to create rich databases of operational data.
Intranet: A network used within a business for individuals and departments to communicate. An intranet is an application on the Internet but is limited to internal business use. It is a password‐protected set of interconnected
nodes under the company’s administrative control. (See Extranet.) IS: See Information system. IT: See Information technology. IT asset: See Information technology asset. IT capability: See Information technology capability. IT governance: See Information technology governance. IT portfolio management: See Information technology portfolio management. ITIL: See Information Technology Infrastructure Library. Joint applications development (JAD): A version of RAD or prototyping in which users as a group are more
integrally involved with the entire development process up to and, in some cases, including coding.
Key logger: A type of surveillance device that hackers use to track keystrokes either through hardware (an unseen thumb drive on a public computer) or software (i.e., a compromised Web site).
Knowledge: The information synthesized and contextualized to provide value. Knowledge capture: The continuous processes of scanning, organizing, and packaging knowledge after it has
been generated.
Knowledge codification: The representation of knowledge in a manner that can be easily accessed and transferred. Knowledge generation: All activities that discover “new” knowledge, whether such knowledge is new to the
individual, the firm, or the entire discipline.
Knowledge management: The processes necessary to capture, codify, and transfer knowledge across the organi- zation to achieve competitive advantage.
Knowledge repository: A physical or virtual place that stores documents with knowledge embedded, such as memos, reports, or news articles so they can be retrieved easily.
Knowledge transfer: The transmission of knowledge from one person or group to another and the absorption of that knowledge.
Legacy system: A mature information system that has worked for a long time (often 20 to 30 years old). List server: A type of e‐mail mailing list to which users subscribe; when any user sends a message to the server,
a copy of the message is sent to everyone on the list. This allows for restricted‐access discussion groups: Only
subscribed members can participate in or view the discussions because they are transmitted via e‐mail.
Local Area Network (LAN): A network of interconnected (often via Ethernet) workstations that reside within a limited geographic area (typically a single building or campus). LANs are typically employed so that the
machines on them such as printers or servers can share resources and/or can exchange e‐mail or other forms of
messages (e.g., to control industrial machinery).
Mainframe: A large, central computer that handles all the functionality of a system.
bgloss.indd 305 11/26/2015 7:40:39 PM
306 Glossary
Managerial levers: The organizational, control, and cultural variables that are used by decision makers to effect changes in their organizations.
Mashup: A term used in the Web 2.0 community to mean the combination of data from multiple sources into one Web page, for example, the combination of Google Maps with real estate data to produce a diagram showing
home price ranges for certain neighborhoods.
Matrix organization structure: An organizational form or structure in which workers are assigned two or more supervisors, each supervising a different aspect of the employees’ work in an effort to make sure multiple dimen-
sions of the business are integrated.
Middleware: The software used to connect processes running in one or more computers across a network. Mission: A clear and compelling statement that unifies an organization’s effort and describes what the firm is all
about (i.e., its purpose).
Mobile device management: A type of security policy that focuses on bring your own device (BYOD) and is related to permitted products and required connection methods.
Mobile workers: Individuals who work from wherever they are. Multifactor authentication: The use of two or more authorization methods to gain access to a computer system. Multisourcing: A type of sourcing in which IT projects and services are allocated to multiple vendors who work
together to achieve the client’s business objectives.
Nearshoring: A form of offshoring service work to a foreign, low‐wage country that is relatively close in distance or time zone (or both) to the client company.
Net present value (NPV): The valuation method that takes into account the time value of money in which cash inflows and outflows are discounted.
Network effect: The increased value of a network node to a person or organization in the network when another joins the network.
Networked organization structure: The organization form or structure in which rigid hierarchies are replaced by formal and informal communication networks that connect all parts of the company; known for its flexibility
and adaptiveness.
Object: An item that encapsulates both the data stored about an entity and the operations that manipulate that data. Observable artifact: The most visible layer of culture that includes physical manifestations such as traditional
dress, symbols in art, acronyms, awards, myths and stories about the group, rituals, and ceremonies.
Offshoring (outsourcing offshore): The situation in which an IS organization uses contractor services or even builds its own data center in a distant land.
Online reputation management: The service provided to a person or company for a fee to find negative formal or informal reviews on Web sites and report results to the client periodically.
Onshoring (inshoring): The situation in which outsourcing work is performed domestically. Open source software (OSS): The software released under a license approved by the Open Source Initiative (OSI). Open sourcing: A development approach in which an Internet community builds and improves “free” software. Operating system (OS): A program that manages all other programs running on, as well as all the resources
connected to, a computer. Examples include Microsoft Windows, DOS, and UNIX.
Oracle: A provider of widely used enterprise resources planning and database systems. Organizational strategy: A plan that answers the question: “How will the company organize to achieve its goals
and implement its business strategy?” It includes the organization’s design as well as the choices it makes to
define, set up, coordinate, and control its work processes.
Organizational systems: The fundamental elements of a business including people, work processes, structure, and the plan that enables them to work efficiently to achieve business goals.
Outcome control: The type of formal control in which the controller/manager explicitly defines intermediate and final goals for an employee.
Outsourcing: The business arrangement in which third‐party providers and vendors manage the activities of the information systems. In a typical outsourced arrangement, the company finds vendors to perform operational,
support, and systems development activities, saving strategic decisions for the internal information systems
personnel.
bgloss.indd 306 11/26/2015 7:40:39 PM
307Glossary
Parallel conversion: The conversion in which both the old system and new system are run at the same time. Payback period: The length of time needed to recoup the cost of an investment. Peer to peer: The description of infrastructure that allows networked computers to share resources without a
central server playing a dominant role.
Personnel control: The type of control that represents a proper fit between a person and a job, often involving picking the right person for the task.
Phishing attack: A type of security breach in which a person receives a convincing e‐mail calling for a response to a phony urgent situation or opportunity, with a link pretending to be a step towards performing the response.
Often the sender is an imposter and the response actually can lead to theft of identity information, account pass-
words, or monetary funds.
Platform: The hardware and software on which applications are run. For example, the iPhone is considered a platform for many applications and services that can be run on it.
Portal: Easy‐to‐use Web sites that provide quick access to search engines, critical information, research, applica- tions, and processes that individuals want.
Privacy: The area of information control involved with the right to be left alone; an individual’s ability to per- sonally control information about himself or herself; it is involved with the protections from intrusion and
information gathering by others.
Private cloud: A cloud infrastructure in which data are managed by the organization itself. Process: An interrelated, sequential set of activities and tasks that turn inputs into outputs and has a distinct
beginning, a clear deliverable at the end, and a set of metrics that are useful to measure performance.
Process perspective: The “big picture” view of a business from the perspective of the business processes per- formed. Typically, the view is made up of cross‐functional processes that traverse disciplines, departments,
functions, and even organizations. (In contrast, see Silo perspective.) Program: A collection of related projects that is often related to a strategic organizational objective. It also refers
to a set of instructions to execute one or more tasks on the computer.
Project: A temporary endeavor undertaken to create a unique product, service, or result. Temporary means that a project has a definite beginning and a definite end.
Project manager: A person who makes sure that an entire project is executed appropriately and coordinated properly and defines project scope realistically and manages the project so that it can be completed on time and
within budget.
Project management office (PMO): The organizational unit within which the expertise for managing projects resides.
Project stakeholder: An individual or organization that is actively involved in a project or whose interests may be affected as a result of project execution or project completion.
Property: An area of information control focused on who owns the data. Protocol: A special, typically standardized, set of rules used by computers to enable communication between them. Prototyping: An evolutionary development method for building an information system. Developers get the gen-
eral idea of what is needed by the users and then build a fast, high‐level version of the system at the beginning
of the project. The idea of prototyping is to quickly get a version of the software in the hands of the users and to
jointly evolve the system through a series of cycles of design and build and then to use and evaluate.
Public cloud: A cloud infrastructure in which data are stored outside of the corporate data centers in the cloud provider’s environment.
Rapid application development (RAD): The process similar to prototyping in that it is an interactive process in which tools are used to speed development. RAD systems typically have tools for developing the user, reusable
code, code generation, and programming language testing and debugging. These tools make it easy for the devel-
oper to build a library of common, standard sets of code that can easily be used in multiple applications.
Really simple syndication (RSS); also Web feeds: The structured file format for porting data from one platform or information system to another.
Real‐time data source: A type of data stream that companies use in analytics programs that capture data as they occur.
bgloss.indd 307 11/26/2015 7:40:39 PM
308 Glossary
Reengineering: A management process of redesigning business processes in a relatively radical manner. Reengineering traditionally meant taking a “blank piece of paper” and designing (then building) a business pro-
cess from the beginning. This was intended to help the designers eliminate any blocks or barriers that a current
process or environment might have. This process is sometimes called business process redesign (BPR), reengi- neering, or business reengineering.
Resource‐based view (RBV): A view that attaining and sustaining competitive advantage comes from creating value using information and other resources of the firm.
Return on investment (ROI): The amount of financial benefit (either revenue or reduced expense) over and above an investment in a particular IS, divided by the investment amount itself. The result is a percentage.
Review board: A committee that is formally designated to approve, monitor, and review specific topics related to the IS department and systems.
Reuse: A relatively small chunk of functionality available for many applications. SAP: The company that produces the leading ERP software, technically named “SAP R/3” but often simply
referred to as SAP.
Sarbanes–Oxley (SoX) Act of 2002: The U.S. act to increase regulatory visibility and accountability of public companies and their financial health.
Scalable: A criterion used to determine how well an infrastructure component can adapt to increased or, in some cases, decreased demands.
SDLC: See Systems development life cycle. Security education/training/awareness (SETA): The training to make business users aware of security policies
and practices and to build a security‐conscious culture.
Selective outsourcing: The action taken when an enterprise chooses which IT capabilities to retain in house and which to give to an outsider.
Sentiment analysis: The type of analytics that uses algorithms to analyze text to extract subjective information such as emotional statements, preferences, likes/dislikes, and so on.
Server-based architecture: A decentralized plan or format that uses numerous servers often located in different physical locations. A server is a software program or computer intended to provide data and/or instructions to another software program or computer. The hardware that a server program runs is often also referred to as “the
server.”
Service‐level agreement (SLA): Portion of the formal service contract between clients and outsourcing providers that describes the level of service including delivery time and expected service performance.
Service‐oriented architecture (SOA): The type of architecture in which business processes are built using ser- vices delivered over a network (typically the Internet). Services are software programs that are distinct units of
business functionality residing on different parts of a network and can be combined and reused to create business
applications.
Silo perspective; also Functional view or perspective: The view of an organization based on the functional departments, typically including manufacturing, engineering, logistics, sales, marketing, finance, accounting,
and human resources. (In contrast, see Process Perspective.) Six sigma: An incremental data‐driven approach to quality management for eliminating defects from a process.
The term comes from the idea that if the quality of all output from a process were to be mapped on a bell‐shaped
curve, the tail of the curve, six sigma from the mean, would be where there were less than 3.4 defects per million.
Social business: An enterprise whose basic business model engages communities as a core competency and builds processes based on capabilities available only through the use of social IT.
Social business strategy: A plan of how a firm will use social IT to engage, collaborate, and innovate. It is aligned with organizational strategy and IS strategy and includes a vision of how the business would operate if it seam-
lessly and thoroughly incorporated social and collaborative capabilities throughout the business model.
Social contract theory: The theory used in business ethics that places responsibility on corporate managers to con- sider the needs of the society (societies) in which a corporation is embedded. Social contract theorists ask what
conditions would have to be met for the members of such a society to agree to allow a corporation to be formed.
Thus, society bestows legal recognition on a corporation to allow it to employ social resources toward given ends.
bgloss.indd 308 11/26/2015 7:40:39 PM
309Glossary
Social IT: The term that refers to technologies used for collaboration, engagement, and innovation over the Web. Typically, these tools enable communities of people to chat, network, and share information. Common exam-
ples are social networks such as Facebook and Linked In, crowdsourcing services such as Kickstarter, blogs or
microblogs such as Twitter, and location‐based applications such as Foursquare.
Social media: The marketing and sales applications of social IT. Social media analytics: A class of tools to measure the impact of social IT investments (i.e., tweets, blogs,
Facebook) on the business.
Social media management: A type of security policy that provides rules about what can be disclosed on social media, such as who can Tweet and how employees can identify themselves.
Social network: An IT‐enabled network that links individuals together in ways that enable them to find experts, get to know colleagues, and see who has relevant experience for projects across traditional organization lines.
Social networking site: A Web site available from a Web‐based service that allows its members to create a public profile within a bounded system, list other users with whom they share a connection, and view and interact with
their list of connections and those made by others within the system. Examples are MySpace, Facebook, and
LinkedIn.
Socialization: The mode of knowledge conversion from tacit knowledge to tacit knowledge using the process of sharing experiences; it occurs through observation, imitation, and practice.
Software‐as‐a‐service (SaaS): The term used to describe a model of software deployment that uses the Web to deliver applications on an “as‐needed” basis. Often when software is delivered as a service, it runs on a computer
on the Internet rather than on the customer’s computer and is accessed through a Web browser.
Spoofing: A security breach in which a hacker counterfeits an Internet address. Stakeholder theory: A theory used in business ethics that suggests that managers, although bound by their rela-
tion to stockholders, are also entrusted with a fiduciary responsibility to all those who hold a stake in or a claim
on the firm, including employees, customers, vendors, neighbors, and so forth.
Standard: The technical specifications to be followed throughout the infrastructure. Often standards are agreed on for development processes, technology, methods, practices, and software.
Steering committee: An IT governance mechanism that calls for joint participation of IT and business leaders in making decisions about IT as a group.
Stockholder theory: A theory used in business ethics suggesting that stockholders advance capital to corporate managers who act as agents in advancing the stockholders’ ends. The nature of this contract binds managers to
act in the interest of the shareholders (i.e., to maximize shareholder value).
Strategic alliance: An interorganizational relationship that affords one or more companies in the relationship a strategic advantage.
Strategy: A coordinated set of actions to fulfill objectives, purposes, and goals. Structured data: The facts gathered from external sources that are clear and easily categorized when stored in
databases or used.
Supply chain management (SCM) system: The system that manages the integrated supply chain; its processes are linked across companies with a companion process used by a customer or supplier.
Synchronized planning: The agreement by partners on a joint design of planning, forecasting, and replenishing activities and what to do with the information.
Systems development life cycle (SDLC): The process of designing and delivering an entire system using these seven phases: initiation of the project, requirements definition phase, functional design phase, technical design
and construction phase, verification phase, implementation phase, and maintenance and review phase.
System software: Software such as Microsoft Windows, Apple OSX, and Linux that provides instructions to the hardware.
Tacit knowledge: The personal, context‐specific knowledge that is hard to formalize and communicate. It consists of experiences, beliefs, and skills and is entirely subjective and often acquired through physically practicing a
skill or activity. (In contrast, see Explicit knowledge.) Tagging: The process in which users list key words that codify information or a document at hand and that create
an ad hoc codification system, sometimes referred to as a folksonomy.
bgloss.indd 309 11/26/2015 7:40:39 PM
310 Glossary
Telecommuting: The combination of telecommunications with commuting. This term usually refers to the practice of individuals who regularly work from home instead of commuting to an office. However, it is often used to
mean anyone who works regularly from a location outside her or his company’s office.
The Open Group Architecture Framework (TOGAF): The framework that includes a methodology and set of resources for developing an enterprise architecture based on the idea of an open architecture whose specifications
are public (as compared to a proprietary architecture whose specifications are not made public).
Token: A small electronic device that generates a new supplementary passkey at frequent intervals. Total cost of ownership (TCO): A costing method that looks beyond initial capital investments to include costs
associated with technical support, administration, training, and system retirement.
Total quality management (TQM): A management philosophy in which quality metrics drive the performance evaluation of people, processes, and decisions. The objective of TQM is to continually, and often incrementally,
improve the activities of the business to reach the goal of eliminating defects (or achieving zero defects) and pro-
ducing the highest‐quality outputs possible.
Unified communications (UC): An evolving communications technology architecture that automates and unifies all forms of human and device communications in context and with a common experience.
Unstructured data: The facts that are embedded (i.e., in blogs, tweets, conversations) that have to be extracted before they can become useful information. They are not straightforward.
User‐centered design: The development approach that uses tools for RAD, JAD, agile development, and proto- typing to provide assurance that users’ needs are being met efficiently and responsively.
Utility computing: The purchasing of an entire computing capability on an as‐needed basis. Value net: The set of players in a co‐opetitive environment including a company and its competitors and comple-
mentors as well as its customers and suppliers and the interactions among all of them. (See Complementor.) Value: A principle or quality that reflects a community’s aspirations about the way things should be done. Video teleconference (videoconference): A set of interactive telecommunication technologies that allow two or
more locations to interact simultaneously via two‐way video and audio transmissions.
Virtual corporation: A temporary network of companies (or individuals) linked by information technology to exploit fast‐changing opportunities.
Virtual private network (VPN): A private network that uses a public network such as the Internet to connect remote sites or users. It maintains privacy through the use of a tunneling protocol and security procedures.
Virtual team: A team of two or more people who (1) work together interdependently with mutual accountability for achieving common goals, (2) do not work in either the same place and/or at the same time, and (3) must use
electronic technology to communicate, coordinate their activities, and complete their team’s tasks.
Virtual world: A computer‐based simulated environment intended for its users to inhabit and interact via avatars. Virtualization: The process that allows a computer to run multiple operating systems or several versions of the
same operating system at the same time; is a virtual infrastructure in which software replaced hardware in a way
that a “virtual machine” or a “virtual desktop system” was accessible to provide computing power.
Voice over Internet protocol (VoIP): A method for taking analog audio signals, such as the kind heard when someone talks on the phone, and turning them into digital data that can be transmitted over the Internet.
Wide Area Network (WAN): A computer network that spans multiple offices, often over a wide geographic area. A WAN typically consists of transmission lines leased from telephone companies.
Weak password: A password such as “123456” that is easy to guess. Web 2.0: The term given to the Internet and its applications that support collaboration, social networking, social
media, RSS, mashups, and a number of other information‐sharing tools. The term is used to distinguish it from
Web 1.0, which was mostly used for transactions and information dissemination. Web 2.0 is not about different
technical specifications but about using the Internet in different ways than was done with Web 1.0.
Web‐based architecture: The format or plan in which significant hardware, software, and possibly data elements reside on the Internet.
Web logs (Blogs): The online journals that link together into a very large network of information sharing.
bgloss.indd 310 11/26/2015 7:40:39 PM
311Glossary
Web services: The software systems that are offered over the Internet and executed on a third party’s hardware. Often the term refers to more fundamental software that uses XML messages and follows simple object access
protocol (SOAP) standards.
White hat hackers: The hackers who break into a firm’s systems to uncover weaknesses. Wiki: The software that allows users to work collaboratively to create, edit, and link Web pages easily. Wireless (mobile) infrastructure: The infrastructure that allows communication from remote locations using a
variety of wireless technologies (e.g., fixed microwave links; wireless LANs; cellular networks; wireless WANs;
satellite links; digital dispatch networks; one‐way and two‐way paging networks; diffused infrared, laser‐based
technology; keyless car entry; and global positioning systems).
Wisdom: The knowledge fused with intuition and judgment that facilitates the ability to make decisions. Workflow: The term that describes activities that take place in a business process. Workflow diagram: A picture or map of the sequence and detail of each step in a process. Zachman framework: The enterprise architecture that determines requirements by providing a broad view that
helps guide the analysis of the detailed view.
Zero-day threat: The brand‐new outbreaks of a security problem. Zero time organization: An organization designed around responding instantly to the demands of customers,
employees, suppliers, and other stakeholders.
bgloss.indd 311 11/26/2015 7:40:39 PM
bgloss.indd 312 11/26/2015 7:40:39 PM
313
A
Abbott, Pamela, 221n
Accessibility, 291
Accuracy, 290
Acharya, Parul, 72n
Acquisti, A., 286n
Activity streams, 84, 112
Activity‐based costing (ABC),
184–185
Adaptability, 140–141
Agarwal, S., 62n
Agile business processes,
104–105
Agile development, 242–243
crystal, 242
dynamic system development
method (DSDM), 242
extreme programming (XP), 242
feature‐driven development, 242
rapid applications development
(RAD), 242
scrum, 242
Alignment, 19
Allocation funding method, 183
complaints about, 183
Amabile, Teresa M., 94n
Amazon.com, 2, 19
American LaFrance (ALF), 117
Analytical capabilities levels, 267
Andersen, Martin, 97
Andrews, Lori, 286n, 289
Angwin, Julia, 287n, 288n
Antivirus/antispyware, 157
Appian, 108–109
Applegate, L. M., 38, 60n, 211n,
248n, 250n
Applications, 28, 129
Archetypes
of accountability and decision
rights, 194–197
definition, 196
IT governance, 194–197
Architecture, 15, 124–146
architectural principles, 135
basic components to be considered,
129
building versus IT, 126 capacity‐on‐demand, 132
cloud computing, 137–138
common configurations of
architecture, 130
enterprise architecture, 136–137
existing architecture,
understanding, 139–140
financial issues, assessing, 142
leap from strategy to architecture
to infrastructure, 126–127
manager ’ s role, 126
“One‐VA” architecture, 132
strategic timeframe, assessing, 140
technical issues, assessing,
140–141
virtualization, 137–138
from vision to implementation,
125–126
Web‐based architectures, 132
Arkes, Hal, 252n
Ashton, K., 13n, 269
Assumptions, 67
Audio Home Recording Act (1992),
273
B
Babin, R., 220
Backsourcing, 223
Bala, H., 95, 132n
Balaji, S., 99n
Balanced scorecard, 178–179
at BIOCO, 190
customer perspective, 179
financial perspective, 179
internal business perspective, 179
learning perspective, 179
Balthrop, Justin, 155n
Banjo, Shelly, 153n
Bargaining power
of buyers, 39
of suppliers, 39
Barki, H., 250n
Barley, S., 76n
Barney, Jay, 45n
Barrish, Jordan, 232n
Basu, Amit, 112n
Batdorf, Chris, 207
Bates, J., 132n
Bean, L. L., 19
Beck, K., 242n
Behavior controls, 84
Beliefs, 66
Benbasat, Izak, 160n
Benlian, Alexander, 216n
Berinato, Scott, 23n
Berkman, Eric, 179n
Bernard, Schoot A., 218n
Bernard, Scott A., 124n
Best‐of‐breed approach, 215
Bhasin, Aditya, 219n
Big data, 268
Biometrics, 156
Black hat hacker, 159
Blogs, 27, 82, 287
Blohm, I., 214
Blown to Bits, 12 Blue ocean strategy, 24
Blumer, Catherine, 252n
“Bolt‐on” systems, 112
Bond, M. H., 69n
Bosworth, Martin, 282n
Boudreau, Marie‐Claude, 91n
Boutin, Paul, 54
Boyd, Ron, 297–298
Bradley, Randy V., 136n
Braganza, A., 200n, 203
Brancatelli, J., 73n
Brandeis, Louis D., 285n
Brandenburg, A., 48n
Breaches
cost of, 153–154
cross‐site scripting, 152–153
password, 151–152
third parties, 153
Bridges, William, 77n
Brin, Sergey, 31
Bring Your Own Device (BYOD),
133, 191, 192
Broadbent, M., 35n, 175n, 188n
Bromwich, Jonah, 285n
Brook, Chris, 152n
Brooks, F., 239n, 240n
Brynjolfsson, Erik, 24n, 59n
Buchanan, Richard D., 140n
Building the Information Age Organization, 25
Bulgurcu, Burcu, 160n
Bureaucracy, 60
Burnham, Kristin, 86n
Bush, Jonathan, 185
Index
bindex.indd 313 11/26/2015 7:43:36 PM
314 Index
Business analytics, 259–261
competing with, 265–267
components of, 265
data sources, 265
data‐driven environment, 266
levels of analytical capabilities, 267
skilled workforce, 267
software tools, 266
Business, assumptions about, 8–10
functional view, 9
hierarchical view of firm, 9
process view, 9–10
Business case, 173–175
benefits in, classification framework for,
174–175
building a business case, 173–175
components of, 173
financial benefits, 174
measurable benefits, 174
observable benefits, 174
quantifiable benefits, 174
Business ecosystem, 34, 224
Business ethics, normative theories of, 282
Business integration with information
systems, 4
Business intelligence (BI), 259–261, 264
caveats for managing, 274
elements, 264
traditional, 264
Business of information technology,
165–190
activities that IT organization should not
do, 170–171
anticipating new technologies, 169
balanced scorecards at BIOCO, 190
building a business case, 173–175
(See also Business case) chief financial officer (CFO), 171
chief information officer (CIO), 171–172
chief information security
officer (CISO), 172
chief knowledge officer (CKO), 172
chief mobility officer (CMO), 172
chief network officer (CNO), 172
chief privacy officer (CPO), 172
chief resource officer (CRO), 172
chief social media officer (CSMO), 172
chief technology officer (CTO), 172
chief telecommunications
officer (CTO), 172
developing and maintaining systems, 169
establishing architecture platforms and
standards, 169
innovating current processes, 169
integrating use of social IT, 170
IT investments, valuing, 176–177
IT portfolio management, 175–176
KLM Airlines, 189–190
manager’s expectation from IT
organization, 168–170
managing data, information, and
knowledge, 169
managing human resources, 169
managing Internet and network
systems, 169
managing supplier relationships, 169
maturity model, 167–168
monitoring IT investments, 177–182
operating data center, 169
organizing to respond to business
demand, 167–168
participating in setting and implementing
strategic goals, 170
planning for business discontinuities, 169
promoting enterprise security, 169
providing general support, 169
understanding IT organization, 168
Business process management (BPM),
107–109
Business process perspective, 102–104
Business process reengineering (BPR), 105
Business strategy, 20, 21
business models versus, 21 and IT, co‐creating, 50
Business strategy frameworks, 19–25
(See also Generic strategies framework)
direct‐to‐customer model, 20
dynamic environment strategies, 23–25
Business technology strategist, 171
Business transformation and IS, 99–123
Appian, 108–109
ARIS, 109
building agile and dynamic business
processes, 104–105
changing business processes, 105–107
enterprise systems, 110–119
hierarchical structure, 101
IBM, 109
NPD process redesign, 99
process perspective, 102–104
silo perspective versus business process perspective, 100–104
workflow and mapping processes,
107–109
Business‐IT dashboards, 181
Business‐IT maturity model, 167–168
Buyers, bargaining power of, 39
Byrd, Terry Anthony, 136n
C
Cairncross, Frances, 59n
Capability Maturity Model (CMM),
219, 221
Capacity‐on‐demand, 132
Captive centers, 210–211
CareerBuilder.com, 85
Carey, Jane, 244n
Carman, Ashley, 151n
Carmel, Erran, 221n, 222, 222n
Carr, David F., 84
Carter, M., 171n
Case studies
Aircraft Communications Addressing
and Reporting System (ACARS),
163–164
Altia Business Park, 226–227
balanced scorecards at BIOCO, 190
Boeing 787 Dreamliner, 122–123
business intelligence at CKE restaurants,
276–277
case of extreme scientists, 146
crowdsourcing at AOL, 225–226
dealing with traffic jams in London,
255–257
Enterprise architecture (EA) at American
Express, 145–146
ethical decision making, 295–297
FBI, 73–74
Google, 31–32
Groupon, Inc., 52–53
implementing enterprise change
management at Southern Company,
254–255
IT governance at university of the
Southeast, 205–206
KLM Airlines, 189–190
Lego, 30–31
Midwest Family Mutual goes green,
297–298
MyJohnDeere platform, 207
Santa Cruz Bicycles, 121–122
Social Networking: How Does IBM
Do It?, 98
Sony Pictures: The Criminals Won, 164
Southwest Airlines, 72–73
Stop & Shop’s Scan It! App, 275–276
Trash and Waste Pickup Services, Inc.
(TWPS’s), 97–98
Zipcar, 53–54
Cash, J. I., 25n, 26, 58, 60n
Cathedral and the Bazaar, The, 246, 246n Cavusoglu, Hasan, 160n
CEMEX, 109
Centralized architecture, 130, 131
Centralized organizational structure,
193–194
advantages, 194
disadvantages, 194
Challenge question, 156, 158
Chan, Jason, 217
Chandran, Nyshka, 155n
Chandrasekaran, N., 56, 60
Chang, Elizabeth, 197n, 198n
Changes, IT‐induced, gaining acceptance
for, 94–96
managing change, 94–95
stages and steps in, 95
technology acceptance model and its
variants, 95–96
bindex.indd 314 11/26/2015 7:43:36 PM
315Index
Chargeback funding method, 182–183
Chasney, Jeff, 277
Cherbakov, L., 172n
Chief analytics officer (CAO), 267
Chief data officer, 267
Chief executive officer (CEO), 166
Chief financial officer (CFO), 166, 171
Chief information officer (CIO), 165–166,
171–172
Chief information security officer
(CISO), 172
Chief knowledge officer (CKO), 172
Chief mobility officer (CMO), 172
Chief network officer (CNO), 172
Chief operating officer (COO), 208
Chief privacy officer (CPO), 172
Chief resource officer (CRO), 172
Chief social media officer (CSMO), 172
Chief technology officer (CTO), 172
Chief telecommunications officer
(CTO), 172
1998 Children’s Online Privacy Protection
Act, 288
Christie, Joel, 153n
Chudoba, K., 92n
Clair, D., 35n
Clean Air Act, 89
Cloud architecture, 132
Cloud computing, 124, 137–138, 216–218
advantages, 217
Netfix, 217, 218
options, 218
public cloud, 218
risks/challenges of, 217
CoActive Digital, 82
Coghlan, Philip John, 281
Cognizant Technology Solutions, 55–57
Coleman, T., 99n
Colin, Michelle, 32
Collaboration, IT supporting, 27
changing, 82–83
Columbus, Louis, 113n
Committee of Sponsoring Organizations
of the Treadway Commission
(COSO), 201, 202
Common project vocabulary, 233, 239
Communication, IT supporting, 64
changing communication patterns, 80–81
Community cloud, 218
Compensation, changes to, 85
Competitive Advantage, 21 Competitive challenges, 4–5
Complexity, 248
Computerworld, 148 Condliff, Jamie, 152n
Confucian work dynamism (future
orientation), 69
Connor, C., 287n
Conradt, Brett, 280n
Consumerization of IT, 133, 191
Contracts, outsourcing, 214–215
Control decisions, governance frameworks
for, 200–204
frameworks for implementing SoX,
201–203
IS and implementation of Sarbanes–
Oxley Act compliance, 203–204
Sarbanes–Oxley Act of 2002, 200–201
(See also individual entry) Control Objectives for Information and
Related Technology (COBIT),
202–203, 292
advantage of, 202
components of, 202
control objective, 202
critical success factor, 202
domain, 202
key goal indicator, 202
key performance indicator, 202
maturity model, 202
Cookies, 287
Co‐opetition, 48
Copyleft rule, 246
Corporate budget funding method, 184
Corporate social responsibility (CSR), 220,
283–284
Cost focus, 22
Cost leadership, 22
Cost of IT, 184–187
activity‐based costing (ABC), 184–185
administration, 187
of informal support, 186
soft cost considerations, 187
technical support, 187
total cost of ownership (TCO),
185–187
training, 187
Cotterman, H., 234n, 238
Couto, Vinay, 219n
Cranor, L. F., 286n
Creative destruction, 24
Critical path method (CPM), 235
Critical success factors, COBIT, 202
Cross‐functional nature of business
processes, 103–104
Zara’s, 104
Cross‐site scripting (XSS), 152
Crowdsourcing, 118, 214
Crystal, 242
Cule, P., 249n
Culnan, M., 279n, 281n, 282n, 291,
291n, 292n
Cultural differences and offshoring, 222
Culture and IS, 58, 66–71
assumptions, 67
beliefs, 66
enacted values, 66
espoused values, 66
IT adoption and diffusion, 68
levels of culture and IT, 67–68
national cultural dimensions and their
application, 68–71
observable artifacts, 66
values, 66
Curran, Chris, 181n
Customer pull, 5
Customer relationship management (CRM),
23, 42, 111, 113–114, 217
Microsoft Dynamics, 113
Oracle, 113
Salesforce.com, 113
SAP, 113, 114
Cyberslacking, 65
Cycle time, 102
D
Daarst‐Brown, Michelle L., 218n
Dagen, H., 241–242, 242n
Daniel, Elizabeth, 173, 173n
D’Arcy, John, 160n
Dashboards, 180–182, 264
architecture of, 182
business‐IT dashboards, 181
executive, 180
FEMA—Infrastructure evaluation
score, 182
improvement dashboard, 181
portfolio dashboards, 181
service dashboard, 181
Data, 10, 27, 129, 130, 261–263
data center, 130
data collection and IS, 63
data mining, 266
data scientist, 267
data warehouses, 265
data‐driven culture, 266
real‐time data sources, 265
security policies, 159
structured and unstructured, 265
Data‐driven decision making, 5
Davenport, Thomas, 12n, 259n, 260, 260n,
261n, 267, 267n, 269n
Davenport, Tom, 10, 261, 261n
Davis, Fred, 95
De Haes, Steven, 189n, 190
de Montjoye, Y. A., 283n
DeBoever, Larry R., 140n
Decentralized architecture, 130, 131
Decentralized organizational structure,
193–194
advantages, 194
disadvantages, 194
Decision rights, 58–59, 194–197
Decision‐making mechanisms, 199–200
(See also Control decisions, governance frameworks for)
C‐level executives, 199
lower‐level steering committees, 199
review board, 199
steering committee, 199
bindex.indd 315 11/26/2015 7:43:36 PM
316 Index
Decisions about IS, participating in, 2–3
manager’s not participating in,
consequences of, 5
skills needed, 6–7
ways to, 7
Decoupling avoidance, 292
Deep Web, 155
Deere, John, 207
Dell, 20
Design of work and IS (See Work design framework)
Dessain, Vincent, 194n
Destroy your business (DYB), 24
Deters, Ralph, 197n
Diamond, J., 284n
Differentiation, 22
Differentiation focus, 22
Digital ecosystem, 197–199
Digital Millennium Copyright Act
(DMCA), 273
Digital natives, 4
D’Innocenzio, Anne, 154n
Direct cutover, 241
DiRomualdo, Anthony, 211n
Disher, Chris, 219n
Diversity challenges, managing, 93–94
Domain Excellence Platforms (DEPs), 62
Donegan, C., 181n, 182
Dorfman, P., 69n
Dourish, P., 76n
Drucker, Peter F., 11n, 261, 261n
Dunaway, G., 50
Duvall, Mel, 122, 141, 141n
Dynamic business processes, 104–105
Dynamic capabilities, 24
Dynamic environment strategies,
23–25
destroy your business (DYB), 24
grow your business (GYB)
strategy, 24
hypercompetition frameworks, 23
Dynamic system development method
(DSDM), 242
E
Earl, Michael J., 168n, 194n, 195
Eaton, Ben, 218n
Eccles, Robert G., 25n, 26, 58
Economic value added (EVA), 177
Economics of information versus economics of things, 12–15
El Sawy, O. A., 181n, 182
Electronic medical record (EMR), 198
Elgin, Ben, 153n
E‐mail (electronic mail), 80, 82–83
Emergent governance, 197–199
Enacted values, 66
Encryption, 158
End‐to‐end NPD process, 99
Engagement, 27
Enterprise architecture (EA), 136–137
components of, 136
The Open Group Architecture Framework
(TOGAF), 136
Zachman framework, 136
Enterprise Architecture as Strategy, 136 Enterprise information systems (EIS), 110
Enterprise resource planning (ERP),
42, 110–112
characteristics of, 112
global versus local ERPs, 113 Enterprise systems, 104, 110–119
advantages, 116–118
between companies, challenges of
integrating, 119
crowdsourcing changes innovation
processes, 118
disadvantages, 116–118
enterprise information systems (EIS), 110
integration versus standardization, 109 Oracle, 110
and processes they automate, 111
SAP, 110
when system drives the transformation,
118–119
Eras model, 34, 35
Espoused values, 66
Ethical considerations in information
management, 278–298
corporate social responsibility (CSR),
283–284
ethical decision making, 295–297
green computing, 292–293
managers’ role in ethical information
control, 291–292
Midwest Family Mutual goes green,
297–298
privacy, accuracy, property, and
accessibility (PAPA), 284–292
responsible computing, 280–282 (See also individual entry)
Evaluation, 64
changes to, 85
Evans, Philip, 12n, 13n
Evidence‐based management approach, 266
Evil twin connection, 152
Executive dashboards, 180
Explicit knowledge, 262–263
External stakeholders, 111
Externalization, 263
Extreme programming (XP), 242
Extreme Programming Explained: Embrace Change, 242n
F
Face‐to face meetings, 92
Fair Credit Reporting, 289
Farshoring, 220
Fear, uncertainty, and doubt (FUD)
factor, 150
Feature‐driven development, 242
Federal Bureau of Investigation (FBI),
73–74
Federalism, 193, 194
federal IT, 195
Feeny, David F., 211n
Field, Tom, 215n
Financial benefits, business case, 174
Financial issues, 142–143
Fincher, David, 258
Firewall, 157
FirstEnergy, 179
Flat organizational structure, 60
Focus, 22
cost focus, 22
differentiation focus, 22
Foecke, T., 231n
Folksonomy, 264
Ford, John C., 176n
Formal reporting relationships, 58–62
flat organizational structure, 60
hierarchical organizational structure,
59–60
matrix organizational structure, 61
networked organizational structure,
61–62
Forsberg, K., 234n, 238
Forsyth, Jim, 291n
Franken, Arnoud, 200n, 203
Free software, 246
Freedman, D., 13n
Frey, C. B., 80n
Friedman, M., 280, 280n
Friedman, Thomas, 81, 81n, 115
Friedmann, D., 231n
Full outsourcing, 215
Function points, 240
Functional (silo) perspective, 101–102
Functional view of business, 9
Funding IT resources, 182–184
allocation funding method, 183
chargeback funding method, 182–183
corporate budget, 184
G
Gahran, Amy, 144
Galal, Hossam, 83n
Galindo, Sergio, 152n
Galletta, D., 64n, 160n
Gantt charts, 235, 237
Gardner, D. G., 285n
Gartenberg, M., 185n
Gary, L. Dain, 154
Gebelt, M., 215n
Geister, Susanne, 87, 87n
Gemino, A., 229n, 240n
Gemke, Dirk, 189n, 190
General public license (GPL), 246
Generally accepted accounting principles
(GAAP), 201
bindex.indd 316 11/26/2015 7:43:36 PM
317Index
Generic strategies framework, 21–23
cost focus, 22
cost leadership, 22
customer relationship management
(CRM), 23
differentiation, 22
focus, 22
value‐based strategy, 23
Genuchten, M., 76n
Geographic flexibility, 91
George, Joey F., 244n
Ghosal, S., 47
Glick, Bryan, 228n, 229n
Global Leadership and Organizational
Behavior Effectiveness (GLOBE)
research program, 69
Goeltz, Don, 43
Goh, M., 62n
Gombossy, G., 290n
Goodman, Marc, 286n
Google, 2, 31–32
Governance, 192 (See also Governance of the information systems
organization)
Governance activities for enterprise IT
(GEIT), 193
Governance of the information systems
organization, 191–207
advantages, 194
archetypes of accountability and decision
rights, 194–197
centralized versus decentralized organizational structures, 193–194
control decisions, governance
frameworks for, 200–204
decision‐making mechanisms,
199–200
disadvantages, 194
emergent governance, 197–199
frameworks, 199
IT governance at university of the
Southeast, 205–206
MyJohnDeere platform, 207
organizational continuum, 193
Gramm–Leach–Bliley Act of 1999, 288
Grant, R., 64n
Graphical user interface (GUI), 243
Gray, P., 181n, 182
1999 Greater London Authority Act, 255
Green computing, 292–293
Greenberg, Andy, 148n, 151n
Greene, Tim, 154n, 217n
Grey hat hacker, 159
Groupon, Inc., 52–53
Groupware, 82
Grover, V., 171n
Grow your business (GYB) strategy, 24
Gruman, Galen, 138n
Gueutal, H. G., 285n
Gurbaxani, Vijay, 211n
H
Hadzic, Maja, 197n, 198n
Hallingby, Hanne Kristine, 218n
Hamblen, M., 215n
Hammer, Michael, 101n
Hanges, P., 69n
Hanset, Ole, 218n
Hardware, 27, 129, 130
Harkins, M., 192n
Harris, J., 259n, 260, 260n, 267, 267n, 269n
Harrison, S., 76n
Hasnas, John, 280n
Hat hackers, 159
black, 159
grey, 159
white, 159
Hattar, Marie, 83
Hay, Gordon, 126n
Hays, Constance, 266n
Health Insurance Portability and
Accountability Act (HIPAA) of
1996, 289
Heating, ventilation, and air conditioning
(HVAC) contractor, 153
Heller, Martha, 199n
Hertel, Guido, 87, 87n
Hierarchical organizational structure, 59–60
Hierarchical structure of business
transformation, 101
Hierarchy, information, 10–12
Hill, K., 283n
Hiltzik, Michael, 151n
Hiring, changes to, 85
Hirsch, Henry, 216n
Hirschheim, Rudy, 215n, 223n
Hof, Robert, 2n
Hofstede dimensions (related GLOBE
dimensions), 69
Hofstede, G., 66n, 68n, 69n
Hogue, F., 19n
Holmes, Allan, 74
Holmes, Stanley, 123
Honan, Brian, 151n
Hookway, J., 50
Horizontal organizational structure, 60
Horner, Kevin, 165–166
Houghton, Robert, 181n, 182
House, R. J., 69n, 70n
Hovav, Anat, 160n
Hu, Q., 190, 215n
Huang, C. D., 190
Hulland, J., 46
Hybrid captive center, 211
Hybrid cloud, 218
Hypercompetition, 23
I
iCloud, 39
Identity theft, 291
Improvement dashboard, 181
In the Age of the Smart Machine: The Future of Work and Power, 79n
Incentives and IS, 66
Incremental change in business
transformation, 106
and radical change, comparison, 107
Individualism/collectivism (societal and in‐
group collectivism), 69
Industry competitors, 40–41
Informal networks, 58, 62–63
Informal support, cost of, 186
Information, 11–12, 261–263
Information Ecology, 10 Information ethics, 280
Information hierarchy, 10–12
characteristics across hierarchical
level, 11
comparison, 11
data, 10
information, 11–12
knowledge, 10, 12
Information processing, changing, 81–82
Information repository, 36, 46
Information resources, 33–54 (See also Strategic use of information
resources)
definition, 36
evolution of, 34–36
Information security infrastructure, 150
Information security investments, 150
Information security policy, 150
Information security strategy, 150
Information systems (IS), 15
Information Systems Audit & Control
Association (ISACA), 202
Information systems strategy triangle
(See Strategy triangle of IS) Information Technologies and Resources
(IT&R), 205, 206
Information technology, 15
Information Technology Infrastructure
Library (ITIL), 203, 292
Informational systems, 175
Infrastructure, 15, 124–146, 175
peer‐to‐peer architecture, 132
wireless (mobile) infrastructure, 132
Infrastructure as a service (IaaS), 218
Innovation, 27
Insourcing, 210–211
Instant messaging (IM), 82, 90, 94
Instone, K., 245n
Integration versus standardization, 109 Intel, 191–192
Intellectual capital, 272
Intellectual property (IP), 273
Intellectual Property Act of 2014, 273
Intellectual property collide, 272
Intellectual property preservation, 247
Internal rate of return (IRR), 176, 177
Internalization, 263
bindex.indd 317 11/26/2015 7:43:37 PM
318 Index
International Business Times, 148 International Standards Organization (ISO),
203
Internet of Things (IoT), 13–15, 269
Intranet, 86, 151, 152, 260
Investments in IT, valuing, 176–177 (See also Valuation methods)
Irwin, Gil, 219n
Isaacson, Walter, 24n
IT governance, 195
IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, 195n, 196n
IT multisourcing, 215–216
IT portfolio management, 175–176
informational systems, 175
infrastructure systems, 175
strategic systems, 175
transactional systems, 175
Ives, B., 36n, 37, 44n, 172n
Iyengar, Rishi, 285n
J
Javidan, M., 69n, 70n
Jeffers, David, 158n
Jiang, J. J., 113
Jobs, Steve, 24
JobShift: How to Prosper in a Workplace without Jobs, 77n
Joint applications development (JAD), 243,
244
Jones, Charisse, 72n
Joshi, A., 181n, 182
JP Morgan Chase, 223
Junod, Tom, 146
K
Kaarst‐Brown, Michelle L., 124n
Kao, Jon, 83n
Kaplan, R., 178–179, 178n
Kavan, C. B., 223n
Kayworth, T., 67n, 69n, 284n
Kazi, Rahnuma, 197n
Keegan, P., 254n
Keil, M., 249n, 251n
Kelley, Diana, 218n
Kellwood, 208, 215, 223
Kelly, Erin, 148n
Kentish, Shenay, 34n
Kerber, R., 279n
Kerr, Paul, 152n
Key logger, 152
Key performance indicators (KPIs), 202
Khosia, Vinod, 158
Kifer, Ron, 213
Kim, W. Chan, 24n
King, Jeremy, 4n
Kinicki, A., 66n
Kirsch, L. J., 84n
Kleing, G., 113
Knorr, Eric, 137n
Knowledge‐Creating Company: How Japanese Companies Create the Dynamics of Innovation, The, 263
Knowledge/knowledge management
processes, 10, 12, 258–277
caveats for managing, 274
externalization, 263
folksonomy, 264
internalization, 263
knowledge capture, 264
knowledge codification, 264
knowledge generation, 264
knowledge transfer, 264
socialization, 263
tacit versus explicit knowledge, 262–263 tagging, 264
value of managing knowledge, 262
Kodak effect, 211
Komanduri, S., 286n
Konradt, Udo, 87, 87n
Kotabe, M., 224n
Kotalarsky, J., 210n
Kotter, John, 94n, 95
Kozmetsky, G., 62n
KP HealthConnect, 17–18
Krcmar, H., 214
Krebs, B., 151n, 153, 153n, 160, 284n
Krigsman, M., 248, 248n
Kumar, Akhil, 112n
Kunda, G., 76n
Kurtzberg, Terri R., 94n
L
Lacity, Mary C., 211n, 223n
Lagorio, Christine, 277
LaVallee, Andrew, 286n
Lawrence, Dune, 153n
Leavitt, Harold, 81, 81n, 82
LeClare, Phil, 137n
Lee, Hau, 115n
Lego, 30–31
Leidner, D., 67n, 69n, 284n
Leimeister, J. M., 214
Lemos, Robert, 91n
Leon, P. G., 286n
Levels of culture and IT, 67–68
IS development, 68
IT adoption and diffusion, 68
IT management and strategy, 68
IT use and outcomes, 68
Levinson, M., 24n
Lewin, K., 94n, 239, 239n
Lewis, Dave, 164
Lidsky, D., 185n
Liew, C.‐M., 210n
Lipson, Howard F., 155n
Loch, Karen, 91n
Lohr, S., 286n
Long, Kathy Chin, 31n
Lunsford, J. Lynn, 123
Lynch, C. G., 82n
Lyytinen, K., 249n
M
Ma, D., 280n, 292
Mainframe computers, 130
Maintainability, 141–142
Majchrzak, A., 172n
Make Home Affordable Program, 290
Maloney, Daniel, 225–226
Mamodia, Raj, 61
Managed security services providers
(MSSP), 159
Management, assumptions about, 8
manager’s role, 9
Mintzberg’s model, 8
Management control systems and IS, 63–66
communication, 64
data collection, 63
evaluation, 64
planning, 64
Management of information systems (IS), 1
business view, 3
competitive challenges, 4–5
customer pull, 5
Managerial issues, 142–143
Managerial levers model, 25–26
Managing IT projects, 228–257
agile development, 242–243
clarity, 249
commitment determinants, 251
complexity, 248
dealing with traffic jams in London,
255–257
gauging success, 252–253
implementing enterprise change
management at Southern Company,
254–255
IT project development methodologies
and approaches, 240–247
managing project risk level, 249–251
operations versus projects, 230 project, definition, 230–231
project elements, 233–239
project management, 231–239
prototyping, 243
risk management in, 247–253 (See also individual entry)
size, 249
sustaining commitment to projects, 251
systems development life cycle (SDLC),
240–242 (See also individual entry)
Mapping processes, 107–109
Markus, M. Lynne, 112n, 119n
Martinsons, M. G., 280n, 292
Masculinity/femininity
(general egalitarianism and
assertiveness), 69
bindex.indd 318 11/26/2015 7:43:37 PM
319Index
Mashups, 11, 247
Mason, Richard O., 285, 285n, 291, 291n
Materials resource planning (MRP), 110
Matlack, Carol, 153n
Matrix organizational structure, 61
Maturity model (See Business‐IT maturity model)
Mauborgne, Renee, 24n
Maxon, T., 73n
Mayor, Tracy, 180n
Maznevski, M. L., 92n
McAfee, A., 24n, 59n, 194n
McCarty, J. H., 231n
McClure, S., 285n
McFarlan, F. W., 38, 248n, 250n
McGrath, M., 279n
McKeen, James D., 175n
McKenney, J. L., 38, 248n, 250n
McNichol, T., 289
McNulty, Eric, 280n, 281n
Measurable benefits, business case, 174
Merlyn, Vaughan, 167
Metz, Cade, 293n
Michael, Sean, 29n
Mick, J., 293n
Middleware, 112
Millar, Victor, 41
Mills, D. Q., 60n
Mintzberg, Henry, 8, 9
Mission, 19, 20
Mobile device management, security
policies, 159
Mobile work, 86–94
Monitoring IT investments, 177–182
balanced scorecard, 178–179
dashboards, 180–182
Monster.com, 85
Montealegre, R., 211n
Moore, Gordon, 88n
Moore, James, 286n
Moore, James F., 224n
Mooz, H., 234n, 238
Morozov, E., 289
Multifactor authentication, 158
Muncaster, Phil, 152n
Muñoz, Rick, 126n
Murphy, Kevin, 282n
Murray, Janet Y., 224n
Mythical Man‐Month: Essays on Software Engineering, The, 239n
N
Nahapiet, J., 47
Nalebuff, B., 48n
National cultural dimensions and their
application, 68–71
Confucian work dynamism (future
orientation), 69
Hofstede dimensions (related GLOBE
dimensions), 69
individualism/collectivism (societal and
in‐group collectivism), 69
masculinity/femininity
(general egalitarianism and
assertiveness), 69
power distance, 69
uncertainty avoidance, 69
Nature of work, IT changing, 78–86
Nearshoring, 220–221
Nelson, Kay, 297
Nesse, Per‐Jonny, 218n
Net present value (NPV), 177
Netfix, 217, 218
Network effects, 34
Networked organizational structure, 61–62
Networking, 27, 36, 129, 130
New product development (NPD), 99–100
end‐to‐end NPD process, 99
reengineered NPD process, 99
Newman, Jared, 15n
Nicholson, B., 220
Nielsen, J., 245n
Nishant, R., 62n
Nohria, Nitin, 25n, 26, 58
Nolan, Richard L., 25n, 26, 58, 83n
Nonaka, Ikujiro, 263, 263n
Norcie, G., 286n
Norman, D., 245n
Normative theories of business ethics, 282
Norton, D., 178–179, 178n
O
Object, 246
Object‐oriented analysis, 243, 246
Observable artifacts, 66
Observable benefits, business case, 174
O’Connor, Fred, 148n
O’Donnell, Anthony, 298
Offshoring, 90, 219
attractiveness, 221
cultural differences, 222
development tiers, 222
selecting an offshore destination,
221–222
Online reputation management, 287
Onshoring, 218–219
Open Source Initiative (OSI), 246, 247
Open source software (OSS), 246
Open sourcing, 246–247
Oracle, 110, 113
Organizational continuum, 193
Organizational culture influences, 234
Organizational decision making, changing,
81–82
Organizational strategies, 25–26
managerial levers model, 25
social business strategy, 27
Organizational strategy and IS, 55–74
complex matrix structure, 56
control variables, 58
cultural variables, 58, 66–71 (See also Culture and IS)
organizational design and IS, 58–62
organizational variables, 58
Orrega, J. M., 76n
Osborn, M., 80n
Oshri, I., 210n
Ou, G., 284n
Outcome controls, 84
Outsourcing, 211–212
business ecosystems, 224
contracting, 214–215
factors in outsourcing decision, 212
full, 215
risks, 212–214
selective, 215
and strategic networks, 224
Overby, S., 208n, 213n, 214n, 221n, 222n,
223n
P
Paddon, D., 278n
Page, Larry, 31
Palafax, Christopher, 75n
Parallel conversion, 241
Password breaches, 151–152
Passwords, 155, 156
keep passwords secret, 159
strong, 152
weak, 152
Pavlou, Paul, 285n, 287n
Payback period, 176, 177
Pearlson, K., 27, 62n, 130n
Peer‐to‐peer architecture, 132
Pentland, A. S., 283n
People and technology work together, 3–4
Peppard, Joe, 173, 173n
Peretz, H., 70
Perez, Even, 161n
Performance measurement and evaluation,
58, 65–66
Personal computer (PC), 193
Personalization and real‐time data streams,
271
Personnel controls, 84
Phishing attack, 151
Physical locks, 156
Piccoli, G., 36n, 37, 44n
Piper, Marc, 216n
Pisano, G., 24n
Planning and IS, 64
Platform, 129
Platform as a service (PaaS), 137, 218
Point‐of‐sale (POS) systems, 194
Polanyi, Michael, 262, 262n
Porter, M., 21n, 22, 22n, 33–34, 38, 41
Portfolio dashboards, 181
Portfolio management, IT, 175–176
informational systems, 175
infrastructure systems, 175
bindex.indd 319 11/26/2015 7:43:37 PM
320 Index
strategic systems, 175
transactional systems, 175
Power distance, 69
Pratt, Renée M. E., 136n
Pringle, M., 283n
Privacy, 285–290
Privacy, accuracy, property, and accessibility
(PAPA), 284–292
accessibility, 291
accuracy, 290
Mason’s areas of managerial
control, 285
personal data, 289
privacy, 285–290
property, 290–291
1974 Privacy Act, 289
Privacy paradox, 286
Private clouds, 218
Process, 102
Process integration versus standardization, 109
Process perspective, 102–104
cross‐functional nature of business
processes, 103–104
metrics, 102
procurement business process, 102
Process view of business, 9–10
Procurement business process, 102
Product life cycle management (PLM),
111, 116
Program, 230–231
Project cycle plan, 233, 235–239
Project, definition, 230–231
Project elements, 233–239
common project vocabulary,
233, 239
organizational culture influences, 234
project cycle plan, 233, 235–239
project leadership versus project management (PM) process, 234
project management, 233–234
project team, 233–235
socioeconomic influences, 234
Project evaluation and review technique
(PERT), 235, 236
Project leadership, 234
Project management, 231–239 (See also Managing IT projects)
cost, 231
organizing for, 232–239
project triangle, 231
quality, 231
scope, 231
scope creep, 231
software, 232
time, 231
Project management office (PMO), 232
function, 233
project leadership versus, 234 responsibilities, 233
Project manager, 233
Project stakeholders, 230
managing, 250–251
Project team, 233–235
Property, 290–291
Prototyping, 243
drawbacks, 243
Prusak, Larry, 261
Prusak, Laurence, 261n
Public clouds, 218
infrastructure as a service (IaaS), 218
platform as a service (PaaS), 218
software as a service (SaaS), 218
Q
Quantifiable benefits, business case, 174
Quinn, Renee, 158n
R
Radaelli, L., 283n
Radical change, 106–107
and incremental improvement,
comparison, 107
Raice, Shayndi, 19n
Ramadorai, S., 56
Ranganathan, C., 99n
Rapid applications development (RAD),
242–244
Raymond, E. S., 246, 246n
Real‐time data sources, 265, 271
Red ocean strategy, 24
Reengineered NPD process, 99
Reich, B. H., 229n, 240n
Reisinger, Don, 232n
Remote work, 86
disconnecting employees, 90
Resource‐based view (RBV), 45–47
Zara stores and, 46–47
Responsible computing, 280–282
information ethics, 280
normative theories of business ethics, 282
social contract theory, 281–282
stakeholder theory, 281
stockholder theory, 280–281
Return on investment (ROI), 176, 177
Review board, 199
Rewards and IS, 66
changes to, 85
Rich, J., 286n
Riley, Michael, 153n
Risk management in IT projects, 247–253
clarity, 249
complexity, 248
gauging success, 252–253
managing project risk level, 249–251
size, 249
sustaining commitment to projects, 251
Rivard, S., 250n
Rivera, B., 226
Robertson, David C., 136, 136n
Robey, Daniel, 91n
Rockart, John F., 168n, 194n
Rohter, Larry, 115n
Roles of manager, 9
decisional, 9
informational, 9
interpersonal, 9
Rosenblatt, Z., 70
Ross, J. W., 109, 136, 136n, 168n, 170n,
193n, 194, 194n, 195, 195n, 196n
Ross, Jim, 245n
Rubenking, Neil J., 152n
Rural Payments Agency (RPA),
228–229, 239
Rutkowski, A. F., 76n
S
Salesforce.com, 113
Sambamurthy, V., 19n
Sandoval, Greg, 44n
Sankin, Aaron, 155n
Santosus, M., 233n
SAP, 110, 113, 114
Sarbanes–Oxley Act compliance,
203–204
implementation of, and IS, 203–204
Sarbanes–Oxley Act (SoX) of 2002,
200–201
Committee of Sponsoring Organizations
of the Treadway Commission
(COSO), 201
Control Objectives for Information and
Related Technology (COBIT),
202–203
frameworks for implementing,
201–203
Sauer, C., 229n, 240n
Saunders, C., 68n, 76n, 93n, 149,
215n, 223n
Scalability, 141
Schall, D., 73n
Schein, E., 67n
Schlagwein, D., 217n
Schmidt, R., 249n
Schwartz, Nelson D., 30n
Scrum, 242
Sectorial approach, 288
SecurClearRecs, 147
Security, 142, 147–164
Aircraft Communications Addressing
and Reporting System (ACARS),
163–164
awareness, 160
breaches and how they occurred,
151–154
decision framework, 149–151
education and training, 160–162
impossibility of 100%, 154–155
infrastructure, 155–158
key information security decisions, 149
bindex.indd 320 11/26/2015 7:43:37 PM
321Index
policy, 159–160
Sony Pictures: The Criminals Won, 164
storage/transmission security tools,
157–158
tools, 156–157
updates promptly, 159
Security education, training, and awareness
(SETA), 150, 160
Selection‐related decisions, 214
Selective outsourcing, 215
Sentiment analysis, 270
Separate unrelated networks, security
policies, 159
Server‐based architecture, 130
Service dashboard, 181
Service level agreements (SLAs), 215
Service‐oriented architecture (SOA),
124, 130, 131
Shenfield, Hilary, 285n
Shivapriya, N., 56n
Short, James E., 192n
Shuen, A., 24n
Sia, S. K., 113
Silo organizations, 101–102
Silverman, R. E., 226n
Simmons, Lakisha L., 136n
Singh, V. K., 283n
Single Payment Scheme system, RPA,
228–229, 239
Six Sigma, 105, 106
Sjman, Anders, 194n
Sloan Valve Company, 99
Slyke, C., 93n
SmallBlue, 84
Smith, Andrew, 152n
Smith, H. Jeff, 280, 280n, 281n
Smith, Heather A., 175n
Social business, 14
Social business strategy, 27
collaboration, 27
engagement, 27
innovation, 27
Social capital, 47
relational dimension, 47
structural dimension, 47
Social contract theory, 281–282
Social IT, 14
Social media, 14, 159
Social media analytics, 269–271
features, 270–271
sentiment analysis, 270
tools, 270
Social networking, 14, 63
Social welfare, 281
Socialization, 263
Socioeconomic influences, 234
Soft costs considerations, 186, 187
administration, 187
technical support, 187
training, 187
Software, 27, 129, 130
applications, 129
system software, 129
Software as a service (SaaS), 218
Software‐as‐a‐service (SaaS), 130, 137
Software‐defined architecture, 130–132
Soh, C., 113
Sourcing, information systems, 208–227
Altia Business Park, 226–227
cloud computing, 216–218
crowdsourcing at AOL, 225–226
deciding where abroad question, 219–222
decisions about successful outsourcing,
214–216
different forms of, 220
make‐or‐buy sourcing decision, 210–212
offshoring, 219, 221–222
onshoring, 218–219
outsourcing, 211–212 (See also Outsourcing)
re‐evaluation—keep as is or change
decision, 222–223
sourcing decision cycle framework,
209–223
strategic networks, 224
Southwest Airlines, 72–73
Spacey, Kevin, 258
Span of control, 60
Spoofing, 162
Stahl, B. C., 65n, 287n, 289n
Stakeholder theory, 281
Stamas, Paul J., 124n, 218n
Standardization, 141
Standish Group, 229
Steering committee, 199
lower‐level, 199
Stewart, Thomas, 275n
Stockholder theory, 280–281
Stoddard, Donna, 83n
Stone, E. F., 285n
Stone, Jeff, 148n
Strassmann, Paul, 223n
Strategic advantage models need, for IS
planning, 25
Strategic alliances, 47–48
Strategic networks, 224
Strategic sourcing, 215
Strategic systems, 175
Strategic use of information resources,
33–54
to attain competitive advantage, 45
bargaining power of buyers, 39
bargaining power of suppliers, 39
business strategy and it, co‐creating, 50
co‐opetition, 48
Eras model, 34, 35
five competitive forces, 37, 38
to influence competitive forces, 37–41
information repository, 36
IS infrastructure, 36
IT asset, 36, 44
IT capability, 36
potential threat of new entrants, 38
risks, 49–50
strategic alliances, 47–48
to sustain competitive advantage, 45–46
threat of substitute products, 39
value chain alteration, 41–43
Zara stores, 33–34, 42–43
Strategy, 19
Strategy triangle of IS, 17–32
business strategy, 18–25 (See also Business strategy frameworks;
Generic strategies framework)
consequences of strategy, 18
convergence, 19
information strategy, 18
IS strategy, 26–28
organizational strategy, 18, 25–26 (See also individual entry)
synchronization, 19
Straub, Detmar, 91n
Strong password, 152
Structured data, 265
Substitute products threat, 39
Supervision, changes to, 85
Suppliers, bargaining power of, 39
Supply chain management (SCM), 42, 111,
114–115
demand‐driven supply networks, 115
Swanson, Stevenson, 97n
System alerts, 157
System hierarchy, 15
architecture, 15
infrastructure, 15
System logs, 157
System software, 129
Systems development life cycle (SDLC),
240–243
cutover phase, 241
functional design phase, 241
implementation phase, 241–242
initiation and feasibility phase, 241
iterative approach to, 242
maintenance and review phase, 241
requirements definition phase, 241
technical design and construction phase,
241
verification phase, 241
T
Tabuchi, Hiroko, 154n
Tacit knowledge, 262–263
Tagging, 264
Takeuchi, Hirotaka, 263, 263n
Talbot, J., 250n
Tallon, Paul P., 192n
Tanis, Cornelis, 112n, 119n
Target attackers, 153
Target Corporation, 2
bindex.indd 321 11/26/2015 7:43:37 PM
322 Index
Tata Consultancy Services (TCS), 55–57
Tavani, H. T., 286n
Taylor, Hugh, 202
Tay‐Yap, J., 113
Team diversity challenge in virtual teams,
82, 93–94
Technological leveling, 62
Technology Acceptance Model (TAM),
95–96
TAM3, 95
Technology challenges
managing, 93
in virtual teams, 92
Technology, changes in, 4
Teece, D. J., 24n
Te’eni, Dov, 244n
Telecommuting, 6, 86, 87, 89, 90
Temple, T., 286n
Teo, T. S. H., 62n
Terdiman, D., 293n
Text message, 156
Thatcher, J. B., 171n
The Open Group Architecture Framework
(TOGAF), 136
Third parties, breaches, 153
Thorogood, A., 217n
Thorp, John, 189n, 190
Throughput, 102
Tjia, Paul, 222, 222n
Token, 156
Toohey, Marty, 49n
Total cost of ownership (TCO),
185–186
component breakdown, 186
as management tool, 186–187
Total quality management (TQM),
105, 231
Toys “R” Us Inc., 2, 6
Trainer, T., 19n
Transactional systems, 175
Trash and Waste Pickup Services, Inc.
(TWPS’s), 97–98
Treadway, James, 201
Triple bottom line (TBL), economic,
environmental, and social, 293
“True‐up” process, 183
U
Uncertainty avoidance, 69
Unity of command, 60
Unstructured data, 265
User‐centered design, 244
Utility computing, 138
V
Valuation methods, 176–177 (See also Monitoring IT investments)
economic value added (EVA), 177
internal rate of return (IRR), 176, 177
net present value (NPV), 177
payback period, 176, 177
return on investment (ROI), 176, 177
weighted scoring methods, 177
Value chain alteration, 41–43
Value system, interconnecting organizations
relationships, 42
Value‐based strategy, 23
Values, 66
Van Grembergen, Wim, 189n, 190
Veltri, N., 223n
Venkatesh, V., 95, 132n
Venkatraman, S., 132n
Victor, Daniel, 285n
Video teleconferencing, 82, 92
Vijayan, J., 282n
Violino, B., 219n
Virtual private network, 158
Virtual teams, 86–94
factors driving use of, 87–89
life cycle of, 87
Virtual world, 30, 80, 85, 92
Virtualization, 124, 137–138
Vogel, D. R., 76n, 93n
Voice over Internet Protocol (VoIP), 297–298
W
Wade, M., 46
Wailgum, T., 117n
Walsh, B., 293n
Walters, J., 132n
Wang, E. T. G., 113
Wang, Y., 286n
Ward, Chris, 245n
Ward, John, 173, 173n
Warmwell, 228n, 229n
Warren, Samuel D., 285n
Ways to connect, changing, 83–84
Weak password, 152
Web 2.0, 3
Web logs (blogs), 82
Web services, 130
Web‐based architecture, 132
Web‐based technologies, 89
Weighted scoring methods, 177
Weill, P., 35n, 136, 136n, 170n, 175–176,
175n, 188n, 193n, 194, 195, 195n,
196, 196n, 197
Welch, Jack, 24
Whang, Seungjin, 115n
Whisler, Thomas, 81, 81n, 82
Whitaker, Bill, 149n, 151n, 154n, 160n
White hat hacker, 159
Wiener, Martin, 68n, 216n
Willcocks, Leslie P., 211n, 217n
Williams, C., 279n, 281n, 282n, 291n, 292n
Wilson, C., 19n
Wingfield, N., 48n
Winkler, Till, 216n
Winning the 3‐Legged Race, 19 Wired equivalent privacy and wireless
protected access (WEP/WPA), 158
Wireless (mobile) infrastructure, 132
Wisdom, 12
Work design framework, 75–98
changes, IT‐induced, gaining acceptance
for, 94–96
key question, 77
mobile work, 86–94
nature of work, IT changing, 78–86
new challenges in managing people, 84–86
new ways to do traditional work, 79–84
new ways to manage people, 84–86
virtual work, 86–94
Work force
new ways to manage people, 84–86
skilled, 267
Workflow, 107–109
workflow diagram, 107
World Intellectual Property Organization
(WIPO), 273
World is Flat, The, 81, 115 Wortham, J., 289
Worthen, B., 201n, 221n
Wurster, Thomas, 12n, 13n
Y
Yeh, R., 62n
Yu Wu, 149
Z
Zachman framework, 136
Zappos.com, 2, 19
Zero‐day threat, 157
Zetter, Kim, 148n, 160n, 164
Zhang, Ping, 244n
Zip Codes, 271, 283
Zipcar, 53–54
Zmud, R., 19n
Zuboff, Shoshana, 79, 79n
Zuckerberg, Mark, 19
bindex.indd 322 11/26/2015 7:43:37 PM
WILEY END USER LICENSE AGREEMENT Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.
- Cover������������
- Title Page�����������������
- Copyright����������������
- Contents���������������
- Preface��������������
- Acknowledgments����������������������
- About the Authors������������������������
- Introduction�������������������
- The Case for Participating in Decisions about Information Systems������������������������������������������������������������������������
- A Business View of Critical Resources
- People and Technology Work Together
- Integrating Business with Information Systems
- Opportunities and New Strategies Derived from Rapid Changes in Technology
- Competitive Challenges
- Customer Pull
- Data-Driven Decision Making
- Securing Key Assets
- What If a Manager Doesn’t Participate?���������������������������������������������
- Information Systems Must Support Business Goals
- Information Systems Must Support Organizational Systems
- Skills Needed to Participate Effectively in Information Technology Decisions�����������������������������������������������������������������������������������
- How to Participate in Information Systems Decisions
- Organization of the Book
- Basic Assumptions������������������������
- Assumptions about Management
- Assumptions about Business
- Assumptions about Information Systems
- Economics of Information versus Economics of Things����������������������������������������������������������
- Social Business Lens���������������������������
- Summary��������������
- Key Terms����������������
- 1 The Information Systems Strategy Triangle��������������������������������������������������
- Brief Overview of Business Strategy Frameworks�����������������������������������������������������
- The Generic Strategies Framework
- Dynamic Environment Strategies
- Why Are Strategic Advantage Models Essential to Planning for Information Systems?
- Business Models versus Business Strategy
- Brief Overview of Organizational Strategies��������������������������������������������������
- Brief Overview of Information Systems Strategy�����������������������������������������������������
- Social Business Lens: Building a Social Business Strategy����������������������������������������������������������������
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 1-1 Lego
- Case Study 1-2 Google
- 2 Strategic Use of Information Resources�����������������������������������������������
- Evolution of Information Resources�����������������������������������������
- Information Resources as Strategic Tools�����������������������������������������������
- How Can Information Resources Be Used Strategically?�����������������������������������������������������������
- Using Information Resources to Influence Competitive Forces
- Using Information Resources to Alter the Value Chain
- Sustaining Competitive Advantage���������������������������������������
- Using the Resource-Based View (RBV)
- Social Business Lens: Social Capital�������������������������������������������
- Strategic Alliances��������������������������
- Co-opetition
- Risks������������
- Geographic Box: Mobile-Only Internet Users Dominate Emerging Countries
- Co-Creating IT and Business Strategy
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 2-1 Groupon
- Case Study 2-2 Zipcar
- 3 Organizational Strategy and Information Systems��������������������������������������������������������
- Information Systems and Organizational Design����������������������������������������������������
- Decision Rights
- Formal Reporting Relationships and Organizational Structures
- Informal Networks
- Social Business Lens: Social Networks��������������������������������������������
- Information Systems and Management Control Systems���������������������������������������������������������
- Planning and Information Systems
- Data and Information Systems
- Performance Measurement, Evaluation, and Information Systems
- Incentives and Rewards and Information Systems
- Information Systems and Culture��������������������������������������
- Levels of Culture and IT
- National Cultural Dimensions and Their Application
- Geographic Lens: Does National Culture Affect Firm Investment in IS Training?������������������������������������������������������������������������������������
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 3-1 The Merger of Airtran by Southwest Airlines: Will the Organizational Cultures Merge?
- Case Study 3-2 The FBI
- 4 Digital Systems and the Design of Work�����������������������������������������������
- Work Design Framework����������������������������
- How Information Technology Changes the Nature of Work������������������������������������������������������������
- Creating New Types of Work
- New Ways to Do Traditional Work
- New Ways to Manage People
- Social Business Lens: Activity Streams���������������������������������������������
- Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements�������������������������������������������������������������������������������
- Remote Work and Virtual Teams
- Geographic Lens: How Do People Around the World Feel About Working Remotely?�����������������������������������������������������������������������������������
- Geographic Lens: Who Telecommutes? A Look at Global Telecommuting Habits�������������������������������������������������������������������������������
- Gaining Acceptance for IT-Induced Change
- Managing Change
- Technology Acceptance Model and Its Variants
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 4-1 Trash and Waste Pickup Services, Inc.
- Case Study 4-2 Social Networking: How Does IBM Do It?
- 5 Information Systems and Business Transformation��������������������������������������������������������
- Silo Perspective versus Business Process Perspective�����������������������������������������������������������
- Functional (Silo) Perspective
- Business Process Perspective
- Zara’s Cross-Functional Business Processes
- Building Agile and Dynamic Business Processes����������������������������������������������������
- Changing Business Processes����������������������������������
- Incremental Change
- Radical Change
- Workflow and Mapping Processes�������������������������������������
- Business Process Management (BPM)
- Integration versus Standardization�����������������������������������������
- Enterprise Systems�������������������������
- Enterprise Resource Planning (ERP)
- Managing Customer Relationships
- Managing Supply Chains
- Product Life Cycle Management (PLM)
- Advantages and Disadvantages of Enterprise Systems
- When the System Drives the Transformation
- Challenges for Integrating Enterprise Systems Between Companies
- Geographic Lens: Global vs. Local ERPs���������������������������������������������
- Social Business Lens: Crowdsourcing Changes Innovation Processes�����������������������������������������������������������������������
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 5-1 Santa Cruz Bicycles
- Case Study 5-2 Boeing 787 Dreamliner
- 6 Architecture and Infrastructure����������������������������������������
- From Vision to Implementation������������������������������������
- The Manager’s Role
- The Leap from Strategy to Architecture to Infrastructure���������������������������������������������������������������
- From Strategy to Architecture
- From Architecture to Infrastructure
- Framework for the Infrastructure and Architecture Analysis
- From Strategy to Architecture to Infrastructure: An Example������������������������������������������������������������������
- Define the Strategic Goals
- Translate Strategic Goals to Business Requirements
- Translate Business Requirements into Architecture
- Translate Architecture to Infrastructure
- Architectural Principles�������������������������������
- Enterprise Architecture������������������������������
- Virtualization and Cloud Computing�����������������������������������������
- Other Managerial Considerations��������������������������������������
- Understanding Existing Architecture
- Assessing Strategic Timeframe
- Assessing Technical Issues: Adaptability
- Assessing Technical Issues: Scalability
- Assessing Technical Issues: Standardization
- Assessing Technical Issues: Maintainability
- Assessing Technical Issues: Security
- Assessing Financial and Managerial Issues
- Social Business Lens: Building Social Mobile Applications����������������������������������������������������������������
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 6-1 Enterprise Architecture at American Express
- Case Study 6-2 The Case of Extreme Scientists
- 7 Security�����������������
- IT Security Decision Framework�������������������������������������
- Breaches and How They Occurred�������������������������������������
- Password Breaches
- Other Attack Approaches
- The Cost of Breaches
- The Impossibility of 100% Security�����������������������������������������
- What Should Management Do?���������������������������������
- Infrastructure
- Security Policy
- Education, Training, and Awareness
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 7-1 The Aircraft Communications Addressing and Reporting System (ACARS)�����������������������������������������������������������������������������������������
- Case Study 7-2 Sony Pictures: The Criminals Won������������������������������������������������������
- 8 The Business of Information Technology�����������������������������������������������
- Organizing to Respond to Business: A Maturity Model����������������������������������������������������������
- Understanding the IT Organization����������������������������������������
- What a Manager Can Expect from the IT Organization���������������������������������������������������������
- What the IT Organization Does Not Do�������������������������������������������
- Chief Information Officer��������������������������������
- Building a Business Case�������������������������������
- IT Portfolio Management������������������������������
- Valuing IT Investments�����������������������������
- Monitoring IT Investments��������������������������������
- The Balanced Scorecard
- IT Dashboards
- Funding IT Resources���������������������������
- Chargeback
- Allocation
- Corporate Budget
- How Much Does IT Cost?�����������������������������
- Activity-Based Costing
- Total Cost of Ownership
- TCO Component Breakdown
- TCO as a Management Tool
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 8-1 KLM Airlines
- Case Study 8-2 Balanced Scorecards at BIOCO
- 9 Governance of the Information Systems Organization�����������������������������������������������������������
- IT Governance��������������������
- Centralized versus Decentralized Organizational Structures
- Archetypes of Accountability and Decision Rights
- Emergent Governance—The Digital Ecosystem
- Decision-Making Mechanisms
- Governance Frameworks for Control Decisions��������������������������������������������������
- Sarbanes–Oxley Act of 2002
- Frameworks for Implementing SoX
- IS and the Implementation of Sarbanes–Oxley Act Compliance
- Social Business Lens: Governing the Content��������������������������������������������������
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 9-1 IT Governance at University of the Southeast
- Case Study 9-2 The “MyJohnDeere” Platform
- 10 Information Systems Sourcing��������������������������������������
- Sourcing Decision Cycle Framework����������������������������������������
- Starting the Cycle: The Make-or-Buy Sourcing Decision
- Factors in the Outsourcing Decision
- Outsourcing Risks
- Decisions about How to Outsource Successfully
- Deciding Where—In the Cloud, Onshoring, or Offshoring?
- Deciding Where Abroad—Nearshoring or Farshoring?
- Re-evaluation—Keep as Is or Change Decision
- Social Business Lens: Crowdsourcing������������������������������������������
- Geographic Lens: Corporate Social Responsibility�������������������������������������������������������
- Outsourcing in the Broader Context�����������������������������������������
- Strategic Networks
- Business Ecosystems
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 10-1 Crowdsourcing at AOL
- Case Study 10-2 Altia Business Park
- 11 Managing IT Projects������������������������������
- What Defines a Project?������������������������������
- What Is Project Management?����������������������������������
- Organizing for Project Management����������������������������������������
- Project Elements�����������������������
- Project Management
- Project Team
- Project Cycle Plan
- Common Project Vocabulary
- IT Projects������������������
- IT Project Development Methodologies and Approaches����������������������������������������������������������
- Systems Development Life Cycle
- Agile Development
- Prototyping
- Other Development Methodologies and Approaches
- Social Business Lens: Mashups������������������������������������
- Managing IT Project Risk�������������������������������
- Complexity
- Clarity
- Size
- Managing Project Risk Level
- Pulling the Plug
- Gauging Success
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 11-1 Implementing Enterprise Change Management at Southern Company
- Case Study 11-2 Dealing with Traffic Jams in London
- 12 Business Intelligence, Knowledge Management, and Analytics��������������������������������������������������������������������
- Competing with Business Analytics����������������������������������������
- Knowledge Management, Business Intelligence, and Business Analytics��������������������������������������������������������������������������
- Data, Information, and Knowledge���������������������������������������
- Tacit versus Explicit Knowledge
- Knowledge Management Processes�������������������������������������
- Business Intelligence����������������������������
- Components of Business Analytics���������������������������������������
- Data Sources
- Software Tools
- Data‐Driven Environment
- Skilled Workforce
- Levels of Analytical Capabilities
- Big Data���������������
- Internet of Things
- Social Media Analytics�����������������������������
- Intellectual Capital and Intellectual Property
- Social Business Lens: Personalization and Real-Time Data Streams
- Geographic Lens: When Two National Views of Intellectual Property Collide��������������������������������������������������������������������������������
- Caveats for Managing Knowledge and Business Intelligence���������������������������������������������������������������
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 12-1 Stop & Shop’s Scan It! App
- Case Study 12-2 Business Intelligence at CKE Restaurants
- 13 Privacy and Ethical Considerations in Information Management����������������������������������������������������������������������
- Responsible Computing����������������������������
- Stockholder Theory
- Stakeholder Theory
- Social Contract Theory
- Corporate Social Responsibility��������������������������������������
- Responsible Use of Information
- Ethical Tensions with Governments
- PAPA: Privacy, Accuracy, Property, and Accessibility�����������������������������������������������������������
- Privacy
- Accuracy
- Property
- Accessibility
- Managers’ Role in Ethical Information Control
- Social Business Lens: Personal Data������������������������������������������
- Geographic Lens: Should Subcultures Be Taken into Account When Trying to Understand National Attitudes Toward Information Ethics?�����������������������������������������������������������������������������������������������������������������������������������������
- Green Computing����������������������
- Summary��������������
- Key Terms����������������
- Discussion Questions���������������������������
- Case Study 13-1 Ethical Decision Making
- Case Study 13-2 Midwest Family Mutual Goes Green
- Glossary���������������
- Index������������
- EULA
-
- 2019-03-31T08:18:34+0000
- Preflight Ticket Signature
course-text-books/Managing_and_Using_Information_Systems_A.pdf
4TH EDITION
Managing and Using Information Systems A Strategic Approach
KERI E. PEARLSON KP Partners
CAROL S. SAUNDERS University of Central Florida
JOHN WILEY & SONS, INC.
To Yale & Hana
To Rusty, Russell &Kristin
VICE PRESIDENT & EXECUTIVE PUBLISHER Don Fowley EXECUTIVE EDITOR Beth Lang Golub EDITORIAL ASSISTANT Lyle Curry MARKETING MANAGER Carly DeCandia DESIGN DIRECTOR Harry Nolan SENIOR DESIGNER Kevin Murphy SENIOR PRODUCTION EDITOR Patricia McFadden SENIOR MEDIA EDITOR Lauren Sapira PRODUCTION MANAGEMENT SERVICES Pine Tree Composition
This book is printed on acid-free paper.
Copyright ! 2010 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc. 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201) 748-6011, fax (201) 748-6008, website www.wiley.com/go/permissions. To order books or for customer service please, call 1-800-CALL WILEY (225-5945).
ISBN 978-0-470-34381-4
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
!Preface Information technology and business are becoming inextricably interwoven. I don’t think anybody can talk meaningfully about one without the talking about the other.1
Bill Gates Microsoft
I’m not hiring MBA students for the technology you learn while in school, but for your ability to learn about, use and subsequently manage new technologies when you get out.
IT Executive Federal Express
Give me a fish and I eat for a day; teach me to fish and I eat for a lifetime. Proverb
Managers do not have the luxury of abdicating participation in information systems decisions. Managers who choose to do so risk limiting their future business options. Information systems are at the heart of virtually every business interaction, process, and decision, especially when one considers the vast penetration of the Web in the last few years. Managers who let someone else make decisions about their information systems are letting someone else make decisions about the very foundation of their business. This is a textbook about managing and using information, written for current and future managers as a way of introducing the broader implications of the impact of information systems.
The goal of this book is to assist managers in becoming knowledgeable par- ticipants in information systems decisions. Becoming a knowledgeable participant means learning the basics and feeling comfortable enough to ask questions. It does not mean having all the answers nor having a deep understanding of all the technologies out in the world today. No text will provide managers with everything they need to know to make important information systems decisions. Some texts instruct on the basic technical background of information systems. Others discuss applications and their life cycle. Some take a comprehensive view of the man- agement information systems (MIS) field and offer readers snapshots of current systems along with chapters describing how those technologies are designed, used, and integrated into business life.
This book takes a different approach. This text is intended to provide the reader with a foundation of basic concepts relevant to using and managing information. It is not intended to provide a comprehensive treatment on any one aspect of MIS,
1 http://www.woopidoo.com/business quotes/authors/bill-gates-quotes.htm.
iii
iv Preface
for certainly each aspect is itself a topic of many books. It is not intended to provide readers with enough technological knowledge to make them MIS experts. It is not intended to be a source of discussion of any particular technology. This textbook is written to help managers begin to form a point of view of how information systems will help, hinder, and create opportunities for their organizations.
The idea for this text grew out of discussions with colleagues in the MIS area. Many faculty use a series of case studies, trade and popular press readings, and Web sites to teach their MIS courses. Others simply rely on one of the classic texts, which include dozens of pages of diagrams, frameworks, and technologies. The initial idea for this text emerged from a core MIS course taught at the business school at the University of Texas at Austin. That course was considered an ‘‘appetizer’’ course — a brief introduction into the world of MIS for MBA students. The course had two main topics: using information and managing information. At the time, there was no text like this one, hence students had to purchase thick reading packets made up of articles and case studies to provide them with the basic concepts. The course was structured to provide the general MBA with enough knowledge of the field of MIS that they could recognize opportunities to use the rapidly changing technologies available to them. The course was an appetizer to the menu of specialty courses, each of which went much deeper into the various topics. But completion of the appetizer course meant that students were able to feel comfortable listening to, contributing to, and ultimately participating in information systems decisions.
Today many students are digital natives — people who have grown up using information technologies all of their lives. That means that students come to their courses with significantly more knowledge about things like personal com- puters, cell phones, texting, the Web, social networking, file downloading, online purchasing, and social media than their counterparts in school just a few years ago. This is a significant trend that is projected to continue; students will be increasingly knowledgeable in personally using technologies. That knowledge has begun to change the corporate environment. Today’s digital natives expect to find information systems in corporations that provide at least the functionality they have at home. At the same time, they expect to be able to work in ways that take advantage of the technologies they have grown to depend on for social interaction, collaboration, and innovation. This edition of the text has been completely edited with this new group of students in mind. We believe the basic foundation is still needed for managing and using information systems, but we understand that the assumptions and knowledge base of today’s students is significantly different.
This book includes an introduction, 12 chapters of text and minicases, and a set of case studies and supplemental readings on a Web site. The introduction makes the argument introduced in this preface that managers must be knowledgeable participants in information systems decisions. The first few chapters build a basic framework of relationships between business strategy, information systems strategy, and organizational strategy and explore the links between these strategies. Readers will also find a chapter on how information
Preface v
systems relate to business transformation. Supplemental materials, including longer cases from all over the globe, can be found on the Web. Please visit http://www.wiley.com/college/pearlson for more information.
General managers also need some foundation on how IT is managed if they are to successfully discuss their next business needs with IT professionals who can help them. Therefore, the remaining chapters describe the basics of information architecture and infrastructure, the sourcing of information systems, the organization and governance of the MIS function, the ethical issues, the funding of information systems resources, project management, and business analytics and knowledge management.
No text in the field of MIS is current. The process of writing the chapters, coupled with the publication process, makes a text somewhat out-of-date prior to delivery to its audience. With that in mind, this text is written to summarize the ‘‘timeless’’ elements of using and managing information. Although this text is complete in and of itself, learning is enhanced by coupling the chapters with the most current readings and cases. Students are encouraged to search the Web for examples and current events that further clarify the issues at hand. The format of each chapter begins with an example case and the basic language for a set of important management issues. This is followed up with a set of managerial concerns related to the topic. Each chapter then has a food for thought section on an additional, but relatively new, topic. The chapter concludes with a set of study questions, key words, and case studies.
This is the fourth edition of this text, and this version includes several significant additions and revisions. Gone is the chapter on ‘‘doing business on the Internet’’ because after all, virtually every business now uses the Internet. Instead, this edition has a new chapter on sourcing. Major changes include a new focus on Web 2.0 (Chapter 2); new framework of managerial levers (Chapter 3); new discussion on collaboration (Chapter 4); alignment and business processes (Chapter 5); SOA WOA, SaaS, enterprise architecture, and cloud computing (Chapter 6); sourcing (Chapter 7); new IT governance framework (Chapter 8); security and compliance (Chapter 9); new discussion of business cases (Chapter 10); new focus on managing business projects (Chapter 11); and on business analytics and business intelligence (Chapter 12). Many of the older cases have been replaced with newer examples throughout the text, and many of the food for thought issues are new.
Who should read this book? General managers interested in participating in information systems decisions will find this a good reference resource for the language and concepts of MIS. Managers in the information systems field will find this book a good resource for beginning to understand the general manager’s view of how information systems affect business decisions. And MIS students will be able to use the readings and concepts in this book as the beginning point in their journey to become informed and successful business people.
The information revolution is here. Where do you fit in?
Keri E. Pearlson and Carol S. Saunders
!Acknowledgments Books of this nature are written only with the support of many individuals. We would like to personally thank several individuals who helped with this text. Although we’ve made every attempt to include everyone who helped make this book a reality, there is always the possibility of unintentionally leaving some off. We apologize in advance if that is the case here.
Philip Russell Saunders came to our rescue when we were in a pinch by researching various topics, finding cases, and verifying examples from previous editions. We really appreciate his efforts. We also appreciate the considerable efforts of Mihir Parikh at the University of Central Florida. Mihir wrote many of the new cases that appear in this fourth edition of the text. Thanks also go to Craig Tidwell who updated the teaching materials.
We also want to acknowledge and thank pbwiki.com. Without their incredible, and free, wiki, we would have been relegated to e-mailing drafts of chapters back and forth. For this edition, we wanted to use Web2.0 tools as we wrote about them.
We have been blessed with the help of our colleagues in this and in previous editions of the book. They helped us by writing cases and reviewing the text. Our thanks continue to go out to Jonathan Trower, Espen Andersen, Janis Gogan, Ashok Rho, Yvonne Lederer Antonucci, E. Jose Proenca, Bruce Rollier, Dave Oliver, Celia Romm, Ed Watson, D. Guiter, S. Vaught, Kala Saravanamuthu, Ron Murch, John Greenwod, Tom Rohleder, Sam Lubbe, Thomas Kern, Mark Dekker, Anne Rutkowski, Kathy Hurtt, Kay Nelson, and John Butler. In addition, the students of the spring 2008 Technology Management and summer 2008 Information Resource Management classes at the University of Central Florida provided comments that proved helpful in writing some cases and making revisions. Though we cannot thank them by name, we also greatly appreciate the comments of the anonymous reviewers who have made a mark on this edition.
The book would not have been started were it not for the initial suggestion of a wonderful editor at John Wiley & Sons, Inc., Beth Lang Golub. Her persistence and patience have helped shepherd this book through many months of creation, modification, evaluation, and production, and she will shepherd it through translation into other languages. Special thanks go to Maria Guarascio, who very cheerfully and very competently helped us through the revision process. We also appreciate the help of (Jennifer Snyder, Lorraina Raccuia, Gitti Lindner, and Sujin Hong) and others at Wiley, who have made this edition a reality.
From Keri: Thank you to my husband, Dr. Yale Pearlson, and my daughter, Hana Pearlson. Their patience with me while I worked on this project was incredible. They celebrated and commiserated the ups and downs that came with the process of writing this book. I love you guys!
From Carol: Rusty, thank you for being my compass (always keeping me headed in the right direction) and my release valve (patiently walking me through stressful times). I couldn’t do it without you. I love you, Russell, and Kristin very much! vi
!About the Authors Keri E. Pearlson
Dr. Keri E. Pearlson is president of KP Partners, a consultancy specializing in cre- ating leaders skilled in the strategic use of information systems and organizational design in the Web 2.0 world.
Dr. Pearlson has held various positions in academia and industry. She was a member of the information systems faculty at the Graduate School of Business at the University of Texas at Austin, where she taught management information systems courses to MBAs and executives. She was a research director at the Research Board, held positions at the Harvard Business School, CSC-Index’s Prism Group, nGenera (formerly the Concours Group), AT&T, and Hughes Aircraft Company.
She is co-author of Zero Time: Providing Instant Customer Value — Every Time, All the Time (John Wiley & Sons, 2000). Her work has been published in Sloan Management Review, Academy of Management Executive, Information Resources Management Journal, and Beyond Computing. Many of her case studies have been published by Harvard Business School Publishing and are used all over the world.
Dr. Pearlson holds a Doctorate in Business Administration (DBA) in Man- agement Information Systems from the Harvard Business School and both a Master’s Degree in Industrial Engineering Management and a Bachelor’s Degree in Applied Mathematics from Stanford University.
Carol S. Saunders
Dr. Carol S. Saunders is professor of MIS at the University of Central Florida in Orlando, Florida. She served as General Conference Chair of the International Conference on Information Systems (ICIS) in 1999 and Telecommuting in 1996. She was the chair of the ICIS Executive Committee in 2000. She was editor-in-chief of MIS Quarterly and is a Fellow of the Association of Information Systems (AIS). Her current research interests include the impact of information system on power and communication, virtual teams, virtual worlds, time, information overload, sourcing, and interorganizational linkages.
Her research is published in a number of journals including MIS Quar- terly, Information Systems Research, Journal of MIS, Communications of the ACM, Academy of Management Journal, Academy of Management Review, Communica- tions Research, and Organization Science.
vii
!Contents Introduction 1 The Case for Participating in Decisions about Information Systems 2 What If A Manager Doesn’t Participate? 5 What Skills Are Needed to Participate Effectively in Information
Technology Decisions? 7 Basic Assumptions 9 Food for Thought: Economics of Information Versus Economics of
Things 16 Summary 18 Key Terms 18 Discussion Questions 19 Case Study I-1: Terry Cannon, MBA 19 Case Study I-2: Anyglobal Company Inc. 21
! CHAPTER 1 The Information Systems Strategy Triangle 22
Brief Overview of Business Strategy Frameworks 25 Brief Overview of Organizational Strategies 34 Brief Overview of Information Systems Strategy 37 Food for Thought: The Halo Effect and Other Business Delusions 38 Summary 40 Key Terms 40 Discussion Questions 41 Case Study 1-1: Roche’s New Scientific Method 41 Case Study 1-2: Google 43
! CHAPTER 2 Strategic Use of Information Resources 46
Evolution of Information Resources 47 Information Resources as Strategic Tools 48 How Can Information Resources Be Used Strategically? 52 Strategic Alliances 66 Risks 68 Food for Thought: Co-creating IT and Business Strategy 69
viii
Contents ix
Summary 71 Key Terms 71 Discussion Questions 71 Case Study 2-1: Lear Won’t Take A Backseat 73 Case Study 2-2: Zipcar 74
! CHAPTER 3 Organizational Impacts of Information Systems Use 76
Information Technology and Organizational Design 77 Information Technology and Management Control Systems 85 Information Technology and Culture 89 Food for Thought: Immediately Responsive Organizations 92 Summary 93 Key Terms 94 Discussion Questions 94 Case Study 3-1: US Air and America West Merger Case 94 Case Study 3-2: The FBI 96
! CHAPTER 4 Information Technology and the Design of Work 98
Work Design Framework 101 How Information Technology Supports Communication
and Collaboration 102 How Information Technology Changes the Nature of Work 108 How Information Technology Changes Where Work Is Done and Who
Does It 115 Virtual Teams 120 Gaining Acceptance for IT-Induced Change 125 Food for Thought: Security With Remote Workers 127 Summary 129 Key Terms 130 Discussion Questions 130 Case Study 4-1: Automated Waste Disposal, Inc. 131 Case Study 4-2: Virtually There? 132
! CHAPTER 5 Information Technology and Changing Business Processes 134
Silo Perspective Versus Business Process Perspective 135 The Tools for Change 141 Shared Services 145 Enterprise Systems 147 Integrated Supply Chains 152 Food for Thought: Is ERP a Universal Solution? 155
x Contents
Summary 157 Key Terms 158 Discussion Questions 158 Case Study 5-1: Santa Cruz Bicycles 159 Case Study 5-2: Boeing 787 Dreamliner 160
! CHAPTER 6 Architecture and Infrastructure 162
From Vision to Implementation 163 The Leap from Strategy to Architecture to Infrastructure 165 Architectural Principles 171 Enterprise Architecture 171 Other Managerial Considerations 174 From Strategy to Architecture to Infrastructure: An Example 181 Food for Thought: Cloud Computing 183 Summary 186 Key Terms 187 Discussion Questions 187 Case Study 6-1: Hasbro 188 Case Study 6-2: Johnson & Johnson’s Enterprise Architecture 189
! CHAPTER 7 Information Systems Sourcing 190
Sourcing Decision Cycle Framework 192 Insourcing 193 Outsourcing 193 Outsourcing Abroad 198 Backsourcing 206 Outsourcing Models 207 Food for Thought: Outsourcing and Strategic Networks 211 Summary 212 Key Terms 212 Discussion Questions 213 Case Study 7-1: Sodexho Asia Pacific 213 Case Study 7-2: Overseas Outsourcing of Medical Transcribing 215
! CHAPTER 8 Governance of the Information Systems Organization 218
Understanding the IS Organization 219 What a Manager Can Expect from the IS Organization 224 What the IS Organization Does Not Do 230 IT Governance 231 Food for Thought: CIO Leadership Profiles 240
Contents xi
Summary 241 Key Terms 242 Discussion Questions 242 Case Study 8-1: IT Governance at UPS 242 Case Study 8-2: The Big Fix at Toyota Motor Sales (TMS) 243
! CHAPTER 9 Using Information Ethically 246
Normative Theories of Business Ethics 248 Control of Information 253 Security and Controls 259 IT Governance and Security 262 Sarbanes – Oxley Act of 2002 265 Food for Thought: Green Computing 270 Summary 272 Key Terms 272 Discussion Questions 273 Case Study 9-1: Ethical Decision Making 274 Case Study 9-2: Midwest Family Mutual Goes Green 276
! CHAPTER 10 Funding IT 278
Funding IT Resources 278 How Much Does IT Cost? 281 Building a Business Case 287 IT Portfolio Management 290 Valuing IT Investments 292 Monitoring IT Investments 296 Options Pricing 300 Food For Thought: Who Pays for the Internet? 304 Summary 305 Key Terms 306 Discussion Questions 306 Case Study 10-1: Troon Golf 306 Case Study 10-2: Valuing IT 307
! CHAPTER 11 Project Management 309
What Defines a Project? 310 What is Project Management? 312 Project Elements 314 IT Projects 319 IT Project Development Methodologies 322
xii Contents
Managerial Influences 328 Managing Project Risk 330 The PMO 338 Food for Thought: Open Sourcing 339 Summary 341 Key Terms 342 Discussion Questions 342 Case Study 11-1: Sabre Holdings 343 Case Study 11-2: Dealing with Traffic Jams in London 344
! CHAPTER 12 Managing Business Knowledge 346
Knowledge Management 347 Data, Information, and Knowledge 348 From Managing Knowledge to Business Intelligence 351 Why Manage Knowledge? 352 Knowledge Management Processes 356 Competing with Business Analytics 365 Components of Business Analytics 366 Caveats for Managing Knowledge 368 Food for Thought: Business Experimentation 369 Summary 370 Key Terms 371 Discussion Questions 371 Case Study 12-1: GSD&M’s Virtual Crowd Uses Analytics 372 Case Study 12-2: The Brain Behind the Big, Bad Burger 373
Glossary 375
Index 385
!INTRODUCTION Why do managers need to understand and participate in the information decisions of their organizations? After all, most corporations maintain entire departments dedicated to the management of information systems (IS). These departments are staffed with highly skilled professionals devoted to the field of technology. Shouldn’t managers rely on experts to analyze all the aspects of IS and to make the best decisions for the organization? The answer to that question is no. Managing information is a critical skill for success in today’s business environment. All decisions made by companies involve, at some level, the management and use of IS. Managers today need to know about their organization’s capabilities and uses of information as much as they need to understand how to obtain and budget financial resources. The ubiquity of personal computers (PCs) and the Internet highlights this fact because together they form the backbone for virtually all new business models. Further, the proliferation of supply chain partnerships has extended the urgent need for business managers to be involved in technology decisions. In addition, the availability of seemingly free (or at least very inexpensive) applications and collaboration in the consumer area has changed the landscape once again, increasing the integration of IS and business processes. A manager who does not understand the basics of managing and using information cannot be successful in this business environment.
Consider the now-historic rise of companies such as Amazon.com and Google. Amazon.com began as an online bookseller and rapidly outpaced traditional brick-and-mortar businesses like Barnes and Noble, Borders, and Waterstones. Management at the traditional companies responded by having their IS support personnel build Web sites to compete. But upstart Amazon.com moved on ahead, keeping its leadership position on the Web by leveraging its new business model into other marketplaces, such as music, electronics, health and beauty products, lawn and garden products, auctions, tools and hardware, and more. It cleared the profitability hurdle in the fourth quarter of 2001 by achieving a good mix of IS and business basics: capitalizing on operational efficiencies derived from inventory software and smarter storage, cost cutting, and effectively partnering with such companies as Toys ‘‘R’’ Us Inc. and Target Corporation.1 In 2008, Amazon.com once again changed the basis of competition in another market, but this time it was the Web services business. Amazon.com Web services offers clients the extensive technology platform used for Amazon.com, but in an on-demand fashion for developing and running the client’s own applications.
1 Robert Hof, ‘‘How Amazon Cleared the Profitability Hurdle,’’ BusinessWeek Online (February 4, 2002), http://www.businessweek.com/magazine/content/02 05/b3768079.htm (accessed May 23, 2002).
1
2 Introduction
Likewise, Google played an important role in revolutionizing the way infor- mation is located and used as well as revolutionizing the world of advertising and publishing. Google began in 1999 as a basic search company but quickly learned that a unique business model was a critical factor for future success. The com- pany changed the way people thought about Web content by making it available in a searchable format with an incredibly fast response time. Further, Google’s keyword-targeted advertising program revolutionized the way companies adver- tise. By 2001, Google announced its first quarter of profitability, solidifying the way the world finds information, publishes, and advertises.2 By 2008, Google had expanded into a complete suite of Web-based applications, such as calendaring, e-mail, collaboration, shopping, and maps. Further, like Amazon.com, Google also offers clients similar on-demand services.3
These and other online businesses are able to succeed where traditional companies were not, in part because their management understood the power of information, IS, and the Web. They did not succeed because their managers could build Web pages or assemble an IS network. Quite the contrary. The executives in these new businesses understood the fundamentals of managing and using information and could marry that knowledge with a sound, unique business vision to achieve domination of their intended market spaces.
The goal of this book is to provide the foundation to help the general business manager become a knowledgeable participant in IS decisions because any IS decision in which the manager does not participate can greatly affect the organization’s ability to succeed in the future. This introduction outlines the fundamental reasons for taking the initiative to participate in IS decisions. Moreover, because effective participation requires a unique set of managerial skills, this introduction identifies the most important ones. These skills will be helpful not just in making IS decisions, but all business decisions. We describe how a manager should participate in the decision-making process and outline how the remaining chapters of this book develop this point of view. Finally, the introduction presents current models for understanding the nature of a business and that of an information system to provide a framework for the discussions that follow in subsequent chapters.
! THE CASE FOR PARTICIPATING IN DECISIONS ABOUT INFORMATION SYSTEMS
Experience shows that business managers have no problem participating in most organizational decisions, even those outside their normal business expertise. For example, ask a plant manager about marketing problems, and the result will probably be a detailed opinion on both key issues and recommended solutions. Dialogue among managers routinely crosses all business functions in formal as
2 Adapted from information at www.google.com/corporate/history.html (accessed June 17, 2005). 3 For more information on the latest services by these two companies, see http://www.amazon.com and http://code.google.com/.
The Case for Participating in Decisions about Information Systems 3
Reasons
IS must be managed as a critical resource. IS enable change in the way people work together. IS are part of almost every aspect of business. IS enable business opportunities and new strategies. IS can be used to combat business challenges from competitors.
FIGURE I.1 Reasons why business managers should participate in information systems decisions.
well as informal settings, with one general exception: IS. Management continues to tolerate ignorance in this area relative to other specialized business functions. Culturally, managers can claim ignorance of IS issues without losing prestige among colleagues. On the other hand, admitting a lack of knowledge regarding marketing or financial aspects of the business will earn colleagues’ contempt.
These attitudes are attributable to the historic role that IS played in businesses. For many years, technology was regarded as a support function and treated as administrative overhead. Its value as a factor in important management decisions was minimal. It often took a great deal of technical knowledge to understand even the most basic concepts. However, in today’s business environment, maintaining this back-office view of technology is certain to cost market share and could ultimately lead to the failure of the organization. Technology has become entwined with all the classic functions of business — operations, marketing, accounting, finance — to such an extent that understanding its role is necessary for making intelligent and effective decisions about any of them. Furthermore, a general understanding of key IS concepts is possible without the extensive technological knowledge required just a few years ago. Finally, with the robust number of consumer applications available on the Web, many decisions made by the IS group are increasingly being made by individuals.
Therefore, understanding basic fundamentals about using and managing information is worth the investment of time. The reasons for this investment are summarized in Figure I.1 and are discussed next.
A Business View Information technology (IT) is a critical resource for today’s businesses. It both supports and consumes a significant amount of an organization’s resources. Just like the other three major types of business resources — people, money, and machines — it needs to be managed wisely.
IT spends a significant portion of corporate budgets. Worldwide IT spending topped $3 trillion in 2007, a jump of 8% from the previous year. It’s projected to continue to increase.4 U.S. corporations spent about $3,500 per worker in 1994
4 www.cio.com/article/144551/IT Spending to Surpass Trillion (accessed July 31, 2008).
4 Introduction
on IT and about $8,000 in 2005.5 Industry-level research from the Gartner group found that the typical level of IT operating budget as a percentage of gross revenue ranges from 2.3% to 2.5% for consumer packaged goods companies and even higher for pharmaceuticals (4% to 6%) and logistics companies (5% to 6%).
These resources must return value, or they will be invested elsewhere. The business manager, not the IS specialist, decides which activities receive funding, estimates the risk associated with the investment, and develops metrics for evaluating the performance of the investment. Therefore, the business manager needs a basic grounding in managing and using information. On the flip side, IS managers need a business view.
People and Technology Work Together In addition to financial issues, a manager must know how to mesh technology and people to create effective work. Collaboration is increasingly common, especially with the rise of social networking. Companies are reaching out to individual customers using social media. In fact, the term Web 2.0 has emerged to describe the use of the World Wide Web (the Internet) to enhance creativity, information sharing, and collaboration among users.6 Technology facilitates the work that people do and the way they interact with each other. Correctly incorporating IS into the design of a business enables people to focus their time and resources on issues that bear directly on customer satisfaction and other revenue- and profit-generating activities. Adding IS to an existing organization, however, requires the ability to manage change. The skilled business manager must balance the benefits of introducing new technology with the costs associated with changing the existing behaviors of people in the workplace. Making this assessment does not require a detailed technical knowledge. It does require an understanding of what the short-term and long-term consequences are likely to be and why adopting new technology may be more appropriate in some instances than in others. Understanding these issues also helps managers know when it may prove effective to replace people with technology at certain steps in a process.
Integrating Business with Technology IS are now integrated with almost every aspect of business. For example, as CEO of Wal-Mart Stores International, Bob L. Martin described IS’s role, ‘‘Today technology plays a role in almost everything we do, from every aspect of customer service to customizing our store formats or matching our merchandising strategies to individual markets in order to meet varied customer preferences.’’7 IS place information in the hands of Wal-Mart associates so that decisions can be made
5 A. McAfee and E. Brynjolfsson, ‘‘Investing in the IT that Makes a Competitive Difference,’’ Harvard Business Review (2008). 6 Wikipedia, www.wikipedia.com (accessed July 31, 2008). 7 ‘‘The End of Delegation? Information Technology and the CEO,’’ Harvard Business Review (September – October 1995), 161.
What If a Manager Doesn’t Participate? 5
closer to the customer. IS help simplify organizational activities and processes such as moving goods, stocking shelves, or communicating with suppliers.
Rapid Change in Technology The proliferation of new technologies creates a business environment filled with opportunities. The changing demographics of the workforce and the integration of ‘‘‘digital natives,’’ individuals who have grown up completely fluent in the use of personal technologies and the Web, also increase the rate of adoption of new technologies beyond the pace of traditional organizations. Even today, new uses of the Internet produce new types of online businesses that keep every manager and executive on alert. New business opportunities spring up with little advance warning. The manager’s role is to frame these opportunities so that others can understand them, to evaluate them against existing business needs, and finally to pursue any that fit with an articulated business strategy. The quality of the information at hand affects the quality of both the decision and its implementation. Managers must develop an understanding of what information is crucial to the decision, how to get it, and how to use it. They must lead the changes driven by IS.
Competitive Challenges Competitors come from both expected and unexpected places. General managers are in the best position to see the emerging threats and utilize IS effectively to combat ever-changing competitive challenges. Further, general managers are often called on to demonstrate a clear understanding of how their own technology programs and products compare with those of their competitors.
! WHAT IF A MANAGER DOESN’T PARTICIPATE?
Decisions about IS directly affect the profits of a business. The basic formula Profit=Revenue – Expenses can be used to evaluate the impact of these decisions. Adopting the wrong technologies can cause a company to miss business opportu- nities and any revenues those opportunities would generate. Inadequate IS can cause a breakdown in servicing customers, which hurts sales. On the expense side, a poorly calculated investment in technology can lead to overspending and excess capacity. Inefficient business processes sustained by ill-fitting IS also increase expenses. Lags in implementation or poor process adaptation each reduce profits and therefore growth. IS decisions can dramatically affect the bottom line.
Failure to consider IS strategy when planning business strategy and organi- zational strategy leads to one of three business consequences: (1) IS that fail to support business goals, (2) IS that fail to support organizational systems, and (3) a misalignment between business and organizational strategies. These consequences are discussed briefly in this section and in more detail in later chapters. While exam- ining IS-related consequences in greater detail, consider their potential effects on an organization’s ability to achieve its business goals. How would each consequence change the way people work? Which customers would be most affected and how? Would the organization still be able to implement its business strategy?
6 Introduction
Information Systems Must Support Business Goals IS represent a major investment for any firm in today’s business environment. Yet poorly chosen IS can actually become an obstacle to achieving business goals. If the systems do not allow the organization to realize its goals, or if IS lack the capacity needed to collect, store, and transfer critical information for the business, the results can be disastrous. Customers will be dissatisfied or even lost. Production costs may be excessive. Worst of all, management may not be able to pursue desired business directions that are blocked by inappropriate IS. Toys ‘‘R’’ Us experienced such a calamity when its well-publicized Web site was unable to process and fulfill orders fast enough. It not only lost those customers, but it also had a major customer relations issue to manage as a result. Consider the well-intended Web designer who was charged with building a Web site to disseminate information to investors, customers, and potential customers. If the business goal is to do business over the Web, then the decision to build an informational Web site, rather than a transactional Web site, is misdirected and could potentially cost the company customers by not taking orders online. Even though it is possible to redesign a Web site, the task requires expending additional resources that might have been saved if business goals and IS strategy were discussed together.
Information Systems Must Support Organizational Systems Organizational systems represent the fundamental elements of a business — its people, work processes, and structure — and the plan that enables them to work efficiently to achieve business goals. If the company’s IS fail to support its organizational systems, the result is a misalignment of the resources needed to achieve its goals. It seems odd to think that a manager might add functionality to a corporate Web site without providing the training these same employees need to use the tool effectively, and yet this mistake — and many more costly ones — occur in businesses every day. Managers make major decisions, such as switching to a new major IS or implementing a standard that prohibits access to an external Web site, without informing all the affected staff of necessary changes in their daily work. For example, when companies put in an enterprise resource planning (ERP) system, the system often dictates how many business processes are executed. Deploying technology without thinking through how it actually will be used in the organization — who will use it, how they will use it, how to make sure the applications chosen actually accomplish what is intended — results in significant expense without a lot to show for it. In another example, a company may decide to prohibit access to the Internet, thinking that they are prohibiting employees from accessing offensive or unsecure sites. But that decision also means that employees can’t access social networking sites, which may be useful for collaboration, or new Web-based applications, which may offer functionality to make the business more efficient. The general manager, who, after all, is charged with ensuring that company resources are used effectively, must ensure that the company’s IS support its organizational systems and that changes made in one system are reflected in
Skills Needed to Participate Effectively in Information Technology Decisions 7
other related systems. For example, a company that plans to institute a wide-scale telecommuting program needs an information system strategy compatible with its organization strategy. Desktop PCs located within the corporate office are not the right solution for a telecommuting organization. Instead, laptop computers, applications that are accessible online anywhere and anytime, and networks that facilitate information sharing are needed. If the organization only allows the purchase of desktop PCs and only builds systems accessible from desks within the office, the telecommuting program is doomed to failure.
! SKILLS NEEDED TO PARTICIPATE EFFECTIVELY IN INFORMATION TECHNOLOGY DECISIONS
Participating in IT decisions means bringing a clear set of skills to the table. Managers are asked to take on tasks that require different skills at different times. Those tasks can be divided into visionary tasks, or tasks that provide leadership and direction for the group; informational/interpersonal tasks, or tasks that provide information and knowledge the group needs to have to be successful; and structural tasks, tasks that organize the group. Figure I.2 lists basic skills required of managers who wish to participate successfully in key IT decisions. This list emphasizes understanding, organizing, planning, and solving the business needs of the organization. Individuals who want to develop fully as managers will find this an excellent checklist for professional growth.
These skills may not look much different from those required of any suc- cessful manager, which is the main point of this book: General managers can be successful participants in IS decisions without an extensive technical background. General managers who understand a basic set of IS concepts and who have out- standing managerial skills, such as those listed in Figure I.2, are ready for the digital economy.
How To Participate in Information Systems Decisions Technical wizardry is not required to become a knowledgeable participant in the IS decisions of a business. What a manager needs includes curiosity, creativity, and the confidence to question in order to learn and understand. A solid framework that identifies key management issues and relates them to aspects of IS provides the background needed to participate.
The goal of this book is to provide that framework. The way in which managers use and manage information is directly linked to business goals and the business strategy that drive both organizational and IS decisions. Business, organizational, and information strategies are fundamentally linked in what is called the Information Systems Strategy Triangle. Failing to understand this relationship is detrimental to a business. Failing to plan for the consequences in all three areas can cost a manager his or her job. This book provides managers with a foundation for understanding business issues related to IS from a managerial perspective.
8 Introduction
Managerial Role
Visionary
Informational and Interpersonal
Structural
Skill
Creativity—the ability to transform resources and create something entirely new to the organization Curiosity—the ability to question and learn about new ideas, applications, technologies, and business models Confidence—the ability to believe in oneself and assert one’s ideas at the proper time Focus on Business Solutions—the ability to bring experience and insight to bear on current business opportunities and challenges Flexibility—the ability to change rapidly and effectively, such as by adapting work processes, shifting perspectives on an issue, or adjusting a plan to achieve a new goal
Communication—the ability to share thoughts through text, images, and speech Information gathering—the ability to gather thoughts of others through listening, reading, and observing Interpersonal skills—the ability to cooperate and collaborate with others on a team, among groups, or across a chain of command to achieve results
Project management—the ability to plan, organize, direct, and control company resources to effectively complete a project Analytical skills—the ability to break down a whole into its elements for ease of understanding and analysis Organizational skills—the ability to bring together distinct elements and combine them into an effective whole Planning skills—the ability to develop objectives and to allocate resources to ensure objectives are met
FIGURE I.2 Skills of successful managers.
Organization of the Book To be a knowledgeable participant, managers must know about both using infor- mation and managing information. The first five chapters offer basic frameworks to make this understanding easier. Chapter 1 explains the Information Systems Strategy Triangle and provides a brief overview of relevant frameworks for business strategy and organizational strategy. It is provided as background for those who have not formally studied organization theory or business strategy. For those who
Basic Assumptions 9
have studied these areas, this chapter is a brief refresher of major concepts used throughout the remaining chapters of the book. Subsequent chapters provide frameworks and sets of examples for understanding the links between IT and business strategy (Chapter 2), organizational forms (Chapter 3), collaboration and individual work (Chapter 4), and business process transformation (Chapter 5).
The rest of the text looks at issues related to building IS strategy itself. Chapter 6 provides a framework for understanding the four components of IS architecture: hardware, software, networks, and data. Chapter 7 discusses sourcing and where companies look for IS resources. Chapter 8 looks at the governance and organization of IS resources. Chapter 9 presents some of the ethical issues that need to be considered. Chapter 10 focuses on the economics of managing IS. Chapter 11 discusses project management in general and the management of IS projects specifically. Finally, Chapter 12 provides an overview of how companies manage knowledge and create a competitive advantage using business analytics.
! BASIC ASSUMPTIONS
Every book is based on certain assumptions, and understanding those assumptions makes a difference in interpreting the text. The first assumption made by this text is that managers must be knowledgeable participants in the IS decisions made within and affecting their organizations. That means that the general manager must have a basic understanding of the business and technology issues related to IS. Because technology changes rapidly, this text also assumes that the technology of today is different from the technology of yesterday, and most likely, the technology available to readers of this text today differs significantly from that available when the text was written. Therefore, this text focuses on generic concepts that are, to the extent possible, technology independent. It provides a framework on which to hang more current information, such as new uses of the Internet or new networking technologies. It is assumed that the reader will seek out current sources to learn about the latest technology.
Although some may debate this next assumption, a second assumption is that the role of a general manager and the role of an IS manager are distinct. The general manager must have a basic knowledge of IS to make decisions that may have serious implications for the business. In addition to general business knowledge, the IS manager must have more in-depth knowledge of technology to manage IS and to partner with general managers who must use the information. As the digital natives take on increasingly more managerial roles in corporations, this second assumption may have to be altered. But for this text, we will assume a different skill set for the IS manager. Assumptions are also made about how business is done and what IS are in general. Knowing what assumptions are made about each will support an understanding of the material to come.
Assumptions about Management The classic view of management includes four activities, each dependent on the others: planning, organizing, leading, and controlling (see Figure I.3). A manager
10 Introduction
Classic Management Model
Planning Managers think through their goals and actions in advance. Their actions are usually based on some method, plan, or logic, rather than a hunch or gut feeling.
Organizing Managers coordinate the human and material resources of the orga- nization. The effectiveness of an organization depends on its ability to direct its resources to attain its goals.
Leading Managers direct and influence subordinates, getting others to per- form essential tasks. By establishing the proper atmosphere, they help their subordinates do their best.
Controlling Managers attempt to assure that the organization is moving toward its goal. If part of their organization is on the wrong track, managers try to find out why and set things right.
FIGURE I.3 Classic management model. Source: Adapted from James A. F. Stoner, Management, 2nd ed. (Upper Saddle River, NJ: Prentice Hall, 1982).
performs these activities with the people and resources of the organization to attain the established goals of the business. Conceptually, this simple model provides a framework of the key tasks of management, which is useful for both general business and IS management activities. Although many books have been written describing each of these activities, organizational theorist Henry Mintzberg offers a view that most closely details the perspective relevant to IS management.
Mintzberg’s model describes management in behavioral terms by categorizing the three major roles a manager fills: interpersonal, informational, and decisional (see Figure I.4). This model is useful because it considers the chaotic nature of the environment in which managers actually work. Managers rarely have time to be reflective in their approaches to problems. They work at an unrelenting pace, and their activities are brief and often interrupted. Thus, quality information becomes even more crucial to effective decision making. The classic view is often seen as a tactical approach to management, whereas some describe Mintzberg’s view as more strategic.
Assumptions about Business Everyone has an internal understanding of what constitutes a business, which is based on readings and experiences in different firms. This understanding forms a model that provides the basis for comprehending actions, interpreting decisions, and communicating ideas. Managers use their internal model to make sense of otherwise chaotic and random activities. This book uses several conceptual models of business. Some take a functional view and others take a process view.
Basic Assumptions 11
Type of Roles
Interpersonal
Informational
Decisional
Manager’s Roles
Figurehead Leader
Liaison
Monitor
Disseminator
Spokesperson
Entrepreneur
Disturbance handler
Resource allocator
Negotiator
IS Examples
CIO greets touring dignitaries. IS manager puts in long hours to help motivate project team to complete project on schedule in an environment of heavy budget cuts. Chief information officer works with the marketing and human resource vice presidents to make sure that the reward and compensation system is changed to encourage use of new IS supporting sales.
Division manager compares progress on IS project for the division with milestones developed during the project’s initiation and feasibility phase. Chief information officer conveys organization’s business strategy to IS department and demonstrates how IS strategy supports the business strategy. IS manager represents IS department at organization’s recruiting fair.
Division manager suggests an application of a new technology that improves the division’s operational efficiency. Division manager, as project team leader, helps resolve design disagreements between division personnel who will be using the system and systems analysts who are designing it. CIO allocates additional personnel positions to various departments based upon business strategy. IS manager negotiates for additional personnel needed to respond to recent user requests for enhanced functionality in a system that is being implemented.
FIGURE I.4 Manager’s roles. Source: Adapted from H. Mintzberg, The Nature of Managerial Work (New York: Harper & Row, 1973).
Functional View The classical view of a business is based on the functions that people perform, such as accounting, finance, marketing, operations, and human resources. The business organizes around these functions to coordinate them and to gain economies of scale within specialized sets of tasks. Information first flows vertically up and down
12 Introduction
O pe
ra tio
ns
A cc
ou nt
in g
S al
es a
nd S
up po
rt
Executive Management
M ar
ke tin
g
In fo
rm at
io n
flo w
s
FIGURE I.5 Hierarchical view of the firm.
between line positions and management; after analysis it may be transmitted across other functions for use elsewhere in the company (see Figure I.5).
Process View Michael Porter of Harvard Business School describes a business in terms of the primary and support activities that are performed to create, deliver, and support a product or service (see Figure I.6). The primary activities of inbound logistics, operations, outbound logistics, marketing and sales, and service are chained together in sequences that describe how a business transforms its raw materials into value-creating products. This value chain is supported by common activities shared across all the primary activities. For example, general management and legal services are distributed among the primary activities. Improving coordination among activities increases business profit. Organizations that effectively manage core processes across functional boundaries will be winners in the marketplace. IS are often the key to this process improvement and cross-functional coordination.
Inbound Logistics
Outbound Logistics
Operations Marketing & Sales
Service
Firm Infrastructure
Human Resource Management
Technology Development
Procurement
M argin
M argin
FIGURE I.6 Process view of the firm: the value chain. Source: M. Porter, Competitive Advantage (New York: Free Press, 1985).
Basic Assumptions 13
Both the process and functional views are important to understanding IS. The functional view is useful when similar activities must be explained, coordinated, executed, or communicated. For example, understanding a marketing information system means understanding the functional approach to business in general and the marketing function in particular. The process view, on the other hand, is useful when examining the flow of information throughout a business. For example, understanding the information associated with order fulfillment or product development or customer service means taking a process view of the business. This text assumes that both views are important for participating in IS decisions.
Assumptions about Information Systems Consider the components of an information system from the manager’s viewpoint, rather than from the technologist’s viewpoint. Both the nature of information and the context of an information system must be examined to understand the basic assumptions of this text.
Information Hierarchy The terms data, information, and knowledge are often used interchangeably, but have significant and discrete meanings within the knowledge management domain (and are more fully explored in Chapter 12). Tom Davenport, in his book Informa- tion Ecology, pointed out that getting everyone in any given organization to agree on common definitions is difficult. However, his work (summarized in Figure I.7) pro- vides a nice starting point for understanding the subtle but important differences.
The information hierarchy begins with data, or simple observations. Data are a set of specific, objective facts or observations, such as ‘‘inventory contains 45 units.’’ Standing alone, such facts have no intrinsic meaning, but can be easily captured, transmitted, and stored electronically.
Information is data endowed with relevance and purpose.8 People turn data into information by organizing it into some unit of analysis (e.g., dollars, dates, or customers). For example, a mashup of location data and housing prices adds something beyond what the data provides individually, and that makes it information. Deciding on the appropriate unit of analysis involves interpreting the context of the data and summarizing it into a more condensed form. Consensus must be reached on the unit of analysis.
To be relevant and have a purpose, information must be considered within the context that it is received and used. Because of differences in context, information needs vary across the function and hierarchical level. For example, when considering functional differences related to a sales transaction, a marketing department manager may be interested in the demographic characteristics of buyers, such as their age, gender, and home address. A manager in the accounting department probably won’t be interested in any of these details, but instead will
8 Peter F. Drucker, ‘‘The Coming of the New Organization,’’ Harvard Business Review (January – February 1988), 45 – 53.
14 Introduction
Definition
Characteristics
Example
Data
Simple observations of the state of the world
• Easily structured • Easily captured on machines • Often quantified • Easily transferred • Mere facts
Daily inventory report of all inventory items sent to the CEO of a large manufacturing company
Information
Data endowed with relevance and purpose
• Requires unit of analysis • Data that have been processed • Human mediation necessary
Daily inventory report of items that are below economic order quantity levels sent to inventory manager
Knowledge
Information from the human mind (includes reflection, synthesis, context)
• Hard to structure • Difficult to capture on machines • Often tacit • Hard to transfer
Inventory manager knowing which items need to be reordered in light of daily inventory report, anticipated labor strikes, and a flood in Brazil that affects the supply of a major component.
FIGURE I.7 Comparison of data, information, and knowledge. Source: Adapted from Thomas Davenport, Information Ecology (New York: Oxford University Press, 1997).
want to know details about the transaction itself, such as method of payment and date of payment. Similarly, information needs may vary across hierarchical levels. These needs are summarized in Figure I.8 and reflect the different activities performed at each level. At the supervisory level, activities are narrow in scope and focused on production or the execution of the business’s basic transactions. At this level, information is focused on day-to-day activities that are internally oriented and accurately defined in a detailed manner. The activities of senior management are much broader in scope. Senior management performs long-term planning and needs information that is aggregated, externally oriented, and more subjective. The information needs of middle managers in terms of these characteristics fall between the needs of supervisors and senior management. Because information needs vary across levels, a daily inventory report of a large manufacturing firm may serve as information for a low-level inventory manager, whereas the CEO would consider such a report to be merely data. A report does not necessarily mean information. The context in which the report is used must be considered.
Knowledge is information that is synthesized and contextualized to provide value. It is information with the most value. Knowledge consists of a mix of contextual information, values, experiences, and rules. For example, the mashup of locations and housing prices means one thing to a real estate agent, another
Basic Assumptions 15
Time Horizon
Level of Detail
Orientation
Decision
Top Management
Long: years
Highly aggregated Less accurate More predictive
Primarily external
Extremely judgmental Uses creativity and analytical skills
Middle Management
Medium: weeks, months, years
Summarized Integrated Often financial
Primarily internal with limited external Relatively judgmental
Supervisory and Lower-Level Management
Short: day to day
Very detailed Very accurate Often nonfinancial
Internal
Heavy reliance on rules
FIGURE I.8 Information characteristics across hierarchical level.
thing to a potential buyer, and yet something else to an economist. It is richer and deeper than information and more valuable because someone thought deeply about that information and added his or her own unique experience, judgment, and wisdom. Knowledge also involves the synthesis of multiple sources of information over time.9 The amount of human contribution increases along the continuum from data to information to knowledge. Computers work well for managing data, but are less efficient at managing information.
Some people think there is a fourth level in the information hierarchy, wisdom. In this context, wisdom is knowledge, fused with intuition and judgment that facilitates the ability to make decisions. Wisdom is that level of the information hierarchy used by subject matter experts, gurus, and individuals with a high level of experience who seem to ‘‘just know’’ what to do and how to apply the knowledge they gain.
System Hierarchy An information system comprises three main elements: technology, people, and process (see Figure I.9). When most people use the term information system, they actually refer only to the technology element as defined by the organization’s infrastructure. In this text the term infrastructure refers to everything that supports the flow and processing of information in an organization, including hardware, software, data, and network components, whereas architecture refers to the strategy implicit in these components. These ideas will be discussed in greater detail in Chapter 6. Information system is defined more broadly as the combination of technology (the ‘‘what’’), people (the ‘‘who’’), and process (the
9 Thomas H. Davenport, Information Ecology (New York: Oxford University Press, 1997), 9 – 10.
16 Introduction
Management
Information Systems
People Technology Process
FIGURE I.9 System hierarchy.
‘‘how’’) that an organization uses to produce and manage information. In contrast, information technology (IT) focuses only on the technical devices and tools used in the system. We define information technology as all forms of technology used to create, store, exchange, and use information.
Above the information system itself is management, which oversees the design and structure of the system and monitors its overall performance. Management develops the business requirements and the business strategy that the information system is meant to satisfy. The system’s architecture provides a blueprint that translates this strategy into components, or infrastructure.10
! FOOD FOR THOUGHT: ECONOMICS OF INFORMATION VERSUS ECONOMICS OF THINGS
In their book, Blown to Bits, Evans and Wurster argued that every business is in the information business.11 Even those businesses not typically considered to be information businesses have business strategies in which information plays a critical role. The physical world of manufacturing is shaped by information that dominates products as well as processes. For example, a high-end Mer- cedes automobile contains as much computing power as a midrange personal computer. Information-intensive processes in the manufacturing and marketing of the automobile include market research, logistics, advertising, and inventory management.
10 Gordon Hay and Rick Muñoz, ‘‘Establishing an IT Architecture Strategy,’’ Information Systems Management 14 (Summer 1997), 67 – 69. 11 Philip Evans and Thomas Wurster, Blown to Bits (Boston: Harvard Business School Press, 2000).
Food for Thought: Economics of Information Versus Economics of Things 17
Things Information
Wear out Doesn’t wear out, can become obsolete or untrue
Are replicated at the expense of the manufacturer
Is replicated at almost zero cost without limit
Exist in a tangible location Does not physically exist When sold, possession changes hands When sold, seller may still possess and sell
again Price based on production costs Price based on value to consumer
FIGURE I.10 Comparison of the economics of things with the economics of information.
As our world is reshaped by information-intensive industries, it becomes even more important for business strategies to differentiate the timeworn economics of things from the evolving economics of information. Things wear out; things can be replicated at the expense of the manufacturer; things exist in a tangible location. When sold, the seller no longer owns the thing. The price of a thing is typically based on production costs. In contrast, information never wears out, though it can become obsolete or untrue. Information can be replicated at virtually no cost without limit; information exists in the ether. When sold, the seller still retains the information, but this ownership provides little value if the ability of others to copy it is not limited. Finally, information is often costly to produce, but cheap to reproduce. Rather than pricing it to recover the sunk cost of its initial production, its price is typically based on the value to the consumer. Figure I.10 summarizes the major differences between the economics of goods and the economics of information.
Evans and Wurster suggest that traditionally the economics of information has been bundled with the economics of things. However, in this Information Age, firms are vulnerable if they do not separate the two. The Encyclopædia Britannica story serves as an example. Bundling the economics of things with the economics of information made it difficult for Encyclopædia Britannica to gauge the threat posed by Encarta, the encyclopedia on CD-ROM that was given away to promote the sale of computers and peripherals. Britannica focused on its centuries-old tradition of providing information in richly bound tomes sold to the public through a well-trained sales force. Only when it was threatened with its very survival did Encyclopædia Britannica grasp the need to separate the economics of information from economics of things and sell bits of information online. Clearly, Encyclopædia Britannica’s business strategy, like that of many other companies, needed to reflect the difference between the economics of things from the economics of information.12
12 Ibid.
18 Introduction
! SUMMARY The explosive growth of Internet-based businesses highlights the need for all managers to be skilled in managing and using IS. It is no longer acceptable to delegate IS decisions to the management information systems (MIS) department alone. The general manager must be involved to both execute business plans and protect options for future business vision. This chapter makes the case for general managers’ full participation in strategic business decisions concerning IS. It outlines the skills required for such participation, and it makes explicit certain key assumptions about the nature of business, management, and IS that will underlie the remaining discussions. Subsequent chapters are designed to build on these concepts by addressing the following questions.
Frameworks and Foundations
• How should information strategy be aligned with business and organizational strate- gies? (Chapter 1)
• How can a business achieve competitive advantages using its IS? (Chapter 2) • What does it mean to align IT decisions with organizational decisions? (Chapter 3) • How is the work of the individual in an organization affected by decisions concern-
ing IS? (Chapter 4) • How might IS enable business transformation? (Chapter 5)
IS Management Issues
• What are the components of an IT architecture? (Chapter 6) • How should IS services be provided? (Chapter 7) • What is an IS organization? How can a manager effectively manage IS?
(Chapter 8) • What ethical and moral considerations bind the uses of information in business?
(Chapter 9) • How are IS funded within an organization? What are the total costs of ownership of
IS? (Chapter 10) • What does it mean to manage a project? (Chapter 11) • How should knowledge be managed within an organization? (Chapter 12)
! KEY TERMS architecture (p. 15) data (p. 13) information (p. 13) information system (p. 15)
information technology (p. 16)
infrastructure (p. 15) knowledge (p. 14)
mashup (p. 13) Web 2.0 (p. 4) wisdom (p. 15)
Case Study 19
! DISCUSSION QUESTIONS 1. Why is it important for a general manager to be knowledgeable about information tech- nology?
2. Indicate whether each of the following is information, data, or knowledge: a. A daily sales report of each sales transaction that is sent to the chief operating officer b. A daily sales report of each sales transaction over $100,000 that is sent to the division marketing manager c. A monthly production report that is sent to shop floor supervisors who don’t use the report because they believe the figures reported are outdated and inaccurate d. An exception report of all accounts that are more than 90 days past-due, which is sent to the Accounts Receivable Manager e. A list of Social Security numbers f. The contact list in an individual’s LinkedIn account
3. Why, in your opinion, did the term Web 2.0 emerge? What is different in the way the Web is used today from the ‘‘Web 1.0’’ world?
CASE STUDY I-1
TERRY CANNON, MBA13
Terry Cannon, a typical MBA, was about to graduate from a top-ten business school with an MBA and a desire to change the world while growing a significant savings account. Terry was debating among three job opportunities, each of which would be a big step up the professional ladder from the associates job held when working for Impressive Consulting Group (ICG) prior to returning to school to get an MBA. Terry wasn’t sure which job to take, in part because Terry didn’t feel the MBA classes at the business school had provided enough preparation in information systems.
Terry started business school after four years of experience at Impressive Consulting Group (ICG), a global consulting organization with practices in virtually every major city in the world. Terry worked in the Dallas office as an associate right out of undergraduate school, with a degree in business with a concentration in marketing. Terry had worked on a number of interesting strategic marketing projects while at ICG. Terry was just completing a standard MBA program after two years of full-time study and a summer working for MFG Corporation, a large manufacturing company in the Midwest. The internship at MFG Corporation involved working with the new Web marketing group, which Terry chose to see just how a company like MFG takes advantage of the Web. At the same time, Terry hoped to become more proficient in Web and Internet technologies. The experience at
13 The names in this case are fictitious. This case is written to highlight administrative issues relevant to general managers, and any resemblance to real individuals or organizations is coincidental.
20 Introduction
MFG’s Web marketing group, however, only made Terry more anxious, highlighting how much more was involved in information systems and the Web than Terry had previously thought. Terry returned to business school in the fall of the second year wondering just how much information systems knowledge would be needed in future jobs. Further, Terry felt that becoming a knowledgeable participant in information decisions was critical to success in the fast-paced Internet-based business world waiting after graduation.
Terry wondered just what type of information systems knowledge was needed for each of the three jobs under consideration. All three jobs involved a competitive salary, a signing bonus, and stock/retirement benefits, so the decision came down to the knowledge needed to be a success on the job. The three jobs are summarized as follows.
1. Return to ICG as a consultant. This job was attractive to Terry because it meant returning to a former employer. Terry had left in good standing and liked the company that rewarded innovation and supported learning and growth among consultants. Terry figured a partnership was possible in the future. As a consultant, Terry could live anywhere and travel to the client site four days a week. The fifth day each week, Terry would be able to work at home, or if desired, in a company office. As a consultant, Terry initially thought engagements in strategic marketing would be the most interesting. ICG had a strong programming group that was brought into each engagement to do the programming and systems analysis work. The consultant role involved understanding client concerns and assisting in building a marketing strategy. Virtually all the projects would have some Internet component, if not entirely about building an Internet presence. This challenge interested Terry, but based on the summer job experience, Terry wondered just how much technical skill would be required of the consultants in this arena.
2. Join start-up InfoMicro. Several of Terry’s friends from business school were joining together to form a new start-up company on the Internet. This business plan for this company projected that InfoMicro would be one of only two Internet start-ups in their marketplace, giving the company a good position and great opportunity for growth. The business plan showed the company intending to go public through an IPO as early as three years after inception, and Terry believed they could do it. Terry would join as VP of marketing, supplementing the other three friends who would hold president, VP of finance, and VP of operations positions. The friends who would be president and finance VP were just completing a techno-MBA at Terry’s school and would provide the technical competence needed to get InfoMicro on the Web. Terry would focus on developing customers and setting marketing strategy, eventually building an organization to support that operation as necessary. Because InfoMicro was a Web-based business, Terry felt a significant amount of information systems knowledge would be required of a successful marketing executive.
3. Return to MFG Corporation. The job would be to join the marketing department as a manager responsible for new customer development. Many of MFG corporation’s customers were older, established companies like MFG Corporation itself, but new customers were likely to be start-ups and up-and-coming companies, or highly successful new companies like Google or Whole Foods. Terry felt that some knowledge of information systems would be necessary simply to provide innovative interaction mechanisms such as customer Web pages. Terry knew that discussions with the MFG information systems group would be necessary to build these new interfaces. How knowledgeable must Terry be on information systems issues to hold this job?
Case Study 21
As spring break approached, Terry knew a decision had to be made. Recruiters from all three companies had given Terry a deadline of the end of break week, and Terry wasn’t at all sure which job to take. All sounded interesting, and all were reasonable alternatives for Terry’s next career move.
! Discussion Questions
1. For each position Terry is considering, what types of information systems knowledge do you think Terry would need?
2. How could Terry be a knowledgeable participant in each of the three jobs? What would it mean to be a knowledgeable participant in each job? Give an example for each job.
3. As a marketing major and an MBA, is Terry prepared for the work world awaiting? Why or why not?
CASE STUDY I-2
ANYGLOBAL COMPANY INC.14
Memo
To: Chris Bytemaster, CIO
From: Ms. Hazel Hasslefree, CEO
It seems that the article ‘‘IT Doesn’t Matter’’ by Nicholas Carr (Harvard Business Review, May 2003) has caught the attention of several members of our Board of Directors. I have been asked to prepare a short presentation about what the article means to our company and whether IT does, in fact, matter in our company.
Would you please prepare a short report, about a page or two, that I can use as a basis for my presentation to them? Would you please summarize the Carr article and respond to the major points that he raises?
Thanks.
14 We appreciate the suggestions provided to us by Ron Murch at the University of Calgary concerning this case.
!CHAPTER 1 THE INFORMATION SYSTEMS STRATEGY TRIANGLE
When the Eastern United States was hit with an ice storm in 2007, most airlines cancelled flights much earlier than JetBlue. JetBlue, overly optimistic about the weather and its ability to fly its planes, wanted to keep the revenues flowing and its customers happy. So it delayed cancelling flights as long as it could. A crisis erupted when it finally had to cancel 1,000 flights over a five-day period. At one point up to nine airplanes full of passengers were stranded on the tarmac at John F. Kennedy International Airport in New York for six hours or more. JetBlue’s founder and Chairman, David Neeleman, credited the problems JetBlue experienced to an inadequate reservation system and a shoestring communication system.
The reservation system was hopelessly overwhelmed, and customers were unable to get through to human agents to check on the status of their flight or to obtain an alternative routing. Most reservations agents lived in Salt Lake City — far away from the storm. Many were women who worked from their homes. And yet, they were unavailable to respond to the pleas of stranded passengers. After this crisis, Neeleman realized that JetBlue needed to adjust its work agreement to require reservation agents to work longer hours during difficult periods, such as those created by bad weather.1
This case emphasizes the point made in the Introduction: General managers must take a role in decisions about information systems (IS). Even though it is not necessary for a general manager to understand all technologies, it is necessary to aggressively seek to understand the consequences of using technologies relevant to the business’s environment. General managers who leave IS decisions solely to their IS professionals often put themselves and their companies at a disadvan- tage. Although IS can facilitate the movement and exchange of information, an information system that is inappropriate for a given operating environment can actually inhibit and confuse that same exchange. This is especially true in crisis
1 Jeff Bailey, ‘‘JetBlue’s C.E.O. Is ‘Mortified’ After Fliers are Stranded,’’ New York Times, February 19, 2007, www.nytimes.com/2007/19/businesss/19jetblue.html.
22
The Information Systems Strategy Triangle 23
environments, such as the ice storm that paralyzed JetBlue’s information ex- changes. The IS organization is not an island within a firm. The IS organization manages an infrastructure that is essential to the firm’s functioning. Further, this case illustrates that a firm’s IS must be aligned with the way it manages its employees. In JetBlue’s case, it became clear that personnel policies needed to be adjusted to have some, if not most, of JetBlue’s 2,000 reservation agents working longer hours in times of crisis.
This chapter introduces a simple framework for understanding the impact of IS on organizations. This framework is called the Information Systems Strategy Triangle because it relates business strategy with IS strategy and organizational strategy. This chapter also presents key frameworks from organization theory that describe the context in which IS operate, as well as the business imperatives that IS support. Students with extensive background in organizational behavior and busi- ness strategy will find this a useful review of key concepts. The Information Systems Strategy Triangle presented in Figure 1.1 suggests three key points about strategy.
Successful firms have an overriding business strategy that drives both orga- nizational strategy and IS strategy. The decisions made regarding the structure, hiring practices, and other components of the organizational strategy, as well as decisions regarding applications, hardware, and other IS components, are all driven by the firm’s business objectives, strategies, and tactics. Successful firms carefully balance these three strategies — they purposely design their organization and their IS strategies to complement their business strategy.
IS strategy can itself affect and is affected by changes in a firm’s business and organizational strategies. To perpetuate the balance needed for successful operation, changes in the IS strategy must be accompanied by changes in the organizational strategy and must accommodate the overall business strategy. If a firm designs its business strategy to use IS to gain strategic advantage, the leadership position in IS can only be sustained by constant innovation. The business, IS, and organizational strategies must constantly be adjusted.
IS strategy always involves consequences — intended or not — within business and organizational strategies. Avoiding harmful unintended consequences means remembering to consider business and organizational strategies when designing IS deployment. For example, placing computers on employee desktops without an accompanying set of changes to job descriptions, process design, compensation plans, and business tactics will fail to produce the anticipated productivity
Business Strategy
Organizational Strategy Information Strategy
FIGURE 1.1 The Information Systems Strategy Triangle.
24 Chapter 1 The Information Systems Strategy Triangle
improvements. Success can only be achieved by specifically designing all three components of the strategy triangle.
In the JetBlue case discussed earlier, the IS Strategy Triangle was out of alignment at the time of the ice storm. The organizational strategy (e.g., personnel policies about working hours) did not support the IS strategy (e.g., dispersed network of systems that allowed a geographically dispersed workforce, but was not able to handle the high volume of exchanges in a crisis situation). Both of these strategies did not adequately support the business strategy (low cost but a high level of customer service).2
Of course, once a firm is out of alignment, it does not mean that it has to stay that way. To correct the misalignment described earlier, JetBlue changed its personnel policy by extending working hours during crisis situations, replaced Neeleman with Dave Barger as CEO, and implemented an ‘‘Operational Recovery System.’’ This system offers planners the ability to more easily reroute planes in the case of any disruption. It not only offers a solution to disruptions, but it also calculates the costs of various alternatives.
What does alignment mean? A recently published book entitled Winning the 3-Legged Race defines alignment as the situation in which a company’s current and emerging business strategy is enabled, supported, and unconstrained by technology. The authors suggest that although alignment is good, there are higher states, namely synchronization and convergence, toward which companies should strive. With synchronization, technology not only enables current business strategy but also anticipates and shapes future business strategy. Convergence goes one step further by exhibiting a state in which business strategy and technology strategy are intertwined and the leadership team members operate almost interchangeably. Although we appreciate the distinction and agree that firms should strive for synchronization and convergence, alignment in this text means any of these states, and it pertains to organizational strategy, IS strategy, and business strategy.3
A word of explanation is needed here. This chapter and subsequent chapters address questions of IS strategy squarely within the context of business strategy. Studying business strategy alone is something better done in other texts and courses. However, to provide foundation for IS discussions, this chapter summarizes several key business strategy frameworks, as well as organizational theories. Studying IS alone does not provide general managers with the appropriate perspective. To be effective, managers need a solid sense of how IS are used and managed within the organization. Studying details of technologies is also outside the scope of this text. Details of the technologies are relevant, of course, and it is important that any organization maintain a sufficient knowledge base to plan for and operate applications. However, because technologies change so rapidly, keeping a text current is impossible. Therefore this text takes the perspective that understanding
2 We are indebted to a reviewer for this comment 3 F. Hogue, V. Sambamurthy, R. Zmud, T. Trainer, and C. Wilson, Winning the 3-Legged Race, (Upper Saddle River, NJ: Prentice Hall, 2005).
Brief Overview of Business Strategy Frameworks 25
what questions to ask is a skill more fundamental to the general manager than understanding any particular technology. This text provides readers with an appreciation of the need to ask questions, a framework from which to derive the questions to ask, and a foundation sufficient to understand the answers received. The remaining book chapters all build on the foundation provided in the Information Systems Strategy Triangle.
! BRIEF OVERVIEW OF BUSINESS STRATEGY FRAMEWORKS
A strategy is a coordinated set of actions to fulfill objectives, purposes, and goals. The essence of a strategy is setting limits on what the business will seek to accomplish. Strategy starts with a mission. A mission is a clear and compelling statement that unifies an organization’s effort and describes what the firm is all about (i.e., its purpose). In a few words the mission statement sums up what is unique about the firm. Figure 1.2 demonstrates that even though IBM, Dell, and Apple are all in the computer industry, they view their missions quite differently. For example, IBM says it focuses on services and solutions, Dell on customer experiences, and Apple on innovation and personal computing experience.
Are these companies accomplishing their missions? It is hard to determine whether Dell’s customers are receiving the ‘‘best customer experience.’’ That is why Dell, like other firms, sets measurable objectives and performance targets. Once the objectives and performance targets are set, the measurable objectives
Company Mission Statement
IBM At IBM, we strive to lead in the creation, development, and manufacture of the industry’s most advanced information technologies, including computer systems, software, networking systems, storage devices, and microelectron- ics. We translate these advanced technologies into value for our customers through our professional solutions and services businesses worldwide.a
Dell Dell’s mission is to be the most successful computer company in the world at delivering the best customer experience in markets we serve.b
Apple Apple ignited the personal computer revolution in the 1970s with the Apple II and reinvented the personal computer in the 1980s with the Macintosh. Apple is committed to bringing the best personal computing experience to students, educators, creative professionals, and consumers around the world through its innovative hardware, software, and Internet offerings.c
ahttp://www.ibm.com/investor/company/ bhttp://www.dell.com/content/topics/global.aspx/corp/investor/en/faqs?c=us&l=en&s= corp#faq8 chttp://www.corporate-ir.net/ireye/ir site.zhtml?ticker=aapl&script=1800&layout= 7#corpinf
FIGURE 1.2 Mission statements of computer companies.
26 Chapter 1 The Information Systems Strategy Triangle
and performance targets can help ensure that a firm is accomplishing its mission. And then the firm needs to decide on a business strategy to meet its objectives and performance targets.
A business strategy is a plan articulating where a business seeks to go and how it expects to get there. It is the means by which a business communicates its goals. Management constructs this plan in response to market forces, customer demands, and organizational capabilities. Market forces create the competitive situation for the business. Some markets, such as those faced by airlines, makers of personal computers, and issuers of credit cards, are characterized by many competitors and a high level of competition such that product differentiation becomes increasingly difficult. Other markets, such as those for package delivery and automobiles, are similarly characterized by high competition, but product differentiation is better established. Customer demands comprise the wants and needs of the individuals and companies who purchase the products and services available in the marketplace. Organizational capabilities include the skills and experience that give the corporation a currency that can add value in the marketplace.
Until recently Dell’s business strategy was to sell personal computers directly to the customer without going through a middleman. Reaching customers in this way is less expensive and time consuming than selling the computers in retail stores. The Internet, combined with Dell’s well-designed IS infrastructure, allows customers to electronically contact Dell, who then designs a PC for a customer’s specific needs. Dell’s ordering system is integrated with its production system and shares information automatically with each supplier of PC components. This IS enables the assembly of the most current computers without the expense of storing large inventories. Cost savings are passed on to the customer, and the direct-to-customer model allows Dell to focus its production capacity on building only the most current products. With small profit margins and new products arriving quickly to replace existing products, this creative use of IS is aligned with Dell’s business strategy. This strategic use of IS ultimately results in cost savings, reflected in the price of systems. In addition, Dell executives achieve a strategic advantage in reducing response time, building custom computers for one of the industry’s lowest costs, and eliminating inventories that could become obsolete before they are sold. Thus, this business strategy is consistent with Dell’s mission of delivering the best customer experience in the markets it serves.
But things aren’t always as they seem. If the direct-to-customer strategy is so effective, why is Dell now also selling its computers at major retail outlets such as Wal-Mart and Best Buy? It is likely that the sales figures and profit margins were not measuring up to Dell’s stated objectives and performance targets. Consequently, Dell adjusted its business strategy.
Several well-accepted models frame the discussions of business strategy. We review (1) the Porter generic strategies framework and two variants of its
Brief Overview of Business Strategy Frameworks 27
differentiation, and (2) D’Aveni’s hypercompetition model.4 The end of this section introduces key questions a general manager must answer to understand the strategy of the business.
The Generic Strategies Framework Companies sell their products and services in a marketplace populated with competitors. Michael Porter’s framework helps managers understand the strate- gies they may choose to build a competitive advantage. In his book Competitive Advantage, Porter claims that the ‘‘fundamental basis of above-average perfor- mance in the long run is sustainable competitive advantage.’’5 Porter identified three primary strategies for achieving competitive advantage: (1) cost leadership, (2) differentiation, and (3) focus. These advantages derive from the company’s relative position in the marketplace, and they depend on the strategies and tactics used by competitors. Figure 1.3 summarizes these three strategies for achieving competitive advantage.
Cost leadership results when the organization aims to be the lowest-cost pro- ducer in the marketplace. The organization enjoys above-average performance by minimizing costs. The product or service offered must be comparable in quality to those offered by others in the industry so that customers perceive its relative value. Typically, only one cost leader exists within an industry. If more than one organi- zation seeks an advantage with this strategy, a price war ensues, which eventually may drive the organization with the higher cost structure out of the marketplace.
Differentiation Overall Cost Leadership
Focus
Uniqueness Perceived by Customer Low Cost Position
Industry-wide
Particular Segment Only
FIGURE 1.3 Three strategies for achieving competitive advantage. Source: M. Porter, Competitive Strategies (New York: Free Press, 1998).
4 Another popular model by Michael Porter, the value chain, provides a useful model for discussing internal operations of an organization. Some find it a useful model for understanding how to link two firms together. This framework is used in Chapter 3 to examine business process design. For further information, see Michael E. Porter, Competitive Advantage (New York: Free Press, 1985). 5 Michael E. Porter, Competitive Advantage (New York: Free Press, 1985).
28 Chapter 1 The Information Systems Strategy Triangle
Through mass distribution, economies of scale, and IS to generate operating efficiencies, Wal-Mart epitomizes the cost-leadership strategy.
Through differentiation, the organization qualifies its product or service in a way that allows it to appear unique in the marketplace. The organization identifies which qualitative dimensions are most important to its customers and then finds ways to add value along one or more of those dimensions. For this strategy to work, the price charged customers by the differentiator must seem fair relative to the price charged by competitors. Typically, multiple firms in any given market employ this strategy. Progressive Insurance is able to differentiate itself from other automobile insurance companies by breaking out of the industry mold. Its representatives are available 24/7 (i.e., 24 hours a day, 7 days a week) to respond to accident claims. They arrive at an accident scene shortly after the accident with powerful laptops, intelligent software, and the authority to settle claims on the spot. This strategy spurred Progressive’s growth and widened its profit margins.
Focus allows an organization to limit its scope to a narrower segment of the market and tailor its offerings to that group of customers. This strategy has two variants: (1) cost focus, in which the organization seeks a cost advantage within its segment, and (2) differentiation focus, in which it seeks to distinguish its products or services within the segment. This strategy allows the organization to achieve a local competitive advantage, even if it does not achieve competitive advantage in the marketplace overall. As Porter explained,
The focuser can thus achieve competitive advantage by dedicating itself to the seg- ments exclusively. Breadth of target is clearly a matter of degree, but the essence of focus is the exploitation of a narrow target’s differences from the balance of the industry. Narrow focus in and of itself is not sufficient for above-average performance.6
Marriott International demonstrates focus in the business and related IS strategies of two of its hotel chains. To better serve its business travelers and cut operational expenses, Marriott properties have check-in kiosks that interface with their Marriott Rewards loyalty program. A guest can swipe a credit card or Marriott Rewards card at the kiosk in the lobby and receive a room assignment and keycard from the machine. She can also print airline boarding passes at the kiosks. Further, the kiosks help the Marriott chain implement its cost focus. The kiosk system is integrated with other systems such as billing and customer relationship management (CRM) to generate operating efficiencies and enhanced corporate standardization.
In contrast, kiosks in the lobby would destroy the feeling that the Ritz-Carlton chain, acquired by Marriott in 1995, is trying to create. To the Ritz-Carlton chain, CRM means capturing and using information about guests, such as their preference for wines, a hometown newspaper, or a sunny room. Each Ritz-Carlton employee is expected to promote personalized service by identifying and recording
6 Michael E. Porter, Competitive Strategies (New York: Free Press, 1998).
Brief Overview of Business Strategy Frameworks 29
individual guest preferences. To demonstrate how this rule could be implemented, a waiter, after hearing a guest exclaim that she loves tulips, could log the guest’s comments into the Ritz-Carlton CRM system called ‘‘Class.’’ On her next visit to a Ritz-Carlton hotel, tulips could be placed in the guest’s room after querying Class to learn more about her as her visit approaches. Class, the CRM, is instrumental in implementing the differentiation-focus strategy of the Ritz-Carlton chain.7 And its strategy allows the Ritz-Carlton chain to live up to its very unique motto (mission): ‘‘We are ladies and gentlemen serving ladies and gentlemen.’’8 JetBlue appears to have adopted a cost focus strategy. At just over six cents per passenger seat mile, JetBlue has the lowest cost in the airline industry. Even though it is the lowest in the entire industry, it could be argued that JetBlue has far fewer destinations than many of its competitors. These larger competitors are saddled with higher pay scales from having been in the business longer and higher maintenance costs for their fleets of older planes that they needed to acquire to sustain their growth. Should its plans for growth be fully realized, while maintaining its low cost structure, JetBlue could move from its cost focus based on serving a limited, but growing, number of market segments to a cost leadership strategy.9
While sustaining a cost focus, JetBlue’s chairman believes that JetBlue can compete on more than price. That is why the airline continually strives to keep customers satisfied with frills such as extra leg room, leather seats, prompt baggage delivery, DirectTV, and movies. It has been recognized with many awards for customer satisfaction in the North American airlines industry. Thus, it could be argued that JetBlue also has used a differentiation focus.
Variants on the Differentiation Strategy Porter’s generic strategies are fundamental to an understanding of how organiza- tions create competitive advantage. Several variations of his differentiation strategy, including the shareholder value model and the unlimited resources model, are useful for further analyzing sources of advantage. D’Aveni also described these ‘‘arenas of competition’’ as the timing and know-how advantage and the deep pockets advantage.
The shareholder value model holds that the timing of the use of specialized knowledge can create a differentiation advantage as long as the knowledge remains unique.10 This model suggests that customers buy products or services from an organization to have access to its unique knowledge. The advantage is static, rather than dynamic, because the purchase is a one-time event.
7 Scott Berinato, ‘‘Room for Two,’’ CIO.com, May 15, 2002, http://www.cio.com/archive/051502/two content.html. 8 http://corporate.ritzcarlton.com/en/About/GoldStandards.htm (accessed February 13, 2008). 9 Chuck Salter, ‘‘And Now the Hard Part,’’ Fast Company.com, December 19, 2007, http:www. fastcompany.com/node/48871/print (accessed February 13, 2008). 10 William E. Fruhan, Jr., ‘‘The NPV Model of Strategy — The Shareholder Value Model,’’ in Financial Strategy: Studies in the Creation, Transfer, and Destruction of Shareholder Value (Homewood, IL: Richard D. Irwin, 1979).
30 Chapter 1 The Information Systems Strategy Triangle
The unlimited resources model utilizes a large base of resources that allows an organization to outlast competitors by practicing a differentiation strategy. An organization with greater resources can manage risk and sustain losses more easily than one with fewer resources. This deep-pocket strategy provides a short-term advantage only. If a firm lacks the capacity for continual innovation, it will not sustain its competitive position over time.
Porter’s generic strategies model and its variants are useful for diagnostics, or understanding how a business seeks to profit in its chosen marketplace, and for prescriptions, or building new opportunities for advantage. They reflect a careful balancing of countervailing competitive forces posed by buyers, suppliers, competitors, new entrants, and substitute products and services within an industry. As is the case with many models, they offer managers useful tools for thinking about strategy. However, the Porter models were developed at a time when competitive advantage was sustainable because the rate of change in any given industry was relatively slow and manageable. Since the late 1980s when this framework was at the height of its popularity, several newer models were developed to take into account the increasing turbulence and velocity of the marketplace. In particular, the hypercompetition model offers managers an especially useful tool for conceptualizing their organization’s strategy in turbulent environments.
Hypercompetition Framework Discussions of hypercompetition11 take a perspective different from the previous models. Those models focus on creating and sustaining competitive advantage, whereas hypercompetition models suggest that the speed and aggressiveness of the moves and countermoves in any given market create an environment in which advantages are ‘‘rapidly created and eroded.’’12 Firms seek to achieve this relatively transitory competitive advantage under hypercompetition in four ways: (1) cost/quality, (2) timing/know-how, (3) strongholds, and (4) deep pockets. The hypercompetition framework is based on the following assumptions:
• Every advantage is eroded. Advantages only last until competitors have duplicated or outmaneuvered them. Once an advantage is no longer an advantage, it becomes a cost of doing business.
• Sustaining an advantage can be a deadly distraction. Some companies can extend their advantages and continue to enjoy the benefits, but sustaining an advantage can take attention away from developing new ones.
• The goal of advantage should be disruption, not sustainability. A company seeks to stay one step ahead through a series of temporary advantages that erode competitors’ positions, rather than by creating a sustainable position in the marketplace.
11 R. D’Aveni, Hypercompetition: Managing the Dynamics of Strategic Maneuvering (New York: Free Press, 1994). 12 Ibid.
Brief Overview of Business Strategy Frameworks 31
• Initiatives are achieved with a series of small steps. Competitive cycles are shorter now, and new advantages must be achieved quickly. Companies focus on creating the next advantage before the benefits of the current advantage erode.
D’Aveni’s framework suggests seven approaches an organization can take in its business strategy. Figure 1.4 summarizes this framework. Companies can use these approaches to disrupt competition, depending on their particular capabilities to seize initiative and pursue tactics that can create a series of temporary advantages. For the purposes of this book, we briefly summarize D’Aveni’s 7 Ss13 in Figure 1.5.
JetBlue has clearly implemented some of the 7 Ss. It particularly employed the superior stakeholder satisfaction when it installed DirectTV on its planes, provided almonds as a low-carbohydrate snack in response to passenger requests, and
Vision for Disruption
Identifying and creating opportunities for temporary advantage through understanding - Stakeholder Satisfaction - Strategic Soothsaying directed at identifying new ways to serve existing customers better or new customers that are not currently served by others
Capability for Disruption
Sustaining momentum by developing flexible capacities for - Speed - Surprise that can be applied across actions to build temporary advantages
Tactics for Disruption
Seizing the initiative to gain advantage by - Shifting the rules - Signaling - Simultaneous and sequential strategic thrusts with actions that shape, mold, or influence the direction or nature of the competitor's response
Market Disruption
FIGURE 1.4 Disruption and the new 7 Ss. Source: R. D’Aveni, Hypercompetition: Managing the Dynamics of Strategic Maneuvering (New York: Free Press, 1994).
13 The ‘‘old’’ 7 Ss of competitive advantage — structure, strategy, systems, style, skills, staff, and superordinate goals — entered business literature in a paper by R. Waterman, T. Peters, and J. Phillips, ‘‘Structure Is Not Organization,’’ Business Horizons (June 1980). D’Aveni used these as a point of reference in deriving his ‘‘new’’ 7 Ss under hypercompetition.
32 Chapter 1 The Information Systems Strategy Triangle
Approach Definition
Superior stakeholder satisfaction Understanding how to maximize cus- tomer satisfaction by adding value strategically
Strategic soothsaying Seeking out new knowledge that can predict or create new windows of oppor- tunity
Positioning for speed Preparing the organization to react as quickly as possible
Positioning for surprise Preparing the organization to respond to the marketplace in a manner that will surprise competitors
Shifting the rules of competition Finding new ways to serve customers which transform the industry
Signaling strategic intent Communicating the intended actions of a company, in order to stall responses by competitors
Simultaneous and sequential strategic thrusts Taking a series of steps designed to stun and confuse competitors in order to disrupt or block their efforts
FIGURE 1.5 D’Aveni’s new 7 Ss.
enacted a policy that the last bag from a flight would be placed on the conveyor belt no later than 20 minutes after the plane arrived at the gate. To position for speed and to accommodate its sizable growth plans, JetBlue places on the corporate intranet a checklist of each activity, with deadlines as needed, when JetBlue enters a new market. Another way JetBlue positions itself for speed is its ‘‘Operational Recovery System,’’ described earlier as a way to respond quickly to problems. It shifted the rules of competition when it issued its Customer Bill of Rights, which clearly defines when customers will receive coupons and vouchers in the event of delays.14
The 7 Ss are a useful framework for identifying different aspects of a busi- ness strategy and aligning them to make the organization competitive in the hypercompetitive arena of business in the new millennium. This framework helps assess competitors’ strengths and weaknesses, as well as build a road map for the company’s strategy itself. Using this framework, managers can identify new organizational responses to their competition, as well as new opportunities that extend their current strengths. This framework is particularly useful in markets in which the rate of change makes sustaining a business strategy difficult. It suggests that a business strategy must be continuously redefined to be successful.
14 Salter, ‘‘And Now the Hard Part.’’
Brief Overview of Business Strategy Frameworks 33
Since the 1990s a competitive dynamic has emerged in the marketplace that is characterized by wider gaps between industry leaders and laggards, more concen- trated ‘‘winner-take-all’’ environments, and greater churn among sector rivals. This pattern of turbulent ‘‘creative destruction’’ was first predicted over 60 years ago by the economist Joseph Schumpeter. Coincidentally (or maybe not), the accelerated competition has occurred concomitantly with sharp increases in the quality and quantity of information technology (IT) investment. The changes in competitive dynamics are particularly striking in sectors that spend the most on IT.15
An application of the hypercompetition model is the destroy your business (DYB) (i.e., ‘‘creative destruction’’) approach to strategic planning that was imple- mented by Jack Welch at General Electric (GE). Welch recognized that GE could only sustain its competitive advantage for a limited time as competitors attempted to outmaneuver GE. He knew that if GE didn’t identify its weaknesses, its com- petitors would relish doing so. DYB is an approach that places GE employees in the shoes of their competitors.16 Through the DYB lenses, GE employees develop strategies to destroy GE’s competitive advantage. Then, in light of their revelations, they apply the grow your business (GYB) strategy to find fresh ways to reach new customers and better serve existing ones. The goal of the DYB planning approach is the complete disruption of current practices, so that GE can take actions to protect its business before competitors hone in on its weaknesses. The implicit assumption underlying DYB is that GE would not be able to sustain its position in the marketplace over the long term.
Why Are Strategic Advantage Models Essential to Planning for Information Systems? A general manager who relies solely on IS personnel to make IS decisions may not only give up any authority over IS strategy, but also may hamper crucial future business decisions. In fact, business strategy should drive IS decision making, and changes in business strategy should entail reassessments of IS. Moreover, changes in IS potential should trigger reassessments of business strategy — as in the case of the Internet, where companies that failed to understand or consider its implications for the marketplace were quickly outpaced by competitors who had. For the purposes of our model, the Information Systems Strategy Triangle, understanding business strategy means answering the following questions:
1. What is the business goal or objective? 2. What is the plan for achieving it? What is the role of IS in this plan? 3. Who are the crucial competitors and partners, and what is required of a
successful player in this value net?
15 Andrew McAfee and Erik Brynjolfsson ‘‘Investing in the IT That Makes a Competitive Difference,’’ Harvard Business Review (July 2008), http://harvardbusinessonline.hbsp.harvard.edu (accessed July 27, 2008). 16 M. Levinson, ‘‘Destructive Behavior,’’ CIO Magazine, July 15, 2000, http://www.cio.com/archive/ 071500 destructive content.html.
34 Chapter 1 The Information Systems Strategy Triangle
Framework Key Idea Application to Information Systems
Porter’s Generic Strate- gies Framework
Firms achieve competitive advantage through cost lead- ership, differentiation, or focus
Understanding which strategy is chosen by a firm is critical to choos- ing IS to complement the strategy
D’Aveni’s Hypercompe- tition Model
Speed and aggressive moves and countermoves by a firm create competitive advantage
The 7 Ss give the manager sug- gestions on what moves and coun- termoves to make. IS are critical to achieving the speed needed for moves and countermoves. IS are in a constant state of flux or develop- ment.
FIGURE 1.6 Summary of key strategy frameworks.
Porter’s generic strategies and D’Aveni’s hypercompetition framework (sum- marized in Figure 1.6) are revisited in the next few chapters. They are especially helpful in discussing the role of IS in building and sustaining competitive advan- tages (Chapter 2) and for incorporating IS into business strategy. The next section of this chapter establishes a foundation for understanding organizational strategies.
! BRIEF OVERVIEW OF ORGANIZATIONAL STRATEGIES
Organizational strategy includes the organization’s design as well as the choices it makes to define, set up, coordinate, and control its work processes. The organizational strategy is a plan that answers the question: ‘‘How will the company organize to achieve its goals and implement its business strategy?’’ A few of the many models of organizational strategy are reviewed in this section.
A simple framework for understanding the design of an organization is the business diamond, introduced by Leavitt and embellished by Hammer and Champy.17 Shown in Figure 1.7, the business diamond identifies the crucial components of an organization’s plan as its business processes, its values and beliefs, its management control systems, and its tasks and structures. This simple framework is useful for designing new organizations and for diagnosing organizational troubles. For example, organizations that try to change their cultures but fail to change the way they manage and control cannot be effective.
JetBlue can be used to demonstrate the Business Diamond. Processes are obviously are very important at JetBlue. Every morning CEO Barger reviews details about the previous day’s flights with the operations team, and each process is carefully inspected to see if it can be made more efficient. Based on a list of ‘‘focus flights’’ the operations teams also deconstruct the ten worst delays to find ways to improve problematic processes. Values and beliefs are also very important
17 M. Hammer and J. Champy, Reengineering the Corporation (New York: HarperBusiness, 1994).
Brief Overview of Organizational Strategies 35
Business Processes
Management and Measurement Systems
Tasks and Structures Values and Beliefs
FIGURE 1.7 The business diamond. Source: M. Hammer and J. Champy, Reengineering the Corporation (New York: Harper Business, 1994).
to JetBlue’s senior executives, who are actively attempting to infuse the values and beliefs throughout the organization. In particular, Chairman Neeleman uses a visible, ‘‘one-on-one’’ leadership style that allows him to interact freely with the employees. The company is guided by five primary principles: ‘‘Treat your people right,’’ ‘‘Communicate with your team,’’ ‘‘Inspire greatness in others,’’ ‘‘Encourage initiative and innovation,’’ and ‘‘Do the right thing.’’ When it looked as if growth was negatively affecting the company’s management, a new training program, Principles of Leadership (POL), was initiated to teach the five primary principles to managers at every level. Another part of the measurement and management system is a detailed set of metrics for a variety of operations. For example, the time it takes to deliver bags to the passengers is measured with a goal of delivering them no later than 20 minutes after the plane has reached the gate. Finally, tasks are defined such that everyone pitches in and helps. When a plane lands, every employee on the plane from the stewardess, to the pilot, to staff who are deadheading, to the chairman, will pitch in to clean the plane and get it ready for the next set of passengers. Pilots are also expected to participate in the business.18
A complementing framework to the business diamond for organizational design can be found in the book by Cash, Eccles, Nohria, and Nolan, Building the Information Age Organization.19 This framework, shown in Figure 1.8, suggests that the successful execution of a business’s organizational strategy comprises the best combination of organizational, control, and cultural variables. Organizational variables include decision rights, business processes, formal reporting relationships, and informal networks. Control variables include the availability of data, the nature and quality of planning, and the effectiveness of performance measurement and evaluation systems, and incentives to do good work. Cultural variables comprise the values of the organization. These organizational, control, and cultural variables
18 Salter, ‘‘And Now the Hard Part.’’ 19 James I. Cash, Robert G. Eccles, Nitin Nohria, and Richard L. Nolan, Building the Information Age Organization (Homewood, IL: Richard D. Irwin, 1994).
36 Chapter 1 The Information Systems Strategy Triangle
Organizational effectivenessStrategy
Organization Control
Culture
Performance measurement
and evaluation
Incentives and rewardsValues
Formal reporting
relationships Planning
Business processes
Decision rights
Data
Informal networks
People, Information, and
Technology
Execution
FIGURE 1.8 Managerial levers. Source: Cash, Eccles, Nohria, and Nolan, Building the Information Age Organization (Homewood, IL: Richard D. Irwin, 1994).
are managerial levers used by decision makers to effect changes in their organizations. These managerial levers are discussed in detail in Chapter 3.
Our objective is to give the manager a set of frameworks to use in evaluating various aspects of organizational design. Using these frameworks, the manager can review the current organization and assess which components may be missing and what options are available looking forward. Understanding organizational strategy means answering the following questions:
1. What are the important structures and reporting relationships within the organization?
2. Who holds the decision rights to critical decisions? 3. What are the characteristics, experiences, and skill levels of the people
within the organization? 4. What are the key business processes? 5. What control systems are in place? 6. What is the culture of the organization?
The answers to these questions inform any assessment of the organization’s use of IS. Chapters 3, 4, and 5 use the organizational strategy frameworks, summarized in Figure 1.9, to assess the impact of management information systems (MIS) on the firm. Chapter 8 and 9 look at answers from the first two questions to understand the MIS governance and its impact on ethics.
Brief Overview of Information Systems Strategy 37
Framework Key Idea Usefulness in IS Discussions
Business diamond There are 4 key compo- nents to an organization: business processes, values and beliefs, management control systems, and tasks and structures.
Using IS in an organization will affect each of these components. Use this framework to identify where these impacts are likely to occur.
Managerial levers Organizational variables, control variables, and cultural variables are the levers managers can use to affect change in their organization.
This is a more detailed model than the Business diamond and gives specific areas where IS can be used to manage the organization and to change the organization.
FIGURE 1.9 Summary of organizational strategy frameworks.
! BRIEF OVERVIEW OF INFORMATION SYSTEMS STRATEGY
IS strategy is the plan an organization uses to provide information services. IS allow a company to implement its business strategy. JetBlue’s vice president for people explains it nicely: ‘‘We define what the business needs and then go find the technology to support that.’’20
Business strategy is a function of competition (What does the customer want and what does the competition do?), positioning (In what way does the firm want to compete?), and capabilities (What can the firm do?). IS help determine the company’s capabilities. An entire chapter is devoted to IT architecture, but for now a more basic framework will be used to understand the decisions related to IS that an organization must make.
The purpose of the matrix in Figure 1.10 is to give the manager a high-level view of the relation between the four IS infrastructure components and the other resource considerations that are key to IS strategy. Infrastructure includes hardware, such as desktop units and servers. It also includes software, such as the programs used to do business, to manage the computer itself, and to communicate between systems. The third component of IS infrastructure is the network, which is the physical means by which information is exchanged among hardware components, such as through a modem and dial-up network (in which case, the service is actually provided by a vendor such as AT&T), or through a private digital network (in which case the service is probably provided by an internal unit). Finally, the fourth part of the infrastructure is the data. The data includes the bits and bytes stored in the system. In current systems, data are not necessarily stored alongside
20 Hogue et al., Winning the 3-Legged Race, 111.
38 Chapter 1 The Information Systems Strategy Triangle
What Who Where
Hardware List of physical components of the system
System users and managers
Physical location
Software List of programs, applications, and utilities
System users and managers
What hardware it resides on and physical location of hardware
Networking Diagram of how hardware and software components are connected
Systems users and managers; com- pany that provides the service
Where the nodes are located, and where the wires and other trans- port media are located
Data Bits of information stored in the system
Owners of data; data administrators
Where the infor- mation resides
FIGURE 1.10 Information systems strategy matrix.
the programs that use them; hence, it is important to understand what data are in the system and where they are stored. Many more detailed models of IS infrastructure exist, and interested readers may refer to any of the dozens of books that describe them. For the purposes of this text, the matrix will provide sufficient information to allow the general manager to assess the critical issues in information management.
! FOOD FOR THOUGHT: THE HALO EFFECT AND OTHER BUSINESS DELUSIONS
When Dell was flying high in February 2005 and ranked number one among Fortune magazine’s list of the Most Admired Companies, everyone claimed it was due to their excellent management and strategy. There are even a few such examples in this chapter. However, two years later, when Dell’s performance slumped, critics were quick to blame it on a variety of poor management practices: complacency, pride in making acquisitions, being ‘‘stuck in a rut,’’ and poor leadership. How could Dell have gone from excellent performance to such problematic performance so quickly?21
Phil Rosenzweig suggested that the Dell case illustrates a common error of distortion that many make when evaluating company performance. The error is
21 Phil Rosenzweig, ‘‘Misunderstanding the Nature of Company Performance: The Halo Effect and Other Business Delusions,’’ California Management Review 49, no. 4, Summer 2007, 6 – 20.
Food for Thought: the Halo Effect and Other Business Delusions 39
based on ‘‘halo effect,’’ which is ‘‘the basic human tendency to make specific inferences on the basis of a general impression’’22 (Rosenzweig, page 7) When Dell was successful, many marveled at its strategy and leadership skills. When it stumbled, things were seen in a negative light. Although the halo effect may seem harmless, it undermines an understanding of the forces that make a company either successful or unsuccessful. Rosenzweig claimed that the error was especially problematic in three popular business books: In Search of Excellence, Built to Last, and Good to Great because these books have diverted attention from an accurate understanding about successful company performance.
Rosensweig described three misconceptions that are created by the halo effect in general and these three books most specifically.
1. There exists a formula or blueprint that companies can apply and become high performers. In fact, many of the causal relationships that were reported were unfounded. Further, business performance is inherently relative, not absolute. For example, Kmart’s performance declined steeply in the 1990s, and it declared bankruptcy in 2002. Yet, on several objective measures such as inventory management, procurement, logistics, and automated reordering, it actually improved during this time period. The problem for Kmart was that Wal-Mart and Target improved even more rapidly.
2. Firm performance is driven entirely by internal factors. Rosenzweig argued that although strategic choice is important, it is also important to consider what the competition is doing.
3. Because a decision may turn out badly does not necessarily mean that it was poorly made. There is much uncertainty in strategic decisions. Decision makers must make decisions under risk — and sometimes things don’t always work out well.
Rosenzweig concluded with cautionary notes: Journalists should be more cir- cumspect in what they write; Managers should be skeptical of formulas, recognize that performance is relative, think of business decisions in terms of probabilities, and carefully evaluate decision-making processes and not just their outcomes.
In relating his analysis to Dell, Rosenzweig noted that between 2005 and 2007, Dell was neither complacent nor ‘‘stuck in a rut.’’ Rather, it looked for new avenues of growth and sought to leverage its capabilities in other products. Its decline was not absolute, but rather relative. During that same time period, its rival, Hewlett Packard (HP), hired an effective new CEO, and Lenovo became a strong competitor. Rosenzweig suggested that HP and Lenovo’s performance was the direct result of Dell’s previous excellence. That doesn’t mean that Dell can’t perform well in the future. It depends on its strategy. That strategy is based on choice, and choice is based on risk.
22 Ibid., 7.
40 Chapter 1 The Information Systems Strategy Triangle
! SUMMARY The Information Systems Strategy Triangle represents a simple framework for under- standing the impact of IS on businesses. It relates business strategy with IS strategy and organizational strategy and implies the balance that must be maintained in business planning. The Information Systems Strategy Triangle suggests the following management principles.
Business Strategy Business strategy drives organizational strategy and IS strategy. The organization and its IS should clearly support defined business goals and objectives.
• Definition: A well-articulated vision of where a business seeks to go and how it expects to get there
• Models: Porter’s generic strategies model; D’Aveni’s hypercompetition model
Organizational Strategy Organizational strategy must complement business strategy. The way a business is organized either supports the implementation of its business strategy or it gets in the way.
• Definition: The organization’s design, as well as the choices it makes to define, set up, coordinate, and control its work processes
• Models: Business diamond; managerial levers
IS Strategy IS strategy must complement business strategy. When IS support business goals, the business appears to be working well. IS strategy can itself affect and is affected by changes in a firm’s business and organizational strategies. Moreover, information systems strategy always has consequences — intended or not — on business and organizational strategies.
• Definition: The plan the organization uses in providing information systems and services
• Models: A basic framework for understanding IS decisions relating architecture (the ‘‘what’’) and the other resource considerations (‘‘who’’ and ‘‘where’’) that represent important planning constraints
Strategic Relationships Organizational strategy and information strategy must complement each other. They must be designed so that they support, rather than hinder each other. If a decision is made to change one corner of the triangle, it is necessary to evaluate the other two corners to ensure that balance is preserved. Changing business strategy without thinking through the effects on the organizational and IS strategies will cause the business to struggle until balance is restored. Likewise, changing IS or the organization alone will cause an imbalance.
Case Study 41
! KEY TERMS business diamond (p. 34) business strategy (p. 26) cost leadership (p. 27) differentiation (p. 28) focus (p. 28) hypercompetition (p. 30) IS strategy (p. 37)
Information Systems Strategy Triangle (p. 23)
managerial levers (p. 36) mission (p. 25) organizational strategy
(p. 34)
shareholder value model (p. 29)
strategy (p. 25) unlimited resources
model (p. 30)
! DISCUSSION QUESTIONS 1. Why is it important for business strategy to drive organizational strategy and IS strategy? What might happen if business strategy was not the driver?
2. Suppose managers in an organization decided to hand out laptop computers to all salespeople without making any other formal changes in organizational strategy or business strategy. What might be the outcome? What unintended consequences might occur?
3. Consider a traditional manufacturing company that wanted to take advantage of the Internet and Web 2.0 tools. What might be a reasonable business strategy, and how would organizational and IS strategy need to change?
4. This chapter describes key components of an IS strategy. Describe the IS strategy of a consulting firm using the matrix framework.
5. What does this tip from Fast Company mean: ‘‘The job of the CIO is to provide organi- zational and strategic flexibility’’?23
CASE STUDY 1-1
ROCHE’S NEW SCIENTIFIC METHOD
For years, the Swiss pharmaceutical giant Roche Group worked hard to create an ultra-competitive culture that pitted scientific teams against one another in fighting for scarce resources. Roche had believed that this culture was instrumental in creating such blockbuster drugs as Valium and Librium. But, on the downside, this approach made it almost impossible for scientists to abandon faltering projects that they felt were pivotal for their careers. Rather, it led them to hoard their technical expertise and findings. In 1998, the company turned to a more collaborative style of teamwork — especially for its teams working in the new field of genomics. Roche began running ads in Science magazine for a young new breed of researchers who could reinvent themselves as their job opportunities rapidly changed.
It was the new breakthroughs in genomics and molecular biology that pushed Roche to change the way it hunted for drugs. Roche knew it had to speed up the discovery process
23 ‘‘20 Technology Briefs: What’s New? What’s Next? What Matters,’’ Fast Company, March 2002, http://www.fastcompany.com/online/56/fasttalk.html.
42 Chapter 1 The Information Systems Strategy Triangle
for new drugs and size up toxicity risks earlier than ever. Projects needed to be managed in a totally different way.
Roche can now churn out 1 million genomics experiments a day. Whereas research teams once spent years looking for a single good idea, they now must consider hundreds or even thousands of candidates daily. The data that is generated is overwhelming not only for the researchers, but also for Roche’s large infrastructure of computers.
Despite the daunting task, the potential is too great for Roche to ignore. At a recent media briefing, Roche Group chairman and CEO Franz Humer declared, ‘‘Look at this revolution of genetics, genomics, and proteomics. It’s becoming ever clearer that we will be able to identify early the predisposition of people to disease — and to monitor and treat them more effectively. We’ll develop markers for cancer. That will lead to better test kits and to new pharmaceuticals.’’
Thus, Roche’s U.S. pharmaceuticals headquarters is making adjustments to deal with having ‘too much data, too fast.’ Roche’s management has recognized that it needs to rethink the best ways to build teams, hire people, and create a culture where failure is all right, as long as it is fast. Roche has had to embrace an organizational revolution to accommodate the technological revolution.
Learning to Swim in a Deluge of Data
At the heart of the genomics explosion is the GeneChip. This carefully mounted piece of darkened glass, about the size of a thumbnail, can contain up to 12,000 tiny marks. Each mark represents a human gene — one amino acid at a time. When specific genes are activated in an experiment, they light up against the chip’s dark background. The genes that light up might be markers for disease. The GeneChip is a true innovation that must be used effectively throughout Roche.
For example, computer capacity must be used effectively. Each sample run on a GeneChip set generates 60 million bytes of raw data. Basic analysis on each GeneChip set adds 180 million bytes of computer storage for each set. Given that Roche ran 1,000 GeneChip experiments in both 1999 and 2000, it is not hard to believe that the storage requirements were mind-boggling. ‘‘Every six months, the IT guys would come to us and say, ‘You’ve used up all of your storage,’’’ states Jiayi Ding, a Roche scientist. In early 1999, Roche’s computer-services experts at Nutley were already concerned that ten researchers working on GeneChip experiments (out of the 300 employees at the site) were hogging 90% of the company’s total computer capacity.
Fail Fast, So You Can Succeed Sooner
One of the biggest challenges in drug research — or in any field — is to let go of ideas that are no longer promising and to move on to brighter prospects that aren’t being given enough attention. When new hire Lee Babiss arrived from archrival Glaxo to head preclinical research, he preached a simple message: Fail fast. He knew that the best hope of finding the right new drugs was to spend less time on dead-ends.
Screening was needed to sift though the massive number of drugs to find the few promising drugs that offered the greatest likelihood of success. To solve its screening bottleneck, Roche installed an ultra-high-throughput machine made by Carl Zeiss at a cost of more than $1 million. ‘‘We can test 100,000 compounds a day,’’ says Larnie Myer, the technical robotics expert who runs and maintains the screening machine. Though most of those compounds don’t work out, identifying just a few ‘‘hits’’ within several weeks of testing
Case Study 43
can speed up Roche’s overall efforts. The Zeiss machine ultimately has led to changes in the entire research process.
Change Everything — One Piece at a Time
Genomics could dramatically change things at Roche: In Palo Alto, researcher Gary Peltz built a computerized model of the mouse genome that allows him to simulate classical lab studies in a matter of minutes. In Iceland, Roche teamed up with Decode, a company which researches Icelandic genealogical records. Decode used the data it had collected to identify and locate genes that are associated with stroke and schizophrenia. In Nutley, genomic data is being used to size up a drug’s side effects before embarking on lengthy animal experiments.
Each of these initiatives runs on a different timeline. Some parts of Roche will see dramatic business changes in a year or two, while others will not see changes for much longer ‘‘This isn’t just a matter of turning on a light switch,’’ says Klaus Lindpaintner, Roche’s global head of genetics research.
Discussion Questions
1. How does the business strategy affect information systems and organizational decisions? 2. What generic strategy does Roche appear to be using based on this case? Provide a ratio-
nale for your response. 3. Apply the hypercompetition model to Roche. Which of the 7 Ss are demonstrated in this
case? 4. How do information systems support Roche’s business strategy?
Source: Excerpted from G. Anders, ‘‘Fresh Start 2002: Roche’s New Scientific Method,’’ Fast Company (January 2002), available at http://www.fastcompany.com/online/54/roche.html.
CASE STUDY 1-2
Started in the late 1990s, Google grew rapidly to become one of the leading companies in the world. Google’s mission is ’’to organize the world’s information and make it universally accessible and useful.’’ It is operating on a simple but innovative business model of attracting Internet users to its free search services and earning revenue from targeted advertising. In the winner-takes-all business of Internet search, Google has captured considerably more market share than its next highest rival, Yahoo!. This has turned Google’s Web pages into the Web’s most valuable real (virtual) estate. Through its two flagship programs, AdWords and AdSense, Google has capitalized on this leadership position to capture the lion’s share in advertisement spending. AdWords enables businesses to place ads on Google and its network of publishing partners for as low as 25 cents per thousand impressions. On the other hand, it uses AdSense to push advertisements on publishing partners’ Web sites targeting specific audience and share ad revenue with the publishing partner. This creates a win – win situation for both advertisers and publishers and developed Google into one giant sucking machine for ad revenue.
44 Chapter 1 The Information Systems Strategy Triangle
Even as a large company, Google continues to take risks and expand into new markets. It currently offers over 120 products or services. Sergey Brin and Larry Page, the founders, declared in Google’s IPO prospectus, ’’We would fund projects that have a 10 percent chance of earning a billion dollars over the long term. Do not be surprised if we place smaller bets in areas that seem very speculative or even strange. As the ratio of reward to risk increases, we will accept projects further outside our normal areas, especially when the initial investment is small.’’
Google promotes a culture of creativity and innovation in a number of ways. IT encourages innovation in all employees by allowing them to spend 20 percent of their time on a project of their own choosing. In addition, it offers benefits such as free meals, on-site gym, on-site dentist, and even washing machines at the company for busy employees.
Despite open and free work culture, a rigid and procedure-filled structure is imposed for making timely decisions and executing plans. For example, when designing new features, the team and senior managers meet in a large conference room. They use the right side of the conference room walls to digitally project new features and the left side to project any transcribed critique with a timer clock giving everyone 10 minutes to lay out ideas and finalize features. Thus, Google utilizes rigorous, data-driven procedures for evaluating new ideas in the midst of a chaotic innovation process.
Google’s vice president for search products and user experience, Marissa Mayer, outlines nine notions of innovations embedded in the organizational culture, processes, and structure of Google (from BusinessWeek article, ‘‘Champions of Innovation’’)
1. Ideas come from everywhere: Google expects everyone to innovate, even the finance team.
2. Share everything you can: Every idea, every project, every deadline — it’s all accessible to everyone on the intranet.
3. You’re brilliant, we’re hiring: Founders Larry Page and Sergey Brin approve hires. They favor intelligence over experience.
4. A license to pursue dreams: Employees get a ‘‘free’’ day a week. Half of new launches come from this ‘‘20% time.’’
5. Innovation, not instant perfection: Google launches early and often in small beta tests, before releasing new features widely.
6. Don’t politic, use data: Mayer discourages the use of ‘‘I like’’ in meetings, pushing staffers to use metrics
7. Creativity loves restraint: Give people a vision, rules about how to get there, and dead- lines.
8. Worry about usage and users, not money: Provide something simple to use and easy to love. The money will follow.
9. Don’t kill projects — morph them: There’s always a kernel of something good that can be salvaged.
Keeping up with the organizational strategy of Google, its IT department provides free and open access to IT for all employees. Rather than keeping tight control, Google allows employees to choose from several options for computer and operating systems, download software themselves, and maintain official and unofficial blog sites. Google’s intranet provides employees information about every piece of work at any part of Google. In this way employees can find and join hands with others working on similar technologies or features.
Case Study 45
In building the necessary IT infrastructure, Google’s IT department balances buying and making its own software depending on its needs and off-the-shelf availability. For example, it uses Oracle’s accounting software, whereas it built its own customer relationship management (CRM) software, which it then integrated with its ad systems. It also supports open source projects both by extensively using open source software within the organization and by paying college students to contribute to them through programs like Summer of Code. In addition, Google also develops generic applications such as GoogleApps for both internal and external use.
Given the nature of business, security of information resources is critical for Google. For instance, its master search algorithm is considered a more valuable secret formula than Coca-Cola’s. However, rather than improving IT security by stifling freedom through preventive policy controls, Google puts security in the infrastructure and focuses more on detective and corrective controls. Its network management software tools combined with 150 security engineers constantly look for viruses and spyware, as well as strange network traffic patterns associated with intrusion.
Discussion Questions
1. How is Google’s mission statement related to its business strategy? 2. How does Google’s information systems strategy support its business strategy? 3. How does Google’s organizational strategy support its business strategy? 4. Which of Porter’s three generic strategies does Google appear to be using based on this
case? Provide a rationale for your response. 5. Using D’Aveni’s Hypercompetitive Framework, analyze Google’s strategy and the type
of market disruption it has created.
Source: Excerpted from: “Champions of Innovation” by Michelle Colin, Business Week, June 19, 2006, Issue 3989, pp.18 – 26; and ‘‘Pleasing Google’s Tech-Savvy Staff’’ by Vauhini Vara, Wall Street Journal, March 18, 2008, p.B6.
!CHAPTER 2 STRATEGIC USE OF INFORMATION RESOURCES1
Zara is a Spanish manufacturer with a business model that provides them a significant strategic advantage in the highly competitive retail and apparel industry. At the heart of their model is a set of business processes and a simple, some might call outdated, information system that links demand to manufacturing and manufacturing to distribution. The strategy at Zara stores is simply to have a continuous flow of new products that are typically in limited supply. As a result, regular customers visit their stores often — on an average of 17 times a year, whereas most stores can only entice their customers inside on an average of four times a year. If customers see something they like, they buy it on the spot because they know it will probably be gone the next time they visit the store. The result is a very loyal and satisfied customer base and a wildly profitable business model.
How can this be? It is in part made possible because Zara aligns its information system strategy with its business strategy. The entire process from factory to shop floor is coordinated from Zara’s headquarters using information systems. The point-of-sale system records the information from each sale, and the information is transmitted to headquarters at the end of each business day. The Zara shop managers also report back daily to the designers at headquarters to let them know what has sold and what the customers wanted but couldn’t find. The information is used to determine which product lines and colors should be kept and which should be altered or dropped. The designers communicate directly with the production staff to plan for the incredible number of designs — more than 11,000 — that will be manufactured every year.
The shop managers have the option of ordering new designs twice a week using handheld computers. Before ordering, they can use their handheld computers to check out the new designs. Once an order is received at the manufacturing plant at headquarters, a large computer-controlled piece of equipment calculates how
1 The authors wish to acknowledge and thank W. Thomas Cannon, MBA 1999, for his help in researching and writing earlier drafts of this chapter.
46
Evolution of Information Resources 47
to position patterns to minimize scrap and cut up to 100 layers of fabric at a time. The cut fabric is then sent from Zara factories to external workshops for sewing. The completed products are sent to distribution centers, where miles of automated conveyor belts are used to sort the garments and recombine them into shipments for each store. Zara’s information technology (IT) department wrote the applications controlling the conveyors, often in collaboration with vendors of the conveyor equipment.
As the Zara example illustrates, innovative use of a firm’s information resources can provide companies with substantial advantages over competitors. This chapter uses the business strategy foundation from Chapter 1 to help general managers visualize how to use information resources for competitive advantage. This chapter briefly recounts the evolving strategic use of information resources and highlights the difference between simply using information systems (IS) and using IS strategically. Then, this chapter explores the use of information resources to support the strategic goals of an organization.
The material in this chapter will enable a general manager to understand the link between business strategy and information strategy on the Information Systems Strategy Triangle. General managers want to find answers to questions: Does using information resources provide a sustainable competitive advantage? What tools are available to help shape their strategic use? What are the risks of using information resources to gain strategic advantage?
! EVOLUTION OF INFORMATION RESOURCES
The Eras model shows how organizations have used IS over the past decades. Figure 2.1 summarizes this view and provides a road map for a general manager to use in thinking strategically about the current use of information resources within the firm.
IS strategy from the 1960s to the 1990s was driven by internal organizational needs. First came the need to lower existing transaction costs. Next was the need to provide support for managers by collecting and distributing information. An additional need was to redesign business processes. As competitors built similar systems, organizations lost any advantages they held from their IS, and competition within a given industry once again was driven by forces that existed prior to the new technology.
As each era begins, organizations adopt a strategic role for IS to address not only the firm’s internal circumstances but its external circumstances as well. Thus, in the ubiquitous era, companies seek those applications that again provide them with an advantage over competition. They also seek applications that keep them from being outgunned by start-ups with innovative business models or traditional companies entering new markets. For example, a plethora of ‘‘dot-coms’’ challenged all industries and traditional businesses by entering the marketplace armed with Internet-based innovative systems.
48 Chapter 2 Strategic Use of Information Resources
Era I 1960s Era II 1970s Era III 1980s Era IV 1990s Era V 2000 +
Primary role of IT
Efficiency Effectiveness Strategic Strategic Value creation
Automate existing paper-based processes
Solve problems and create opportunities
Increase individual and group effectiveness
Transform industry/ organization
Create collaborative partnerships
Justify IT expenditures
ROI Increasing productivity and better decision quality
Competitive position
Competitive position
Adding value
Target of systems
Organization Organization/ group
Individual manager/ group
Business processes ecosystem
Customer/ supplier ecosystem
Information models
Application specific
Data-driven User-driven Business- driven
Knowledge- driven
Dominate technology
Mainframe, ‘‘centralized intelligence’’
Minicomputer, mostly ‘‘centra- lized intelligence’’
Microcomputer, ‘‘decentralized intelligence’’
Client Server, ‘‘distributed intelligence’’
Internet, global ‘‘ubiquitous intelligence’’
Basis of value Scarcity Scarcity Scarcity Plentitude Plentitude
Underlying economics
Economics of information bundled with economics of things
Economics of information bundled with economics of things
Economics of information bundled with economics of things
Economics of information separated from economics of things
Economics of information separated from economics of things
FIGURE 2.1 Eras of information usage in organizations.
The Information System Strategy Triangle introduced in Chapter 1 reflects the link between IS strategy and organizational strategy and the internal requirements of the firm. The link between IS strategy and business strategy reflects the firm’s external requirements. Maximizing the effectiveness of the firm’s business strategy requires that the general manager be able both to identify and use information resources. This chapter looks at how information resources can be used strategically by general managers.
! INFORMATION RESOURCES AS STRATEGIC TOOLS
Crafting a strategic advantage requires the general manager to cleverly combine all the firm’s resources, including financial, production, human, and information resources, and to consider external resources such as the Internet and opportunities in the global arena. Information resources are more than just the infrastructure. This generic term, information resources, is defined as the available data, technology, people, and processes within an organization to be used by the manager to perform business processes and tasks. Information resources can
Information Resources as Strategic Tools 49
either be assets or capabilities. An IT asset is anything, tangible or intangible, that can be used by a firm in its processes for creating, producing, and/or offering its products (goods or services). An information technology (IT) capability is something that is learned or developed over time for the firm to create, produce, or offer its products. An IT capability makes it possible for a firm to use its IT assets effectively.2
An IS infrastructure (a concept that is discussed in detail in Chapter 6) is an IT asset. It includes each of an information resource’s constituent components (i.e., data, technology, people, and processes). The infrastructure provides the foundation for the delivery of a firm’s products or services. Another IT asset is an information repository, which is logically related data that is captured, organized, and retrievable by the firm.
In the ever-expanding Web 2.0 space, the view of IT assets is broadening to include potential resources that are available to the firm, but that are not necessarily owned by the firm. These additional information resources are often available as a service, rather than as a system to be procured and implemented internally. For example, a Web-based software such as SalesForce.com offers managers the opportunity to find new ways to manage their customer information with an externally based IT resource. Social networking systems such as Facebook or Linked-In offer managers the opportunity to find expertise or an entire network of individuals ready to participate in the innovation processes of the corporate using relatively little capital or expense.
The three major categories of IT capabilities are technical skills, IT man- agement skills, and relationship skills. Technical skills are applied to designing, developing, and implementing information systems. IT management skills are critical for managing the IT function and IT projects. They include an under- standing of business processes and the ability to oversee the development and maintenance of systems to support these processes effectively. Relationship skills can either be externally focused or spanning across departments. An externally focused relationship skill includes the ability to respond to the firm’s market and to work with customers and suppliers. The relationship between a firm’s IS managers and its business managers is a spanning relationship skill. Even though it focuses on relationships in the firm, it requires spanning beyond the IT department. Relationship skills develop over time and require mutual respect and trust. They, like the other information resources, can create a unique advantage for a firm. Figure 2.2 summarizes the different types of information resources and provides examples of each.
Committing and developing information resources require substantial financial resources. Therefore, a general manager evaluating an information resource might
2 G. Piccoli and B. Ives, ‘‘IT-Dependent Strategic Initiatives and Sustained Competitive Advantage: A Review and Synthesis of the Literature,’’ MIS Quarterly 29, no. 4 (2005), 747 – 776.
50 Chapter 2 Strategic Use of Information Resources
Type of Informa- tion Resource
Definition Example
IT ASSET Anything that can be used by a firm in its processes for creating, producing, and/or offering its products (goods or services)
IS infrastructure Base foundation of the IT portfolio shared through the firm3
Hardware, software, network, data components, proprietary technol- ogy, Web-based services
Information repository
Data that is logically related and organized in a struc- tured form accessible and usable for decision making purposes.
Critical information about cus- tomers that can be used to gain strategic advantage. Much of this information is increasingly avail- able on the Web.
IT CAPABILITY Something that is learned or developed over time and used by the firm to create, produce, or offer its products using IT assets
Technical skill Ability applied to designing, developing, and implement- ing information systems
Proficiency in systems analysis and design; programming skills
IT management skills
Ability to manage IT func- tion and IT projects
Being knowledgeable about busi- ness processes and managing systems to support them; evaluat- ing technology options; envisioning creative IS solutions to business problems
Relationship skills
Ability of IS specialists to work with parties outside the IS department.
Spanning: having a good relation- ship between IT and business managers. Externally focused: have a good relationship with an outsourcing vendor
FIGURE 2.2 Information resources.4
consider the following questions to better understand the type of advantage the information resource can create:5
• What makes the information resource valuable? In Eras I through III, the value of information was tied to the physical delivery mechanisms. In these eras, value was derived from scarcity reflected in the cost to produce the information. Information, like diamonds, gold, and MBA degrees,
3 Adapted from M. Broadbent, P. Weill, and D. St. Clair, ‘‘The Implications of Information Technology Infrastructure for Business Process Redesign,’’ MIS Quarterly 23, no. 2 (1999), 163. 4 Adapted from Piccoli and Ives, ‘‘IT-Dependent Strategic Initiatives,’’ 755. 5 Adapted from David J. Collis and Cynthia A. Montgomery, ‘‘Competing on Resources: Strategy in the 1990s,’’ Harvard Business Review (July – August 1995), reprint no. 95403.
Information Resources as Strategic Tools 51
was more valuable because it was found in limited quantities. However, the networked economy prevalent in Era IV drives a new model of value — value from plenitude. Network effects offer a reason for value derived from plenitude. The value of a network node to a person or organization in the network increases when others join the network. For example, an e-mail account has no value without another e-mail account that could receive the e-mail. As e-mail accounts become relatively ubiquitous, the value of having an e-mail account increases as its potential for use increases. Further, copying additional people on an e-mail is done a very low cost (virtually zero) highlighting that as the cost of producing an additional copy of an information product becomes trivial, the value of the network that invents, manufactures, and distributes it increases.6 Therefore, rather than using the extremely low production costs to guide the determination of price, information products or services must be priced to reflect their value to the buyer. Different organizational buyers have different information needs depending on their competitive position within an industry.
• Who appropriates the value created by the information resource? The value chain model can help determine where a resource’s value lies and how the appropriation can be improved in a firm’s favor. The resource-based view describes the attributes of information resources that make it possible for them to create and sustain competitive advantage.
• Is the information resource equally distributed across firms? At the beginning of the life cycle of a new technology, early adopters may experience a competitive advantage from using an information resource. For example, a manager who has mastered the value from internal wikis may find uses for them that give his or her firm a momentary advantage. However in the longer term, a general manager is unlikely to possess a resource that is completely unique. But the experience gained when using the information resource may cause inequities between firms. By surveying the firms within an industry, he or she may establish that the value received by a resource is distributed unequally. The value of a resource that is unequally distributed tends to be higher because it can create strategic advantage. The value of information mushrooms under conditions of information asymmetries. The possessor of information may use it against, or sell it to, companies or individuals who are not otherwise able to access the information.
• Is the information resource highly mobile? A reliance on the individual skills of IT professionals exposes a firm to the risk that key individuals will leave the firm, taking the resource with them. Developing unique
6 Kevin Kelly, ‘‘New Rules for the New Economy,’’ Wired (September 1997), http://www.wired.com/wired/5.09/newrules pr.html.
52 Chapter 2 Strategic Use of Information Resources
knowledge-sharing processes and creating an organizational memory can help reduce the impact of the loss of a mobile employee. Recording the lessons learned from all team members after the completion of each project is one attempt at lowering this risk.
• How quickly does the information resource become obsolete? ‘‘Things’’ wear out, whereas information does not. However, information can become obsolete, untrue, or even unfashionable. Like most other assets, information resources lose value over time. A general manager should understand the rate of this decline of value, as well as what factors may speed or slow it. For example, consider a database of customer infor- mation. How long, on average, is the current address of each customer valid? What events in the customers’ lives might change their purchasing pattern and reduce the forecasting capability of the current information?
Information resources exist in a company alongside other resources. The general manager is responsible for organizing all resources so that business goals are met. Understanding the nature of the resources at hand is a prerequisite to using them effectively. By aligning the organization’s IS strategy with its business strategy, the general manager maximizes its profit potential. Meanwhile, the firm’s competitors are working to do the same. In this competitive environment, how should the information resources be organized and applied to enable the organization to compete most effectively?
! HOW CAN INFORMATION RESOURCES BE USED STRATEGICALLY?
The general manager confronts many elements that influence the competitive environment of his or her enterprise. Overlooking a single element can bring about disastrous results for the firm. This slim tolerance for error requires the manager to take multiple views of the strategic landscape. We discuss three such views that can help a general manager align IS strategy with business strategy. The first view uses the five competitive forces model by Michael Porter to look at the major influences on a firm’s competitive environment. Information resources should be directed strategically to alter the competitive forces to benefit the firm’s position in the industry. The second view uses Porter’s value chain model to assess the internal operations of the organization and partners in its supply chain. Information resources should be directed at altering the value-creating or value-supporting activities of the firm. This chapter explores this view further to consider the value chain of an entire industry to identify opportunities for the organization to gain competitive advantage. The third view specifically focuses on the types of IS resources needed to gain and sustain competitive advantage. These three views provide a general manager with varied perspectives from which to identify strategic opportunities to apply the firm’s information resources.
How Can Information Resources Be Used Strategically? 53
Using Information Resources to Influence Competitive Forces Porter provides the general manager with a classic view of the major forces that shape the competitive environment of a firm. These five competitive forces are shown in Figure 2.3, along with some examples of how information resources can be applied to influence each force. This view reminds the general manager that competitive forces result from more than just the actions of direct competitors. Each force now will be explored in detail from an IS perspective.
Potential Threat of New Entrants Existing firms within an industry often try to reduce the threat of new entrants to the marketplace by erecting barriers to entry. Barriers to entry help the firm create a stronghold by offering products or services that are difficult to displace in the eyes of customers based on apparently unique features. Such barriers include controlled access to limited distribution channels, public image of a firm, and government regulations of an industry. Information resources also can be used to build barriers that discourage competitors from entering the industry. For example, Massachusetts Mutual Life Insurance Company created an IS infrastructure that connects the local sales agent with comprehensive information about products and
Bargaining power of suppliers
3 Bargaining power
of buyers
2
Strategic use • Cost-effectiveness • Market access • Differentiation of product or service
Strategic use • Switching costs • Access to distribution channels • Economies of scale
Strategic use • Selection of supplier • Threat of backward integration
Strategic use • Buyer selection • Switching costs • Differentiation
Strategic use • Redefine products and services • Improve price/performance
Potential threat of new entrants
1
Threat of substitute products
4
Industry competitors
5
FIGURE 2.3 Five competitive forces with potential strategic use of information resources. Source: Adapted from Michael Porter, Competitive Strategy (New York: The Free Press, 1998); and Lynda M. Applegate, F. Warren McFarlan, and James L. McKenney, Corporate Information Systems Management: The Issues Facing Senior Executives, 4th ed. (Homewood, IL: Richard D. Irwin, 1996).
54 Chapter 2 Strategic Use of Information Resources
customers. An insurance company entering the marketplace would have to spend millions of dollars to build the telecommunications and IS required to provide its sales force with the same competitive advantage. Therefore, the system at Mass Mutual may be a barrier to entry for new companies.
Bargaining Power of Buyers
Customers often have substantial power to affect the competitive environment. This power can take the form of easy consumer access to several retail outlets to purchase the same product or the opportunity to purchase in large volumes at superstores like Wal-Mart. Information resources can be used to build switching costs that make it less attractive for customers to purchase from competitors. Switching costs can be any aspect of a buyer’s purchasing decision that decreases the likelihood of ‘‘switching’’ his or her purchase to a competitor. Such an approach requires a deep understanding of how a customer obtains the product or service. For example, Amazon.com’s One Click encourages return purchases by making buying easier. Amazon.com stores buyer information, including contact information and credit card numbers, so that it can be accessed with one click, saving consumers the effort of data reentry. Similarly, Apple’s iTunes simple-to-use interface and proprietary software on the iPod make it difficult for customers to use other formats and technologies than the iPod.
Another good example of the power of buyers can be found at Facebook. On November 6, 2007, Facebook announced an exciting new service, Beacon. Press releases from Facebook shouted that ‘‘users gain ability to share their actions from 44 participating sites with their friends on Facebook.’’ The concept was called ‘‘Social Distribution’’ and gave Facebook information from the participating sites that would be posted on the Facebook customer’s page. Customers erupted in protest, and one month later, on December 6, CEO Mark Zuckerberg, personally issued an apology for the way Facebook handled the new feature. ‘‘We simply did a bad job with this release, and I apologize for it. While I’m disappointed with our mistakes, we appreciate all the feedback we have received from our users. I’d like to discuss what we have learned and how we have improved Beacon.’’ Zuckerberg continued by sharing why they built Beacon in the first place (to let people share with their friends a lot of information across sites) and why it was designed the way it was (to be as easy to use as possible and so users ‘‘didn’t have to touch it to make it work.’’). But the blogosphere quickly lit up with issues of privacy, control, and security as well as general dislike of the strategy, forcing the company to respond.
Bargaining Power of Suppliers
Suppliers’ bargaining power can reduce a firm’s profitability. This force is strongest when a firm has few suppliers from which to choose, the quality of supplier inputs is crucial to the finished product, or the volume of purchases is insignificant to the supplier. For example, steel firms lost some of their power over the automobile industry because car manufacturers developed technologically advanced quality control systems. Manufacturers can now reject steel from suppliers when it does not
How Can Information Resources Be Used Strategically? 55
meet the required quality levels. Through the Internet, firms continue to provide information for free as they attempt to increase their share of visitors to their Web sites. This decision reduces the power of information suppliers and necessitates finding new ways for content providers to develop and distribute information. Many Internet firms are integrating backward within the industry by creating their own information supply and reselling it to other Internet sites. Well-funded firms simply acquire these content providers, which is often quicker than building the capability from scratch. One example is eBay’s acquisition of PayPal, the system used to transact payment for goods and services all over the Web.
Threat of Substitute Products
The potential of a substitute product in the marketplace depends on the buyers’ willingness to substitute, the relative price-to-performance of the substitute, and the level of switching costs a buyer faces. Information resources can create advantages by reducing the threat of substitution. For example, Internet auction site eBay used innovative IT to create a set of services for their small businesses, a major source of revenue for the online auctioneer. At a time when customers were beginning to complain, sellers were wondering about the fees, and competition was trying to lure them both away, eBay brought out ProStores, a service to help all sellers build their own Web site. eBay managers noticed that many sellers did not have any Web presence other than eBay, and the move was another way to lock in these customers to the eBay environment. ‘‘The more those sellers are locked into an eBay environment, the less likely they will work with rivals,’’ according to one Web site.7 It seemed to work. One seller, a Tennessee-based, wholesale distributor of ball bearings and chains, reportedly doubled its eBay sales four months after its ProStores site was launched.8 For competitors to be successful, they needed to offer not just a substitute, but also a better service to these sellers. So far none has.
Substitutes that cause a threat are not just products offered from the initial company or products that are similar but offered by a competitor. The threat often comes from potentially new innovations that make the previous product obsolete. Consider how digital cameras have made film (and the cameras that use them) obsolete. CDs and more recently digitally based MP3 files have made vinyl records (and the record players that use them) obsolete. Free Web-based applications are a threat to software vendors who charge for their products and who do not have Web-based delivery. Managers must watch for potential substitutes from many different sources to fully manage this competitive threat.
Industry Competitors
Rivalry among the firms competing within an industry is high when it is expensive for a firm to leave the industry, the growth rate of the industry is declining, or
7 Evan Shumann, StorefrontBacktalk.com, http://www.storefrontbacktalk.com/story/062605ebay.php 8 Gwen Moran, ‘‘ The Pros of Opening an eBay ProStore,’’ www.entrepreneur.com, March 24, 2006.
56 Chapter 2 Strategic Use of Information Resources
products have lost differentiation. Under these circumstances, the firm must focus on the competitive actions of a rival to protect market share. Intense rivalry in an industry ensures that competitors respond quickly to any strategic actions. The banking industry illustrates this point. When a large Philadelphia-based bank developed an ATM network, several smaller competitors joined forces and shared information resources to create a competing network. The large bank was unable to create a significant advantage from its system and had to carry the full costs of developing the network by itself. Information resources were committed quickly to achieve neutralizing results due to the high level of rivalry that existed between the local bank competitors in Philadelphia.
As firms within an industry begin to implement standard business processes and technologies — often using enterprisewide systems such as those of SAP and Oracle — the industry becomes more attractive to consolidation through acquisi- tion. Standardizing IS lowers the coordination costs of merging two enterprises and can result in a less-competitive environment in the industry.
One way competitors differentiate themselves with an otherwise undifferen- tiated product is through creative use of IS. Information provides advantages in such competition when added to an existing product. For example, FedEx adds information to its delivery service helping it differentiate its offerings from those of other delivery services. FedEx customers are able to track their packages, know exactly where their package is in transit, see who signed for the package, and know exactly when it was delivered. Competitors offer some of the same information, but FedEx was able to take an early lead by using information to differentiate their services. Figure 2.4 summarizes these five forces working simultaneously at the retailer and manufacturer Zara.
General managers can use the five competitive forces model to identify the key forces currently affecting competition, to recognize uses of information resources to influence forces, and to consider likely changes in these forces over time. The changing forces drive both the business strategy and IS strategy, and this model provides a way to think about how information resources can create competitive advantage for a business unit and, even more broadly, for the firm. They also can reshape a whole industry — compelling general managers to take actions to help their firm gain or sustain competitive advantage. Consider an example of a large grocery retailer. Because of many factors, including the number of items on the shelves of the store, the complexity of managing customers, and the logistics necessary to keep inventory moving and reordered as necessary, these retailers are no longer are able to compete without information systems. The basis of competition has changed in part because of the innovative use of information systems by industry leaders. Keeping track of inventory is a given, but large chains must also intimately know their customers and find new ways to provide innovative services to keep their loyalties. The entire industry has changed from one of locally providing groceries to one of managing information about every aspect of their business. The alternative perspective presented in the next section provides the general manager with an opportunity to select the proper mix of
How Can Information Resources Be Used Strategically? 57
Competitive Force IT Influence on Competitive Force
Threat of New Entrant
Zara’s IT supports its tightly knit group of designers, market specialists, production managers, and production planners. New entrants are unlikely to provide IT to support relationships that have been built over time. Further, it has a rich information repository about customers that would be hard to replicate.
Bargaining Power of Buyers
With its constant infusion of new products, buyers are drawn to Zara stores. Zara boasts more than 11,000 new designs a year, whereas competitors typically offer only 2,000 – 4,000. Fur- ther, because of the low inventory that the Zara stores stock, the regular customers buy products they like when they see them because they are likely to be gone the next time they visit the store. More recently Zara has employed laser technology to measure 10,000 women volunteers so that it can add the mea- surements of ‘‘real’’ customers into its information repositories. This means that the new products will be more likely to fit Zara customers.
Bargaining Power of Suppliers
Its computer-controlled cutting machine cuts up to 1000 layers at a time. It then sends the cut materials to suppliers who sew the pieces together. The suppliers’ work is relatively simple, and many suppliers can do the sewing. Thus, the pool of suppliers is expanded, and Zara has greater flexibility in choosing the sewing companies. Further, because Zara dyes 50% of the fabric in its plant, it is less dependent on suppliers and can respond more quickly to midseason changes in customer color preferences.
Industry Competitors Industry competitors long marketed the desire of durable, classic lines. Zara focuses on meeting customer preferences for trendy, low-cost fashion. It has the highest sales per square foot of any of its competitors. It does so with virtually no advertising and only 10% of stock is unsold. It keeps its inventory levels very low and offers new products at an amazing pace for the industry (i.e., 15 days from idea to shelves). Zara has extremely efficient manufacturing and distribution operations.
Threat of Substitute Products
IT helps Zara offer extremely fashionable lines that are only expected to last for approximately 10 wears. IT enables Zara to offer trendy, appealing apparel at hard-to-beat prices, making substitutes difficult.
FIGURE 2.4 Application of five competitive forces model for zara.
information resources and to apply them to achieve strategic advantage by altering key activities.
Using Information Resources to Alter the Value Chain The value chain model addresses the activities that create, deliver, and support a company’s product or service. Porter divided these activities into two broad
58 Chapter 2 Strategic Use of Information Resources
Organization
Human Resources
Technology
Purchasing
Inbound Logistics
Outbound Logistics
Operations Marketing and Sales
Service
Materials handling Delivery
Manufacturing Assembly
Order processing Shipping
Product Pricing Promotion Place
Customer service Repair
P ri
m ar
y ac
tiv iti
es S
up po
rt a
ct iv
iti es
FIGURE 2.5 Value chain of the firm. Source: Adapted from Michael Porter and Victor Millar, ‘‘How Information Gives You Competitive Advantage,’’ Harvard Business Review (July – August 1985), reprint no. 85415.
categories, as shown in Figure 2.5: support and primary activities. Primary activities relate directly to the value created in a product or service, whereas support activities make it possible for the primary activities to exist and remain coordinated. Each activity may affect how other activities are performed, suggesting that information resources should not be applied in isolation. For example, more efficient IS for repairing a product may increase the possible number of repairs per week, but the customer does not receive any value unless his or her product is repaired, which requires that the spare parts be available. Changing the rate of repair also affects the rate of spare parts ordering. If information resources are focused too narrowly on a specific activity, then the expected value increase may not be realized, as other parts of the chain are not adjusted.
The value chain framework suggests that competition stems from two sources: lowering the cost to perform activities and adding value to a product or service so that buyers will pay more. To achieve true competitive advantage, a firm requires accurate information on elements outside itself. Lowering activity costs only achieves an advantage if the firm possesses information about its competitors’ cost structures. Even though reducing isolated costs can improve profits temporarily, it does not provide a clear competitive advantage unless a firm can lower its costs below a competitor’s. Doing so enables the firm to lower its prices as a way to grow its market share.
Adding value can be used to gain strategic advantage only if a firm possesses accurate information regarding its customer. Which product attributes are valued, and where can improvements be made? Improving customer service when its products fail was a goal behind Otis Elevator’s Otisline system. The customer’s service call is automatically routed to the field technician with the skill and knowledge to complete the repair. Otis Elevator knows that customers value a fast response to minimize the downtime of the elevator. This goal is achieved by using information resources to move the necessary information between activities.
How Can Information Resources Be Used Strategically? 59
When customers call for service, their requests are automatically and accurately entered and stored in the customer service database and communicated to the technician linked to that account. This technician is then contacted immediately over the wireless handheld computer network and told of the problem. That way the service technician can make sure he or she has both the parts and knowledge to make repairs. This approach provides Otis with an advantage because the response is fast, and the technician arrives at the job properly prepared to fix the problem.
Although the value chain framework emphasizes the activities of the individual firm, it can be extended, as in Figure 2.6, to include the firm in a larger value system. This value system is a collection of firm value chains connected through a business relationship and through technology. From this perspective, a variety of strategic opportunities exist to use information resources to gain a competitive advantage. Understanding how information is used within each value chain of the system can lead to new opportunities to change the information component of value-added activities. It can also lead to shakeouts within the industry, as the firms that fail to provide value are forced out and as new business models are adopted by the surviving firms.
Opportunity also exists in the transfer of information across value chains. Amazon.com began by selling books directly to customers over the Internet and bypassing the traditional industry channels. Customers who valued the time saved by shopping from home rather than driving to physical retail outlets flocked to Amazon.com’s Web site to buy books. Industry competitors Barnes and Noble and Borders Books were forced to develop their own Web sites, thus driving up
Supplier’s value
chains
Firm’s value chain
Channel’s value
chains
Buyer’s value
chains
FIGURE 2.6 The value system: interconnecting relationships between organizations.
60 Chapter 2 Strategic Use of Information Resources
their cost of doing business. The new paradigm for Barnes and Noble and Borders means rethinking how their value chain works with the value offered to their customers through their traditional business.
CRM is a natural extension of applying the value chain model to customers. Customer relationship management (CRM) includes management activities performed to obtain, enhance relationships with, and retain customers. CRM is a coordinated set of activities designed to learn more about customers’ needs and behaviors to develop stronger relationships with them and to enhance their value chains. CRM consists of technological components, as well as a process that brings together many pieces of information about customers, sales, marketing effectiveness, responsiveness, and market trends. CRM can lead to better customer service, more efficient call centers, product cross-selling, simplified sales and marketing efforts, more efficient sales transactions, and increased customer revenues. In Chapter 1 we described the Ritz-Carlton’s CRM, Class, which captures information about guest preferences and enables providing enhanced customized service during future visits.
In an application of the value chain model to the Zara example discussed earlier in the chapter, Figure 2.7 describes the value added to primary and support activities provided by information systems at Zara. The focus in Figure 2.7 is on value added to Zara’s processes, but suppliers and customers in its supply chain also realize the value added by information systems. Most notably, the customer is better served as a result of the information systems. For example, the stores place orders twice a week over personal digital assistants (PDAs). Each night, managers use their PDAs to learn about newly available garments. The orders are received and promptly processed and delivered. In this way Zara can be very timely in responding to customer preferences.
Supply Chain Management Supply chain management (SCM) is an approach that improves the way a company finds raw components it needs to make a product or service, manufac- tures that product or service, and delivers it to customers. Technology, especially Web-based technology, allows the supply chains of a company’s customers and suppliers to be linked through a single network that optimizes costs and oppor- tunities for all companies in the supply chain. By sharing information across the network, guesswork about order quantities for raw materials and products can be reduced, and suppliers can make sure they have enough on hand if demand for their products unexpectedly rises.
Sharing information across firms requires collaboration and, increasingly, the IT to support its seamless processing across firm boundaries. If a firm wants to limit its collaboration with its trading partners, it can use technologies such as electronic marketplaces where only minimal information such as product characteristics, delivery addresses, and billing addresses need to be exchanged over the Internet. However, when firms start sharing information about production schedules, valued customers, or how complex systems work, a much higher level of collaboration
How Can Information Resources Be Used Strategically? 61
Activity Zara’s Value Chain PRIMARY ACTIVITIES
Inbound Logistics IT-enabled Just-in-Time (JIT) strategy results in inventory being received when needed. Most dyes are purchased from its own subsidiaries to better support JIT strategy and reduce costs.
Operations Information systems support decisions about the fabric, cut, and price points. Cloth is ironed and products are packed on hangers so they don’t need ironing when they arrive at stores. Price tags are already on the products. Zara produces 60% of its merchandise in-house. Fabric is cut and dyed by robots in 23 highly automated Spanish factories.
Outbound Logistics Clothes move on miles of automated conveyor belts at distribu- tion centers and reach stores within 48 hours.
Marketing and Sales Limited inventory allows low percentage of unsold inventory (10%); POS at stores linked to headquarters to track how items are selling; customers ask for what they want, and this informa- tion is transmitted daily from stores to designers over handheld computers.
Service No focus on service on products SUPPORT ACTIVITIES
Organization IT supports tightly knit collaboration among designers, store managers, market specialists, production managers, and produc- tion planners.
Human Resources Managers are trained to monitor what’s selling and report data to designers ever day. The manager is key to making customers feel listened to, and to communicating with headquarters to keep each store and the entire Zara clothing line at the cutting edge of fashion.
Technology Technology is integrated to support all primary activities. Zara’s IT staff works with vendors to develop automated conveyor to support distribution activities.
Purchasing Vertical integration reduces amount of purchasing needed.
FIGURE 2.7 Application of value chain model to Zara.
(and trust) is needed. Such collaboration is often made possible by reengineering operations to mirror or complement each other and working extensively to make one company’s computer system talk with the other’s.
Collaboration paid off for supply-chain partners Wal-Mart and Procter & Gamble (P&G). Until these two giants linked their software systems in the 1980s, they shared little information. Now their integrated systems automatically alert P&G to ship more P&G products when Wal-Mart’s distribution centers run low.
62 Chapter 2 Strategic Use of Information Resources
The SCM system also allows P&G to monitor shelves at individual Wal-Mart stores through real-time satellite linkups that send messages to the factory whenever a P&G item is scanned at the register. This real-time information aids P&G in manufacturing, shipping, and displaying products for Wal-Mart. Invoicing and payments are automatically processed. Because of high volumes and operating efficiencies derived from the SCM software, P&G can offer discounted prices to help Wal-Mart offer its ‘‘low, everyday prices.’’
In some cases the collaboration does not pay off equally for all parties in the supply chain. Although Wal-Mart realized operational efficiencies from its use of radio frequency identification (RFID) technology, it will not realize the greatest benefits until all its distribution centers install the technology. Nonetheless, Wal-Mart switched course and decided to first complete the installations of RFID technology in its stores so that it can better collaborate with suppliers that need to monitor the flow of inventory and respond to problems or spikes in demand. Further, it subsidized its smaller suppliers by offering an RFID solution for less than $5,000. Because of economies of scale, Wal-Mart reaped far more benefit from RFID technology than many of its smaller suppliers. Thus, Wal-Mart made it enticing for its more hesitant supply chain partners to adopt RFID by offering them information from its stores or subsidizing their purchase of the technology.9
Unlike the five competitive forces model, the focus of the value chain is on activities. Yet, in applying the value chain, competitive forces may be affected to the extent that the proposed technology may add value to suppliers, customers, or even competitors and potential new entrants.
Using the Resource-Based View to Attain and Sustain Competitive Advantage The resource-based view10 is useful in determining whether a firm’s strategy has created value. Unlike Porter’ competitive forces framework, this view maintains that competitive advantage comes from the information and other resources of the firm. On the other hand, Porter’s competitive forces framework argues that aspects of the firm’s industry create sources of competitive advantage. Like the value chain model, the resource-based view concentrates on what adds value to the firm. However, whereas the value chain model focuses on a firm’s activities, the resource-based view focuses on the resources that it can manage.
9 Marc L. Songini, Wal-Mart Shifts RFID plans (2007, February 26), Computer World: http://www.computerworld.com/action/article.do?command = viewArticleBasic&articleId = 284115 (accessed April 28, 2008). 10 The resource-based view was originally proposed by management researchers, most prominently Jay Barney, ‘‘Firm Resources and Sustained Competitive Advantage,’’ Journal of Management 17, no. 1 (1991), 99 – 120; and J. Barney, ‘‘Is the Resource-Based ‘View’ a Useful Perspective for Strategic Management Research? Yes,’’ Academy of Management Review 26, no. 1 (2001), 41 – 56. M. Wade and J. Hulland, ‘‘Review: The Resource-Based View and Information Systems Research: Review, Extension and Suggestions for Future Research,’’ MIS Quarterly 28, no. 1 (2004), 107 – 142) reviewed its application in the MIS literature and derived a framework to better understand its application to IS resources.
How Can Information Resources Be Used Strategically? 63
The RBV has been applied in the area of IS to help identify two subsets of information resources: those that enable a firm to attain competitive advantage and those that enable a firm to sustain the advantage over the long term. In the first subset are both valuable and rare resources that firms must leverage to establish a superior resource position. A resource is considered valuable when it enables the firm to become more efficient or effective. It is rare when other firms do not possess it. For example, many banks today would not think of doing business without ATMs. ATMs are very valuable to the banks in terms of their operations. A bank’s customers expect it to provide ATMs in many convenient locations. However, because many other banks also have ATMs, they are not a rare resource, and they do not offer a strategic advantage. Many systems in Eras I and II, and especially Era III, were justified on their ability to provide a rare and valuable resource.
But as many firms moved into subsequent eras, they as quickly learned that gaining a competitive advantage does not automatically mean that you can sustain it over the long term. The only way to do that is to continue to innovate or to protect against resource imitation, substitution, or transfer. For example, Wal-Mart’s complex logistics management is deeply embedded in both its own and its supplier’s operations that imitations by other firms is unlikely. It was not easy for eBay customers to find a substitute for ProStores, discussed earlier in this chapter. UPS was able to build a competing information system to the one FedEx uses, but by the time it was up and running, FedEx has innovated far beyond and continued to enjoy advantages. Finally, to sustain competitive advantage, resources must be difficult to transfer, or relatively immobile. Some resources such as computer hardware and software can be easily bought and sold. However, technical knowledge, especially that relates to the firm’s operation, a gung-ho company culture, and managerial experience in the firm’s environment is less easy to obtain and, hence, considered harder to transfer to other firms.
From the IS perspective,11 some types of resources are better than others for creating attributes that enable a firm to attain and sustain competitive value (i.e., value, rarity, low substitutability, low mobility, low imitability). For example, externally focused relationship skills can build advantages. Consider the ability to work with buyers and suppliers, the ability to read the market, the ability of IS to manage partnerships with the business units (spanning relationship management), and the ability to plan and work with the business units in undertaking change (IT management skills). These relationship resources that span departmental and organizational boundaries tend to have more initial and enduring impact on the firm than resources focused only within IT departments, such as IT infrastructure or technical skills. This is due, in part, because it takes time to develop the trust and respect underlying the relationship.
Some IT management skills are general enough in nature to make them easier to transfer and imitate relationship skills. Although it clearly is important for IS executives to manage internally oriented resources such as IS infrastructure,
11 Ibid.
64 Chapter 2 Strategic Use of Information Resources
systems development, and running cost-effective IS operations, these skills can be acquired in many different forums. They are basic IT management skills possessed by virtually all good IS managers. Other skills, however, are unique to a firm and require considerable time and resources to develop. For example, it takes time to learn how the firm operates and to understand critical processes and socially complex working relationships. However, the message posed by the resource-based view is that IS executives must look beyond their own IT shop and concentrate on cultivating resources that help the firm understand changing business environments and allow them to work well with all their external stakeholders.
Even when considering internally oriented information resources, there are differences in the extent to which they add value. Many argue that IS personnel are willing to move, especially when offered higher salaries by firms needing these skills. Yet, some technical skills, such as knowledge of a firm’s use of technology to support business processes and technology integration skills are not easily moved to another firm. Further, hardware and many software applications can be purchased or out- sourced, making them highly imitable and transferrable, and not very rare over time. Because it is unlikely that two firms will have exactly the same strategic alternatives, resources at one firm have only moderate substitutability in the other firm.
It is harder to rate the value attributes of an information repository. Some information repositories are filled with internally oriented information designed to improve the firm’s efficiency. Consistent with our earlier arguments, these repos- itories are of less value than those that tap the external environment and contain significant knowledge about the industry, the competitors, and the customers. Although most firms have these types of information repositories, not all firms use them effectively. They tend to be unique to the firm and thus less imitable, substitutable, or transferrable.
Figure 2.8 indicates the extent to which the attributes of each information resource may add value to Zara. Zara’s advantage does not come from the specific hardware or software technologies they use. Management spends five to ten times less than its rivals on technology. It uses relatively old POS equipment to communicate over modems each night to headquarters. The handheld computers, automated conveyors, and large computer-controlled equipment to cut patterns are used skillfully by Zara, but they could eventually be purchased by or imitated by competitors. If the contractual arrangements exclude the option of selling to competitors, then this makes the externally focused skill more difficult to transfer, but not impossible. Hence, IT infrastructure in terms of value creation (i.e., value and rarity) has a moderate rating. It is easy to imitate and transfer and only moderately difficult to substitute, considering the automated conveyors; hence Zara’s infrastructure would not be a particular good resource for maintaining strategic value. The technical skills, although not exceptionally valuable or rare, may offer some sustainable value because they are used to integrate across Zara’s range of systems and would thus not be overly easy to imitate, substitute, or transfer.
In contrast, Zara has created considerable value from its information repository with customers’ preferences and body types, and from its IT management skills
How Can Information Resources Be Used Strategically? 65
VALUE CREATION VALUE SUSTAINABILITY
Value Rarity Imitation Substitution Transfer INFORMATION ASSET
IT Infrastructure M M H M H
Information Repository
H M M L M
INFORMATION CAPABILITY
Technical Skills M L M M M
IT Manage- ment Skills
H H L L M
RELATIONSHIP SKILLS
Externally Focused H M L M L-M
Spanning H H L L L
FIGURE 2.8 Information resources at Zara, by attribute. Source: Adapted from M. Wade and J. Hulland, ‘‘The Resource-Based View and Information Systems Research: Review, Extension and Suggestions for Future Research,’’ MIS Quarterly 28, no. 1 (2004), 107 – 142.
and spanning relationships skills. Not only do Zara store managers communicate daily with designers about customer preferences, but also the information, which is stored in Zara’s information repository, is easily retrievable by the designers, market specialists, procurement planners, and production managers. It would be a challenge for other companies to develop and apply the rich information not only because of the volume of data, but also because of the working relationships that have been shaped to use it. Thus the information repository has great value to Zara and is relatively rare because of its integration with Zara’s operations and personnel. It is also relatively difficult to imitate or transfer, extremely difficult to substitute. The tight-knit teams at headquarters are very unusual and allow Zara the ability to correctly interpret and quickly respond to customers’ needs. IT is integrally involved in supporting the way work is performed. These working relationships and managerial skills are not easy to replicate or purchase in the marketplace. They would all be very difficult to imitate. Overall, Zara is able to create high value from its IT management and relationship skills. It would be moderately to extremely difficult to substitute or transfer them.
Most firms don’t really have a choice of creating competitive advantage by manipulating industry forces or by adding value, either through their use of information resources or IT-enhanced activities. Rather, all affect the firm, though the relative impact may differ depending on the firm’s industry, environment, and executives’ choice.
66 Chapter 2 Strategic Use of Information Resources
! STRATEGIC ALLIANCES
The value chain helps a firm focus on adding value to the chains of its partners. The resource-based view considers the value created using externally oriented relationships skills. The latest era of information resources evolution emphasizes the importance of collaborative partnerships, and the increasing number of Web applications focused on collaboration and social networking only foreshadow even more emphasis. These partnerships can take many forms, including joint ventures, joint projects, trade associations, buyer – supplier partnerships, or cartels. Often such partnerships use information technologies to support strategic alliances and integrate data across partners’ information systems. A strategic alliance is an interorganizational relationship that affords one or more companies in the relationship a strategic advantage. IT can help produce the product developed by the alliance, share information resources across the partners’ existing value systems, or facilitate communication and coordination among the partners. For example, Delta formed a strategic alliance with e-Travel Inc., a travel service software company that targets large corporations, to promote Delta’s online reservations system. The alliance was strategic because it helped Delta reduce agency reservation fees and offered e-Travel new corporate leads. As introduced earlier, SCM is another frequently discussed type of IT-facilitated strategic alliance.
Strategic alliances often are based on trust and respect that can only develop over time as a result of a repeating pattern of interactions. Ring and Van de Ven have developed a four-stage model that demonstrates the importance of repeating patterns. The first stage in the cycle is the negotiation stage. in which individuals in two or more companies talk with one another and try to understand what each individual is seeking — both as a representative of the company and also as a person with individual goals. An agreement is made that calls for one party to deliver a product or service and to receive payment in return. These agreements, which are created in the commitment stage, can be either formal or informal. Formal agreements are called contracts. The product is delivered and payment is received in the execution stage. Both parties assess what has happened during the ongoing assessment stage, and if happy, they repeat the cycle, sometimes negotiating for even more products or services and receiving more rewards for delivering. With enough repetition, roles are created that continue to be followed, even if the original employees who started the negotiations leave the organization. (See Figure 2.9.)
Co-opetition Clearly, not all strategic alliances are formed with suppliers or customers as partners. Rather, co-opetition is becoming an increasingly popular alternative model. As defined by Brandenburg and Nalebuff in their book of the same name, co-opetition is a strategy whereby companies cooperate and compete at the same
Strategic Alliances 67
NEGOTIATIONS
of joint expectations risk & trust through
formal bargaining
informal sense making
EXECUTIONS
of commitments through
role interactions
personal interactions
COMMITMENTS
for future action through
formal legal contract
psychological contract
ASSESSMENTS
based on:
efficiency
equity
FIGURE 2.9 Four-stage model by Ring and Van de Ven. Source: Developmental processes of cooperative interorganizational relationships. Ring, Peter S.; Van de Ven, Andrew H., Academy of Management Review. 1994 Jan, Vol 19(1) pg 97.
time with companies in its value net.12 The value net includes a company and its competitors and complementors, as well as its customers and suppliers, and the interactions among all of them. A complementor is a company whose product or service is used in conjunction with a particular product or service to make a more useful set for the customer. For example, Goodyear is a complementor to Ford and GM because tires are a complementary product to automobiles. Likewise, hardware and software companies are complementors.
Co-opetition, then, is the strategy for creating the best possible outcome for a business by optimally combining competition and cooperation. It frequently creates competitive advantage by giving power in the form of information to other organizations or groups. For example, Covisint, the auto industry’s e-marketplace, grew out of a consortium of competitors General Motors, Ford, and Daimler- Chrysler, Nissan and Renault. By addressing multiple automotive functional needs across the entire product life cycle, Covisint offers support for collaboration, supply
12 A. Brandenburg and B. Nalebuff, Co-opetition (New York: Doubleday, 1996).
68 Chapter 2 Strategic Use of Information Resources
chain management, procurement, and quality management. Thus, co-opetition as demonstrated by Covisint, not only streamlines the internal operations of its backers, but also has the potential to transform the automotive industry.
! RISKS
As demonstrated throughout this chapter, information resources may be used to gain strategic advantage, even if that advantage is fleeting. When information systems are chosen as the tool to outpace their firm’s competitors, executives should be aware of the many risks that may surface. Some of theses risks include the following:
• Awaking a sleeping giant. A firm can implement IS to gain competitive advantage, only to find that it nudged a larger competitor with deeper pockets into implementing an IS with even better features. FedEx offered its customers the ability to trace the transit and delivery of their packages online. FedEx’s much larger competitor, UPS, rose to the challenge. UPS not only implemented the same services, but also added a new set of features. Both the UPS and FedEx sites passed through multiple Web site iterations as the dueling delivery companies continue to struggle for competitive advantage. Netflix awoke a sleeping giant and ended up with a new partner. Despite its size and merchandising savvy, Wal-Mart was stymied by Netflix’s head start in the rapidly expanding niche of online DVD rentals. Wal-Mart turned over its online DVD business to Netflix in 2005 and still offers access to Netflix from its Web site. Netflix, in turn, reminds its customers that they can purchase DVDs at Wal-mart.com.
• Demonstrating bad timing. Sometimes customers are not ready to use the technology designed to gain strategic advantage. For example, Momenta Corp. experienced monumental failure when it attempted to sell pen-based technology in the early 1990s. A decade later pen-based computing is well accepted by PDA users.
• Implementing IS poorly. Stories abound of information systems that fail because they are poorly implemented. Typically these systems are complex and often global in their reach. In its zeal to implement a system to streamline supply chain communications and lower operating costs, Nike’s implementation team allegedly performed customization that extended beyond the recommendations of its software supplier, i2 Tech- nologies. The resulting missed and duplicated orders may have cost Nike as much as a $100 million. Another implementation fiasco took place at Hershey Foods, when it attempted to implement its supply and inventory system. Hershey developers brought the complex system up too quickly and then failed to test it adequately. Related systems problems crippled shipments during the critical Halloween shopping season, resulting in large declines in sales and net income.
Food for Thought: Co-creating IT and Business Strategy 69
• Failing to deliver what users want. Systems that do not meet the needs of the firm’s target market are likely to fail. Streamline.com (also called Streamline Inc.) experienced the effects of this risk when using the Web to provide home delivery of groceries and pick-up/drop-off ser- vices for movie rentals, dry cleaning, and film. Streamline charged a $30-per-month subscription fee and worked from ‘‘personal shopping lists’’ customers submitted through its Web site. But Streamline failed to convince a large number of shoppers that Streamline’s services matched their lifestyle. Streamline may have failed because its once-a-week delivery was too infrequent, or because its customers wanted to inspect the produce when bags were dropped off. More recently, Webvan thought it had learned from Streamline. Webvan invested heavily in an infrastructure that would allow its employees to take customers’ orders online and deliver them within 30 minutes. Unfortunately for Webvan, many of its customers worked during the day and wanted their groceries delivered at home at night. This made the 30-minute delivery window — and the related infrastructure expenses — unnecessary.
• Web-based alternative removes advantages. With increasingly more applications moving to Web-based platforms, managers must consider the risk of losing any advantage obtained by an information resource that later becomes available as a service on the Web. The Web-based alternative may be much less expensive to use, be more easily available, and include a similar set of advantages.
• Running afoul of the law. Using IS strategically may promote litigation if the IS results in the violation of laws or regulations. Years ago, American Airlines’ reservation system, Sabre, was challenged by American Airlines’ competitors on the grounds that it violated antitrust laws. Napster filed for bankruptcy as a consequence of BMG Entertainment, AOL Time Warner, EMI, Sony, and Vivendi International jointly suing it for copyright infringement. The suit led to Napster’s court-ordered shutdown. More recently, Apple experienced a problem over their proprietary software, which violates legislation passed in France and possibly Scandinavia, where governments insist on more open systems.
Every business decision has risks associated with it. However, with the large expenditure of IT resources needed to create sustainable, strategic advantages, the manager will want to carefully identify and then design a mitigation strategy to manage the associated risks.
! FOOD FOR THOUGHT: CO-CREATING IT AND BUSINESS STRATEGY
Throughout this chapter we have discussed the alignment of IT strategy with business strategy. Certainly they must be carefully aligned to ensure that maximum
70 Chapter 2 Strategic Use of Information Resources
value is achieved from IT investments. However in the fast-paced business environment where information is increasingly a core component of the product or service offered by the firm, we are seeing the co-creating of IT and business strategy. That is to say that IT strategy is business strategy; one cannot be created independent of the other. In many cases they are now one in the same.
For companies whose main product is information, such as financial services companies, it’s clear that how information is managed is the core of the business strategy itself. How an investment firm manages the clients’ account, how their clients interact with the company, and how investments are made are all done through the management of information. A financial services company must co-create business and IT strategy.
But consider a company like FedEx, most well known as the package delivery company. Are customers paying to have a package delivered or to have information about that package’s delivery route and timetable? One could argue that they are one in the same, and that increasingly the company’s business strategy is its information systems strategy. Certainly there are components of the operation that are more than just information. There are actual packages to be loaded on actual trucks and planes, which are then actually delivered to their destinations. However, to make it all work, the company must rely on information systems. Should the information systems go down, FedEx would be unable to do business. A company like this must co-create IT strategy and business strategy.
This was not true a few years ago. Companies could often separate information systems strategy from business strategy, in part because their products or services did not have a large information component. For example, a few years ago, should the information system of a trucking company stop working, the trucks would still be able to take their shipments to their destination and pick up new shipments. It might be slower or a bit more chaotic, but the business wouldn’t stop. Today, that’s not the case. Complicated logistics are the norm, and information systems are the foundation of the business, such as seen at FedEx.
As the number and type of applications increase on the Web and on future technologies that we can only fantasize at this point, we expect to see only co-creation of business and IT strategy. Managers who think they can build a business model without considering the opportunities and impact of information systems, both the resources owned by the firm and those available on the Web will find they have significant difficulties creating any type of sustainable advantage in their marketplace.
This raises the question, however, of whether IS is always necessary for strategic advantage. Some experts believe that companies do not have to use IT to gain strategic advantage, although many companies will. There are strategies that can be competently executed without a major IT component, where perhaps IT is just a utility like the lights and electricity in a business. IT is necessary to create components of the strategy, but not a major focus of the business strategy. In an increasingly Web-enabled world, this debate is just beginning.
Discussion Questions 71
! SUMMARY • Information resources include data, technology, people, and processes within an
organization. Information resources can be either assets or capabilities. • Three major categories of IT capabilities are technical skills, IT management skills,
and relationship skills. • Using IS for strategic advantage requires an awareness of the many relationships
that affect both competitive business and information strategies. • The five competitive forces model implies that more than just the local competitors
influence the reality of the business situation. Analyzing the five competitive forces — new entrants, buyers, suppliers, industry competitors, and substitute products — from both a business view and an information view helps general managers use information resources to minimize the effect of these forces on the organization.
• The value chain highlights how information systems add value to the primary and support activities of a firm’s internal operations, as well as to the activities of its cus- tomers, and other components of its supply chain.
• CRM systems are a coordinated set of activities designed to help an organization better know and understand their customers.
• The resource-based view (RBV) helps a firm understand the value created by their strategy. RBV maintains that competitive advantage comes from the information resources of the firm. Resources enable a firm to attain and sustain competitive advantage.
• IT can facilitate strategic alliances. Supply chain management (SCM) is one example of a mechanism for creating strategic alliances.
• Co-opetition is the complex arrangement through which companies cooperate and compete at the same time with other companies in its value net.
• Numerous risks are associated with using information systems to gain strategic advantage: awaking a sleeping giant, demonstrating bad timing, implementing poorly, failing to deliver what customers want, and running afoul of the law.
! KEY TERMS customer relationship
management (CRM) (p. 60)
co-opetition (p. 66) information resources
(p. 48)
IT asset (p. 49) IT capability (p. 49) network effects (p. 51) resource-based view
(RBV) (p. 62) strategic alliance (p. 66)
supply chain management (SCM) (p. 60)
Web 2.0 (p. 49)
! DISCUSSION QUESTIONS 1. How can information itself provide a competitive advantage to an organization? Give two or three examples. For each example, describe its associated risks.
72 Chapter 2 Strategic Use of Information Resources
2. Use the five competitive forces model as described in this chapter to describe how infor- mation technology might be used to provide a winning position for each of these businesses:
a. A global airline b. A local dry cleaner c. An appliance service firm (provides services to fix and maintain appliances) d. A bank e. A Web-based wine retailer
3. Using the value chain model, describe how information technology might be used to provide a winning position for each of these businesses:
a. A global airline b. A local dry cleaner c. An appliance service firm (provides services to fix and maintain appliances) d. A bank e. A Web-based wine retailer
4. Use the resource-based view as described in this chapter to describe how information technology might be used to provide and sustain a winning position for each of these busi- nesses:
a. A global airline b. A local dry cleaner c. An appliance service firm (provides services to fix and maintain appliances) d. A bank e. A Web-based wine retailer
5. Some claim that no sustainable competitive advantages can be gained from IT other than the capability of the IS organization itself. Do you agree or disagree? Defend your position.
6. Cisco Systems has a network of component suppliers, distributors, and contract manu- facturers that are linked through Cisco’s extranet. When a customer orders a Cisco product at Cisco’s Web site, the order triggers contracts to manufacturers of printed circuit board assemblies when appropriate and alerts distributors and component suppliers. Cisco’s con- tract manufacturers are aware of the order because they can log on to Cisco’s extranet and link with Cisco’s own manufacturing execution systems. What are the advantages of Cisco’s strategic alliances? Does this Cisco example demonstrate SCM? Why or why not?
7. Tesco, the UK retail grocery chain, used their CRM system to generate annual incremental sales of £100 million. Using a frequent-shopper card, a customer got discounts at the time of purchase, and the company got information about their purchases, creating a detailed database of customer preferences. Tesco then categorized customers and customized discounts and mailings, generating increased sales and identifying new products to expand their offerings. At the individual stores, data showed which products must be priced below competitors, which products had fewer price-sensitive customers, and which products must have regular low prices to be successful. In some cases, prices are store-specific, based on the customer information. The information system has enabled Tesco to expand beyond groceries to books, CDs, DVDs, consumer electronics, flowers, and wine. The chain also offers services such as loans, credit cards, savings accounts, and travel planning. What can Tesco management do now that they have a CRM that they
Case Study 73
could not do prior to the CRM implementation? How does this system enable Tesco to increase the value provided to customers?
CASE STUDY 2-1
LEAR WON’T TAKE A BACKSEAT
For decades, Lear Corp. made car seats. Today, with the help of virtual reality and other digital technologies, Lear makes a whole lot more — and makes it a whole lot faster. Lear Corp. used virtual reality to envision the interior of the Chevrolet Express LT, a new luxury van that Lear helped design and build. Within two years, the first models started coming off a GM assembly line near St. Louis.
In the automotive world, that kind of turnaround time is almost impossibly quick. Even when the shell of a vehicle already exists, as it did in this case, the vehicle design schedule traditionally spans about three years. Between the initial concept and the production-ready design lies a painstaking clay-modeling process that typically involves at least a half-dozen costly iterations. But by shifting much of that process to a virtual reality environment, Lear cut the product development period to a year and a half.
GM awarded Lear the lucrative contract for the Express LT largely because of the speed and flexibility that Lear’s use of technology makes possible. ‘‘We always thought of Lear as a great seating company,’’ says Linda Cook, 45, GM’s planning director for commercial trucks and vans. ‘‘We didn’t realize how much else it could do. Lear really needed that technology to get our attention.’’
Lear, based in Southfield, Michigan, has roots that go back to 1917. By the 1990s, it had become the world’s biggest manufacturer of automotive seating. (If you’ve sat in anything from a Chevy to a Ferrari recently, then you’ve probably enjoyed the comfort of a Lear product.) But in the mid-1990s, the auto parts industry entered a period of aggressive consolidation. Instead of relying on thousands of small vendors to make each part separately, automakers wanted to buy complete systems from a few big suppliers. So Lear snapped up smaller companies and combined them into an operation that was capable of making an entire vehicle interior. It also invested heavily in the latest computer-aided design (CAD) software and in other new technologies. By 2000, thanks to acquisitions and expansion into new product areas, sales had climbed to $14.1 billion.
CAD first appeared in the auto industry in the late 1970s, but it didn’t reach a critical mass of power and capability until the mid-1990s. That’s when Lear decided to invest in an animated virtual reality package from Alias|Wavefront, a software subsidiary of Silicon Graphics. By 1998, the Reality Center was under construction, complete with a triple-projection screen and three digitized drawing boards. Out went the chisel; in came the cursor. Thanks to this technology, Lear has all but eliminated the slow, muck-filled process of building prototype after prototype from brownish-orange sculpting clay. However, Lear typically makes at least one physical prototype of every product that it develops in the Reality Center in order to test tactile issues.
In exploring new technologies, the Lear team was tempted at first by the prospect of using them to change long-standing ways of working together. Take the Internet. By digitizing much of the design process, Lear made it possible for designers to send their work back and forth over the Net — thereby creating a virtual workplace that brings together
74 Chapter 2 Strategic Use of Information Resources
people from all around the world. In November 1998, for example, Rothkop traveled to a Volvo design center in Sweden and used the Net to work with colleagues at the Reality Center back in Southfield. Where the Internet extends or enhances communication, the Lear team has embraced it. For the most part, though, the real work of designing auto parts remains an up-close-and-personal business.
For that reason, when it came to building the Reality Center, Lear put a premium on creating an environment that would foster collaboration. The team considered a stereoscopic ‘‘cave,’’ a space in which people can sit and be completely surrounded by a screen. While that arrangement simulates being in a car, ‘‘it can kind of make people nauseated,’’ Rothkop says. Worse yet, only one or two people at a time can sit in the cave — a situation that has dismal implications for collaboration. Instead, the Lear team chose a simpler design for its virtual reality room, one that has a flatter screen and a more open space. There’s even room in front of the screen for a full-sized truck, so Lear designers can bring together the real and the virtual whenever their work calls for that.
Another temptation that Lear executives faced was to think that CAD and VR would let them break down traditional job barriers and combine the roles of designer, sculptor, and animator into a single worker. But, in Lear’s experience, the seemingly artificial barriers between jobs often turn out to be quite natural. So Lear drew back from the notion of combining jobs.
Discussion Questions
1. What is the strategic advantage afforded to Lear from virtual reality? How does this technology help it compete?
2. How long is Lear’s window of opportunity for the strategic advantage given by the virtual reality system? That is, do you think that competitors will follow suit and implement a similar system. If yes, when?
3. Do you think the CAD system offers Lear strategic advantage? Explain. 4. Apply the value chain to demonstrate how the virtual reality system adds value for Lear
and for General Motors. 5. What other types of competitive advantages might Lear executives seek from IS in
general?
Source: Adapted from Fara Warner, ‘‘Lear Won’t Take a Backseat,’’ Fast Company 47 (June 2001), p. 178, available at http://www.fastcompany.com/online/47/bestpractice.html.
CASE STUDY 2-2
ZIPCAR
Zipcar was an answer for customers who want to rent a car for a few hours in their home city, rather than for a few days from a traditional rental agency. Car reservations were for a specific pick up time and location around the city, often in neighborhoods so the customers need only to walk to pick up their reserved car. Customers applied for a Zipcard, which enabled them to reserve a car online and unlock their car when they arrive at the car’s location.
Case Study 75
The company operated with a very small staff compared to traditional rental agen- cies. Very little human interaction was required between the customer and Zipcar for a transaction. A customer reserved a car online, entered into the reserved car by waving the RFID-enabled Zipcard against the card reader mounted behind the windshield on the driver side, returned the car to the same location, and was billed on the credit card already on file. The customer could check all rental records and print receipts from the online reservation system. The system also had a color-coded time chart showing availability and location of all rental cars in the vicinity. This transparent information exchange allows a customer to pick the car he or she wants, if available, or delay the reservation until the car was returned by another customer. Zipcar also created and installed a GPS-enabled wireless device in each car, which allowed members to find and reserve a nearest vehicle using a cell phone.
All the cars were outfitted with patented wireless technology. Their proprietary IT platform carried information flow between customers, vehicles, and the company. It was used to monitor car security, fulfill reservations, record hourly usage, and maintain mileage information. It also relayed vital technical information such as battery voltage and fuel level. It even informed the central system if a customer forgot to turn off headlights, which can quickly drain battery power.
This business model provided unique advantages over traditional car rentals. The customer did not have to stand in line or fill out papers to rent a car. The customer knew exactly which make and model he or she would be getting. Unlike most off-airport rental agency locations, which were only open during business hours, Zipcar locations were open 24 hours. The Zipcar rates also included the cost of gas and insurance, as well as reserved parking spots at some locations.
Additionally, the company used social networking technologies to develop an online community of Zipcar members — Zipsters. It encouraged Zipsters to talk about their Ziptrips (i.e., share their personal experiences with Zipcar).
Thus, information technology was not only the key enabler of this business model but also was a facilitator in creating a buzz and encouraging community development around the concept. Zipcar changed the rules of the rental car industry by bringing the new Web 2.0 mind-set of focusing on automation, customer empowerment, transparency, and community. Zipcar has been very successful, with over 200,000 paying members and renting over 5,000 vehicles in 50 markets in the United States, Canada, and the UK.
Discussion Questions
1. Analyze the business model of Zipcar using Porter’s five forces model. 2. Discuss the synergy between the business strategy of Zipcar and information
technology. 3. What network effects are part of the strategy of Zipcar? How do they add value? 4. As the CEO of Zipcar, where is your most threatening competition? What would you do
to sustain a competitive advantage?
Source: Adapted from ‘‘A Self-Service Rental Car,’’ by Paul Boutin, BusinessWeek, May 4, 2006; ‘‘RFID: A Ticket to Ride,’’ by Mary K. Pratt, ComputerWorld, December 18, 2006; www.zipcar.com.
!CHAPTER 3 ORGANIZATIONAL IMPACTS OF INFORMATION SYSTEMS USE
Started in mid-1990s, Cognizant Technology Solutions grew quickly to become a $1.4 billion revenue company providing IT outsourcing services. However, growing at such a breakneck speed, it had to reinvent its organization structure multiple times. Initially, its India-centric structure located the managers of each group in India along with software engineers. Employees at customer locations worldwide reported to the managers. As the company grew and its focus shifted from simple, cost-based solutions to complex, relationship-based solutions, this model had to be changed. Under the redesigned reporting structure, the managers were moved to customer locations, while software engineers remained in India. This change improved customer relations but brought in new headaches on the technical side. Under the new arrangement, managers had to spend daytime with customers and unexpectedly ended up spending nighttime with software engineers to clarify customer requirements and fix bugs. This placed a tremendous strain on managers, who threatened to quit. Thus, either type of organizational structure was not working. According to Francisco D’Souza, CEO, ‘‘Frankly, we were out of ideas [about what to do].’’
However, they found that despite these problems, some groups were working well and providing solid performance. After an extensive analysis of those groups, the company decided to adopt their informal management structure of coman- agement throughout the company. In this matrix structure, each project has two managers equally responsible for the project. One manger is in India, and the other is at the client site. They work out among themselves how and when to deal with issues. And both are equally responsible for customer satisfaction, project deadlines and group revenue.1
The point is simple: Information systems (IS) comprise a fundamental orga- nizational component that affects the way managers design their organizations. 1 Excerpted from J. McGregor ‘‘For Cognizant, Two’s Company.’’ BusinessWeek, January 17, 2008.
76
Information Technology and Organizational Design 77
When used appropriately, IS and information technology (IT) leverage human resources, capital, and materials to create an organization that optimizes perfor- mance. A synergy results from designing organizations with IT in mind that cannot be achieved when IT is just added on.
Chapter 1 introduced a simple framework for understanding the impact of IS on organizations. The Information Systems Strategy Triangle relates business strategy with IS strategy and organizational strategy. In an organization that operates successfully, an overriding business strategy drives both organizational strategy and information strategy. The most effective businesses optimize the interrelationships between the organization and IT, thus maximizing efficiency and productivity.
Organizational strategy includes the organization’s design, as well as the managerial choices that define, set up, coordinate, and control its work processes. As discussed in Chapter 1, many models of organizational strategy are available, such as the business diamond, which identifies four primary components of an organization: its business processes, its tasks and structures (or organizational design), its management and measurement (control) systems, and its values and beliefs (culture). Figure 3.1 summarizes complementary design variables from the managerial levers framework. Optimized organizational design and management control systems support the most advantageous business processes, and they, in turn, reflect the firm’s values and culture.
This chapter builds on the managerial levers model. Of primary concern is the ways in which IT can improve organizational design, management control, and organizational culture. This chapter looks at some innovative organizational designs that made extensive use of IT, explores how IT can facilitate management control at the organizational and individual levels, and concludes with some ideas about how culture affects organizational design. It focuses on organizational-level issues related to strategy. The next two chapters complement it with a discussion of new approaches to work and organizational processes.
! INFORMATION TECHNOLOGY AND ORGANIZATIONAL DESIGN
This section examines how IT enables or inhibits the design of an organization’s physical structure. Ideally an organization is designed to facilitate the communi- cation and work processes necessary for it to accomplish its goals. In this section we will talk about decision rights that underlie formal structures, formal reporting relationships, and information network. Also of importance are organizational processes. We will study processes in more detail in Chapter 5.
Decision Rights Decision rights indicate who in the organization has the responsibility to initiate, supply information for, approve, implement, and control various types of decisions. Ideally the individual who has the most information about a decision and who is in
78 Chapter 3 Organizational Impacts of Information Systems Use
Variable Description
Organizational variables Decision rights Authority to initiate, approve, implement, and control various
types of decisions necessary to plan and run the – business. Business processes The set of ordered tasks needed to complete key objectives of
the business. Formal reporting relationships
The structure set up to ensure coordination among all units within the organization; reflects allocation of decision rights.
Informal networks Mechanism, such as ad hoc groups, which work to coordi- nate and transfer information outside the formal reporting relationships.
Control variables Data The facts collected, stored, and used by the organization. Planning The processes by which future direction is established, com-
municated, and implemented. Performance measure- ment and evaluation
The set of measures that are used to assess success in the execution of plans and the processes by which such measures are used to improve the quality of work.
Incentives The monetary and nonmonetary devices used to motivate behavior within an organization.
Cultural variables Values The set of implicit and explicit beliefs that underlies decisions
made and actions taken; reflects aspirations about the way things should be done.
FIGURE 3.1 Organizational design variables. Source: James I. Cash, Robert G. Eccles, Nitin Nohria, and Richard L. Nolan, Building the Information Age Organization (Homewood, IL: Richard D. Irwin, 1994).
the best position to understand all the relevant issues should be the person who has the decision right for the decision. Much of the discussion of IT governance in Chapter 8 is based on who has the decision right for critical IT decisions. And, when talking about accountability and responsibility in the chapter on ethics (Chapter 9), one has to start with the person who is responsible for the decision — that is, the person who has the decision right for the decision. Organizational design is all about making sure that decision rights are properly allocated — and reflected in the structure of formal reporting relationships.
Consider the case of Zara from Chapter 2. Each of its 1,000 stores order clothes in the same way, using the same digital form, using the same outdated PDAs, following a rigid weekly timetable for ordering. Most other large retailers use forecasting and inventory control models to determine what clothes should be sent to the stores. That is, the ordering decisions are made at headquarters. However, with Zara, the decision rights for ordering have been moved to the
Information Technology and Organizational Design 79
Zara store managers. By giving them the decision rights for ordering, Zara store managers can place orders that reflect the tastes and preferences of customers in their localized areas.2
Formal Reporting Relationships and Organization Structures Organization structure is the way of designing an organization so that decision rights are correctly allocated. The structure of reporting relationships typically reflects the flow of communication and decision making throughout the organization. Traditional organization structures are hierarchical, flat, or matrix (see Figure 3.2).
Position for industry 1 in region 1
Position for industry 1 in region 2
Position for industry 1 in region 3
Region 1Regions Region 2 Region 3
Position for industry 2 in region 1
Position for industry 2 in region 2
Position for industry 2 in region 3
Position for industry 3 in region 1
Industry 1
Industry
Industry 2
Industry 3 Position for industry 3 in region 2
Position for industry 3 in region 3
Matrix Organization Structure
Flat Organization Structure
Hierarchical Organization Structure
FIGURE 3.2 Hierarchical, flat, and matrix organization structures.
2 Andrew McAfee and Erik Brynjolfsson, ‘‘Investing in the IT That Makes a Competitive Difference,’’ Harvard Business Review, http://harvard businessonline.hbsp.harvard.edu 2008 (accessed July 21, 2008).
80 Chapter 3 Organizational Impacts of Information Systems Use
Description
Characteristics
Type of Environment Best Supported
Basis of Structuring
Power Structure
Key Technologies Supporting This Structure
Bureaucratic form with defined levels of management
Division of labor, specialization, unity of command, formalization
Stable Certain
Primarily function
Centralized
Mainframe, centralized data and processing
Decision making pushed down to the lowest level in the organization
Informal roles, planning and control; often small and young organizations
Dynamic Uncertain
Primarily function
Centralized
Personal computers
Workers assigned to two or more supervisors in an effort to make sure multiple dimensions of the business are integrated
Dual reporting relationships based on function and purpose
Dynamic Uncertain
Functions and purpose (i.e., location, product, customer)
Distributed (matrix managers)
Networks
Formal and informal communication networks that connect all parts of the company
Known for flexibility and adaptability
Dynamic Uncertain
Networks
Distributed (network)
Intranets and Internet
Hierarchical Flat Matrix Networked
FIGURE 3.3 Comparison of organizational structures.
The networked structure is a newer organizational form. A comparison of these four types of organization structures may be found in Figure 3.3.
Hierarchical Organization Structure As business organizations entered the twentieth century, they found themselves growing and needing to devise systems for processing and storing information. A new class of worker — the clerical worker — flourished. From 1870 to 1920 alone, the number of clerical workers mushroomed from 74,200 to more than a quarter
Information Technology and Organizational Design 81
of a million.3 Factories and offices structured themselves using the model that Max Weber observed when studying the Catholic Church and the German army. This model, called a bureaucracy, was based on a hierarchical organization structure.
Hierarchical organization structure is an organizational form based on the concepts of division of labor, specialization, and unity of command. Decision rights are highly specified and centralized. When work needs to be done, it typically comes from the top and is segmented into smaller and smaller pieces until it reaches the level of the business in which it will be done. Middle managers do the primary information processing and communicating, telling their subordinates what to do and telling senior managers the outcome of what was done. Jobs within the organization are specialized and often organized around particular functions, such as marketing, accounting, manufacturing, and so on. Unity of command means that each person has a single supervisor, who in turn has a supervisor, and so on. A number of rules are established to handle the routine work performed by employees of the organization. When in doubt about how to complete a task, workers turn to rules. If a rule doesn’t exist to handle the situation, workers turn to the hierarchy for the decision. Key decisions are made at the top and filter down through the organization in a centralized fashion. IS are typically used to store and communicate information along the lines of the hierarchy and to support the information management function of the managers. Hierarchical structures are most suited to relatively stable, certain environments where the top-level executives are in command of the information needed to make critical decisions.
Two common organizational forms are based on the hierarchical organization structure: functional and divisional. The functional form is a structure that groups common activities together. The division of labor is based on key functions, such as accounting, marketing, finance, engineering, and production. Because the training, work, and values are typically similar for people in the same function, their collaboration and efficiency is promoted within the function. This creates economies of scale and enables in-depth knowledge and skill development. At the same time, coordination and cooperation with other departments is more difficult. The functional form was used in practically every business up to World War II. It is still used in many small and medium-sized companies, especially if they only have one or a few products or services. In contrast is the divisional form that was ‘‘invented’’ by General Motors and DuPont. The divisional form cuts across functional lines and, instead, organizes according to outputs. Each division is responsible for a different set of customers, products, geographical markets, and so forth. Within the divisional unit, diverse functions such as manufacturing and marketing are represented, but employees tend to relate more to their division than to the functional area. The divisional form is good for coordinating organizational activities across functions, especially in unstable or dynamic environments. Typically it is more customer focused. Cognizant’s original
3 Frances Cairncross, The Company of the Future (London: Profile Books, 2002).
82 Chapter 3 Organizational Impacts of Information Systems Use
India-centric organizational structure described at the beginning of the chapter is an example of a divisional form.
Flat Organization Structure In contrast, in the flat organization structure, decision making is centralized, with the power often residing in the owner or founder. In flat organizations, everyone does whatever needs to be done to complete business. For this rea- son, flat organizations can respond quickly to dynamic, uncertain environments. Entrepreneurial organizations often use this structure because they typically have fewer employees, and even when they grow, they initially build on the premise that everyone must do whatever is needed. To increase flexibility and innovation, decision rights may not be clearly defined. As the work grows, new individuals are added to the organization, and eventually a hierarchy is formed where divisions are responsible for segments of the work processes. Many companies strive to keep the ‘‘entrepreneurial spirit,’’ but in reality work gets done in much the same way as with the hierarchy described previously. Flat organizations often use IS to off-load certain routine work to avoid hiring additional workers. As a hierarchy develops, the IS become the glue tying together parts of the organization that otherwise would not communicate.
Matrix Organization Structure The third popular form, the matrix organization structure, typically assigns workers to two or more supervisors in an effort to make sure multiple dimensions of the business are integrated. Each supervisor directs a different aspect of the employee’s work. For example, a member of a matrix team from marketing would have a supervisor for marketing decisions and a different supervisor for a specific product line. The team member would report to both, and both would be responsible in some measure for that member’s performance and development. That is, the marketing manager would oversee the employee’s development of marketing skills, and the product manager would make sure that the employee developed skills related to the product. Thus, decision rights are shared between the managers. In some cases the matrix might even reflect still a third dimension (or more), such as the customer relations segment. IS reduce the operating complexity of matrix organizations by allowing information sharing among the different managerial functions. For example, a salesperson’s sales would be entered into the information system and appear in the results of all managers to whom he or she reports. The matrix structure allows organizations to concentrate on both functions and purpose. It is especially suited to dynamic, uncertain environments and to complex decision making. Cognizant likely moved to the matrix structure from the hierarchical, divisional structure because the complexity of its projects had increased.
The matrix organization structure carries its own set of weaknesses. Though theoretically each boss has a well-defined area of authority, employees often find the matrix organization structure frustrating and confusing because they are
Information Technology and Organizational Design 83
often subjected to dual authority. Consequently, working in a matrix organization structure can be time consuming because confusion must be dealt with through frequent meetings and conflict resolution sessions. Matrix organizations also often make it difficult for managers to achieve their business strategies because they flood managers with more information than they can process.
Networked Organization Structure Made possible by new IS, a fourth type of organizational structure emerged: the networked organization structure (see Figure 3.4). Networked organizations characteristically feel both flat and hierarchical at the same time. An article published in the Harvard Business Review describes this type of organization: ‘‘Rigid hierarchies are replaced by formal and informal communication networks that connect all parts of the company.. . . [This type of organizational structure] is well known for its flexibility and adaptiveness.’’4 It is particularly suited to dynamic, unstable environments.
Networked organization structures are those that rely on highly decentralized decision rights and utilize distributed information and communication systems to replace inflexible hierarchical controls with controls based in IS. Networked organizations are defined by their ability to promote creativity and flexibility while maintaining operational process control. Because networked structures are dis- tributed, many employees throughout the organization can share their knowledge and experience and participate in making key organizational decisions. IS are fundamental to process design; they improve process efficiency, effectiveness, and
FIGURE 3.4 The networked organization.
4 L. M. Applegate, J. I. Cash, and D. Q. Mills, ‘‘Information Technology and Tomorrow’s Manager,’’ Harvard Business Review, (November – December 1988), 128 – 136.
84 Chapter 3 Organizational Impacts of Information Systems Use
flexibility. As part of the execution of these processes, data are gathered and stored in centralized data warehouses for use in analysis and decision making. In theory, at least, decision making is more timely and accurate because data are collected and stored instantly. The extensive use of communications technologies and net- works also renders it easier to coordinate across functional boundaries. In short, the networked organization is one in which IT ties together people, processes, and units.
The organization feels flat when IT is used primarily as a communication vehicle. Traditional hierarchical lines of authority are used for tasks other than communication when everyone can communicate with everyone else, at least in theory. The term used is technological leveling because the technology enables individuals from all parts of the organization to reach all other parts of the organization.
Some organizations take the networked structure one step further. When IT is used extensively as a design tool for the organization, a different organizational form called the T-form organization is possible. The ‘‘T’’ stands for ‘‘technology-based’’ or ‘‘technology-oriented.’’ In T-form organizations, IT is combined with traditional organizational components to form new types of components, such as electronic linking, production automation, electronic workflows, electronic customer/supplier relationships, and self-service Internet portals. Although the original T-form organization was created long before the Internet was popular, this structure has been adopted by many Internet-based companies today. Work is often coordinated automatically in the T-form organization. Systems enable information to more easily move around an organization and among individuals, making decisions possible wherever they are needed, rather than only at senior levels of the organization. Business processes are typically designed differently, relying on the technology for more mundane, repetitive tasks and enabling employees to take on more people-oriented and unstructured responsibilities. Technology is integrated with all components of the business, not just communications networks, as in a traditional networked organization.
Informal Networks The organization structure reflects the authority derived from formal reporting relationships. However, informal relationships also exist and can play an important role in the functioning of an organization. Some informal relationships are designed by management. For example, when working on a special project, an employee might be asked to let the manager in another department know what is going on. This is considered an informal reporting relationship. Or a company may have a job rotation program. Part of the rationale for such programs is that it allows employees to get a broad-based training in a variety of areas. That way the employees can learn about and appreciate the work that is done in the multiple departments where they have worked. It also allows them to make contacts, and even friends, in these departments where they work. Long after they have moved on to another job, they may keep in touch informally or call on their past coworkers when a situation arises in which their input may be helpful.
Information Technology and Management Control Systems 85
Not all informal relationships are a consequence of a plan by management. Some networks unintended by management develop because of a variety of other factors, including work proximity, friendship, shared interests, and family ties. They can also arise for political reasons. Employees can cross over departmental, functional, or divisional lines in an effort to create political coalitions to further their goals.
Some informal networks even cross organizational boundaries. As computer and information technologies facilitate collaboration across distances, social net- works are formed. Many of these prove useful in getting a job done, even if not all members of the network belong to the same organization.
! INFORMATION TECHNOLOGY AND MANAGEMENT CONTROL SYSTEMS
Not only does IT change the way organizations are structured, it also profoundly affects the way managers control their organizations. By management control, we mean how planning is performed in organizations and how people and processes are monitored, evaluated, and compensated or rewarded. Management control is similar to room thermostats. Thermostats register the desired temperature. A sensing device within the thermostat determines if the temperature in the room is within a specified range of the desired temperature. If the temperature is beyond the desired range, a mechanism is activated to adjust the temperature. For instance, if the thermostat is set at 78 and the temperature in the room is 76, then the heater can be activated (if it is winter) or the air conditioning can be turned off (if it is summer).
Similarly management control systems must respond to the goals established through planning. Measurements must be taken periodically, and if the variance is too great, adjustments must be made to organizational processes or practices. For example, operating processes might need to be changed to achieve the desired goals.
IS plays three important roles in management control processes:
1. Data Collection They enable the collection of information that may not be collectible other ways. This information helps managers determine if they are satisfactorily progressing toward realizing the organization’s mission as reflected in its stated goals.
2. Evaluation They facilitate the analysis of information in ways that may not be possible otherwise. The evaluation compares actual performance with the desired performance that is established as a result of planning.
3. Communication They speed the flow of information from where it is gen- erated to where it is needed. This allows an analysis of the situation and a determination about what can be done to correct the situation.
Managers need to control work done at the process level. The process itself needs continuous improvement, and although the various methods of process
86 Chapter 3 Organizational Impacts of Information Systems Use
improvement lie outside the scope of this book, it is important to understand that IS can play a crucial role. IS provide decision models for scenario planning and evaluation. For example, the airlines routinely use decision models to study the effects of changing routes or schedules. IS collect and analyze information from automated processes, which can then be used to make automatic adjustments to the processes. For example, a paper mill uses IS to monitor the mixing of ingredients in a batch of paper and to add more ingredients or change the temperature of the boiler as necessary. IS collect, evaluate, and communicate information, leaving managers free to make decisions.
Planning and Information Technology In the first chapter, the importance of aligning organizational strategy with the business strategy was discussed. An output of the strategizing process is a plan to guide in achieving the strategic objectives. Information technology can play a role in planning in three ways:
• IS can provide the necessary data to develop the strategic plan. They can be especially useful in collecting data from organizational units and trans- forming the data into information for the strategic decision makers.
• Some IS actually automate the planning process. • In some instances, IS can lie at the heart of a strategic initiative. That is,
as discussed in Chapters 1 and 2, information systems can be used to gain strategic advantage.
Data Collection and Information Technology In addition to focusing on organizational-level planning and control, the next three subsections in this chapter focus on the individual level. An important part of management control lies in making sure individuals perform appropriately. At the individual level, IS can streamline the process of data collection (i.e., monitoring) and support performance measurement and evaluation, as well as compensation through salaries, incentives, and rewards.
Monitoring work can take on a completely new meaning with the use of information technologies. IS make it possible to collect such data as the number of keystrokes, the precise time spent on a task, exactly who was contacted, and the specific data that passed through the process. For example, a call center that handles customer service telephone calls is typically monitored by an information system that collects data on the number of calls each representative received and the length of time each representative took to answer each call and then to respond to the question or request for service. Managers at call centers can easily and nonintrusively collect data on virtually any part of the process. In contrast, a manager of field representatives might also use IS to monitor work, but the use may be more obvious and, thus, more intrusive. For example, having field sales personnel complete documents detailing their progress adds work for them.
Information Technology and Management Control Systems 87
The organizational design challenge in data collection is twofold: (1) to embed monitoring tasks within everyday work, and (2) to reduce the negative impacts to workers being monitored. Workers perceive their regular tasks as value adding, but have difficulty in seeing how value is added by tasks designed to provide information for management control. Often these tasks are avoided, or worse, data recorded are inaccurate, falsified, or untimely. Collecting monitoring data directly from work tasks — or embedding the creation and storage of performance information into software used to perform work — renders them more reliable.
A large number of software products are available for companies to monitor employees. Software monitoring products are installed by companies to obtain specific data about what employees are doing. Although the intention may seem both ethical and in the best interest of business, in practice the reverse may actually be true. In many cases employees are not informed that they are being monitored or that the information gleaned is being used to measure their productivity. In these cases, monitoring violates both privacy and personal freedoms. To protect their freedoms and to gain their acceptance, employees should be informed when they are monitored, and their bonuses or other rewards should be linked to increases in productivity derived from the monitoring.
However, prior notice about monitoring may heighten employee stress levels and highlight an increase in the level of control that employers are exerting over their employees. As employees become aware of monitoring activities, productivity and morale may fall. Also, tracking job performance in terms of discrete, measurable tasks can serve to disconnect workers from the larger business process in which they are involved, giving them less opportunity to broaden their skills and advance in the organization. Breaking down jobs into simple tasks counters an organizational philosophy that seeks to empower individuals to make significant contributions to the company as a whole. Although the side effects of monitoring may seem peripheral or minor, its importance can only increase as technology further intrudes into the workplace and shapes working conditions. Today’s managers must be concerned with creating a work atmosphere that is amenable to IS and responsive to employees’ needs.
Performance Measurement, Evaluation, and Information Technology IS make it possible to evaluate data against reams of standard or historical data as desired. Models can be built and simulations designed. Thus, managers can more easily and completely understand work progress and performance. In fact, the ready availability of so much information catches some managers in ‘‘analysis paralysis’’: analyzing too much or too long. In our example of the call center, a manager can compare a worker’s output to that of colleagues, to earlier output, and to historical outputs reflecting similar work conditions at other times. Even though evaluation constitutes an important use of IS, how the information is used has significant organizational consequences. Information collected for evaluation may be used to provide feedback so the worker can improve personal performance; it also can be used to determine rewards and compensation. The former use — for
88 Chapter 3 Organizational Impacts of Information Systems Use
improvement in performance — is nonthreatening and generally welcome. Using the same information for determining compensation or rewards, however, can be threatening. Suppose the call center manager is evaluating the number and duration of calls that service representatives answer on a given day. The manager’s goal is to make sure all calls are answered quickly, and he or she communicates that goal to his or her staff. Now think about how the evaluation information is used. If the manager simply provides the workers with information about numbers and duration, then the evaluation is not threatening. Typically, each worker will make his or her own evaluation and respond by improving call numbers and duration. A discussion may even occur in which the service representative describes other important dimensions, such as customer satisfaction and quality. Perhaps the representative takes longer than average on each call because of the attention devoted to the customer. On the other hand, if the manager uses the information about number of calls and duration to rank workers so that top workers are rewarded, then workers may feel threatened by the evaluation and respond accordingly. The representative not on the top of the list may shorten calls or deliver less quality, consequently decreasing customer satisfaction. The lesson for managers is to take care concerning what is monitored and how the information the systems make available is used. Metrics for performance must be meaningful in terms of the organization’s broader goals, but these metrics are harder to define when work is decentralized and monitored electronically.
How feedback is communicated in the organization plays a role in affecting behavior. Some feedback can be communicated via IS themselves. A simple example is the feedback built into an electronic form that will not allow it to be submitted until it is properly filled out. For more complex feedback, IS may not be the appropriate vehicle. For example, no one would want to be told they were doing a poor job via e-mail or voice mail. Negative feedback of significant consequence often is best delivered in person.
IS can allow for feedback from a variety of participants who otherwise could not be involved. Many companies do a ‘‘360-degree’’ feedback, into which the individual’s supervisors, subordinates, and coworkers all provide input. IS make it relatively easy to solicit feedback from anyone who has access to the system. Because that feedback is received more quickly, improvements can be made faster.
Incentives and Rewards and Information Technology Incentives and rewards are the ways organizations encourage good performance. A clever reward system can make employees feel good without paying them more money. IS can affect these processes, too. Some organizations use their Web sites to recognize high performers. Others reward them with new technology. At one organization, top performers get new computers every year, whereas lower performers get the ‘‘hand-me-downs.’’
IS make it easier to design complex incentive systems, such as shared or team-based incentives. An information system facilitates keeping track of contri- butions of team members and, in conjunction with qualitative inputs, can be used
Information Technology and Culture 89
to allocate rewards according to complex formulas. For example, in the call center example, tracking metrics, such as ‘‘average time per call’’ and ‘‘number of calls answered,’’ allows the manager to monitor agents’ performance. This quantitative data makes for useful comparisons, but it cannot account for qualitative variables: for example, agents who spend more time handling calls may be providing better customer service. Agents who know they will be evaluated by the volume of calls they process may rush callers and provide poorer service to maximize their performance according to the narrow metric. Agents providing the poorest service could, in fact, be compensated best if the firm’s performance evaluation and compensation strategy is linked only to such metrics. The manager must consider both the metrics and qualitative data in assigning compensation and rewards.
! INFORMATION TECHNOLOGY AND CULTURE
The third managerial lever is culture. Culture is playing an increasingly important role in information system development and use. Hence, it is important to consider culture when devising organizational strategy. Culture is defined as a shared ‘‘set of values and beliefs about what is desirable and undesirable in a community of people.’’5 Beliefs are the perceptions that people hold about how things are done in their community, whereas values reflect the community’s aspirations about the way things should be done.
Culture has been compared to an iceberg because, like an iceberg, only part of the culture is visible from the surface. It is possible to see formal ceremonies, traditional dress, symbols in art, and other cultural artifacts. What is not visible are unspoken rules, values, and beliefs that are so deep-seated they are hard to express.6 Further, culture is something of a moving target because it is not static. It evolves over time.
There are different levels of culture. Culture can occur across countries, across organizations, or even within organizations. For instance, Google works hard to create a culture of creativity throughout its organization. Employees get a ‘‘free’’ day a week to pursue their dream project and are encouraged to share their ideas with other employees. They can do so with technology or during one of the free meals at the company cafeteria or in the company laundry room when they move their clothes from the washer to the dryer.
An example at the organizational level is when IS developers have different values from the clients in the same organization for whom they are developing systems. Clients may favor computer-based development practices that encourage reusability of components that allow flexibility and fast turnaround. Developers, on the other hand, may prefer a development approach that favors stability and control, but tends to be slower.
5 Mansour Javidan and R. J. House, ‘‘Cultural Acumen for the Global Manager,’’ Organizational Dynamics 29, no. 4 (2001), 292. 6 E. Schein, Organizational Change and Leadership, 3rd ed. (New York: Wiley, 2004).
90 Chapter 3 Organizational Impacts of Information Systems Use
Differences in national culture may also affect system development and use. For example, when one of this book’s authors was designing a database in Malaysia, she asked questions that required a ‘‘yes’’ or ‘‘no’’ response. In trying to reconcile the strange set of responses she received, the author learned that Malaysians are hesitant to ever say ‘‘No.’’ Cultural differences have been noted in terms of development practices, Web design, change request strategies, adherence to schedules, incentive schemes, and many other aspects of IS development and use.
Certainly one of the best-known (and prolific) researchers in the area dif- ferences in the values across national cultures is Geert Hofstede. Hofstede7 originally identified four major dimensions of national culture: power distance, uncertainty avoidance, individualism-collectivism, and masculinity-femininity. To correct for a possible bias toward Western values, a new dimension, Confucian Work Dynamism, also referred to as ‘‘short-term vs. long-term orientation,’’ was later added.8 Many others have used, built upon, or tried to correct problems related to Hofstede’s four dimensions. One notable project is the GLOBE (Global Leadership and Organizational Behavior Effectiveness) research program which is a team of 150 researchers who have collected data on cultural values and practices and leadership attributes from over 18,000 managers in 62 countries. The GLOBE project has uncovered nine cultural dimensions, six of which have their origins in Hofstede’s pioneering work. The GLOBE dimensions and their relationship to Hofstede’s dimensions are summarized in Figure 3.5.
Even though the world may be becoming ‘‘flatter,’’ cultural differences have not totally disappeared. When people from different cultures come together, they may converge on some things. Yet, culturally based idiosyncrasies may surface. Having an understanding and appreciation for cultural values, practices, and subtleties can help in smoothing the challenges that occur in dealing with these idiosyncrasies. An awareness of the Hofstede or GLOBE dimensions may help improve communications and reduce conflict.
Effective communication means listening, framing the message in a way that is understandable to the receiver, and responding to feedback. Effective cross-cultural communication involves all of these plus searching for an integrated solution that can be accepted and implemented by members of diverse cultures. This may not be as simple as it sounds. For instance typical American managers, noted for their high-performance orientation, prefer direct and explicit language full of facts and figures. However, managers in lower-performance-oriented coun- tries like Russia or Greece tend to prefer indirect and vague language that encourages the exploration of ideas.9 In countries with high levels of uncer- tainty avoidance, such as Switzerland and Austria, meetings should be planned in
7 G. Hofstede, Culture’s Consequences: International Differences in Work-Related Values (London: Sage, 1980). 8 G. Hofstede and M. H. Bond, The Confucius Connection: From Cultural Roots to Economic Growth, Organizational Dynamics 16 (1988), 4021. 9 Javidan and House, ‘‘Cultural Acumen for the Global Manager.’’
Information Technology and Culture 91
GLOBE Relationship to Dimensions Description Hofstede Dimension
Uncertainty Avoidance
Extent to which members of an organiza- tion or society strive to avoid uncertainty by reliance on social norms, rituals, and bureaucratic practices to alleviate the unpre- dictability of future events.
Same as Uncertainty Avoidance
Power Distance Degree to which members of an organization or society expect and agree that power should be equally shared.
Same as Power Dis- tance
Collectivism I: Societal Collec- tivism
Degree to which organizational and societal institutional practices encourage and reward collective distribution of resources and col- lective action.
Same as Individualism/ Collectivism
Collectivism II: In-Group Collec- tivism
Degree to which individuals express pride, loyalty, and cohesiveness in their organiza- tions or families
Type of Collectivism focused on small in-groups
General Egalitar- ianism
Extent to which an organization or society minimizes gender role differences and gen- der discrimination
Modified version of Masculinity/Femininity
Assertiveness Degree to which individuals in organizations or societies are assertive, confrontational, and aggressive in social relationships
Modified version of Masculinity/Femininity
Future Orienta- tion
Degree to which individuals in organizations or societies engage in future-oriented behav- iors such as planning, investing in the future, and delaying gratification
Similar to Confucian Work Dynamism by Hofstede and Bond (1988)
Performance Ori- entation
Extent to which an organization or society encourages and rewards group members for performance improvement and excellence
Humane Orien- tation
Degree to which individuals in organizations or societies encourage and reward individuals for being fair, altruistic, friendly, generous, caring, and kind to others.
Similar to Kind Heart- edness by Hofstede and Bond (1988)
FIGURE 3.5 National Cultural Dimensions. Source: Adapted from R. House, M. Javidan, P. Hanges, and P. Dorfman, ‘‘Understanding cultures and implicit leadership theories across the globe: An introduction to project GLOBE,’’ Journal of World Business 37. no. 1 (2002), 3 – 10.
92 Chapter 3 Organizational Impacts of Information Systems Use
advance with a clear agenda. The managers in Greece or Russia who come from low uncertainty avoidance cultures often shy away from agendas or planned meetings.
Knowing that a society tends to score high or low on certain dimensions helps a manager anticipate how a person from that society might react. However, it only provides a starting point, because each person is different. Without being aware of cultural differences, though, a manager is sure to have a hard time in dealing effectively with members of other cultures.
! FOOD FOR THOUGHT: IMMEDIATELY RESPONSIVE ORGANIZATIONS
IS in general, and the Web in particular, have enabled organizations to speed up the way they operate. Organizations are now able to create the ability to respond instantly to customer demands, supplier issues, and internal communication needs. IS are enabling even more advanced organization forms such as the adaptive organization, the horizontal organization and a relatively new form, the zero time organization.10 Common to all these designs is the idea of agile, responsive organizations that can configure their resources and people quickly and are flexible enough to sense and respond to changing demands.
The zero time organization, for example, describes the concept of instant ‘‘cus- tomerization,’’ or the ability to respond to customers immediately. To accomplish this goal, the organization must master five disciplines:
1. Instant value alignment understanding the customer so well that the company anticipates and is therefore ready to provide exactly what the customer wants.
2. Instant learning building learning directly into the company’s tasks and processes and making sure that requisite information is readily at hand when it is needed.
3. Instant involvement using IS to communicate all relevant information to suppliers, customers, and employees and making sure everyone is prepared to deliver their products, services, or information instantly.
4. Instant adaptation creating a culture and structure that enable all workers to act instantly and to make decisions to respond to customers.
5. Instant execution building business processes that involve as few people as possible (no touch), electronically cross organizational boundaries, and result in cycle times so short that they appear to execute instantly when the customer needs their outputs.
Building in the capability to respond instantly means designing the organization so that each of the key structural elements are able to respond instantly. For example, instant learning means building learning into the business processes. It
10 R. Yeh, K. Pearlson, and G. Kozmetsky, Zero Time: Providing Instant Customer Value Everytime — All the Time (Hoboken, NJ: John Wiley & Sons, 2000).
Summary 93
means using IS to deliver small modules of learning directly to the point where the process is being done. For example, at Dell Computers, assembly line workers have access to a terminal directly above their workstations. As an assembly comes to their stations, its bar code tells the information system what type of assembly it is and which instructions to display. When the assembly reaches the table, the instructions are already there. The worker does not have to ask for the instructions, nor go anyplace to find them. IS allow this type of instant learning to happen.
Further, Web-based applications that are easily configured by the user, rather than by an IS specialist, enable organizations to quickly build systems that meet the businesses needs, then to reconfigure or completely redesign the systems as the business needs change.
Few companies qualify as zero time organizations with all of their processes designed in a way that allows them to respond instantly to every interaction. However, as described in Chapter 6, Web-based architectures combined with human resources from the net-generation (those who have grown up using the Internet and have the ability to conduct most of their professional life on the Net) create the foundation for instantly responsive organizations. As IS and agile technologies become ubiquitous and customers demand increasingly instant service, zero time characteristics will become even more common in business.
! SUMMARY • Incorporating information systems as a fundamental organizational design compo-
nent is critical to company survival. Organizational strategy includes the organiza- tion’s design, the organization’s culture, and the manager’s choices that define, set up, coordinate, and control its work processes.
• Organizational designers today must have a working knowledge of what information systems can do and how the choice of information system will affect the organiza- tion itself.
• Organization structures can facilitate or inhibit information flows. • Organizational design should take into account decision rights, organization struc-
ture, and informal networks. • Structures such as flat, hierarchical, and matrix organizations are being enhanced
by information technology resulting in networked organizations that can bet- ter respond to dynamic, uncertain organizational environments. IT supports networked organizations.
• Information technology affects managerial control mechanisms: planning, data, performance measurement and evaluation, and incentives and rewards.
• Management control at the individual level is concerned with monitoring (i.e., data collection), evaluating, providing feedback, compensating, and rewarding. It is the job of the manager to ensure the proper control mechanisms are in place and the interactions between the organization and the information systems do not undermine the managerial objectives.
• Organizational and national culture should be taken into account when designing and using IS.
94 Chapter 3 Organizational Impacts of Information Systems Use
! KEY TERMS beliefs (p. 89) culture (p. 89) decision rights (p. 77) divisional form (p. 81) flat organization structure
(p. 82)
functional form (p. 81) hierarchical organization
structure (p. 81) matrix organization
structure (p. 82)
networked organization structure (p. 83)
organizational strategy (p. 77)
values (p. 89)
! DISCUSSION QUESTIONS 1. How might IT change a manager’s job?
2. Is monitoring an employee’s work on a computer a desirable or undesirable activity from a manager’s perspective? From the employee’s perspective? Defend your position.
3. Consider the brief description of the zero time organization. What is an example of a control system that would be critical to manage for success in the zero time organization? Why?
4. Mary Kay, Inc., sells facial skin care products and cosmetics around the globe. The business model is to provide one-on-one, highly personalized service. More than 500,000 Independent Beauty Consultants (IBCs) sell in 29 markets worldwide. Each IBC runs his or her own business by developing a client base and then providing services and products for sale to those clients. Recently the IBCs were offered support through an e-commerce system with two major components: mymk.com and Mary Kay InTouch. Mymk.com allows IBCs to create instant online sites where customers can shop anytime directly with their personal IBC. Mary Kay InTouch streamlines the ordering process by automatically calculating discounts, detecting promotion eligibility, allowing the IBCs to access up-to-date product catalogs, and providing a faster way to transact business with the company.11
a. How would the organizational strategy need to change to respond to Mary Kay’s new business strategy? b. What changes would you suggest Mary Kay, Inc. managers make in their manage- ment systems order to realize the intended benefits of the new systems? Specifically, what types of changes would you expect to make in the evaluation systems, reward systems, and feedback systems?
CASE STUDY 3-1
US AIR AND AMERICA WEST MERGER CASE
Facing increasingly tough competition from low-fare airlines and high operational cost structure, US Airways agreed to be acquired by America West to create synergies and reduce cost through enhanced economies of scale. Termed as the largest low-cost airline in
11 Adapted from ‘‘Mary Kay, Inc.,’’ Fortune, Microsoft supplement (November 8, 1999), 5.
Case Study 95
the world, the merger was initially deemed a success and heralded a path for other airlines to follow. However, the problems started unraveling within few months. Even two and half years after the merger, the succeeding airline, US Airways, failed to operate as one airline. The new airline needed to first consolidate diverse IS across the both airlines and then integrate them to receive a single operating certificate from the Federal Aviation Agency. However, in addition to feuding pilot unions of both airlines, IS integration issues had been a key reason behind the problems. The IS integration issues were a result of underlying organizational issues: different organizational structures and cultures at the two airlines and different IT department management styles.
Although the resulting airline retained the name of the acquired airline, US Airways, most of the management team came from America West, including CEO Doug Parker. The headquarters was moved from Arlington, Virginia, to Tempe, Arizona. Experienced in operating a small airline with mostly West Coast operations, the management team failed to adjust its organizational structure and processes to accommodate the complexity involved in operating a large airline on the East Coast. The result was delayed baggage, unexpected overtime expenses, less-than-optimal hiring of airport workers, and added hotel expenses for accommodating stranded passengers. Additionally, unresolved seniority issues led to nightmares in rescheduling shifts and routes. Even if the aircraft were identical, the crew could not be switched because a joint contract had not been signed, and crew rankings had not been finalized.
The two airlines had extremely different organizational cultures. US Airways had an older workforce with highly structured bureaucracy, whereas America West had a much younger workforce with an entrepreneurial culture. During past financial difficulties, US Airways laid off thousands of workers and sought concessions from employees. On the other hand, America West protected employees and sought concessions from vendors and the government.
Even IT departments at the two airlines had radically different approaches to IT management; one centered on insourcing; the other excelled at outsourcing. Most IT activities, such as application support, systems support, desktop support, HR, payroll, financial systems, reporting, and accounting, were handled in-house at America West. These activities, however, were outsourced to EDS at the old US Airways. Thus, the IT department at America West was structured to handle IT issues internally, whereas the old US Airways IT department’s role was primarily to oversee the work performed by EDS staff. These differences in IT management styles led to completely different department structures and processes. Rather than choosing one or the other approach, the new company decided to take a hybrid approach by outsourcing some work and insourcing others. This added to even more difficulties.
Key information systems used by the two airlines also differed. For example, old US Airways had been using the SABRE reservation system, whereas America West used the SHARES system. New US Airways decided to switch over from SABRE to the SHARES system. EDS, which provides infrastructure for both systems, was brought in to facilitate the integration of different reservation systems of the predecessor airlines. Given the millions of transactions per year, integrating the two systems is not easy, especially when they both must continue to operate in real-time during the integration process. Out of 7 million reservations transferred to the new system, about 1.5 million ‘‘didn’t sync up’’ correctly. The airline executives blamed the troubles on the legacy architecture of the reservations systems. However, external experts blamed the airline for failing to recognize the complexity and resource requirements of integrating two systems.
96 Chapter 3 Organizational Impacts of Information Systems Use
With the separate procedures of the predecessor airlines and the lack of experience in integrating two diverse organizational and IS cultures, the company lacked ‘‘a com- mon focus as to what’s important to fix,’’ as COO Robert Isom put it. Recently, the airline set concrete metrics and goals for each work group through a standard departure checklist — ‘‘Countdown to Departure.’’ It also centralized some key operational decision making. For example, airport station managers can no longer arbitrarily delay a flight for connecting passengers. They have to clear those decisions through a centralized operations control center. This resulted in a significant improvement in on-time performance met- rics. CEO Parker acknowledged, ‘‘Just putting two airlines together doesn’t automatically create value.’’
Discussion Questions
1. How did different organizational structures create problems in the merger? What steps did the new US Airways take to reduce these problems?
2. When two companies merge, what steps should be taken to combine organizational structures and processes?
3. How did the differences in culture create problems for the new US Airways? What, if anything, could the executives have done to lessen these problems?
4. If you were a consultant brought in to advise on the merger, what advice you have given to CEO Parker?
Sources: Melanie Trottman, ‘‘Can US Airways Pass Test of Time?’’ The Wall Street Journal, December 26, 2007, P. A6; Stan Gibson, ‘‘Airline Flies with Hybrid IT Plan,’’ eWeek, October 24, 2005; and Stephanie Overby, ‘‘How to Save an Airline,’’ CIO, February 15, 2006.
CASE STUDY 3-2
THE FBI
The Federal Bureau of Investigation of the U.S. government, the FBI, was forced to scrap its $170 million virtual case file (VCF) management system. Official reports blamed numerous delays, cost overruns, and incompatible software. But a deeper examination of the cause of this failure uncovered issues of control, culture, and incompatible organizational systems.
Among its many duties, the FBI is charged with the responsibility to fight crime and terrorism. To do so requires a large number of agents located within the Unites States and around the world. That means agents must be able to share information among themselves within the bureau and with other federal, state, and local law enforcement agencies. But sharing information has never been standard operating procedure for this agency. According to one source, ‘‘agents are accustomed to holding information close to their bulletproof vests and scorn the idea of sharing information.’’
Enter the FBI’s efforts to modernize its infrastructure, code-named ‘‘Trilogy.’’ The efforts included providing agents with 30,000 desktop PCs, high-bandwidth networks to connect FBI locations around the world, and the VCF project to facilitate sharing of case information worldwide. The FBI director explained to Congress that VCF would provide ‘‘an electronic means for agents to globally send field notes, documents, pieces of intelligence and other evidence so they could hopefully act faster on leads.’’ It was designed
Case Study 97
to replace a paper-intensive process with an electronic, Web-based process. With such a reasonable goal, why didn’t it work?
The CIO of the FBI offered one explanation. He claimed that ‘‘the FBI must radically change the agency’s culture if the Bureau is ever going to get the high-tech analysis and surveillance tools it needs to effectively fight terrorism. We must move from a decentralized amalgam of 56 field offices that are deeply distrustful of technology, outsiders and each other to a seamlessly integrated global intelligence operation capable of sharing information and preventing crimes in real-time.’’
A former project manager at the FBI further explained, ‘‘They work under the idea that everything needs to be kept secret. But everything doesn’t have to be kept secret. To do this right, you have to share information.’’
The VCF system has been shut down, but the CIO is working on a new approach. He is busy trying to win buy-in from agents in the field so that the next case management system will work. In addition, he is working to establish a portfolio management plan that will cover all of the FBI’s IT projects, even those begun in decentralized offices. His team has been designing an enterprise architecture that will lay out standards for a bureauwide information system. The Director of the FBI has helped too. He reorganized the governance of IT, taking IT budget control away from the districts and giving total IT budget authority to the CIO.
The FBI announced that it will build a new case management system called Sentinel in four phases. The new system, according to the CIO, will include workflow, document management, record management, audit trails, access control, and single sign-on. To manage the expectations of the agents, the CIO plans to communicate often and significantly increase the training program for the new system. The CIO commented, ‘‘We want to automate those things that are the most manually cumbersome for the agents so they can see that technology can actually enhance their productivity. That is how to change their attitudes.’’
Discussion Questions
1. What do you think were the real reasons why the VCF system failed? 2. What were the points of alignment and misalignment between the Information Systems
Strategy and the FBI organization? 3. What do you think of the CIO’s final comment about how to change attitudes? Do you
think it will work? Why or why not? 4. If you were the CIO, what would you do to help the FBI modernize and make better use
of information technology?
Source: Adapted from Allan Holmes, ‘‘Why the G-Men Aren’t IT Men,’’ CIO Magazine (June 15, 2005), 42 – 45.
!CHAPTER 4 INFORMATION TECHNOLOGY AND THE DESIGN OF WORK1
Best Buy, the leading U.S. retailer in electronics, completely transformed its view of the ordinary workday. Once known for killer hours and herd-riding bosses, it ushered in a new approach to work: Results-Only Work Environment (ROWE). ROWE was the brainchild of two passionate employees who thought that Best Buy managers were mired in analog-age inertia and did not recognize that employees could use technology to perform work from a variety of places. The ROWE developers thought implementing a flextime program ‘‘stigmatizes those who use it . . . and keeps companies acting like the military (fixated on schedules) when they should behave more like MySpace (social networks where real-time innovation can flourish).’’2
ROWE is a program that allows limitless flexibility when it comes to work hours. Employees can choose where and when they will do their work — as long as project goals are satisfied. Employee decisions about working hours and location are framed by 13 guideposts — the most surprising of which is ‘‘Every meeting is optional.’’
Can Best Buy’s approach work? Best Buy claims that productivity soared 41% between 2005 and 2007 on ROWE teams, and voluntary turnover plummeted 90%. This helped Best Buy save $16 million each year. Is their approach unusual? Best Buy clearly has adopted one of the most accommodating approaches to work hours, but 79% of employers now allow their employees some flexibility. A third or more of IBM and AT&T employees have no official office, and Sun Microsystems Inc. calculates that it has saved over $400 million in real estate costs by allowing nearly half of its employees to work anywhere they want.3
1 The authors wish to acknowledge and thank David K. Wolpert, MBA 1999, for his help in researching and writing early drafts of this chapter. 2 M. Conlin, ‘‘Smashing the Clock,’’ BusinessWeek, December 11, 2006, www.businessweek.com/ print/magazine/content/06 50/b4013001.htm?chan=gl downloaded 6/25/2008 3 ‘‘Finding Freedom at Work,’’ Time, May 30, 2008, www.time.com/time/printout/0,8816,1810690,00 .html downloaded June 25, 2008.
98
Information Technology and the Design of Work 99
The Best Buy example illustrates how the nature of work is changing before our eyes — and information technology is supporting, if not propelling, the changes. In preindustrial societies, work was seamlessly interwoven into everyday life. Activities all revolved around nature’s cyclical rhythms (i.e., the season, day and night, the pangs of hunger) and the necessities of living. The Industrial Revolution changed this. With the advent of clocks and the ability to divide time into measurable, homogeneous units for which they could be paid, people started to separate work from other spheres of life. Their workday was distinguished from family, community and leisure time by punching a time clock or responding to the blast of a factory whistle. Work was also separated into space as well as time as people started going to a particular place to work.4
Technology has now brought the approach to work full circle in that the time and place of work are increasingly blended with other aspects of living. People now can do their work in their own homes at times that accommodate home life and leisure activities. They are able to enter cyberspace — a virtually unlimited space full of opportunities.5 Paradoxically, however, they want to create a sense of belonging within that space. That is, they wish to create a sense of ‘‘place,’’ which is a bounded domain in space that structures their experiences and interactions of others that they meet in this ‘‘place.’’ People learn to identify with these places, or locations in space, based on a personal sharing of experiences with others within the space. Over time visitors to the place associate with it a set of appropriate behaviors. Increas- ingly places are being constructed in space with Web 2.0 tools that encourage collaboration, allowing people to easily communicate on an ongoing basis.
The Information Systems Strategy Triangle, discussed in Chapters 1 and 3, suggests that changing information systems (IS) results in changes in organizational characteristics. Because work and organizing are highly interdependent, significant changes in the nature of work are bound to coincide with significant changes in the way that organizations are structured and how people experience work in their daily lives.6 Virtual organizations provide one of the clearest examples of this. A virtual organization is a structure that makes it possible for individuals to work for an organization and live anywhere. The Internet and corporate intranets create the opportunity for individuals to work from any place they can access a computer — from home, satellite offices, customer sites, and hotel rooms.
The structure of a virtual organization is networked. Everyone has access to everyone else using technology. Hierarchy may be present in the supervisory roles, but work is done crossing boundaries. For work that can be done on a computer or work that makes extensive use of telecommunications and the Internet make it possible to design a work environment anywhere. E-mail is the most widely used means of communication, making it possible for even the newest member of a
4 S. Barley and G. Kunda, ‘‘Bringing Work Back In,’’ Organizational Science 12, no. 1 (2001), 76 – 95. 5 S. Harrison and P. Dourish, ‘‘Re-Place-ing Space: The Roles of Place and Space in Collaborative Systems,’’ CSCW Proceedings (1996), 1 – 11. 6 Barley and Kunda, ‘‘Bringing Work Back In.’’
100 Chapter 4 Information Technology and the Design of Work
team to communicate with the most senior person in the organization. Increasingly popular are social networking tools that not only enhance communication and collaboration, but also help employees get to know each other and identify each other’s skills and experiences.
The basis of success in a virtual organization is the amount of collaboration that takes place between individuals. In a traditional organization, individuals mainly collaborate by holding face-to-face meetings. They use IS to communicate and to supplement these meetings, but the culture requires ‘‘looking at eyeballs’’ to get work done. By contrast, a virtual organization uses its IS as the basis for collaboration.
VeriFone, a leading manufacturer of credit verification systems, is well known for its virtual organization.7 The company was founded in 1981 by an entrepreneur who hated bureaucracy. By 1990, it was the leading company for transaction automation with products and services used in more than 80 countries. VeriFone’s office building in northern California houses a nominal corporate headquarters. In several plants around the world, its processing systems are made, and its distribution centers facilitate rapid delivery to customers. Most corporate functions, however, occur at multiple global locations, including Texas, Hawaii, India, and Taiwan. The company seeks to put its people in close proximity to customers and emerging markets, which results in about a third of the employees traveling roughly half of the time. This strategy gives VeriFone firsthand information about business opportunities and competitive situations worldwide.
At the heart of the company culture is constant and reliable sharing of information. It is a culture that thrives on the chief executive officer’s ban on secretaries and paper correspondence. Every day the chief information officer (CIO) gathers yesterday’s results and measures them against the company’s plans. Systems post travel itineraries of everyone in the company and track which people speak what languages. Using IS for simulation and analysis, the CIO pulls together information from databases around the company for an e-mail newsletter to everyone in the company. The newsletter describes the latest products, competitive wins, and operating efficiencies. The top 15 salespeople are often listed, along with their sales figures. More than just managing the IS, VeriFone’s CIO provides the ‘‘information glue’’ that holds the virtual organization together.
A story is told of a new salesperson who was trying to close a particularly big deal. He was about to get a customer signature on the contract when he was asked about the competition’s system. Being new to the company, he did not have an answer, but he knew he could count on the company’s information network for help. He asked his customer for 24 hours to research the answer. He then sent a note to everyone in the company asking the questions posed by the customer. The next morning, he had several responses from others around the company. He went to his client with the answers and closed the deal.
7 Hossam Galal, Donna Stoddard, Richard Nolan, and Jon Kao, ‘‘VeriFone: The Transaction Automation Company,’’ Harvard Business School case study 195 – 088.
Work Design Framework 101
What is interesting about this example is that the ‘‘new guy’’ was treated as a colleague by others around the world, even though they did not know him personally. He was also able to collaborate with them instantaneously. It was standard procedure, not panic time, because of the culture of collaboration in this virtual organization. The information infrastructure provided the means, but the organization built on top of it consisted of processes designed for individuals at a geographical remove.
Chapter 3 explored how IT influences organizational design. This chapter examines how IT is related to changing the nature of work, the rise of new work environments, and IT’s impact on different types of workers and how they work with one another. This chapter looks at how IT enables and facilitates a shift toward collaborative work. It examines how work has changed, how work supports communication and collaboration, where work is done, and how work is managed. The terms IS and IT are used interchangeably in this chapter, and only basic details are provided on technologies used. The point of this chapter is to look at the impact of IS on the way work is done by individuals and teams. This chapter should help managers understand the challenges in designing technology-intensive work and develop a sense of how to address these challenges and overcome resistance to IT.
! WORK DESIGN FRAMEWORK
As the place and time of work becomes less distinguishable from other aspects of people’s lives, the concept of ‘‘jobs’’ is changing and being replaced by the concept of work. Prior to the Industrial Revolution, a job meant a discrete task of a short duration with a clear beginning and end.8 By the mid-20th century the concept of job had evolved into an ongoing, often unending stream of meaningful activities that allowed the worker to fulfill a distinct role. More recently organizations are moving away from organization structures built around particular jobs to a setting in which a person’s work is defined in terms of what needs to be done.9 In many organizations it is no longer appropriate for people to establish their turfs and narrowly define their jobs to only address specific functions. Yet, as jobs ‘‘disappear,’’ IT can enable workers to better perform in tomorrow’s workplace; that is, IT can help workers function and collaborate in accomplishing work that more broadly encompasses all the tasks that need to be done.
In this chapter a simple framework is used to assess how emerging technologies may affect work. As suggested by the Information Systems Strategy Triangle (in Chapter 1), this framework links the organizational strategy with IS decisions. This framework is useful in designing key characteristics of work by asking key questions and helping identify where IS can affect how the work is done. Consider the following questions:
8 William Bridges, JobShift: How to Prosper in a Workplace without Jobs (New York: Addison-Wesley, 1995). 9 Ibid.
102 Chapter 4 Information Technology and the Design of Work
• What work will be performed? Understanding what tasks are needed to complete the process being done by the worker requires an assessment of specific desired outcomes, inputs, and the transformation needed to turn inputs into outcomes. Understanding changes in tasks helps better understand changes in the nature of work.
• What is the best way to do the work? Some things are best done by people, and other things are best done by computers. For example, dealing directly with customers is often best done by people because the unpredictability of the interaction may require a complex set of tasks that cannot be automated. Further, most people want to deal directly with other people. On the other hand, computers are much better at keeping track of inventory, calculating compensation, and many other repetitious tasks that are opportunities for human error. ITs provide increasing support for communication and collaboration tasks among workers.
• Who is going to do the work? If a person is going to do the work, who should that person be? What skills are needed? From what part of the organization should that person come? If a team is going to do the work, many of these same questions need to be asked. However, they are asked within the context of the team: Who should be on the team? What skills do the team members need? What parts of the organization need to be represented by the team?
• Where will the work be performed? With the increasing availability of net- works, Web 2.0 tools, and the Internet, managers can now design work for workers who are not physically near them. Does the work need to be per- formed locally? Remotely? By a geographically dispersed work group?
• How can IT increase the effectiveness of the workers doing the work? How can IT help workers communicate with other workers to get the work done? How can IT support collaboration? What can be done to increase the acceptance of IT-induced change?
Figure 4.1 shows how these questions can be used in a framework to incorpo- rate IS into the design of work. Although it is outside the scope of this chapter to discuss the current research on either work or job design, the reader is encouraged to read these rich literatures.
! HOW INFORMATION TECHNOLOGY SUPPORTS COMMUNICATION AND COLLABORATION
Though it may seem like putting the cart before the horse, the discussion will respond to the last question in Figure 4.1 first. This is because many of the changes that are described in later sections of this chapter have been supported, if not propelled, by IT. Some of these technologies such as social networking and blogs seem to have been introduced into the workplace by digital natives when they
How Information Technology Supports Communication and Collaboration 103
Where is that person when doing the work?
How can IT enhance the effectiveness of the worker
doing the work?
How can IT enhance the effectiveness of the group
doing the work?
Where is the group doing the work? (together or
geographically dispersed)
Who is going to do the work?
What is the best way to do the work (person or computer)?
What work will be performed?
Automate the work
ComputerPerson
An individual A group
FIGURE 4.1 Framework for work design.
started their first full-time jobs. This section describes major technologies that have affected communications and collaboration in today’s work environment.
IT to Facilitate Communication The IT support for communication is considerable and growing. It includes e-mail, intranets, instant messaging, VoIP, video teleconferencing, unified communica- tions, RSS, virtual private networks, and file transfer.
E-mail (electronic mail) is a way of transmitting messages over communication networks. It was one of the first uses of the Internet and still constitutes a good portion of Internet traffic. Most e-mail messages consist strictly of text, but e-mail can also be used to transfer images, video clips, sound clips, and other types of computer files. A permutation of e-mail is the mailing list server. Users subscribe to a mailing list; when any user sends a message to the server, a copy of the message is sent to everyone on the list. This service allows for restricted-access discussion groups; only subscribed members can participate in or view the discussions that are transmitted via e-mail. Popular mailing list providers include ListServ and Majordomo.
An intranet looks and acts like the Internet, but it is comprised of information used exclusively with a company and unavailable to the general public via the Internet. It is a password-protected set of interconnected nodes that is under the company’s administrative control. Employees at AT&T, for example, can use company computers to access an employee handbook (containing links to such
104 Chapter 4 Information Technology and the Design of Work
things as employee data, benefit information and procedures for dealing with irate callers) via the company’s intranet that is separated from the Internet by a security ‘‘firewall.’’
Instant messaging (IM) is an Internet protocol (IP) – based application that provides convenient communication between people using a variety of different device types, including computer-to-computer and mobile devices, such as digital cellular phones.10 It can identify which ‘‘buddies’’ have a ‘‘presence’’ and are able to receive messages at the moment. If a ‘‘buddy’’ is available, the sender’s typed message pops up on the receiver’s computer screen. Failing to respond quickly to the message typically is perceived to be rude. Although initially a communication tool used exclusively by teenagers, IM now serves as an internal communication systems in large companies and even allows managers to verify whether their telecommuting employees are logged on to their computer at their homes. With most systems, people need to agree to be on a potential sender’s buddy list, and they can set their status to ‘‘busy’’ or ‘‘away’’ if they do not want to be disturbed. Even then, IM is sometimes criticized for being distracting and reducing privacy, especially by people who are not good at doing a number of things at the same time.
Voice over Internet Protocol (VoIP) is ‘‘a method for taking analog audio signals, like the kind you hear when you talk on the phone, and turning them into digital data that can be transmitted over the Internet.’’11 It is rapidly gaining in popularity because the free VoIP software that is available with proprietary systems such as Skype allows people to make free Internet phone calls without using the phone company. VoIP also reduces costs to organizations because numerous calls can be transmitted over the same Internet connection, and phone connections are shared on the same network as personal computers. For example, Western Digital, which sells hard drives, uses VoIP as a way of reducing the costs of worldwide telephone calls.12 VoIP is especially beneficial for organizations with underused network capacity that can accommodate adding VoIP to their current network. It is also being used increasingly to communicate with remote workers. Although there are no complaints about its costs, there are some about VoIP’s reliability and inability to function in power outages.
Video teleconference (also called videoconference) is ‘‘a set of interactive telecommunication technologies which allow two or more locations to interact via two-way video and audio transmissions simultaneously.’’13 Although analog and digital conferencing has been available for decades, video teleconferencing (and
10 IEC definition of instant messaging available from http://www.iec.org/online/tutorials/instant msg/ (accessed on September 9, 2002) 11 Adapted from http://computer.howstuffworks.com/ip-telephony (accessed August 3, 2005 12 Microsoft Case Studies, ‘‘Western Digital Improves Productivity, www.microsoft.com/uc/ voipasyouare/default.aspx 13 ‘‘Videoconferencing,’’ Wikipedia http://en.wikipedia.org/wiki/Videoconferencing downloaded July 15, 2008.
How Information Technology Supports Communication and Collaboration 105
also Web conferencing) using Internet Protocol made its debut in the mid-1990s. Advanced video teleconferencing technologies gave birth to the field known as ‘‘telemedicine.’’ Telemedicine enables doctors working on virtual teams to confer with distant colleagues, share data, and examine patients in remote locations without losing the time and money to travel. For example, Arizona’s Telemedicine Program has a teletrauma service that recently helped save a young child’s life. A bad car crash near Douglas left three persons dead and an 18-month-old baby with severe trauma to the head and multiple fractures. A skilled trauma surgeon in Tucson utilized the teletrauma connection to provide direct supervision miles away to the local Douglas physician through multiple interventions. Another part of the Arizona Telemedicine Program enables the delivery of medical services to prisoners in ten Arizona rural prisons. This program saves not only lives, but also millions of dollars.14
Unified communications (UC) are an ‘‘evolving communications technol- ogy architecture which automates and unifies all forms of human and device communications in context, and with a common experience.’’15 Unified commu- nications offer a streamlined interface in which such technologies as cell phones, fax machines, personal computers, VoIP, instant messaging, file transfers, collabo- rative workspaces, teleconferencing, e-mail, and videoconferencing meld together to form a collaborative communications environment. Nissan’s UC includes VoIP desk and cell phones, Web conferencing, telepresence, and networked collabora- tive workspaces provided by Cisco.16 As a result, its employees are more accessible to one another, and its collaborative workspaces for tasks like concept car drafting afford a level of coordination not previously available.
Really Simple Syndication or RSS (also called Web feeds) refers to a structured file format for porting data from one platform or information system to another. It is an umbrella term that refers to several different XML (Extensible Markup Language) formats. The main benefit of RSS Web feeds is that the user can aggregate frequently updated data such as news, blog entries, changing stock prices, and recent changes on wiki pages into one easily manageable location. Thus, the user does not have to go to each individual Web site to lookup that data or have multiple browsers open to view each of the Web sites. Second, the user receives regular data updates at timely intervals. For example, the user can receive a summary of articles from a publisher on a prespecified topic of interest. Once alerted, the user can choose to link to and read the full version. Third, RSS Web feeds provide a cheaper electronic alternative to mailing lists for publishers.
14 Arizona Telemedicine: Telemedicine Updates (June 16, 2005), available at http://www.telemedicine .arizona.edu/updates/page1.htm. 15 ‘‘Unified Communications.’’ Wikipedia. 27 June 2008 http://en.wikipedia.org/wiki/Unified communications. 16 ‘‘Global Automobile Company Collaborates Using UC,’’ newsroom.cisco.com, 14 Apr 2008. Cisco Systems, Inc. 27 Jun 2008, http://newsroom.cisco.com/Newsroom/flash/evp/Flash7/main.html? videoXML=.. / xml/high/453B633ED75C6173310E2198711889B6 video.xml&defaultTopic= Technologies&defaultSubTopic=Unified%20Communications.
106 Chapter 4 Information Technology and the Design of Work
A virtual private network (VPN) is a private network that uses a public network such as the Internet to connect remote sites or users. With a VPN, users at remote sites are treated as if they were on a local network. If the various sites of the VPN are owned by a single company, they are often referred to as a corporate intranet; However, if they are owned by different companies, the VPN may be called an extranet.17 A VPN maintains privacy through the use of a tunneling protocol and security procedures.Until fairly recently companies had to use the much more expensive dedicated connections such as leased lines instead of VPN’s ‘‘virtual’’ connections. VPNs are also used to support both remote access to an intranet and connections between multiple intranets within the same organization. Telecommuters often use a Virtual Private Network (VPN) requiring Secure Socket Layer (SSL) authentication as a way of enhancing security.
File transfer consists simply of transferring a copy of a file from one computer to another on the Internet. The most common procedure, file transfer protocol (FTP), allows entire files — even large ones — to be transferred over the Internet more quickly and securely than with e-mail. Besides dedicated file transfer services such as FTP, there are numerous ways to transfer files over a network (e.g., file transfers over instant messaging systems or between computers and peripheral systems, distributed file transfers over peer-to-peer networks).
IT to Facilitate Collaboration Collaboration is a key task in many work processes, and IS greatly changes how collaboration is done. It is important for an organization’s survival. Thomas Friedman argues that collaboration is the way that small companies can ‘‘act big’’ and flourish in today’s flat world. The key to success is for such companies is ‘‘to take advantage of all the new tools for collaboration to reach farther, faster, wider and deeper.’’18 Collaboration tools include social networking sites, virtual worlds, web logs (blogs), wikis, and groupware.
A social networking site is a Web-based service that allows its members to create a public profile with their interests and expertise, post text and pictures and all manner of data, list other users with whom they share a connection, and view and communicate openly or privately with their list of connections and those made by others within the system. These sites are particularly useful for forming ad hoc groups. Popular social networking services for personal uses are MySpace and Facebook. LinkedIn, which boasts over 23 million users in 150 countries,19 invites members to create profiles summarizing their professional accomplishments so that they can be contacted for business opportunities. It also can be used to locate potential business allies or search for jobs.
17 ‘‘Extranets,’’ Wikipedia, retrieved from http://en.wikipedia.org/wiki/Extranet. on September 26, 2008. 18 Thomas L. Friedman, The World is Flat (New York: Farrar, Straus and Giroux, 2005), 145. 19 Jessica Guynn, ‘‘Professional Networking Site LinkedIn Valued at $1 Billion,’’ June 18, 2008, http://www.latimes.com/business/la-fi-linkedin18-2008jun18,0,6631759.story.
How Information Technology Supports Communication and Collaboration 107
A virtual world is ‘‘a computer-based simulated environment intended for its users to inhabit and interact via avatars.’’20 These avatars are usually depicted as two-dimensional or three-dimensional graphical representations capable of inter- acting with other avatars, manipulating objects, and moving about the virtual world. Most virtual worlds are characterized by creativity, interactivity, collaboration, and three-dimensionality.21 Sites like Second Life allow users to collaborate virtually by having their avatars meet and talk on the screen.
Web logs (blogs) are online journals that link together into a very large network of information sharing. Blogs discuss topics ranging from poetry to vacation journals to constitutional law to political opinions. Blogs provide news and information in the moment to potentially thousands of individuals connected with an event or situation. For example, when the tsunami hit Thailand, early reports were from blogs. Business Week calls it ‘‘Micro-news’’ when a blog is devoted to a niche topic. Companies such as Plaxo, an Internet-contact management company, use blogs as a key part of their marketing and promotion strategy. General Motors uses them to connect with the press. The vice chairman has launched his own blog site and receives numerous suggestions and criticisms from customers. Further, when a conflict arose between an outside company and GM, journalists were sent to a blog run by GM for details. GM is taking a lead in experimenting with this technology to manage the media. But the biggest application for blogs is advertising. Some companies have even begun to create fake blogs, using made-up names, to jump-start the buzz around products or services. For example, Captain Morgan, the rum distributor, was said to have created a fake blog for its rum drinks.
A wiki is software that allows users to work collaboratively to create, edit, and link web pages easily. Anyone who has access to the wiki can contribute or modify content. They are especially good for their ability to support multimedia content and for keeping track of multiple revisions of a document. The best known wiki effort is the collaborative encyclopedia Wikipedia.
Groupware22 is software that enables group members to work together on a project, even from remote locations, by allowing them to simultaneously access the same files. Calendars, documents, e-mail messages, databases, and meet- ings are popular applications. Groupware is often broken down into categories describing whether the members work together in real-time (i.e., synchronously) or at different times (i.e., asynchronously). For example, products such as Lotus Notes, Lotus Domino, and Microsoft Exchange enable groups to share infor- mation asynchronously, whereas products such as Microsoft Office Groove and Webex enable groups to share information, such as an electronic presentation, synchronously.
20 ‘‘Virtual World,’’ Wikipedia http://en.wikipedia.org/wiki/Virtual world downloaded July 16, 2008 21 Doing Business in Second Life http://blip.tv/file/242816 downloaded July 16, 2008. 22 Adapted from http://whatis.techtarget.com (accessed August 3, 2005)
108 Chapter 4 Information Technology and the Design of Work
! HOW INFORMATION TECHNOLOGY CHANGES THE NATURE OF WORK
Advances in IT provide an expanding set of tools that make individual workers more productive and broaden their capabilities. They transform the way work is performed — and the nature of the work itself. This section examines three ways in which new IT alters employee life: by creating new types of work, by creating new ways to do traditional work, and by presenting new challenges in human resource management brought about by the use of IT.
Creating New Types of Work IT often leads to the creation of new jobs or redefines existing ones. The high-tech field emerged in its entirety over the past 60 years and has created a wide range of positions in the IT sector, such as programmers, analysts, IT managers, hardware assemblers, Web site designers, software sales personnel, and IT consultants. A study based on the Bureau of Labor Statistics places the number of IT workers in the United States at 3.7 million workers in 2006, with projections for this number to grow 25.2% to 4.0 million by 2016.23 Even within traditional non-IT organizations, the growing reliance on IS creates new types of jobs, such as knowledge managers who manage firms’ knowledge systems (see Chapter 12 for more on knowledge management). IS departments also employ individuals who help create and manage the technologies, such as systems analysts, database administrators, network administrators, and network security advisors. The Internet has given rise to many other types of jobs, such as Web masters and site designers. Virtually every department in every business has someone who ‘‘knows the computer’’ as part of their job.
New Ways to Do Traditional Work Changing the Way Work Is Done
IT has changed the way work is done. Many traditional jobs are now done by computers. For example, computers can check spelling of documents, whereas traditionally that was the job of an editor or writer. Jobs once done by art and skill are often greatly changed by the introduction of IT, such as the jobs described at the beginning of this chapter. Workers at one time needed an understanding of not only what to do, but also how to do it; now their main task often is to make sure the computer is working because the computer does the task for them. Workers once were familiar with others in their organization because they passed work to them; now they may never know those coworkers because the computer routes the work. In sum, the introduction of IT into an organization can greatly change the day-to-day tasks performed by the workers in the organization.
23 Ray Panko, ‘‘IT Employment Prospects: Beyond the Dotcom Bubble, ’’ European Journal of Information Systems (2008).
How Information Technology Changes the Nature of Work 109
Zuboff describes a paper mill, where papermakers’ jobs were radically changed with the introduction of computers.24 The papermakers mixed big vats of paper and knew when the paper was ready by the smell, consistency, and other subjective attributes of the mixture. For example, one worker could judge the amount of chlo- rine in the mixture by sniffing and squeezing the pulp. They were masters at their craft, but they were not able to explicitly describe to anyone else exactly what was done to make paper. The company, in an effort to increase productivity in the paper- making process, installed an information and control system. Instead of the workers looking at and personally testing the vats of paper, the system continuously tested parameters and displayed the results on a panel located in the control room. The papermakers sat in the control room, reading the numbers, and making decisions on how to make the paper. Many found it much more difficult, if not impossible, to make the same quality paper when watching the control panel instead of person- ally testing, smelling, and looking at the vats. The introduction of the information system resulted in different skills needed to make paper. Abstracting the entire process and displaying the results on electronic readouts required skills to interpret the measurements, conditions, and data generated by the new computer system.
In another example, salespeople have portable terminals that not only keep track of inventory, but also help them in the selling function. Prior to the information system, the salespeople used manual processes to keep track of inventory in their trucks. When visiting customers, it was only possible to tell them what was missing from their shelves and to replenish any stock they wanted. With IT, the salespeople have become more like marketing and sales consultants, helping the customers with models and data of previous sales, floor layouts, and replenishment as well as forecasting demand based on analysis of the data histories stored in the IS. The salespeople need to do more than just be persuasive. They now must also do data analysis and floor plan design, in addition to using the computer. Thus, the skills needed by the salespeople have greatly changed with the introduction of IT.
The Internet enables changes in many types of work. For example, within minutes, financial analysts can download an annual report from a corporate Web site and check what others have said about the company’s growth prospects. They can automatically receive RSS Web feeds for stock updates from Google every few seconds. Librarians can check the holdings of other libraries online and request that particular volumes be routed to their own clients, or download the articles from a growing number of databases. Marketing professionals can pretest the reactions of consumers to potential products in virtual worlds such as Second Life. Sales jobs are radically changing to complement online ordering systems. Technical support agents diagnose and resolve problems on client computers using the Internet and software from Motive Communications. The cost and time required to access information has plummeted, increasing personal productivity and giving workers new tools.
24 Shoshana Zuboff, In the Age of the Smart Machine: The Future of Work and Power (New York: Basic Books, 1988), 211.
110 Chapter 4 Information Technology and the Design of Work
Changing Communication Patterns
All one has to do is observe people walking down a busy downtown street or a college campus to note changes in communication patterns over a period as short as the last decade. Many of the people are talking on their cell phones. Or observe what happens when a plane lands. It is possible that as many as half the people on the plane whip out their BlackBerrys or cell phones as soon as the plane touches down. They are busy making arrangements to meet the people who are picking them up at the airport or checking to see the calls they missed while in flight. Finally, consider meeting a friend at a busy subway station in Hong Kong. It is virtually impossible, without the aid of a cell phone, to locate one another.
Similarly, IT is changing the communication patterns of workers. There are still some workers who do not need to communicate with other workers for the bulk of their workday; however, that workday is defined. For example, many truck drivers do not interact with others in their organization. But consider the example of a Wal-Mart driver who picks up goods dropped off by manufacturers at the Wal-Mart distribution center and then delivers those goods in small batches to each of the Wal-Mart stores. Wal-Mart has connected its drivers with radios and satellites so that they can pick up goods from manufacturers on the return trip after they have dropped off their goods at the Wal-Mart stores. In this way, Wal-Mart saves the delivery charges from that manufacturer and conserves energy in the process. Wal-Mart drivers use IT to save money by enhancing their communications with suppliers.25
Changing Organizational Decision Making and Information Processing
IT changes not only organizational decision-making processes, but also the infor- mation used in making those decisions. Data processed to create more accurate and timely information are being captured earlier in the process. Through technologies such as RSS Web feeds, information that they need to do their job can be pushed to them.
IT can change the amount and type of information available to workers. For example, salespeople can use technology to get quick answers to customer questions, much as the new VeriFone salesman at the beginning of this chapter did. Further, Web 2.0 tools allow salespeople to search for best practices on a marketing topic over a social network and to benefit from blogs and wikis written by informed employees in their company. Furthermore, organizations now maintain large historical business databases, called data warehouses, which can be mined by using tools to analyze patterns, trends, and relationships in the data warehouses. For example, Fingerhut, a $2 billion mail-order business, maintains a data warehouse generated from 50 years of sales transactions. Using data-mining techniques, Fingerhut’s marketing team recently found that customers who change their residence triple their purchasing in the 12 weeks after their move,
25 Friedman, The World is Flat.
How Information Technology Changes the Nature of Work 111
with the most buying taking place in the first 4 weeks They purchase furniture, telecommunications equipment, and decorations, but abstain from jewelry and home electronics purchase. Marketers at Fingerhut now offer a customized ‘‘mover’s catalog’’ to movers and don’t send other catalogs during that 12-week window.26 Thus, the work of marketers at Fingerhut changed to reflect the greater information available to them.
In their classic 1958 Harvard Business Review article, Leavitt and Whisler boldly predicted that IT would shrink the ranks of middle management by the 1980s.27 Because of IT, top-level executives would have access to information and decision-making tools and models that would allow them to easily assume tasks previously performed by middle managers. Other tasks clearly in the typical job description of middle managers at the time would become so routinized and programmed because of IT that they could be performed by lower-level managers. As Leavitt and Whisler predicted, the 1980s saw a shrinking in the ranks of middle managers. This trend was partly attributable to widespread corporate downsizing. However, it was also attributable to changes in decision making induced by IT. Since the 1980s, IT has become an even more commonly employed tool of executive decision makers. IT has increased the flow of information to these decision makers and provided tools for filtering and analyzing the information.
Changing Collaboration
Whereas decision making in organizations is often viewed as deliberate and distinct acts, an increasing amount of work being performed by teams is definitely more fluid.28 Teams have learned to collaborate by continually structuring and restructuring their work — constantly adjusting their highly entwined actions — to respond to their ever-evolving environments.
IT helps make work more team oriented and collaborative. Workers can more easily share information with their teammates. They can send documents over computer networks to others, and they can more easily ask questions using e-mail or instant messaging. The president of a New York-based marketing firm, CoActive Digital, recently decided to implement a wiki to have a common place where 25 to 30 people could go to share a variety of documents ranging from large files to meeting notes and PowerPoint presentations.29 An added benefit is that the wiki is encrypted, protected, and used with a VPN. The president recognized that the challenge for implementing the wiki would be to change a culture in which e-mail
26 David Pearson, ‘‘Marketing for Survival,’’ CIO Magazine (April 15, 1998), available at http://www.cio .com/archive/041598/finger content.html. 27 Harold Leavitt and Thomas Whisler, ‘‘Management in the 1980s,’’ Harvard Business Review (November – December 1958), 41 – 48. 28 Barley and Kunda, ‘‘Bringing Work Back In.’’ 29 C. G. Lynch, ‘‘How a Marketing Firm Implemented an Enterprise Wiki,’’ CIO.com retrieved from www.cio.com/artilce/print/413063 (accessed on July 9, 2008).
112 Chapter 4 Information Technology and the Design of Work
had long been the staple for communication. Consequently, he decided to work closely with the business leader of the business development group. This group handles inquiries from customers and coordinates how the work (i.e., marketing campaigns) will get done internally. The group has lots of meetings and lots of work that needs to be shared. He populated the wiki site with documents that had been traded over e-mail, such as meeting notes, and with relevant documents and asked the business leader to encourage her group members to use the wikis. It took some effort, but eventually the group learned to appreciate the benefits of the wiki for collaboration.
The Internet greatly enhances collaboration. Technologies, such as blogs, virtual worlds, wikis, social networking, and video teleconferencing, provide col- laborative applications that facilitate creating groups that form around a large number of goals at a rate much faster than ever before. One might say that with the lowered transaction costs of group formation ( with many of the social network- ing sites, it’s virtually free), there are many more possible social connections.30 For example, Wachovia is implementing a social networking service to link over 110,000 of its employees.31 It allows users to upload pictures as well as personal and professional background information. In this way, employees can get to know a more personal side of others in their organization with whom they communicate on a daily basis. Networking in this way can give employees insight about whom they should contact to get an answer for varying types of questions, as well as to determine their availability at a given moment.
Beyond sharing and conversation, teams can also use the Internet and Web 2.0 to create something together. An example here is the well-known Web-based site Wikipedia. Further, teams can undertake collective action or the behavior that creates a situation for its members to share something and make something happen. Collective action was taken in 2007 when the international bank HSBC was the recipient of a large number of complaints after they removed a free overdraft policy and began charging students a new fee. Hundreds of angry students posted their feelings on a Facebook group set up by one disgruntled person. Within a very short time, 6,000 graduates signed onto the page to protest the new fees. The bank was forced to rescind their new policy shortly afterwards.32
The preceding examples show how IS are a key component in the design of work. IT can greatly change the day-to-day tasks, which in turn change the skills needed by workers. The examples show that adding IS to a work environment changes the way work is done.
30 Clay Shirky, Here Comes Everybody: The Power of Organizing without Organizations (Johannesburg, South Africa: The Penguin Press, 2008). 31 Edward Cone, ‘‘Social Networks at Work Promise Bottom-Line Results,’’ CIO Insight, October 8, 2007. http://www.cioinsight.com/c/a/Trends/Social-Networks-at-Work-PromisebrBottomLine- Results/. 32 Fay Schlesinger, ‘‘Swivelchair Activism,’’ The Guardian, December 11 2007, http://www.guardian.co .uk/education/2007/dec/11/students.studentpolitics, Accessed 7/29/08.
How Information Technology Changes the Nature of Work 113
New Challenges in Managing People New working arrangements create new challenges in how workers are supervised, evaluated, compensated, and even hired. When most work was performed indi- vidually in a central location, supervision and evaluation were relatively easy. A manager could directly observe the salesperson who spent much of his or her day in an office. It was fairly simple to ascertain whether the employee was present and productive.
Now modern organizations, especially virtual organizations, often face the challenge of managing a workforce that is spread across the world, working in isolation from direct supervision, and working more in teams. Rather than working in a central office, many salespeople work remotely and rely on laptop computers, Web 2.0, cellular phones, and pagers to link them to customers and their office colleagues. The technical complexity of certain products, such as enterprise software, necessitates a team-based sales approach combining the expertise of many individuals; it can be difficult to say which individual closed a sale, making it difficult to apportion individual-based rewards.
One technological solution, electronic employee monitoring (introduced in Chapter 3), replaces direct supervision by automatically tracking certain activ- ities, such as the number of calls processed, e-mail messages sent, or time spent surfing the Web. Direct employee evaluation can be replaced, in part, by pay-for-performance compensation strategies that reward employees for deliver- ables produced or targets met, as opposed to subjective factors such as ‘‘attitude’’ or ‘‘teamwork.’’ These changes are summarized in Figure 4.2.
The introduction of ROWE at Best Buy illustrates the need to change from an approach where managers watch employees and count the hours they spend at their desks, to one that focuses instead on the work they actually do. Best Buy’s Senior Vice President, John ‘‘J.T.’’ Thompson admitted, ‘‘For years I had been focused on the wrong currency. I was always looking to see if people were here. I should have been looking at what they were getting done.’’33 He changed his mind when he realized that the benefits the ROWE program offered — and the managerial changes that it commanded.
Hiring is also different because of IT for three reasons. First, in IT-savvy firms, workers must either know how to use the technologies that support the work of the firm before they are hired, or they must be trainable in the requisite skills. Hiring procedures incorporate activities that determine the skills of applicants. For example, a company may ask a candidate to sit at a computer to answer a basic questionnaire, take a short quiz, or simply browse the Web to evaluate the applicant’s skill level, or they may only accept applications submitted to a Web site. Second, IT utilization affects the array of nontechnical skills needed in the organization. Certain functions — many clerical tasks, for example — can be handled more expeditiously, so fewer workers adept in those skills are required.
33 Conlin, ‘‘Smashing the Clock.’’
114 Chapter 4 Information Technology and the Design of Work
Traditional Approach: Subjective Observation
Newer approach: Objective Assessment
Supervision Personal and informal. Manager is usually present or relies on others to ensure employee is present and productive.
Electronic or assessed by deliver- able. As long as the employee is producing value, he does not need formal supervision.
Evaluation Focus is on process through direct observation. Manager sees how employee performs at work. Sub- jective (personal) factors are very important.
Focus is on output by deliverable (e.g., produce a report by a cer- tain date) or by target (e.g., meet a sales quota). As long as deliver- ables are produced and/or targets achieved, the employee is meeting performance expectations ade- quately. Subjective factors may be less important and are harder to gauge.
Compensation and Rewards
Often individually based. Often team-based or contractually spelled out.
Hiring Personal with little reliance on computers. Often more reliance on clerical skills.
Often electronic with recruiting Web sites and electronic test- ing. More informated work that requires a higher level of IT skills.
FIGURE 4.2 Changes to supervision, evaluations, compensation, and hiring.
IT-savvy companies can eliminate clerical capabilities from their hiring practices and focus on more targeted skills. Third, IT has become an essential part of the hiring process for many firms. Advertisements for positions are posted on the Web, and applicants send their resumes over the Web or send potential employers to their Web sites. Companies, when researching candidates, often look at their Facebook or MySpace pages (and in many cases, they do not like what they see). Social networking also involves informal introductions and casual conversations in cyberspace. Virtual interviews can be arranged in virtual worlds to reduce recruiting costs. A face-to-face interview is eventually required, but recruiters can significantly increase their chances of finding the right applicant with initial virtual interviews. Not surprisingly, the new CEO of Linden Labs (the company that created Second Life) was interviewed virtually in Second Life.34
The design of the work needed by an organization is a function of the skill mix required for the firm’s work processes and of the flow of those processes themselves. Thus, a company that infuses technology effectively and employs a
34 Alana Semuel, ‘‘ ‘Second Life’ operator Linden Lab gets new CEO,’’ Los Angeles Times, April 24, 2008.
How Information Technology Changes Where Work Is Done and Who Does IT 115
workforce with a high level of IT skills designs itself differently from another company that does not. The skill mix required by an IT-savvy firm reflects greater capacity for using the technology itself. It requires less of certain clerical and even managerial skills that are leveraged by technical capacity. It may also deploy skills according to different ratios in central and local units.
New IT also challenges employee skills. Employees who cannot keep pace are increasingly unemployable. As many lower-level service or clerical jobs become partially automated, only those workers able to learn new technologies and adapt to changing work practices can anticipate stability in their long-term employment. Firms institute extensive training programs to ensure their workers possess the skills to use IT effectively.
As workforce demographics shift, so too do the IT needs and opportunities to change work. Digital natives, those employees who have grown up using computers, texting, and the Web as a normal, integrated part of their daily lives, are finding new and innovative ways to do their work. There are all sorts of impacts from the skills these employees bring to their work, including how to do their work in a new, and often more efficient, manner.
IT has drastically changed the landscape of work today. As a result of IT, many new jobs were created. In the next section, we examine how IT can change where work is done and who does it.
! HOW INFORMATION TECHNOLOGY CHANGES WHERE WORK IS DONE AND WHO DOES IT
This section examines another important effect of IT on work: the ability of some workers to work anywhere, at any time. At the individual level, we focus on telecommuters and mobile workers. At the group level we focus on virtual teams.
Telecommuting and Mobile Work The terms telecommuting and mobile worker are often used to describe these types of work arrangements. Telecommuting, sometimes called teleworking, refers to work arrangements with employers that allow employees to work from home, at a customer site, or from other convenient locations instead of coming into the corporate office. The term telecommute is derived from combining ‘‘telecommuni- cations’’ with ‘‘commuting,’’ hence these workers use telecommunications instead of commuting to the office. Mobile workers are those who work from wherever they are. They are outfitted with the technology necessary for access to coworkers, company computers, intranets, and other information sources.
Factors Driving Telecommuting and Mobile Work
Telecommuting has been around since the 1970s, but since the late 1990s it has steadily been gaining popularity. In 2006, according to World at Work, more than 45 million Americans telecommuted in some fashion. This number is expected to
116 Chapter 4 Information Technology and the Design of Work
increase to 100 million in 2010 as more work is performed from remote locations.35 A recent survey indicates that currently 12% of organizational workforces are at remote locations, and this number is expected to grow.36 Several factors that drive this trend are shown in Figure 4.3.
First, work is increasingly knowledge based. The U.S. and many other world economies continue to shift from manufacturing to service industries. Equipped with the right IT, employees can create, assimilate, and distribute knowledge as effectively at home as they can at an office. The shift to knowledge-based work thus tends to minimize the need for a particular locus of activity.
Second, telecommuters often time-shift their work to accommodate their life- styles. For instance, parents modify their work schedules to allow time to take their children to school and extracurricular activities. Telecommuting provides an attrac- tive alternative for parents who might otherwise decide to take leaves of absence from work for child rearing. Telecommuting also enables persons housebound by illness, disability, or the lack of access to transportation to join the workforce.
Telecommuting also may provide employees with enormous geographic flexi- bility. The freedom to live where one wishes, even at a location remote from one’s corporate office, can boost employee morale and job satisfaction. As a workplace policy, it may also lead to improved employee retention. For example, Best Buy workers use the ROWE program as part of its recruiting pitch. Further, produc- tivity and employee satisfaction for those on the ROWE program are markedly
Driver Effect
Shift to knowledge-based work Eliminates requirement that certain work be performed in a specific place.
Changing demographics and lifestyle pref- erences
Provides workers with geographic and time-shifting flexibility.
New technologies with enhanced band- width
Makes remotely performed work practical and cost effective
Reliance on Web Provides workers with the ability to stay connected to coworkers and customers, even on a 24/7 basis.
Energy concerns Reduces the cost of commuting for telecom- muters and reduces energy costs associated with real estate for companies
FIGURE 4.3 Driving factors of telecommuting and virtual teams.
35 The actual statistics for the number of telecommuters is hard to find. The figures were obtained from Suite Commute, http://www.suitecommute.com/Statistics.htm downloaded on July 15, 2008. 36 IDG Research Services with Custom Solutions Group, Today’s Enterprise Workforces: Remote but Not Isolated, retrieved from www.interactive-intelligence.com/re.cfm.
How Information Technology Changes Where Work Is Done and Who Does IT 117
higher, and voluntary turnover is down. Many employees can be more productive at home, and they actually work more hours than if they commuted to an office. Furthermore, such impediments to productivity as traffic delays, canceled flights, bad weather, and mild illnesses become less significant. Companies enjoy this benefit, too. Those who build in telecommuting as a standard work practice are able to hire workers from a much larger talent pool than those companies who require geographical presence. JetBlue’s entire force of 550 reservation agents, for instance, work from their homes, generating savings that helped the airline report its first profit a mere six months after its first flight.37
The third driving factor of telecommuting is that the new technologies, which make work in remote locations viable, are becoming better and cheaper. For example, prices of personal computers continue to drop, and processing power roughly doubles every 18 months.38 The drastic increase in capabilities of portable technologies make mobile work more effective and productive. Telecom- munication speeds are increasing exponentially at the same time that the costs for connectivity are plummeting. The Web offers an easy-to-use ‘‘front-end’’ to sophisticated ‘‘back-office’’ applications used by major corporations, such as those that run on mainframe computers.
A fourth driving factor is the increasing reliance on Web-based technologies by all generations, but especially the younger generations. The younger genera- tions are at ease with Web-based social relationships and are adept at using social networking tools to grow these relationships. Web-based tools allow them to stay connected with their coworkers and customers. Further, as more and more organi- zations turn to flexible working hours such as the ROWE program implemented by Best Buy and as 24/7 becomes the norm in terms of service, the Web becomes the standard platform to allow workers to respond to customers’ increasing demands.
A fifth factor is the mounting emphasis on conserving energy. As the cost of gasoline continues to skyrocket, employees are looking for ways to save money. Telecommuting is quite appealing in such a scenario, especially when public transportation is not readily available. Companies can also experience lower energy costs from computing. Many telecommuters no longer need to be tethered to official desks. Thus, real estate needs of their employers are shrinking. Further, energy is no longer needed to heat or cool these office spaces. Companies are realizing that they can comply with the Clean Air Act and be praised for their ‘‘green computing’’ practices at the same time they are reaping considerable cost savings.
Disadvantages of Telecommuting and Mobile Work
Telecommuting also has some disadvantages. Remote work challenges managers in addressing performance evaluation and compensation. Managers of telecommuters
37 Joan Raymond, ‘‘Next Frontiers: Moving into the Future,’’ Newsweek (April 29, 2002), 40, 42. 38 Gordon Moore, head of Intel, observed that the capacity of microprocessors doubled roughly every 12 to 18 months. Even though this observation was made in 1965, it still holds true. Eventually, it became known in the industry as Moore’s law.
118 Chapter 4 Information Technology and the Design of Work
must evaluate employee performance in terms of results or deliverables. Virtual offices make it more difficult for managers to appreciate the skills of the people reporting to them, which in turn makes performance evaluation more difficult. For the many telecommuting tasks that do not produce well-defined deliverables or results, or those where managerial controls typically prove inadequate, managers must rely heavily on the telecommuter’s self-discipline. As a result, managers may feel they are losing control over their employees, and some telecommuting employees do, in fact, abuse their privileges. Managers accustomed to traditional work models in which they are able to exert control more easily may strongly resist telecommuting. In fact, managers are often the biggest impediment to implementing telecommuting programs.
Workers who go to an office or who must make appearances at customer locations have a structure that gets them up and out of their home. Telecommuters, on the other hand, must exert a high level of self-discipline to ensure they get the work done. Working from home, in particular, is full of distractions such as personal phone calls, visitors, and inconvenient family disruptions. A remote worker must carefully set up a home work environment and develop strategies to enable quality time for the work task.
Telecommuters often opt for the increased flexibility in work hours that remote work offers them. They are lured by the promise of being able to work around the schedules of their children or other family members. Paradoxically, because of their flexible work situation, it is often difficult for them to separate work from their home life. Consequently, they may work many more hours than the standard nine-to-five worker, or experience the stress of trying to separate work from play. As a matter of fact, one of the reasons higher-ups at Best Buy were not immediately informed about the ROWE experiment is because employees were concerned that overbearing bosses would expect them to always be working, and middle of the night phone calls would become routine.39
Working remotely can disconnect an employee from his or her company’s culture and make them feel isolated. The casual, face-to-face encounters that take place in offices transmit extensive cultural, political, and other organizational information. These encounters are lost to an employee who seldom, if ever, works at the office. Consequently, telecommuters need to undertake special efforts to stay connected. They must engage in forms of conversation to replace ‘‘water cooler’’ talk. This could take the form of instant messaging, telephone calls/conferences, e-mail, blogs, or even video conferencing or unified communications.
Virtual work also raises the specter of offshoring, or foreign outsourcing of software development and computer services. Once a company establishes an infrastructure for remote work, the work often can be performed abroad as easily as domestically. U.S. immigration laws limit the number of foreigners who may work in the United States since the terrorist attacks in New York City and Washington, D.C., on September 11, 2001. However, no such limitations exist on work performed outside this country by workers who then transmit their work to
39 Conlin, ‘‘Smashing the Clock.’’
How Information Technology Changes Where Work Is Done and Who Does IT 119
Employee Advantages of Telecommuting Potential Problems
Reduced stress due to increased ability to meet schedules and less work-related dis- tractions
Increased stress from inability to separate work life from home life
Higher morale; lower absenteeism Harder to evaluate performance
Geographic flexibility Employee may become disconnected from company culture
Higher personal productivity Telecommuters are more easily replaced by offshore workers
Housebound individuals can join the work- force
Not suitable for all jobs or employees
FIGURE 4.4 Advantages and disadvantages of telecommuting.
the United States electronically. Because such work is not subject to minimum wage controls, companies may have a strong economic incentive to outsource work abroad. Companies find it particularly easy to outsource clerical work related to electronic production, such as data processing and computer programming. Benefits and drawbacks of telecommuting are summarized in Figure 4.4.
Managerial Issues in Telecommuting and Mobile Work
Telecommuting requires managers to undertake special planning, staffing, and supervising activities. In terms of planning, business and support tasks must be redesigned to support mobile and remote workers. Everyday business tasks such as submitting employee expense reports in person (as is common when an original signature is needed on the form) and attending daily progress meetings are inap- propriate if most of the workers are remote. Support tasks such as fixing computers by dispatching someone from the central IS department may not be feasible if the worker is in a hotel in a remote city. Basic business and support processes must be designed with both the remote worker and the worker remaining in the office in mind. Because telecommuters may not be able to deal with issues requiring face-to-face contact, nontelecommuters may find that they are asked to assume additional tasks. Training should be offered to telecommuters and nontelecom- muters alike so that they can anticipate and understand the new work environment.
Not all jobs are suitable for telecommuting. Some jobs may require the worker to be at the work location. Basically only those job aspects that can be performed independently at remote locations are the most suitable for telecommuting. Further, the employees selected to staff telecommuting jobs must be self-starters. They must be responsible for completing work tasks without being in the corporate office. New employees who need to be socialized into the organization’s practices and culture are not good candidates for mobile or remote work.
Managers must find new ways to evaluate and supervise those employees without seeing them every day in the office. Typically this means judging their work
120 Chapter 4 Information Technology and the Design of Work
on the basis of targeted output, and not based on how telecommuters do the work. They must also work to coordinate schedules, ensure adequate communication among all workers, establish policies about use of different technologies to support communications, and help their organizations adapt by building business processes to support mobile and remote workers.
! VIRTUAL TEAMS
Employees are not only working remotely on an independent basis, but also on teams with remote members called virtual teams. Virtual teams are defined as ‘‘geographically and/or organizationally dispersed coworkers that are assem- bled using a combination of telecommunications and information technologies to accomplish an organizational task.’’40 This definition includes teams whose mem- bers seldom meet face-to-face. The members of virtual teams may be in different locations, organizations, time zones, or time shifts. Further, virtual teams may have distinct, relatively permanent membership, or they may be relatively fluid as they evolve to respond to changing task requirements and as members leave and are replaced by new members.
Factors Driving Virtual Teams
The same drivers that apply to telecommuting, listed in Figure 4.3, can also be applied to virtual teams. Virtual teams clearly offer advantages in terms of expanding the knowledge base through team membership. Thanks to new and ever-emerging communication and information technologies, managers can draw team members with needed skills or expertise from around the globe, without having to commit to huge travel expenses. That is, difficulties in getting relevant stakeholders together physically are relaxed. Further, virtual teams can benefit from following the sun. In an example of following the sun, London team members of a virtual team of software developers at Tandem Services Corporation initially code the project and transmit their code each evening to U.S. team members for testing. U.S. members forward the code they tested to Tokyo for debugging. London team members start their next day with the code debugged by their Japanese colleagues, and another cycle is initiated.41 Increasingly, growing pressure for offshoring has resulted in systems development by global virtual teams whose members are located around the world.
Disadvantages and Challenges of Virtual Teams
There are some clear disadvantages to virtual teams. For example, different time zones, although helpful when following the sun, can work against virtual team
40 A. M. Townsend, S. DeMarie, and A. R. Hendrickson, ‘‘Virtual Teams: Technology and the Workplace of the Future,’’ Academy of Management Executive 12, no. 3 (1998), 17 – 28. 41 Marie-Claude Boudreau, Karen Loch, Daniel Robey, and Detmar Straub, ‘‘Going Global: Using Information Technology to Advance the Competitiveness of the Virtual Transnational Organization,’’ Academy of Management Executive 12, no. 4 (1998), 120 – 128.
Virtual Teams 121
members when they are forced to stay up late or work in the middle of the night to communicate with team members in other time zones. Further, security is harder to ensure with distributed workers. There also are a considerable number of challenges, that if not correctly managed could turn into disadvantages. A summary of these challenges in comparison with more traditional teams can be found in Figure 4.5.
A major communication challenge that virtual teams face stems from the limitations of having to primarily communicate electronically via e-mail, tele- conferences, or messaging systems. Electronic media allow team members to transcend the limitations of space and even store messages for future reference. But, electronic communications may not allow team members to convey the nuances that are possible with face-to-face conversations. Thus, conflict may be more likely to erupt in virtual environments, and trust may be slower to form. In addition, virtual teams differ from traditional teams in terms of technological and diversity challenges. For example, traditional teams, unlike virtual ones, may not have to deal with the hassles of learning new technologies or selecting the technology that is most appropriate for the task at hand. Perhaps the greatest chal- lenges that virtual teams face in comparison to their more traditional counterparts arise from the diversity of the team members. Virtual teams enable members to come from many different cultures and nations. Even though this diversity allows managers to pick team members from a wider selection of experts, global virtual teams are more likely than more traditional teams to be stymied by team members who have different native languages and cultures.
Managerial Issues in Virtual Teams
Managers cannot manage virtual teams in the same way that they manage more traditional teams. The differences in management control activities are particularly pronounced. Leaders of virtual teams cannot easily observe the behavior of virtual team members. Thus, monitoring of behavior is likely to be more limited than in traditional teams. As is the case with telecommuters and mobile workers, performance is more likely to be evaluated in terms of output than on displays of behavior. Because the team members are dispersed, providing feedback is especially important — not just at the end of a team’s project, but throughout the team’s life. To encourage the accomplishment of the team’s goal, compensation should be based heavily on the team’s performance, rather than just on individual performance. Compensating team members for individual performance may result in ‘‘hot-rodding’’ or lack of cooperation among team members. Organizational reward systems must be aligned with the accomplishment of desired team goals. This alignment is especially difficult when virtual team members belong to different organizations, each with their own unique reward and compensation systems. Each compensation system may affect individual performance in a different way. Managers need to be aware of differences and discover ways to provide motivating rewards to all team members. Further, policies about the selection, evaluation, and compensation of virtual team members may need to be enacted.
122 Chapter 4 Information Technology and the Design of Work
Challenges Virtual Teams (VT) Traditional Teams
Communication • Multiple time zones can lead to greater efficiencies when leveraged, but can also create communication difficulties in terms of scheduling meetings and interactions.
• Communication dynamics such as facial expressions, vocal inflections, verbal cues, and gestures are altered.
• Teams are collocated in same time zone. Scheduling is less difficult.
• Teams may use richer communication media, including face-to-face discussions.
Technology • Team members must have proficiency across a wide range of technologies; VT membership may be biased toward individuals skilled at learning new technologies.
• Technology offers an electronic repository that may facilitate building an organizational memory.
• Work group effectiveness may be more dependent on the ability to align group structure and technology with the task environment.
• Technology is not critical for group processes. Technological collaboration tools, while possibly used, are not essential for communications. Team members may not need to possess these skills.
• Electronic repositories are not typically used.
• Task technology fit may not be as critical.
Team Diversity • Members typically come from different organizations and/or cultures. This makes it:
• Harder to establish a group identity
• Necessary to have better communication skills
• More difficult to build trust, norms, and shared meanings about roles, be- cause team members have fewer cues about their teammates’ performance
• More likely that they have different perceptions about time and deadlines
• Because members are more homogeneous, group identity is easier to form.
• Because of commonalities, communications are easier to complete successfully.
FIGURE 4.5 Comparison of challenges facing virtual teams and traditional teams.
Virtual Teams 123
Looking beyond these management control activities, we see that prescriptions for managing the communications and information technologies in virtual team environments are limited. The rest of this section is devoted to managing the challenges highlighted in Figure 4.5: communication, technology and diversity.
Communication Challenges Perhaps the most research has focused on ways to overcome communication challenges. Because the distances are often great, managers clearly need to keep the channels of communication open to allow team members to get their work done. Some communication tasks lend themselves to certain technologies. This means that they must have the necessary technological support. For instance, if a team leader wants to have a meeting of team members but has neither the budget nor the lead time to plan for extensive travel to the meeting, video teleconferencing may be a viable alternative. E-mails are excellent for short messages to one or all group members. Team leaders may decide to initiate a team’s activity with a face-to-face meeting so that the seeds of trust can be planted and team members feel as if they know one another on a more personal basis.
Face-to face meetings also appear to be the heartbeat of successful global virtual teams.42 An in-depth study of three global virtual teams, found that the two effective teams created a rhythm organized around regularly scheduled face-to-face meetings. Before each meeting there was a flurry of communication and activity as team members prepared for the meeting. After the meeting there were a considerable number of follow-up messages and tasks. The ineffective team did not demonstrate a similar pattern. Because not all teams can meet face-to-face, synchronous meetings using video teleconferencing, or possibly in a virtual world, can activate the heartbeat.
Because team leaders cannot always see what their team members are up to or if they are experiencing any problems, frequent communications are important. If team members are quiet, the team leader must reach out to them to encourage their participation and to ensure that they feel their contributions are appreciated. Even though a majority of team members are in one location, the team leader should rotate meeting times to alternate the convenience among team members. Further, in the event that there is a larger group of team members in one or several places, the team leader should encourage these subgroups to have all their discussions online so remote members will not feel isolated.
Technology Challenges Having the needed communication and information technologies available means that all team members have the same or compatible technologies at their locations. The support staff to maintain and update the systems must be in place. Managers must ensure that seamless telephone transfers to the home office, desktop support, network connectivity, and security support are
42 M. L. Maznevski and K. Chudoba, ‘‘Bridging Space Over Time: Global Virtual Team Dynamics and Effectiveness,’’ Organization Science 11, no. 5 (2000), 373 – 392.
124 Chapter 4 Information Technology and the Design of Work
provided to the remote workers. Team members (like telecommuters) must have access to the files and applications they need to do their work. The importance of security for remote work cannot be overstated.
Further, managers must also provide the framework for using the technology. Policies and norms, or unwritten rules, need to be established about how the team members should use the technology to work with one another.43 These should include norms about telephone, e-mail, and videoconferencing etiquette (i.e., how often to check for messages, the maximum time to wait to return e-mails, warning team members about absences or national holidays), work to be performed, and so on. Such norms are especially important when team members are not in the same office and cannot see when team members are unavailable.
Diversity Challenges Managers may also seek to provide technologies to support diverse team member characteristics. For example, team members from different parts of the globe may have different views of time.44 Team members from Anglo-American cultures (i.e., U.S., U.K., Canada, Australia, New Zealand) may view time as a continuum from past, to present and future. For such team members, each unit of time is the same, and thus they can be interchanged with one another or used as a basis for pay. These team members are likely to be concerned with deadlines and often prefer to complete one task before starting another (i.e., monochronous). For team members who are conscious of deadlines, planning and scheduling software may be especially useful. In contrast, team members from India often have a cyclical view of time. They do not get excited about deadlines and there is no hurry to make a decision because it is likely to cycle back — at which time the team member may be in a better position to make the decision. Many people from India tend to be polychronous. Team members who are polychronous and prefer to do several activities at one time may want to have instant messaging or Skype (a voice-over-IP support system) available to them so that they can communicate with their teammates and still work on other tasks.
In addition to providing the appropriate technologies, managers with team members who have different views of time need to be aware of the differences and try to develop strategies to motivate those who are not concerned with deadlines to deliver their assigned tasks on time. Or the managers may wish to assign these team members to do tasks that are not sensitive to deadlines.
Of course, views of time are only one dimension of diversity. Although diversity has been demonstrated to lead to more creative solutions, it also makes it harder for team members to learn to trust one another, to communicate, and to form a group identity. Through open communications, managers may be able to uncover and deal with other areas of diversity that negatively affect the team.
43 C. Saunders, C. Van Slyke, and D. R. Vogel, ‘‘My Time or Yours? Managing Time Visions in Global Virtual Teams,’’ Academy of Management Executive 18, no. 1 (2004), 19 – 31. 44 C. S. Saunders, C. Van Slyke, and D. Vogel, ‘‘My Time or Yours? Managing Time Visions in Global Virtual Teams,’’ Academy of Management Executive 18, no. 1 (2004), 19 – 31.
Gaining Acceptance for IT-Induced Change 125
! GAINING ACCEPTANCE FOR IT-INDUCED CHANGE
The changes described in this chapter no doubt alter the frames of reference of organizational employees and may be a major source of concern for them. Employees may resist the changes if they view the changes as negatively affecting them. In the case of a new information system that they do not fully understand or are not prepared to operate, they may resist in several ways:
• They may deny that the system is up and running. • They may sabotage the system by distorting or otherwise altering inputs. • They may try to convince themselves, and others, that the new system
really will not change the status quo. • They may refuse to use the new system where its usage is voluntary.
To avoid the negative consequences of resistance to change, system imple- menters and managers must actively manage the change process and gain acceptance for new IS. To help explain how to gain acceptance for a new technology, Professor Fred Davis and his colleagues developed the Technology Acceptance Model (TAM). Many variations of TAM exist, but its most basic form is displayed on the right-hand side in Figure 4.6. TAM suggests that managers cannot get employees to use a system until they want to use it. To convince employees to want to use the system, managers may need to change employee attitudes about the system. Employee attitudes may change if employees believe that the system will allow them to do more or better work for the same amount of effort (perceived usefulness), and that it is easy to use. Training, documentation, and user support consultants are external variables that may help explain the usefulness of the system and make it easier to use.
TAM has many variants. For example, one variant considers subjective norms,45 whereas another adds attitudes toward behaviors.46 The Unified Theory of Acceptance and Use of Technology makes a valiant effort to integrate the many fragmented findings about TAM.47 Another attempt to integrate the many findings is TAM3.48 A simplified version of TAM3 is shown in Figure 4.6. The left hand side of Figure 4.6 provides the four categories of determinants of perceived usefulness and perceived ease of use. Specifically, they are individual differences (e.g., gender, age), system characteristics (such things as output quality and job relevance that help individuals develop favorable or unfavorable views about the system), social
45 V. Venkatesh and F. D. Davis, ‘‘A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies,’’ Management Science 45, no. 2 (2000), 186 – 204. 46 S. Taylor and P. Todd, ‘‘Assessing IT Usage: The Role of Prior Experience,’’ MIS Quarterly 19, no. 2 (1995), 561 – 570. 47 Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F. D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 27(3), 425-478. 48 V. Venkatesh and H. Bala, ‘‘Technology Acceptance Model 3 and a Research Agenda on Interventions, Decision Sciences, 39, No. 2, 2008, 273-315.
126 Chapter 4 Information Technology and the Design of Work
Individual Differences
Perceived Usefulness
Social Influence
Facilitating Conditions
Perceived Ease of Use
Technology Acceptance Model (TAM)
Behavioral Intention
Use Behavior
System Characteristics
FIGURE 4.6 Simplified technology acceptance model 3(TAm3). Source: Viswanath Venkatest and Hillol Bala, ‘‘Technology Acceptance Model 3 and a Research Agenda on Interventions,’’ Decision Sciences, 39:2 (2008), pg.276.
influence (e.g., subjective norms), and facilitating conditions (e.g. top management support). The interrelationships described in UTAUT and TAM3 are very com- plex. For example, although social influences are important, they are likely to be important only for older works and women, and then only when they start using the system. The more complex models (UTAUT and TAM3) are useful for experts who are trying to take into account the nuances when trying to figure out the best way to implement systems. However, the parsimonious TAM model is clearly easier for practitioners trying to grasp the major issues involved in user acceptance.
TAM and all of these variants assume that system use is under the control of the individuals. When employees are mandated to use the system, they may use it in the short run, but over the long run the negative consequences of resistance may surface. Thus, gaining acceptance of the system is important, even in those situations where it is mandated.
TAM assumes that technology will be accepted if people’s attitudes and beliefs support its use. One way to make sure that employees’ attitudes and beliefs are favorable toward the system is to have them participate in its design and implementation. When future users of the system participate in its design and implementation, they can more easily tell the designers what they need from the system. Being involved in the development also makes them more aware of the trade-offs that inevitably occur during a system implementation. They may be more willing to accept the consequences of the trade-offs. Finally, being involved in the design and development allows users to better understand how the system works, and thus may make it easier for them to use the system.
Food for Thought: Security with Remote Workers 127
Microsoft recently applied the concept of participation when it invited hackers to a little-publicized security conference dubbed ‘‘Blue Hat’’ for the express pur- pose of exploiting flaws in Microsoft computing systems. The unusual summit of delegates of the hacking community and their primary corporate target illustrates the importance of security breaches to the world’s most powerful software com- pany. Bill Gates, Microsoft’s chairman at the time, estimated that security-related issues cost the company $2 billion a year — more than a third of its research budget. It is likely that Microsoft was using the event to woo an influential group to report security flaws discreetly rather than to go public with them. Both the hackers and the corporate engineers appreciated each other’s technical knowledge and agreed to meet again.49
! FOOD FOR THOUGHT: SECURITY WITH REMOTE WORKERS
In May of 2006, the Department of Veterans Affairs (VA) announced that a laptop carrying unencrypted, sensitive personal information on more that 2.2 million active-duty military personnel was stolen from an employee’s home.50 This security breach highlights the importance of posting and enforcing proper telecommuting (and remote work) policies. Although the VA claims that there is a policy in place that does not allow workers to take their laptops home, it would seem that the policy is not strictly enforced and/or that employees are not educated about the agency’s telecommuting policies and the importance of adhering to them.
The development, posting, and enforcement of telecommuting policies are vital in a world where security breaches are commonplace. These policies should incorporate such simple rules as never store information on a laptop, encrypt all information once it leaves the office, and provide telecommuters with dedicated computers that can only be used for work. If an organization does not wish to adhere to these strict guidelines, then it at least needs to develop telecom- muting policies that define what software will be allowed on the home-based computer and what data will be stored on the computer. Further, employ- ees must be made aware of the policies through a well-planned education program.51 One approach to make sure that remote workers understand the telecommuting policy, and to make them accountable, is to have them sign an
49 Ina Fried, ‘‘Microsoft Asks for Help from Hackers,’’ ZD Net News (June 16, 2005), available at http://news.zdnet.com/2100-1009 22-5749234html?tag=st.num. 50 Robert Lemos, ‘‘VA Data Theft Affects Most Soldiers,’’ Security Focus, June 7, 2006 http://www .securityfocus.com/brief/224. 51 Mary J. Culnan, Ellen R. Foxman, and Amy W. Ray, ‘‘Why IT executives Should Help Employees Secure Their Home Computers,’’ MIS Quarterly Executive 7, no. 1 (March 2008), 49 – 56, http://test .misqe.org/ojs/index.php/misqe/article/view/161.
128 Chapter 4 Information Technology and the Design of Work
agreement with employers on exactly how their computers are to be used and maintained.52
As the physical corporate walls are torn down and more workers work from remote locations, technology advances to keep up with their business and network security needs. Some of these technologies are the following.
• Probably the most basic security tactic is to deploy antivirus and antispy- ware software on computers used by remote workers. There should be a related organization policy about how often the computers should be updated with the latest virus definitions and system patches.
• Basic security protections that are often overlooked include adding a desk- top firewall and SSL (Security Socket Layer) for authentication.
• Many government-issued computers are equipped with Absolute Soft- ware’s Computrace — ‘‘the LoJack of computer hardware’’ to trace the location of a missing or stolen computer.53
• Centennial Software’s DeviceWall prevents USB mass-storage devices or iPods from accessing data on home-based computers. DeviceWall also lets machines work in read-only mode and can limit Wi-Fi connections and use of CDs.54
• A terminal server (without Internet access) allows remote workers to log on to a server where all their applications and data are available. In this scenario, because all the applications are running on data center computers, remote client security software is unnecessary.55
• A relatively new category of technology, data-leak prevention technology, is designed to ensure that sensitive corporate data is not being printed out, e-mailed, or saved to removable media without the proper authorization, even on remote endpoints.56
Remote workers pose a threat to office workers because if they come into the office with an infected computer and plug into the network, perimeter security technology is unable protect all the other workers connected to the network. Further, as demonstrated by the VA example earlier, remote workers can be the source of a security breach if their computers are stolen. It is impossible for organizations to make remote workers totally secure. However, managers need to get more involved in assessing the areas and severity of risk and take appropriate
52 Ellen Messmer, ‘‘Telecommuting Security Concerns Grow,’’ Network World, April 24, 2006, http://www.networkworld.com/news/2006/042406-telecommuter-security.html. 53 Cara Garretson, ‘‘Heightened Awareness, Reinforced Products Advance Teleworker’s Security,’’ Network World, February 20, 2007, http://www.networkworld.com/news/2007/022007-heightened- awareness.html?ap1=rcb. 54 Ibid. 55 Ibid. 56 Ibid.
Summary 129
steps, via policies, education and technology, to reduce the risks and make those remote workers as secure as possible.
! SUMMARY • The nature of work is changing, and IT supports, if not propels, these changes. • Organization structures have responded to changes in work. One new organiza-
tional form is the virtual organization, or a structure that makes it possible for individuals to work for an organization and live anywhere. They are made possible through information and communication technologies.
• Communication and collaboration are becoming increasingly important in today’s work. Technology to support communication includes e-mail, intranets, instant messaging (IM), Voice over Internet Protocol (VoIP), unified communications, RSS (Web feeds), virtual private networks (VPN), and file transfers. Technology to support collaboration includes social networking sites, Web logs (blogs), virtual worlds, wikis, and groupware.
• IT affects work by creating new work, creating new working arrangements, and pre- senting new managerial challenges in employee supervision, evaluation, compensa- tion, and hiring.
• Newer approaches to management reflect greater use of computer and informa- tion technology in hiring and supervising employees, a greater focus on output (compared to behavior), and a greater team orientation.
• The shift to knowledge-based work, changing demographics and lifestyle prefer- ences, new technologies, growing reliance on the Web, and energy concerns all contribute to the growth in remote work.
• Companies find that building telecommuting capabilities can be an important tool for attracting and retaining employees, increasing worker productivity, providing flexibility to otherwise overworked individuals, reducing office space and associated costs, responding to environmental concerns about energy consumption, and com- plying with the Clean Air Act. Telecommuting also promises employees potential benefits: schedule flexibility, higher personal productivity, less commuting time and fewer expenses, and greater geographic flexibility.
• Disadvantages of telecommuting include difficulties in evaluating performance, greater feelings of isolation among employees, easier displacement by offshoring, and limitations of jobs and workers in its application.
• Virtual teams are defined as ‘‘geographically and/or organizationally dispersed coworkers that are assembled using a combination of telecommunications and information technologies to accomplish an organizational task.’’ They are increas- ingly common organizational phenomenon and must be managed differently than more traditional teams.
• Managers of virtual teams must focus on overcoming the challenges of communica- tion, technology, and diversity of team members.
• To gain acceptance of a new technology, potential users must exhibit a favorable attitude toward the technology. In the case of information systems, the users’ beliefs about its perceived usefulness and perceived ease of use color their attitudes about the system.
130 Chapter 4 Information Technology and the Design of Work
! KEY TERMS e-mail (p. 103) file transfer (p. 106) groupware (p. 107) instant messaging (IM)
(p. 104) intranet (p. 103) mobile workers (p. 115) offshoring (p. 118) RSS (Web feed) (p. 105)
social networking site (p. 106)
telecommuting (p. 115) unified communications
(p. 105) video teleconference
(p. 104) virtual teams (p. 120) virtual organization (p. 99)
virtual private network (VPN) (p. 106)
virtual world (p. 107) Voice over Internet
Protocol (VoIP) (p. 104) Web logs (blogs) (p. 107) wiki (p. 107)
! DISCUSSION QUESTIONS 1. Why might a worker resist the implementation of a new technology? What are some of the possible consequences of asking a worker to use a computer or similar device in his or her job?
2. How can IT alter an individual’s work? How can a manager ensure that the impact is pos- itive rather than negative?
3. What current technologies do you predict will show the most impact on the way work is done? Why?
4. Given the growth in telecommuting and other mobile work arrangements, how might offices physically change in the coming years? Will offices as we think of them today exist by 2012? Why or why not?
5. How is working at an online retailer different from working at a brick-and-mortar retailer? What types of jobs are necessary at each? What skills are important?
6. Paul Saffo, director of the Institute for the Future, noted, ‘‘Telecommuting is a reality for many today, and will continue to be more so in the future. But beware, this doesn’t mean we will travel less. In fact, the more one uses electronics, the more they are likely to travel.’’57 Do you agree with this statement? Why or why not?
7. The explosion of information-driven self-serve options in the consumer world is evident in the gas station, where customers pay, pump gas, and purchase a car wash without ever seeing an employee; in the retail store such as Wal-Mart, Home Depot, and the local grocery, where self-service checkout stands mean customers can purchase a basket of items without ever speaking to a sales agent; at the airport, where customers make reservations and pay for and print tickets without the help of an agent; and at the bank, where ATMs have long replaced tellers for most transactions. But a backlash is coming, experts predict. Some say that people are more isolated than they used to be in the days of face-to-face service, and they question how much time people are really saving if they have to continually learn new processes, operate new machines, and overcome new glitches. Laborsaving technologies were supposed to liberate people from mundane tasks, but it appears that these technologies are actually shifting the boring tasks to the customer. On
57 ‘‘Online Forum: Companies of the Future,’’ available at http://www.msnbc.com/news/738363.asp (accessed June 11, 2002).
Case Study 131
the other hand, many people like the convenience of using these self-service systems, especially because it means customers can visit a bank for cash or order books or gifts from an online retailer 24 hours a day. Does this mean the end of ‘‘doing business the old-fashioned way?’’ Will this put a burden on the elderly or the poor when corporations begin charging for face-to-face services?58
CASE STUDY 4-1
AUTOMATED WASTE DISPOSAL, INC.
Ciro Viento is responsible for 110 of Automated Waste Disposal, Inc.’s (AWD’s) garbage trucks. Automated Waste Disposal is a commercial and household trash hauler in Con- necticut and New York. When a caller recently complained to Viento that a blue and white Automated Waste Disposal truck was speeding down Route 22, Viento turned to the company’s information system. He learned that the driver of a company front-loader had been on that very road at 7:22 a.m., doing 51 miles per hour (mph) in a 35 mph zone. Was the driver of that truck ever in trouble!
This AWD system uses a global positioning system not only to smooth its operations, but also to keep closer track of its workers, who may not always be doing what they are supposed to be doing during work hours. Viento pointed out, ‘‘If you’re not out there babysitting them, you don’t know how long it takes to do the route. The guy could be driving around the world, he could be at his girlfriend’s house.’’
Before AWD installed the GPS system, the drivers of his 22 front-loaders clocked in approximately 300 hours a week of overtime at 1.5 times pay. Once AWD started monitoring the time they spent in the yard before and after completing their routes and the time and location of stops that they made, the number of overtime hours plummeted to 70 per week. This translated to substantial savings for a company whose drivers earn about $20 an hour.
AWD also installed GPS receivers, which are the size and shape of cans of tuna, in salesmen’s cars. Viento was not surprised to learn that some of the company’s salespeople frequented a local bar around 4 p.m. when they were supposed to be calling on customers. Viento decided to set digital boundaries around the bar.
Not surprisingly, the drivers and salespeople aren’t entirely happy with the new GPS- based system. Tom McNally, an AWD driver, admits: ’’It’s kind of like Big Brother is watching a little bit. But it’s where we’re heading in this society . . . I get testy in the deli when I’m waiting in line for coffee, because it’s like, hey, they’re (managers) watching. I’ve got to go.’’
Viento counters that employers have a right to know what their employees are up to: ‘‘If you come to work here, and I pay you and you’re driving one of my vehicles, I should have the right to know what you’re doing.’’
Discussion Questions
1. What are the positive and negative aspects of Viento’s use of the GPS-based system to monitor his drivers and salespeople?
58 Stevenson Swanson, ‘‘Are Self-Serve Options a Disservice?’’ Austin American Statesman (May 8, 2005), Section H, p. 1. Reprinted from Chicago Tribune.
132 Chapter 4 Information Technology and the Design of Work
2. What advice do you have for Viento about the use of the system for supervising, evalu- ating, and compensating his drivers and salespeople?
3. As more and more companies turn to IS to help them monitor their employees, what do you anticipate the impact will be on employee privacy? Can anything be done to ensure employee privacy?
Source: Adapted from MSNBC News (Associated Press), ‘‘Bosses Keep Sharp Eye on Mobile Workers’’ (December 30, 2004), available at http://www.msnbc.msn.com/id/6769377/(downloaded June 18, 2005).
CASE STUDY 4-2
VIRTUALLY THERE?
Dr. Laura Esserman leans forward and speaks with conviction, making broad gestures with her hands. ‘‘Over the past couple of decades, I’ve watched industries be transformed by the use of information systems and incredible visual displays,’’ she says. ‘‘What we could do is to completely change the way we work — just by changing the way we collect and share information.’’
Sounds familiar, right? But Esserman isn’t championing yet another overzealous Silicon Valley start-up — she’s envisioning how cancer patients will interact with their doctors. If Esserman, a Stanford-trained surgeon and MBA, has her way, patients won’t sit passively on an exam table, listening to impenetrable diagnoses and memorizing treatment instructions. Instead, they’ll have access to a multimedia treasure chest of real-time diagnosis, treatment, and success-rate data from thousands of cases like their own. Better still, they won’t meet with just one doctor. There will be other doctors on the case — some from the other side of the hospital and some, perhaps, from the other side of the world.
Esserman and her colleagues at the University of California, San Francisco’s Carol Franc Buck Breast Care Center are pioneers in the new world of virtual teams and virtual tools, a world in which there will be real change in the way highly trained people whose work depends on intense collaboration get things done. Her goal at the Buck Breast Care Center is to use virtual tools to bring more useful information (and more doctors) into the exam room. Why? Because two heads really are better than one. She explains that when patients see their doctors after a breast cancer diagnosis, for example, they are handed a recommended course of treatment that involves serious choices and trade-offs. Of course, most patients don’t know enough about the merits of, say, a lumpectomy versus a mastectomy to make an informed choice, so they trust their doctors to tell them what to do.
But a single doctor isn’t always equipped to make the best decision, especially because different procedures can have very different long-term physical and emotional impacts — but may not be all that different in their short-term medical outcomes. ‘‘Very often,’’ Esserman says, ‘‘doctors recommend a particular treatment because they’re more familiar with it. But we should be advocates for our patients, rather than our specialties.’’
Although her full-blown program is a long way off, Esserman has run a pilot project with 24 patients. She worked with both Oracle, the Silicon Valley database giant, and MAYA Viz, a Pittsburgh company that develops ‘‘decision community’’ software, to allow doctors across the country to collaborate virtually. Through Esserman’s approach, when a patient arrives at the doctor’s office to receive treatment instructions, instead of listening to a physician’s
Case Study 133
monologue, she’s handed a printout. On the top left side of the page is the diagnosis, followed by patient-specific data: the size and spread of the tumor, when it was discovered, and the name of the treating doctor. Below that is statistical information generated from clinical-research databases, such as the number of similar cases treated each year and details about survival rates.
A set of arrows points to treatment options. Next, the patient reads the risks and benefits associated with each treatment. She can follow along as the doctor explains the chances that the cancer will recur after each option and the likelihood that a particular treatment will require follow-up procedures, as well as a comparison of survival rates for each one.
At this point, the patient has an opportunity to voice concerns about treatment options, and the physician can explain her experiences with each one. ‘‘When you share this kind of information, patients and doctors can make decisions together according to the patient’s values,’’ Esserman says. This is where the network tools come into play. Drawing from stored databases of both clinical trials and patient-treatment histories local to the hospital, the physician can compare courses of action and results far beyond her own personal experience. ‘‘A medical opinion is really just one physician’s synthesis of the information,’’ notes Esserman. ‘‘So you need a way to calibrate yourself — a way to continually ask, Are there variations among the group of doctors that I work with? Am I subjecting people to procedures that turn out not to be useful?’’
With a real-time, shared-data network, these questions can be answered at the touch of a button instead of after hours, weeks, or months of research. But that’s just the beginning. A real-time network also presents the possibility of seeking help from other specialists on puzzling cases, even if those specialists are on the other side of the world.
Discussion Questions
1. Why does this case offer an example of a virtual team? In what ways are the team mem- bers on this team dispersed (i.e., location, organization, culture)?
2. What are the advantages of the virtual team described in this case? 3. What technological support is needed for the virtual team to meet its goals? 4. What suggestions can you offer Dr. Esserman for managing this virtual team?
Source: Excerpted from Alison Overholt, ‘‘Virtually There,’’ Fast Company 56 (March 2002), 108, available at http://www.fastcompany.com/online/56/virtual.html.
!CHAPTER 5 INFORMATION TECHNOLOGY AND CHANGING BUSINESS PROCESSES1
Executives at concrete company Cemex faced a challenge as they confronted their second century of existence. As a 100-year-old multinational cement corporation, based in Monterrey, Mexico, they sought new ways to operate, innovate, and manage their vast organization. It took them 16 years, but they completely changed the key processes that affect their customers.
Prior to their transformation, the company looked like any other regional cement company with autonomous plants, secluded local management, and a dependency on factors they felt were beyond their control. Customers were regularly caught without their shipments. But that was standard practice in the industry, so it was tolerated.
The new CEO began by revisiting their business strategy and challenged his team to solve the issues of inefficient delivery and unforecastable demand. At the time, the IT department was only supporting back-office accounting applications. The transformation team looked at best practice ways of using information technology (IT) to serve production and delivery operations and built the IT capability they needed to be completely aligned with the business process redesign. They built Cemexnet to link all their cement plants and to keep the plants updated on changes in supply and demand. They redesigned their delivery processes while installing a logistics information system that used GPS technology to help dispatchers manage their fleet of trucks. Now the closest trucks were used to make deliveries, and rerouting was possible in extreme circumstances. Management also redesigned and created a set of global processes so customers, suppliers, and distributors could manage their orders.
1 The authors wish to acknowledge and thank Jeff Greer, MBA 1999, for his help researching and writing early drafts of this paper.
134
Silo Perspective Versus Business Process Perspective 135
The results were dramatic. Delivery windows went from 3 hours to 20 minutes, and Cemex made that window 98% of the time. They meet this window because they have control over their processes and information about issues that might affect their processes. Sales increased 19% in the first quarter after all the components and redesigned processes were put in place. And their reputation was greatly enhanced because they were able to transform themselves from just another regional cement company into a highly differentiated, service-oriented, customer-friendly organization. Cemex reset the bar for all others in the industry with their customer orientation, their use of technology, and their process redesign.2
IS can enable or impede business change. The right design coupled with the right technology can result in changes such as Cemex experienced. The wrong business process design or the wrong technology, however, can force a company into oblivion.
To a manager in today’s business environment, an understanding of how IS enable business change is essential. The terms management and change management are used almost synonymously: To manage effectively means to manage change effectively. As IS become ever more prevalent and more powerful, the speed and magnitude of the changes that organizations must address to remain competitive will continue to increase. To be a successful manager, one must understand how IS enable change in a business, one must gain a process perspective of business, and one must understand how to transform business processes effectively. This chapter provides the manager with a view of business process change. It provides tools for analyzing how a company currently does business and for thinking about how to effectively manage the inevitable changes that result from competition and the availability of IS. This chapter also describes an IT-based solution commonly known as enterprise IS (information systems).
A brief word to the reader is needed. The term process is used extensively in this chapter. In some instances, it is used to refer to the steps taken to change aspects of the business. At other times, it is used to refer to the part of the business to be changed: the business process. The reader should be sensitive to the potentially confusing use of the term process.
! SILO PERSPECTIVE VERSUS BUSINESS PROCESS PERSPECTIVE
When effectively linked with improvements to business processes, advances in IS enable changes that make it possible to do business in a new way, better and more competitive than before. On the other hand, IS can also inhibit change, which occurs when managers fail to adapt business processes because they rely on inflexible systems to support those processes. Finally, IS can also drive change, for better or for worse. Examples abound of industries that were fundamentally
2 Adapted from ‘‘BPR at Cemex’’ from www.cio.com/article/print/30445 (accessed February 28, 2008).
136 Chapter 5 Information Technology and Changing Business Processes
changed by advances in IS and of companies whose success or failure depended on the ability of their managers to adapt. This chapter considers IS as an enabler of business transformation, a partner in transforming business processes to achieve competitive advantages. We begin by comparing a process view of the firm with a functional view.
Transformation requires discontinuous thinking — recognizing and shedding outdated rules and fundamental assumptions that underlie operations. ‘‘Unless we change these rules, we are merely rearranging the deck chairs on the Titanic. We cannot achieve breakthroughs in performance by cutting fat or automating existing processes. Rather, we must challenge old assumptions and shed the old rules that made the business under perform in the first place.’’3
Functional (or Silo) Perspective Many think of business by imagining a hierarchical structure organized around a set of functions. Looking at a traditional organization chart allows an understanding of what the business does to achieve its goals. A typical hierarchical structure, organized by function, might look like the one shown in Figure 5.1.
In a hierarchy, each department determines its core competency and then concentrates on what it does best. For example, the operations department focuses on operations, the marketing department focuses on marketing, and so on. Each major function within the organization usually forms a separate department to ensure that work is done by groups of experts in that function. This functional structure is widespread in today’s organizations and is reinforced by business education curricula, which generally follow functional structures — students take courses in functions (i.e., marketing, management, accounting), major in functions, and then are predisposed to think in terms of these same functions.4
Even when companies use the perspective of the value chain model (as discussed in Chapter 2), they still focus on functions that deliver their portion of
Typical Hierarchical Organization Structure
Operations Marketing Accounting Finance Administration
Executive Offices CEO
President
FIGURE 5.1 Hierarchical structure.
3 Michael Hammer, ‘‘Reengineering Work: Don’t Automate, Obliterate,’’ Harvard Business Review (July – August 1990), 4. 4 Thomas Davenport and John Beck, The Attention Economy (Boston: Harvard Business School Press, 2001), 173.
Silo Perspective Versus Business Process Perspective 137
the process and ‘‘throwing it over the wall’’ to the next group on the value chain. These silos, or self-contained functional units, are useful for several reasons. First, they allow an organization to optimize expertise. For example, instead of having marketing people in a number of different groups, all the marketing people belong to the same department, which allows them to informally network and learn from each other and allows the business to leverage its resources. Second, the silos allow the organization to avoid redundancy in expertise by hiring one person who can be assigned to projects across functions on an as-needed basis instead of hiring an expert in each function. Third, with a functional organization, it is easier to benchmark with outside organizations, utilize bodies of knowledge created for each function, and easily understand the role of each silo. For example, it is clear that the marketing department produces and executes marketing plans, but it may not be clear what a customer-relationship department does. (It typically has some marketing, some sales, some services, and some accounting processes.)
On the other hand, silo organizations can experience significant suboptimiza- tion. First, individual departments often recreate information maintained by other departments. Second, communication gaps between departments are often wide. Third, as time passes, the structure and culture of a functionally organized business can become ingrained, creating a complex and frustrating bureaucracy. Fourth, handoffs between silos are often a source of problems, such as finger-pointing and lost information, in business processes. Finally, silos tend to lose sight of the objective of the overall organization goal and operate in a way that maximizes their local goals.
A firm’s work changes over time. In a functionally organized silo business, each group is primarily concerned with its own set of objectives. The executive officers jointly seek to ensure that these functions work together to create value, but the task of providing the ‘‘big picture’’ to so many functionally oriented personnel can prove extremely challenging. As time passes and business circumstances change, new work is created that relies on more than one of the old functional departments. Departments that took different directions must now work together. They negotiate the terms of any new work processes with their own functional interests in mind, and the ‘‘big picture’’ optimum gets scrapped in favor of suboptimal compromises among the silos. These compromises then become repeated processes; they become standard operating procedures.
Losing the big picture means losing business effectiveness. After all, a busi- ness’s main objective is to create as much value as possible for its shareholders and other stakeholders by satisfying its customers to the greatest extent possible. When functional groups duplicate work, when they fail to communicate with one another, when they lose the big picture and establish suboptimal processes, the customers and stakeholders are not being well served.
Process Perspective A manager can avoid such bureaucracy — or begin to ‘‘fix’’ it — by managing from a process perspective. A process perspective keeps the big picture in view and
138 Chapter 5 Information Technology and Changing Business Processes
allows the manager to concentrate on the work that must be done to ensure the optimal creation of value. A process perspective helps the manager avoid or reduce duplicate work, facilitate cross-functional communication, optimize business processes, and ultimately, best serve the customers and stakeholders.
In business, a process is defined as an interrelated, sequential set of activities and tasks that turns inputs into outputs, and includes the following:
• A beginning and an end • Inputs and outputs • A set of tasks (subprocesses) that transform the inputs into outputs • A set of metrics for measuring effectiveness
Metrics are important because they focus managers on the critical dimensions of the process. Metrics for a business process are things like throughput, which is how many outputs can be produced per unit time; or cycle time, which is how long it takes for the entire process to execute. Some use measures are the number of handoffs in the process or actual work versus total cycle time. Other metrics are based on the outputs themselves, such as customer satisfaction, revenue per output, profit per output, and quality of the output.
Examples of business processes include customer order fulfillment, manufac- turing planning and execution, payroll, financial reporting, and procurement. A typical procurement process might look like Figure 5.2. The process has a begin- ning and an end, inputs (requirements for goods or services) and outputs (receipt of goods, vendor payment), and subprocesses (filling out a purchase order, verifying the invoice). Metrics of the success of the process might include turnaround time and the number of paperwork errors.
The procurement process in Figure 5.2 cuts across the functional lines of a traditionally structured business. For example, the requirements for goods might originate in the operations department based on guidelines from the finance depart- ment. Paperwork would likely flow through the administration department, and the accounting department would be responsible for making payment to the vendor.
Focus on the process by its very nature ensures focus on the business’s goals (the ‘‘big picture’’) because each process has an ‘‘endpoint’’ that is usually a deliverable to a customer, supplier, or other stakeholder. A process perspective recognizes that processes are often cross-functional. In the diagram in Figure 5.3, the vertical bars represent functional departments within a business. The horizontal bars represent processes that flow across those functional departments. A process
Receive Requirement
for Goods/ Services
Pay Vendor
Verify Invoice
Receive Goods
Create and Send
Purchase Order
FIGURE 5.2 Sample business process.
Silo Perspective Versus Business Process Perspective 139
M A R K E T I N G
A C C O U N T I N G
F I N A N C E
A D M I N I S T R A T I O N
O P E R A T I O N S
Functions
Business Processes
FIGURE 5.3 Cross-functional nature of business processes.
perspective requires an understanding that processes properly exist to serve the larger goals of the business, and that functional departments must work together to optimize processes in light of these goals.
For example, Nokia Telecommunications, the telecommunications manufac- turing division of the Finnish company Nokia, built its order fulfillment process to include tendering, order delivery, implementation, and after-sales service tasks.5 The company built cellular systems, switching systems, and transmission systems worldwide to companies offering mobile and fixed telecommunications services. Their order fulfillment process crossed division and product group boundaries, making it a cross-functional business process.
When managers take the process perspective, they lead their organizations to optimize the value that customers and stakeholders receive. These managers begin to question the status quo. They do not accept ‘‘because we have always done it that way’’ as an answer to why business is conducted in a certain way. They concentrate instead on specific objectives and results. They begin to manage processes by:
• Identifying the customers of processes • Identifying these customers’ requirements • Clarifying the value that each process adds to the overall goals of the or-
ganization • Sharing their perspective with other organizational members until the
organization itself becomes more process focused
5 For more details about Nokia’s efforts, see S. Jarvenpaa and Ilkka Tuomi, ‘‘Nokia Telecommunica- tions: Redesign of International Logistics,’’ Harvard Business School case study 9-996-006 (September 1995).
140 Chapter 5 Information Technology and Changing Business Processes
The differences between the silo and process perspective are summarized in Figure 5.4. Unlike a silo perspective, a process perspective recognizes that businesses operate as a set of processes that flow across functional departments. It enables a manger to analyze the business’s processes in light of its larger goals, as compared to the functional orientation of the silo perspective. Finally, it provides a manager with insights into how those processes might better serve these goals.
Zara’s Cross-Functional Processes Consider Spanish clothing retailer Zara (see Chapter 2). With 650 stores in 50 countries around the world and a well-designed set of cross-functional processes, Zara is able to design, produce, and deliver a garment within 15 days. For this to happen, Zara managers must regularly create and rapidly replenish small batches of goods all over the world. Zara’s organization, operational procedures, perfor- mance measures, and even its office layout are all designed to make information transfer easy.
Zara’s designers are colocated with the production team, including marketing, procurement, and production planners. Prototypes are created nearby, facilitating easy discussion about the latest design. Large circular tables in the middle of the production process encourage impromptu meetings where ideas are readily exchanged among the designers, market specialists, and production planners. The speed and quality of the design process is greatly enhanced by the colocation of the entire team. That is because the designers can quickly check their ideas with others on their cross-functional teams. For example, the market specialists can quickly respond to their designs in terms of the style, color, and fabric, whereas the procurement and production planners can update them about manufacturing costs and available capacity.
Information technology provides a platform but does not preclude informal face-to-face conversations. Retail store managers are linked to marketing specialists through customized handheld computers but just as often use the telephone to share order data, sales trends, and customer reactions to a new style. The flat
Definition
Focus Goal Accomplishment
Benefits
Silo Perspective
Self-contained functional units such as marketing, operations, finance, and so on Functional Optimizes on functional goals, which might be a suboptimal organizational goal Highlighting and developing core competencies; functional efficiencies
Business Process Perspective
Interrelated, sequential set of activities and tasks that turns inputs into outputs Cross-functional Optimizes on organizational goals, or “big picture”
Avoiding work duplication and cross-functional communication gaps; organizational effectiveness
FIGURE 5.4 Comparison of silo perspective and business process perspective.
The Tools for Change 141
organization structure and cross-functional teams enable information sharing among everyone who needs to know and therefore offers the opportunity to change directions quickly to respond to new market trends.
! THE TOOLS FOR CHANGE
Two techniques are used to transform a business: (1) radical process, which is sometimes called business process reengineering (BPR) or simply reengineer- ing, and (2) incremental, continuous process improvement, sometimes referred to using the term total quality management (TQM). Every manager needs to know about both of these concepts. In fact, we would venture to say that every company uses both of these methods of improvement someplace in their operations. Some businesses have made radical process reconfiguration a core competency so that they can better serve customers whose demands are constantly changing. Both concepts are important; they continue to be two different tools a manager can use to effect change in the way his or her organization does business. The basis of both approaches is viewing the business as a set of business processes, rather than using a silo perspective.
Incremental Change At one end of the continuum, managers use incremental change approaches to improve business processes through small, incremental changes. This improvement process generally involves the following activities:
• Choosing a business process to improve • Choosing a metric by which to measure the business process • Enabling personnel involved with the process to find ways to improve it
based on the metric
Personnel often react favorably to incremental change because it gives them control and ownership of improvements and, therefore, renders change less threatening. The improvements grow from their grassroots efforts. One popular management approach to incremental change is called six-sigma. This approach uses incremental change activities within a larger structure of tools and processes to continually improve processes.
Radical Change Incremental change approaches work well for tweaking existing processes, but more major changes require a different type of management tool. At the other end of the change continuum, radical change enables the organization to attain aggressive improvement goals (again, as defined by a set of metrics). The goal of radical change is to make a rapid, breakthrough impact on key metrics.
The difference in the incremental and radical approaches over time is illus- trated by the graph in Figure 5.5. The vertical axis measures, in one sense, how well
142 Chapter 5 Information Technology and Changing Business Processes
Radical
Incremental
Time
Pe rc
en t I
m pr
ov em
en t
80
60
40
20
0
FIGURE 5.5 Comparison of radical and incremental improvement.
a business process meets its goals. Improvements are made either incrementally or radically. The horizontal axis measures time.
Not surprisingly, radical change typically faces greater internal resistance than does incremental change. Therefore, radical change processes should be carefully planned and only used when major change is needed in a short time. Some examples of situations requiring radical change are when the company is in trouble, when it imminently faces a major change in the operating environment, or when it must change significantly to outpace its competition. Key aspects of radical change approaches include the following:
• The need for major change in a short amount of time • Thinking from a cross-functional process perspective (or, as consultants
like to say, ‘‘thinking outside the box’’) • Challenging old assumptions • Networked (cross-functional) organizing • Empowerment of individuals in the process • Measurement of success via metrics tied directly to business goals
The Process for Radical Redesign Many different and effective approaches can be taken to achieve radical process change. Each consultant or academic has a pet method, but all share three main elements:
1. They begin with a vision of which performance metrics best reflect the success of overall business strategy.
2. They make changes to the existing process. 3. They measure the results using the predetermined metrics.
The diagram in Figure 5.6 illustrates a general view of how radical redesign methods work. A new process is envisioned, the change is designed and imple- mented, and its impact is measured. A more specific method for changing a
The Tools for Change 143
Vision Measure Current Process New Process
Change
Transformation Methodology
FIGURE 5.6 Conceptual flow of process design.
business process is illustrated in Figure 5.7. In this process, feedback from each step can affect any of the previous steps
Using a BPR methodology (Figure 5.7), a manager begins by stating a case for action. The manager must understand what it is about current conditions that makes them unfavorable and, in general terms, how business processes must change to address them. Next, the manager must assess the readiness of the organization to undertake change. Only after stating a compelling case for action and addressing organizational readiness should the manager identify those business processes that he or she believes should change to better support the overall business strategy and build a redesign team.
Once the case for action is made, the current process is analyzed. Some experts believe that it is only necessary to do a cursory study of the existing process, just enough to understand the problems, the key metrics, and the basic flow. Others believe a detailed study helps to clearly identify how the process works. Although detail is sometimes helpful, many BPR projects get derailed at this step because of ‘‘analysis paralysis,’’ spending an overabundance of time and effort understanding every detail of the process. Such detail is not necessary, but nevertheless is comforting to the manager and may help build credibility with the rest of the organization.
The tool used to understand a business process is a workflow diagram, which shows a picture, or map, of the sequence and detail of each process step. More than 200 products are available for helping managers diagram the workflow. The objective of process mapping is to understand and communicate the dimensions of the current process. Typically, process engineers begin the process mapping procedure by defining the scope, mission, and boundaries of the business process.
Set the Stage, Develop Vision
of “To Be”
Develop Transition
Plan
Implement Plan
Monitor and
Measure
(feedback loops)
Understand “As Is” (Current)
Process
FIGURE 5.7 Method for redesigning a business process.
144 Chapter 5 Information Technology and Changing Business Processes
Next, the engineer develops a high-level overview flowchart of the process and a detailed flow diagram of everything that happens in the process. The diagram uses active verbs to describe activities and identifies all actors, inputs, and outputs of the process. The engineer verifies the detailed diagram for accuracy with the actors in the process and adjusts it accordingly.
Another key task at this stage is to identify metrics of business success that clearly reflect both problems and opportunities in the status quo and that can measure the effectiveness of any new processes. It is vitally important that the metrics chosen relate to the key business drivers in any given situation. Examples include cost of production, cycle time, scrap and rework rates, customer satisfaction, revenues, and quality.
The manager’s next step is to develop a transition plan. The plan should include a clearly stated vision, an initial design of the new process that directly addresses the metrics that, in turn, address the goals of the business, and an implementation plan.
The Risk of Radical Redesign The original concept of reengineering described a theory of radical change through process design. In his famous Harvard Business Review article, reengineering guru Michael Hammer described the concept of process design as one of starting with a ‘‘clean sheet of paper.’’ The idea was not to let the existing process, nor any of the potential constraints in the environment, get in the way of the redesign. Starting with a greenfields approach allowed, in theory, the process designers to create the best possible design. The implementation of these new processes, however, proved more difficult than most organizations were willing to tolerate.
Dozens of stories tell of companies that attempted reengineering, only to fail to realize the advantages they sought. Radically changing a business is not an easy task. Research done to determine why companies failed to reach their goals reveal some of the more common reasons, which are summarized here.
• Lack of senior management support at the right times and the right places. Some estimates suggest that 50% or more of a senior manager’s time is necessary to make radical change successful.
• Lack of a coherent communications program. Radical change can scare many employees who are unsure about whether they will have a job when the changes are completed. Companies that fail to communicate regularly, clearly, and honestly experience an increased risk of failure.
• Introducing unnecessary complexity into the new process design. For example, some companies try to introduce new IS that are unproven or need extensive customization and training. Such an approach adds a level of complexity to a reengineering project that is often difficult to manage.
• Underestimating the amount of effort needed to redesign and implement the new processes. Companies, of course, do not stop operation while they reengineer, and therefore, many companies find themselves spread too
Shared Services 145
thin when trying to reengineer and continue operations. Some compare it to ‘‘changing airplanes in midair’’ — not impossible, but definitely not easy.
• Combining reengineering with downsizing. Many organizations really just want to downsize their operations and get rid of some of their labor costs. They call that initiative reengineering rather than downsizing and think their employees will understand that the new business design just takes fewer people. Employees are smarter than that and often make the implementation of the radical design impossible.
The benefits of radical change are seductive, but the risks are high. The trans- formation is not just a change in technology, but a change in organization structure and talent, often more challenging than the process redesigners anticipated. To mitigate this risk, some propose undertaking a revolutionary design approach but an evolutionary implementation approach. Although evolutionary implementation may reduce the risk of rejection, ease the adaptation of the new process, and allow more individuals to participate in the business change, it also means taking longer to realize the benefits of the redesign.
Agility and Constantly Redesigning Processes To stay competitive and consistently meet changing customer demands, some organizations build agile processes, or processes that iterate through a constant renewal cycle of design, deliver, evaluate, redesign, and so on. The ultimate goal for some is agile processes that reconfigure themselves as they ‘‘learn’’ and are utilized in the business. For a process to be agile necessitates a high degree of the use of IT. The more of the process that can be done with software, the easier it is to change, and the more likely it can be designed to be agile and constantly redesigning itself.
Examples of this type of process are often found in manufacturing operations, where production lines are reconfigured regularly to accommodate new products and technologies. For example, automobile production lines produce large quanti- ties of cars, but very few are identical to the car before or after it on the production line. The design of the line is such that many changes in design, features, or options are just incorporated into the assembly of the car at hand. More recently, with the use of the Internet and Web 2.0 technologies, building agility into business processes is increasingly common. Processes run entirely on the Internet, such as order-management, service provisioning, software development, and human resource support are candidates for agile designs that take advantage of the latest innovations offered by the vendors on the Internet.
! SHARED SERVICES
Business executives increasingly expect IT to not just provide technologies but to also provide the engine for efficiency. As companies look for new and different ways
146 Chapter 5 Information Technology and Changing Business Processes
to become more efficient and to add more business value, leaders increasingly expect to use IT as a key component of the solution. The term horizontal integration is often used as the all-encompassing term for looking beyond individual business processes and considering the bigger, cross-functional picture of the corporation. How can increased efficiencies be had once all business processes themselves are highly efficient? Horizontal integration makes the parts of the corporation work more effectively and efficiently by considering a larger scope than any one business process redesign would consider. Integrated databases, Web 2.0 technologies and services, and common infrastructure are the tools IT brings to the implementation of horizontal integration.
Consider a company with multiple business units, each of which is highly efficient in carrying out the business processes necessary to make their business work. What is the next opportunity for further reducing costs and increasing efficiency? Many organizations have restructured their common business processes into a shared services model. For example, IT services, human resources, procurement, and finance are often services needed by all business units of a corporation. Instead of each business unit building and supporting their own organization for each of these functions, a shared services model would consolidate all the individuals from all the business units into a single organization, run centrally, and utilized by each business unit. Often shared services organizations have relationship managers who work with individual business units to facilitate alignment of services to business needs.
Business Process Management (BPM) Systems Thinking about the business as a set of processes has become commonplace for most organizations. Managing their processes is another story. A class of software systems called Business Process Management (BPM) systems is used to solve this management challenge. In the 1990s, a class of systems emerged to help manage workflows in the business. They primarily helped track document-based processes where people executed the steps of the workflow. BPM systems go way beyond the document-management capabilities and include features that man- age person-to-person process steps, system-to-system steps, and those processes that include a combination. Systems include process modeling, simulation, code generation, process execution, monitoring, and integration capabilities for both company-based and Web-based systems. The tools allow an organization to actively manage and improve its processes from beginning to end.
BPM systems are a way to build, execute and monitor automated processes that may go across organizational boundaries. Some of the functionality of a BPM may be found in enterprise applications such as ERP, CRM, and financial software because these systems also manage processes within a corporation. But BPM systems go outside a specific application to help companies manage across processes. Some BPM systems manage front office applications that are often person-to-person processes such as a sales or ordering process. These processes
Enterprise Systems 147
Application Monitoring Sim
ula tio
n
De sig
n Templates Fr
am ew
ork s Manage
Optimize
Real-time Analytics
SO A
Bu sin
es s
M od
eli ng
User
Inte rface
CaseManagement Content
Managem ent
E vents/
M essages
BPM PROCESS ENGINE
FIGURE 5.8 Sample BPM Architecture: Appian Enterprise. Source: Adapted from www.appian.com/product/enterprise.
are humancentric. Other BPM systems support back-office processes that often are more system-to-system oriented and possibly extend outside the corporation to include Web-based components.
BPM systems are not meant for all processes. They are very useful when all the activities are in a predetermined order. They are less useful when steps vary each time the process is executed. One example of a BPM is the system by Appian. Their BPM product includes three components to help companies design, manage, and optimize core business processes. Figure 5.8 shows a diagram of the architecture of their BMP.
! ENTERPRISE SYSTEMS
Information technology is a critical component of most every business process today because information flow is at the core of most every process. A class of IT applications called enterprise systems is a set of information systems tools that many organizations use to enable this information flow within and between processes.
Computer systems in the 1960s and early 1970s were typically designed around a specific application, with each application using its own set of inputs. These early systems did not interface well with each other and often had their own version
148 Chapter 5 Information Technology and Changing Business Processes
of data, even though these data were used in other systems. The systems were designed to support a silo approach, and they did so very effectively.
Organizational computing groups were faced with the challenge of linking and maintaining the patchwork of loosely overlapping, redundant systems. In the 1980s and 1990s, software companies in a number of countries, including the United States, Germany, and the Netherlands, began developing integrated software packages that used a common database and cut across organizational systems. Some of these packages were developed from administrative systems (e.g., finance and human resources) and others evolved from materials resource planning (MRP) in manufacturing. These comprehensive software packages that incorporate all modules needed to run the operations of a business are called enter- prise systems or, alternatively, enterprise information systems (EIS). Enterprise resource planning (ERP) software packages are the most frequently discussed type of enterprise system. Other enterprise systems may be developed in-house to integrate organizational processes.
ERPs were designed to help large companies manage the fragmentation of information stored in hundreds of individual desktop, department, and business unit computers across the organization. They offered the management information system (MIS) department in many large organizations an option for switching from underperforming, obsolete mainframe systems to client-server environments designed to handle the changing business demands of their operational counter- parts. The threat of the year 2000 problem (Y2K), a problem in which computers used two digits instead of four digits to represent the year, making it impossible to distinguish between years such as 2000 and 1900, pushed many senior managers to outside vendors who offered Y2K-compliant enterprise systems as the solution for their companies. In some cases, business processes were so untamed that managers thought installing an enterprise system would be a way to standard- ize processes across their businesses. These managers wanted to transform their business processes by forcing all to conform to a software package.
By far the most widely used enterprise system was offered by a German company, SAP. Their product, R/3, was installed in almost every large global corporation. Many other competitors, including PeopleSoft, Baan, and Oracle, and many other vendors also offered a selection of software systems that, when integrated, formed an enterprise system.
The next generation of enterprise system emerged, ERP II systems. Whereas an ERP makes company information immediately available to all departments throughout a company, ERP II makes company information immediately avail- able to external stakeholders, such as customers and partners. ERP II enables e-business by integrating business processes between an enterprise and its trading partners.
Enterprise Systems 149
Characteristics of Enterprise Systems Enterprise systems have several characteristics:6
• Integration. Enterprise systems are designed to seamlessly integrate infor- mation flows throughout the company. Enterprise systems are configured by installing various modules, such as:
• Manufacturing (materials management, inventory, plant maintenance, production planning, routing, shipping, purchasing, etc.)
• Accounting (general ledger, accounts payable, accounts receivable, cash management, forecasting, cost accounting, profitability analysis, etc.)
• Human resources (employee data, position management, skills inven- tory, time accounting, payroll, travel expenses, etc.)
• Sales (order entry, order management, delivery support, sales planning, pricing, etc.)
• Packages. Enterprise systems are commercial packages purchased from software vendors. Unlike many packages, enterprise systems usually require long-term relationships with software vendors because the complex systems must typically be modified on a continuing basis to meet the organization’s needs.
• Best practices. Enterprise systems reflect industry best practices for generic business processes. To implement them, business process reengineering is often required.
• Some assembly required. The enterprise system is software that needs to be integrated with the organization’s hardware, operating systems, databases, and telecommunications. Further, enterprise systems often need to be integrated with proprietary legacy systems. It often requires that middleware (software used to connect processes running in one or more computers across a network) or ‘‘bolt-on’’ systems be used to make all the components operational.
• Evolving. Even though enterprise systems were designed first for main- frame systems and then client-server architectures, many systems now are being designed for Web-enabled or object-oriented versions. A major challenge facing many firms is to integrate Internet ERP applications with supply chain management software. One important problem in meeting this challenge is to allow companies to be both more flexible in sourcing from multiple (or alternative) suppliers, while also increasing
6 M. Lynne Markus and Cornelis Tanis, ‘‘The Enterprise System Experience — From Adoption to Success,’’ in R. Zmud (ed.), Framing the Domains of IT Management: Projecting the Future Through the Past (Cincinnati, OH: Pinaflex Educational Resources, Inc., 2000), 176 – 179.
150 Chapter 5 Information Technology and Changing Business Processes
the transparency in tightly coupled supply chains. A second problem is to integrate ERP’s transaction-driven focus into a firm’s workflow.7
Benefits and Disadvantages of Enterprise Systems The major benefit of an enterprise system is that all modules of the information system easily communicate with each other, offering enormous efficiencies over stand-alone systems. In business, information from one functional area is often needed by another area. For example, an inventory system stores information about vendors who supply specific parts. This same information is required by the accounts payable system, which pays vendors for their goods. It makes sense to integrate these two systems to have a single accurate record of vendors.
Because of the focus on integration, enterprise systems are useful tools for an organization seeking to centralize operations and decision making. One of the benefits of centralization is the effective use of organizational databases. Redundant data entry and duplicate data may be eliminated; standards for numbering, naming, and coding may be enforced; and data and records can be cleaned up through standardization. Further, the enterprise system can reinforce the use of standard procedures across different locations.
The obvious benefits notwithstanding, implementing an enterprise system represents an enormous amount of work. Using the same simple example as pre- viously, if an organization has allowed both the manufacturing and the accounting departments to keep their own records of vendors, then most likely these records are kept in somewhat different forms (one department may keep the vendor name as ‘‘IBM,’’ the other as ‘‘International Business Machines’’ or even ‘‘IBM Corp.,’’ all of which make it difficult to integrate the databases). Such data inconsistencies must be addressed for the enterprise system to provide optimal advantage.
Moreover, even though enterprise systems are flexible and customizable to a point, most also require business processes to be redesigned to achieve optimal performance of the integrated modules. The flexibility in an enterprise system comes from being able to change parameters in a process, such as the type of part number the company will use. However, all systems make assumptions about how the business processes work, and at some level, customization is not possible. For example, one major Fortune 500 company refused to implement a vendor’s enterprise system because the company manufactured products in lots of ‘‘one,’’ and the vendor’s system would not handle the volume this company generated. If they had decided to use the ERP, a complete overhaul of their manufacturing process in a way that executives were unwilling to do would have been necessary.
Organizations are expected to conform to the approach used in the enterprise system, arguably because the enterprise system represents a set of industry
7 Amit Basu and Akhil Kumar, ‘‘Research Commentary: Workflow Management Issues in e-Business,’’ Information Systems Research 13, no. 1 (March 2002), 1 – 14.
Enterprise Systems 151
best practices. Implementing enterprise systems requires organizations to make changes in their organization structure and often in the individual tasks done by workers. Recall in Chapter 1, the Information Systems Strategy Triangle suggests that implementing an information system must be accompanied with appropriate organizational changes to be effective. Implementing an enterprise system is no different. For example, who will now be responsible for entering the vendor information that was formerly kept in two locations? How will that information be entered into the enterprise system? The answer to such simple operational questions often requires managers at a minimum to modify business processes and more likely to redesign them completely to accommodate the information system.
Furthermore, enterprise systems and the organizational changes they induce tend to come with a hefty price tag. A Meta Group survey of 63 small, medium, and large companies found the average total cost of ownership (TCO) of an ERP to be $15 million.8 The TCOs ranged from $400,000 to $30 million. As discussed in Chapter 10, TCO numbers included hardware, software, professional services, and internal staff costs as well as installing the software and maintaining, upgrading, and optimizing it for two years. Because they are so complex, the cost of professional services and internal staff tend to be quite high. Further, additional hidden costs in the form of technical and business changes are likely to be necessary when implementing an enterprise system.
One of the reasons that enterprise (ERP) systems are so expensive is that they are sold as a suite, such as financials or manufacturing, and not as individual modules. Because buying modules separately is difficult, companies implementing ERP software often find the price of modules they won’t use hidden in the cost of the suite.
Enterprise systems are also risky. The number of enterprise system horror stories demonstrates this risk. For example, Kmart wrote off its $130 million ERP investment. American LaFrance (ALF), the manufacturer of highly customized emergency vehicles and a spinoff from Freightliner, declared bankruptcy in early 2008, blaming their IT vendor and their ERP implementation. The problems with the implementation kept ALF from being able to manufacture many preordered vehicles. The Los Angeles Unified School District implemented an enterprise system only to find their payroll process completely messed up. In June 2007, the worst month for problems, about 30,000 paychecks were issued with errors, and the problems continued well into the next school year. One executive said the problem occurred because the system was rolled out too quickly and without sufficient testing.9 Oftentimes, installing an enterprise system means the business must
8 Christopher Koch, ‘‘The ABCs of ERP,’’ CIO Magazine, http://www.cio.com/research/erp/edit/ erpbasics.html (accessed February 7, 2002). 9 For additional examples of IT failures in general, and enterprise systems failures in particular, please visit the blog written by Michael Krigsman, http://blogs.zdnet.com/projectfailures/
152 Chapter 5 Information Technology and Changing Business Processes
reengineer its business processes. Because the enterprise system is an automation of the major business processes such as financial, manufacturing, and human resource management and because most enterprise systems are purchased from vendors such as SAP, PeopleSoft, and Oracle, it is rare that an off-the-shelf system is perfectly harmonious with an existing business process. More typical is that either the software requires significant modification or customization to fit with the existing processes, or the processes must change to fit the software. In most installations of enterprise systems, both take place. The system is customized when it is installed in a business by setting a number of parameters, and in the worst case, by modifying the code itself. The business processes are changed, often through a radical change project, as described earlier in this chapter. Many of these projects are massive undertakings, requiring formal, structured project management tools (as discussed in Chapter 11).
! INTEGRATED SUPPLY CHAINS
Another type of enterprise system in common use is the supply chain management system, which manages the integrated supply chain (as introduced in Chapter 2). Business processes are not just internal to a company. With the help of information technologies, many processes are linked across companies with a companion process at a customer or supplier, creating an integrated supply chain
The supply chain of a business is the process that begins with raw materials and ends with a product or service ready to be delivered (or in some cases actually delivered) to a customer. It typically includes the procurement of materials or components, the activities to turn these materials into larger subsystems or final products, and the distribution of these final products to warehouses or customers. But with the increase in information systems use, it may also include product design, product planning, contract management, logistics, and sourcing. Globalization of business and ubiquity of communication networks and information technology has enabled businesses to use suppliers from almost anywhere in the world. At the same time, this has created an additional level of complexity for managing the supply chain. Supply chain integration is the approach of technically linking supply chains of vendors and customers to streamline the process and to increase efficiency and accuracy.
Integrated supply chains have several challenges, primarily resulting from different degrees of integration and coordination among supply chain members.10 At the most basic level, there is the issue of information integration. Partners must agree on the type of information to share, the format of that information, the technological standards they will both use to share it, and the security they will use to ensure that only authorized partners access it. Trust must be established so the
10 Adapted from Hau Lee and Seungjin Whang, ‘‘E-Business and Supply Chain Integration,’’ Stanford University Global Supply Chain Management Forum, November 2001.
Integrated Supply Chains 153
partners can solve higher-level issues that may arise. At the next level is the issue of synchronized planning. At this level, the partners must agree on a joint design of planning, forecasting, and replenishment. The partners, having already agreed on what information to share, now have to agree on what to do with it. The third level can be described as workflow coordination — the coordination, integration, and automation of critical business processes between partners. For some supply chains, this might mean simply using a third party to link the procurement process to the preferred vendors or to communities of vendors who compete virtually for the business. For others it might be a more complex process of integrating order processing and payment systems. Ultimately, the integration of supply chains is leading to new business models, as varied as the visionaries who think them up. These business models are based on new ideas of coordination and integration made possible by the Internet and information-based supply chains. In some cases, new services have been designed by the partnership between supplier and customer, such as new financial services offered when banks link up electronically with businesses to accept online payments for goods and services purchased by the businesses’ customers. In other cases, a new business model for sourcing has resulted, such as one in which companies list their supply needs, and vendors electronically bid to be the supplier for that business.
Demand-driven supply networks are the next step for companies with highly evolved supply chain capabilities. Kimberly Clark, the 135-year-old consumer products company, is one such example. Their vision is for a highly integrated suite of supply chain systems that provide end-to-end visibility of the supply processes in real time. Key processes included in their demand-driven supply network are both forecast-to-stock and order-to-cash. Using an integrated suite of systems allowed their users to share the same information in as close to real time as possible, and to use the data in their systems for continually updating their supply chain, category management, and consumer insight processes. IT has allowed management to reduce the problems of handing off data from one system or process to another (because now everything is in one system), having workers work from different databases (because it’s now one database), and of working off old data (because it’s as real time as possible). This has improved their ability to see what’s going on in the marketplace and evaluate the impact of promotions, production, and inventory much more quickly.
Integrated supply chains are truly global in nature. Thomas Friedman, in his book The World is Flat, describes how the Dell computer that he had ordered to write his book was developed from the contributions of an integrated supply chain that involved about four hundred companies in North America, Europe, and, primarily, Asia. However, the globalization of integrated supply chains faces a growing challenge from skyrocketing transportation costs. For example, Tesla Motors, a pioneer in electric-power cars, had originally planned the production of a luxury roadster for the American market based on an integrated global supply chain. The 1,000-pound battery packs for the cars were to be manufactured in Thailand, shipped to Britain for installation, and then shipped to the United States,
154 Chapter 5 Information Technology and Changing Business Processes
where they would be assembled into cars. However, because of the extensive costs associated with shipping the batteries more than 5,000 miles, Tesla decided to make the batteries and assemble the cars near its headquarters in California. Darryl Siry, Tesla’s senior vice president of global sales, marketing, and service explains: ‘‘It was kind of a no-brain decision for us. A major reason was to avoid the transportation costs, which are terrible.’’ Economists warn managers to expect the ‘‘neighborhood effect’’ in which factories may be built closer to components suppliers and consumers to reduce transportation costs. This effect may apply not only to cars and steel, but also to chickens and avocados and a wide range of other items.11
When the System Drives the Change When is it appropriate to use the enterprise system to drive business process redesign, and when is it appropriate to redesign the process first, then implement an enterprise system? In several instances, it is appropriate to let the enterprise system drive business process redesign. First, when an organization is just starting out and processes do not yet exist, it is appropriate to begin with an enterprise system as a way to structure operational business processes. After all, most of the processes embedded in the ‘‘vanilla’’ enterprise system from a top vendor are based on the best practices of corporations who have been in business for years. Second, when an organization does not rely on its operational business processes as a source of competitive advantage, then using an enterprise system to redesign these processes is appropriate. Third, it is reasonable for an organization to let the enterprise system drive business process change when the current systems are in crisis and there is not enough time, resources, or knowledge in the firm to fix them. Even though it is not an optimal situation, managers must make tough decisions about how to fix the problems. A business must have working operational processes; therefore, using an enterprise system as the basis for process design may be the only workable plan. It was precisely this situation that many companies faced with Y2K.
Likewise, it is sometimes inappropriate to let an enterprise system drive business process change. When an organization derives a strategic advantage through its operational business processes, it is usually not advisable to buy a vendor’s enterprise system. Using a standard, publicly available information system that both the company and its competitors can buy from a vendor may mean that any competitive advantage is lost. For example, consider a major computer manufacturer that relied on its ability to process orders faster than its competitors to gain strategic advantage. It would not have been to that organization’s benefit to use an enterprise system to drive the redesign of the order fulfillment system because doing so would force the manufacturer to restrict its process to that which is available from enterprise system vendors. More important,
11 Larry Rohter, ‘‘Shipping Costs Start to Crimp Globalization,’’ New York Times, August 3, 2008, pp. 1, 10.
Food for Thought: is ERP a Universal Solution? 155
any other manufacturer could then copy the process, neutralizing any advantages. Furthermore, the manufacturer believed that relying on a third party as the provider of such a strategic system would be a mistake in the long run. Should the system develop a bug or need to be redesigned to accommodate unique aspects of the business, the manufacturer would be forced to negotiate with the enterprise system vendor to get it to modify the enterprise system. With a system designed in-house, the manufacturer was able to ensure complete control over the IS that drives its critical processes.
Another situation in which it would be inappropriate to let an enterprise system drive business process change is when the features of available packages and the needs of the business do not fit. An organization may use specialized processes that cannot be accommodated by the available enterprise systems. For example, many ERPs were developed for discrete part manufacturing and do not support some processes in paper, food, or other process industries.12
A third situation would result from lack of top management support, company growth, a desire for strategic flexibility, or decentralized decision making that render the enterprise system inappropriate. For example, Dell stopped the full implementation of SAP R/3 after only the human resources module had been installed because the CIO did not think that the software would be able to keep pace with Dell’s extraordinary growth. Enterprise systems were also viewed as culturally inappropriate at the highly decentralized Kraft Foods.
Challenges for Integrating ERP between Companies With the widespread use of ERP systems, the issue of linking supplier and customer systems to the business’s systems brings many challenges. As with integrated supply chains, there are the issues of deciding what to share, how to share it, and what to do with it when the sharing can take place. There are also issues of security and agreeing on encryption or other measures to protect data integrity as well as to ensure that only authorized parties have access.
Some companies have tried to reduce the complexity of this integration by insisting on standards, either at the industry level or at the system level. An example of an industry-level standard is the bar coding used by all who do business in the consumer products industry. An example of a system-level standard is the use of SAP or Oracle as the ERP system used by both supplier and customer.
! FOOD FOR THOUGHT: IS ERP A UNIVERSAL SOLUTION?
Building a business process that crosses functional or even business unit boundaries is often a difficult exercise for executives. Managers and workers may resist change simply because the new process differs significantly from the old process and makes their job more complex or difficult. But imagine the impact when a business
12 Markus and Tanis, ‘‘The Enterprise System Experience.’’
156 Chapter 5 Information Technology and Changing Business Processes
process change, such as an ERP system, crosses country boundaries. That is, when the cultures within which a process must operate are significantly different, there is the potential for not only difficulty in implementation but also total rejection of the new process.
Consider an ERP system in the context of cultural differences. Each firm may have specific requirements for the ERP system that reflects its own organizational structure, management style, and business processes. There are likely to also be unique regulatory and social practices. For example, the record of successful global ERP system implementations in state-owned businesses in China has been abysmal. The problems are due, in part, to the misfit between the ERP systems and traditional Chinese management systems, which favor personal relationships.13
ERP systems are usually designed around best practices — but whose best practices? SAP and Oracle, the leading vendors of ERP systems, have a decided Western bias. More specifically, best practices at the heart of their systems are based on business processes that are found in successful companies in Germany and North America. However, when these systems are transplanted into Asian companies, problematic ‘‘misfits’’ have been found to occur.
Take, for example, the use of ERP systems designed for hospitals. Western health-care models are decidedly different from those used in Singapore. Much of the health care in Western countries is privately delivered. The government or insurance companies pay for the major portion of health-care services, with insured patients bearing only a fraction of the costs. In contrast, Singaporean health care is based on a model of individual responsibility, with community support and government subsidies provided only to the limited extent needed to keep the health care affordable. How does this affect processes embedded in the ERP system? The Western-based ERP billing and collections modules cater to complex claims submission processes and insurance verification and not to over-the-counter payment or installment payments by individual patients. Further, ‘‘bed class’’ is a big deal in Singapore, where patients in public hos- pitals can choose from a variety of plans ranging from one bed to six or more per room. The Western model is simpler because single-bedded rooms are more common.
A survey of Singaporean hospitals with an ERP system revealed that to accommodate the major differences between their processes and those embedded in the ERP, the hospitals typically developed add-on modules rather than changing package source codes. Customizing the source code was considered by the hospitals to be prohibitively costly and to lead to difficulties in maintaining future upgrades from the vendor.14
13 M. G. Martinson, ‘‘ERP in China: One Package, Two Profiles,’’ Communications of the ACM 47, no. 7 (July 2004), 65 – 68. 14 C. Soh, S. K. Sia, and J. Tay-Yap, ‘‘Cultural Fits and Misfits: Is ERP a Universal Solution?’’ Communications of the ACM 43, no. 4 (April 2000), 47 – 51.
Summary 157
Because of differences and ‘‘misfits,’’ businesses in many non-Western compa- nies are turning to local vendors that have developed systems reflecting local best practices. For example, local ERP vendors in Taiwan have developed ERP systems to support the majority of firms in the market space — small to medium-sized Tai- wanese companies with sophisticated, adaptive logistic networks. The local ERP vendors have adopted a strategy of customization and are more willing to modify their systems to satisfy local needs than are their large, global competitors.15
These examples suggest that another factor needs to be considered when designing and implementing an ERP. The ERP should not be implemented if the system is based on a cultural model that conflicts with the local customs and that cannot easily be accommodated by the ERP.
! SUMMARY • IS can enable or impede business change. IS enables change by providing both the
tools to implement the change and the tools on which the change is based. IS can also impede change, particularly when the desired information is mismatched with the capabilities of the IS.
• To understand the role IS plays in business transformation, one must take a business process, rather than a functional, perspective. Business processes are a well-defined, ordered set of tasks characterized by a beginning and an end, a set of associated metrics, and cross-functional boundaries. Most businesses operate business processes, even if their organization charts are structured by functions rather than by processes.
• Making changes in business processes is typically done through either TQM or BPR techniques. TQM techniques tend to imply an evolutionary change, where processes are improved incrementally. BPR techniques, on the other hand, imply a more radical objective and improvement. Both techniques can be disruptive to the normal flow of the business; hence strong project management skills are needed.
• To stay competitive, organizations must consistently meet changing customer demands and build processes that are agile and self-renewing. Agile processes often require a high degree of IT; the more the process can be done with software, the easier it is to change and the more agile the design becomes.
• BPM systems are used to help managers design, control, and document business processes and ultimately workflow in an organization.
• Enterprise systems are large information systems that provide the core functional- ity needed to run a business. These systems are typically implemented to help orga- nizations share data between divisions. However, in some cases enterprise systems are used to affect organizational transformation by imposing a set of assumptions on the business processes they manage.
15 E. T. G. Wang, G. Kleing, and J. J. Jiang, ‘‘ERP Misfit: Country of Origin and Organizational Factors,’’ Journal of Management Information Systems 23, no. 1 (Summer 2006), 263 – 292.
158 Chapter 5 Information Technology and Changing Business Processes
• An integrated supply chain is often managed using an enterprise system that crosses company boundaries and connects vendors and suppliers with organizations to syn- chronize and streamline planning and deliver products to all members of the supply chain.
• Information systems are useful as tools to both enable and manage business trans- formation. The general manager must take care to ensure that consequences of the tools themselves are well understood and well managed.
! KEY TERMS agile processes (p. 145) business process
management (BPM) (p. 146)
business process reengineering (BPR) (p. 141)
enterprise resource planning (ERP) (p. 148)
enterprise systems (p. 147)
horizontal integration (p. 146)
information integration (p. 152)
integrated supply chain (p. 152)
middleware (p. 149) process (p. 138) process perspective
(p. 137)
shared services (p. 146) silos (p. 137) six-sigma (p. 141) synchronized planning
(p. 153) total quality management
(TQM) (p. 141) workflow coordination
(p. 153) workflow diagram (p. 143)
! DISCUSSION QUESTIONS 1. Why was radical design of business processes embraced so quickly and so deeply by senior managers of so many companies? In your opinion, and using hindsight, was its popularity a benefit for businesses? Why or why not?
2. Off-the-shelf enterprise IS often forces an organization to redesign its business processes. What are the critical success factors to make sure the implementation of an enterprise system is successful?
3. Have you been involved with a company doing a redesign of its business processes? If so, what were the key things that went right? What went wrong? What could have been done better to minimize the risk of failure?
4. What do you think that Jerry Gregoire, former CIO of Dell, meant when he said, ‘‘Don’t automate broken business processes’’?16
5. What, in your opinion, are the advantages and the disadvantages of a shared services model for IT? What are some example activities done by a relationship manager from a shared services organization?
6. What might an integrated supply chain look like for a financial services company such as an insurance provider or a bank? What are the components of the process?
16 ‘‘Technology: How Much? How Fast? How Revolutionary? How Expensive?’’ Fast Company 56, p. 62, http://www.fastcompany.com/online/56/fasttalk.html (accessed May 30, 2002).
Case Study 159
CASE STUDY 5-1
SANTA CRUZ BICYCLES
Bicycle enthusiasts not only love the ride their bikes provide, but they also are often willing to pay for newer technology especially when it will increase their speed or comfort. Innovating new technologies for bikes is only half the battle for bike manufacturers. Designing the process to manufacture the bikes is often the more daunting challenge.
Consider the case of Santa Cruz Bicycles. It digitally designs and builds mountain bikes and tests them under the most extreme conditions to bring the best possible product to their customers. A few years back, the company designed and patented the Virtual Pivot Point (VPP) suspension system, a means to absorb the shocks that mountain bikers encounter when on the rough terrain of the off-road ride. One feature of the new design allowed the rear wheel to bounce 10 inches without hitting the frame or seat, providing shock absorption without feeling like the rider was sitting on a coiled spring.
The first few prototypes did not work well; in one case, the VPP joint’s upper link snapped after a quick jump. The experience was motivation for a complete overhaul of the design and engineering process to find a way to go from design to prototype faster. The 25-person company adopted a similar system used by large, global manufacturers: product life cycle management (PLM) software.
The research and development team had been using computer-aided-design (CAD) software, but it took 7 months to develop a new design, and if the design failed, starting over was the only solution. This was not only a drain on the company’s time but also on finances. The design team found a PLM system that helped them analyze and model capabilities in a much more robust manner. The team uses simulation capabilities to watch the impact of the new designs on rough mountain terrain. The software tracks all the variables the designers and engineers need so they can quickly and easily make adjustments to the design. The new system allows them to run a simulation in a few minutes, which is a very large improvement over their previous design software, which took 7 hours to run a simulation.
The software was just one component of the new process design. The company also hired a new master frame builder to build and test prototypes in-house and they invested in a van-size machine that can fabricate intricate parts for their prototypes, a process they used to outsource. The result was a significant decrease in their design-to-prototype process. What used to average about 28 months from start of design to shipping of the new bike now takes 12 to 14 months.
Discussion Questions
1. What, in your opinion, was the key factor in Santa Cruz Bicycles’ successful process redesign? Why was that factor the key?
2. What outside factors had to come together for Santa Cruz Bicycles to be able to make the changes they did?
3. Why is this story more about change management that software implementation?
Source: Adapted from Mel Duvall, ‘‘Santa Cruz Bicycles,’’ available at www.baselinemag.com, retrieved February 24, 2008.
160 Chapter 5 Information Technology and Changing Business Processes
CASE STUDY 5-2
BOEING 787 DREAMLINER
Delivery of Boeing’s 787 Dreamliner project was delayed, in part, because of their global supply chain network, which was touted to reduce cost and development time. In reality, this turned out to be a major cause for problems. Boeing decided to change the rules of the way large passenger aircraft were developed through its Dreamliner program; rather than simply relying on technological know-how, it decided to use collaboration as a competitive tool embedded into a new global supply chain process.
With the Dreamliner project, Boeing not only attempted to create a new aircraft through the innovative design and new material, but it also radically changed the production process. It built an incredibly complex supply chain involving over 50 partners scattered in 103 locations all over the world. The goal was to reduce the financial risks involved in a $10 billion-plus project for designing and developing a new aircraft and reduce the new product development cycle time. It tapped expertise of various firms in different areas such as composite materials, aerodynamics, and IT infrastructure to create a network in which partners’ skills complement each other. This changed the basis of competition to skill set rather than the traditional basis of low cost. In addition, this was the first time Boeing had outsourced the production on the two most critical parts of the plane — the wings and the fuselage.
The first sign of problems showed up just six months into the trial production. Engineers discovered unexpected bubbles in the skin of the fuselage during baking of the composite material. This delayed the project a month. Boeing officials insisted that they made up the time and all things were under control. But next to fail was the test version of the nose section. This time a problem was found in the software programs, which were designed by various manufacturers. They failed to communicate with each other, leading to a breakdown in the integrated supply chain. Then problems popped up in the integration of electronics. The Dreamliner program entered the danger zone when Boeing declared that it was having trouble getting enough permanent titanium fasteners to hold together various parts of the aircraft. The global supply network did not integrate well for Boeing and left it highly dependent on a few suppliers.
This case clearly underscores the hazards in relying on an extensive supply chain in which information exchange problems may create extended problems and seriously compromise a company’s ability to carry out business as planned. Creating a radically different process can mean encountering unexpected problems. In some cases, it would put a company so far behind their competition that they were doomed to fail. However, in this case, the major competitor to the Dreamliner, the Airbus 380 program, was also using a global supply-chain model, and its program was delayed by a couple of years. Their competition continued.
Discussion Questions
1. Why did Boeing adopt the radical redesign for designing and developing the 787 Dreamliner? In your opinion, was it a good move? Defend your choice.
2. Using the Silo Perspective versus Business Process Perspective, analyze the Dreamliner program.
Case Study 161
3. Develop a risk analysis scenario using the Risks of Radical Redesign framework discussed in the chapter.
4. If you were the program manager, what would you have done different to avoid the problems faced by the Dreamliner program?
Source: Adapted from J. Lynn Lunsford, ‘‘Boeing Scrambles to Repair Problems with New Plane,’’ Wall Street Journal, December 7, 2007, pp. A1, 13; and Stanley Holmes, ‘‘The 787 Encounters Turbulence,’’ BusinessWeek, June 19, 2006, pp. 38 – 40.
!CHAPTER 6 ARCHITECTURE AND INFRASTRUCTURE1
Valero Energy, the North American oil and gas refiner, has experienced hyper- growth for the past 10 years, mostly through acquisitions.2 The company’s revenue has grown from $29 billion to $90 billion, but with this growth came a mixture of different information technology (IT) systems and applications that were difficult and expensive to manage, and that did not easily integrate into their corporate enterprise resource planning (ERP) system and their business applications suite. Further, in the future, managers wanted to implement a self-service model where business units could create applications themselves in an easy, low-cost manner. For the managers to execute their business strategy, their IT architecture had to be redesigned and their infrastructure updated.
The architecture had to be flexible, able to grow with the company, and easily reused as new systems were needed. The MIS organization decided to use an SOA (service-oriented architecture) design in which applications and computing resources were available as components. For example, an order management component might be used by both a customer service application and a profitability analysis application.
The infrastructure for the ERP and business applications suite was SAP’s R/3 system. The newer components included a set of 90 services built on SAP’s development environment. Further, these core services have been used to create 40 different composite applications, helping management attain their reusability goal and keeping application development costs down. For example, one of the new applications was designed to let wholesale clients view account information via the Internet. The infrastructure used SAP NewWeaver Portal interface to connect to the SAP R/3 CRM (customer relationship management) system data warehouse and to other non-SAP systems. This design gives users a single view into the integrated information.
1 The authors wish to acknowledge and thank Vince Cavasin, MBA 1999, for his help in researching and writing early drafts of this chapter. 2 This case was adapted from http://www.cioinsight.com — CIOInsight Ziff Davis Enterprise Holdings Inc., Accessed 24 February 2008.
162
From Vision to Implementation 163
The results were dramatic. Savings added up for Valero because they did not have to build interfaces between all the independent systems they inherited through the acquisitions. New applications made operations more efficient and effective. One application saved the company a half-million dollars in fees that are charged when a ship sits idle at the dock. Before this new application, the managers did not have a way to monitor tankers as they unloaded oil, and therefore sometimes ships had to wait to unload their cargo. The new application provides visibility to the tankers and communications with employees at the refineries and helps the company avoid scheduling conflicts and the ensuing costs.
So far, this text explored the organizational, tactical, and strategic importance of IS. As illustrated with the Valero story, this chapter examines the mechanisms by which business strategy is transformed into tangible IS architecture and infra- structure. The terms architecture and infrastructure are often used interchangeably in the context of IS. This chapter discusses how the two differ and the role each plays in realizing a business strategy.
! FROM VISION TO IMPLEMENTATION
As shown in Figure 6.1, architecture translates strategy into infrastructure. Building a house is similar: the owner has a vision of how the final product should look and function. The owner must decide on a strategy about where to live — in an apartment or in a house. The owner’s strategy also includes deciding how to live in the house in terms of taking advantage of a beautiful view, having an open floor plan, or planning for special interests by designing such special areas as a game room, study, music room, or other amenities. The architect develops plans based on this vision. These plans, or blueprints, provide a guide — unchangeable in some areas, but subject to interpretation in others — for the carpenters, plumbers, and electricians who actually construct the house. Guided by past experience and by industry standards, these builders select the materials and construction techniques
Owner’s Vision
Architect’s Plans
Builder’s Implementation
Strategy Architecture Infrastructure
Abstract Concrete
Building
Information Technology
FIGURE 6.1 From the abstract to the concrete — building vs. IT.
164 Chapter 6 Architecture and Infrastructure
best suited to the plan. The plan helps them determine where to put the plumbing and wiring. When the process works, the completed house fulfills its owner’s vision, even though he or she did not participate in the actual construction. As finishing touches, the owner adds window coverings, light fixtures, and furniture to make the new house livable.
An information technology (IT) architecture provides a blueprint for trans- lating business strategy into a plan for IS. An information technology (IT) infrastructure is everything that supports the flow and processing of information in an organization, including hardware, software, data, and network components. It consists of components, chosen and assembled in a manner that best suits the plan and therefore best enables the overarching business strategy.3 Infrastructure in an organization is similar to the plumbing, wiring, and furnishings in a house.
The Manager’s Role Even though he or she is not drawing up plans or pounding nails, the homeowner in this example needs to know what to reasonably expect from the architect and builders. The homeowner must know enough about architecture, specifically about styling and layout, to work effectively with the architect who draws up the plans. Similarly, the homeowner must know enough about construction details such as the benefits of various types of siding, windows, and insulation to set reasonable expectations for the builders.
Like the homeowner, the manager must understand what to expect from IT architecture and infrastructure to be able to make full and realistic use of them. The manager must effectively communicate his or her business vision to IT architects and implementers and, if necessary, modify the plans if IT cannot realistically support them. For without the involvement of the manager, IT architects could inadvertently make decisions that limit the manager’s business options in the future.
For example, a sales manager for a large distribution company did not want to partake in discussions about providing sales force automation systems for his group. He felt that each individual salesperson could buy a laptop, if he or she wanted one, and the IT group would be able to provide support. No architecture was designed, and no long-range thought was given to how IT might support or inhibit the sales group. Salespeople did buy laptops, and other personal organizing devices. Soon, the IT group was unable to support all the different systems the salespeople had, so they developed a set of standards for systems they would support, based on the infrastructure they used elsewhere in the company. Again, the manager just blindly accepted that decision, and salespeople with systems outside the standards bought new systems. Then the sales manager wanted to change the way his group managed sales leads. He approached the IT department for help, and in the discussions that ensued, he learned that earlier infrastructure decisions made by
3 Gordon Hay and Rick Muñoz, ‘‘Establishing an IT Architecture Strategy,’’ Information Systems Management (Summer 1997).
The Leap from Strategy to Architecture to Infrastructure 165
the IT group now made it expensive to implement the new capability he wanted. Involvement with earlier decisions and the ability to convey his vision of what the sales group wanted to do might have resulted in an IT infrastructure that provided a platform for the changes the manager now wanted to make. The IT group-built infrastructure lacked an architecture that met the business objectives of the sales and marketing management.
! THE LEAP FROM STRATEGY TO ARCHITECTURE TO INFRASTRUCTURE
The huge number of IT choices available, coupled with the incredible speed of technology advances, makes the manager’s task of designing an IT infrastructure seem nearly impossible. However in this chapter, the task is broken down into two major steps: first, translating strategy into architecture and, second, translating architecture into infrastructure. This chapter describes a simple framework to help managers sort IT issues. This framework stresses the need to consider business strategy when defining an organization’s IT building blocks. Although this framework may not cover every possible architectural issue, it does highlight major issues associated with effectively defining IT architecture and infrastructure.
From Strategy to Architecture The manager must start out with a strategy, and then use the strategy to develop more specific goals, as shown in Figure 6.2. Then detailed business requirements are derived from each goal. In the Valero case, the strategy was to provide a single face to customers, and the goal was to integrate all the acquisitions. The business requirements were to integrate the information systems into a single, flexible system. By outlining the overarching business strategy and then fleshing out the business requirements associated with each goal, the manager can provide the architect with a clear picture of what IS must accomplish and the governance arrangements needed to ensure their smooth development, implementation, and use. The governance arrangements specify who in the company retains control of, and responsibility for, the IS. Preferably this is somebody at the top. Of course, the manager’s job is not finished here. He or she must work with the architect to translate these business requirements into a more detailed view of the systems requirements, standards, and processes that shape an IT architecture. This more detailed view includes consideration of such things as data and process demands, as well as security objectives. This process is depicted in Figure 6.2
From Architecture to Infrastructure Valero’s decision to use a service-oriented architecture led to the design of a number of services and composite applications. This illustrates the next step, translating the architecture into infrastructure. This task entails adding yet more detail to the architectural plan that emerged in the previous phase. Now the detail comprises actual hardware, data, networking, and software. Details extend
Fu nc
tio na
l S
pe c
Fu nc
tio na
l S
pe c
A rc
hi te
ct ur
al R
eq ui
re m
en t
A rc
hi te
ct ur
al R
eq ui
re m
en t
B us
in es
s R
eq ui
re m
en t
B us
in es
s R
eq ui
re m
en t
G oa
l
In te
rfa ce
S
pe c
D at
a P
ro to
co l
S W
S
pe c
H W
S
pe c
A rc
hi te
ct ur
e S
tra te
gy G
oa l
G oa
l
FI G
U RE
6. 2
F ro
m st
ra te
gy to
ar ch
it ec
tu re
to in
fr as
tr uc
tu re
.
166
The Leap from Strategy to Architecture to Infrastructure 167
to location of data and access procedures, location of firewalls, link specifications, interconnection design, and so on. This phase is also illustrated in Figure 6.2.
When we speak about infrastructure we are referring to more than the components. Plumbing, electrical wiring, walls, and a roof do not make a house. Rather, these components must be assembled according to the blueprint to create a structure in which people can live. Similarly, hardware, software, data, and networks must be combined in a coherent pattern to have a viable infrastructure. This infrastructure can be considered at several levels. At the most global level infrastructure may focus on the enterprise and refer to the infrastructure for the entire organization. Infrastructure may also focus on the interorganizational level by laying the foundation for communicating with customers, suppliers, or other stakeholders across organizational boundaries. Sometimes infrastructure refers to those components needed for an individual application. When considering the structure of a particular application, it is important to consider databases and program components, as well as the devices and operating environments on which they run. The application-level infrastructure reflects decisions made at the enterprise level. The following discussion relates to infrastructure and architecture at the enterprise level.
A Framework for the Translation When developing a framework for transforming business strategy into architecture and then into infrastructure these basic components should be considered:
• Hardware: The physical components that handle computation, storage, or transmission of data (e.g., personal computers, servers, mainframes, hard drives, RAM, fiber-optic cabling, modems, and telephone lines).
• Software: The programs that run on hardware to enable work to be performed (e.g., operating systems, databases, accounting packages, word processors, sales force automation, and enterprise resource planning systems). Some software, such as an operating system like Windows Vista or XP, Apple’s Leopard, or Linux, provides the platform on which other software, the applications, run. Applications, on the other hand, are software that automate tasks such as storing data, transferring files, cre- ating documents, and calculating numbers. Applications include generic software, such as word processors and spreadsheets, and specific software, such as sales force automation systems, human resource management systems, payroll systems, and manufacturing management systems.
• Network: Software and hardware components, such as switches, hubs, and routers, that create a path for communication and data sharing according to a common protocol.
• Data: The electronic representation of the numbers and text on which the IT infrastructure must perform work. Here, the main concern is the quan- tity and format of data, and how often it must be transferred from one piece of hardware to another or translated from one format to another.
168 Chapter 6 Architecture and Infrastructure
The framework that guides the analysis of these components was introduced in the first chapter, in Figure 1.10. This framework is simplified to make the point that initially understanding an organization’s infrastructure is not difficult. Understanding the technology behind each component of the infrastructure and the technical requirements of the architecture is a much more complex task. The main point is that the general manager must begin with an overview that is complete and that delivers a big picture.
This framework asks three types of questions that must be answered for each infrastructure component: what, who, and where. The ‘‘what’’ questions are those most commonly asked and that identify the specific type of technology. The ‘‘who’’ questions seek to understand what individuals, groups, and departments are involved. In most cases, the individual user is not the owner of the system nor even the person who maintains it. In many cases, the systems are leased, not owned, by the company, making the owner a party completely outside the organization. In understanding the infrastructure, it is important to get a picture of the people involved. The third set of questions address ‘‘where’’ issues. With the proliferation of networks, many IS are designed and built with components in multiple locations, often even crossing oceans. Learning about infrastructure means understanding where everything is located.
We can expand the use of this framework to also understand architecture. To illustrate the connections between strategy and systems, the table in Figure 6.3 has been populated with questions that typify those asked in addressing architecture and infrastructure issues associated with each component.
The questions shown in Figure 6.3 are only representative of those to be asked; the specific questions managers would ask about their organizations depend on the business strategy the organizations are following. However, this framework can help managers raise appropriate questions as they seek to translate business strategy into architecture and ultimately into infrastructure in their organizations. The answers derived with IT architects and implementers should provide a robust picture of the IT environment. That means that the IT architecture includes plans for the data and information, the technology (the standards to be followed and the infrastructure that provides the foundation), and the applications to be accessed via the company IT system.
There are three common configurations of IT architecture. A mainframe architecture uses a large central computer that handles all the functionality of the system. Users only need a very simple terminal to access the computer. Applications run on the mainframe, and data is stored there. This was the common architecture of every enterprise for a long time. Microprocessors and the technologies necessary for smaller computers were not available. Computer vendors such as IBM, Digital Equipment Company (DEC) and many others built systems with this architecture in mind. Enterprises liked the idea of a centralized data center where the IT assets were managed, and technology at the time was not able to put all the components into small systems. In addition, since virtually every enterprise had a large data center with mainframe architecture, there are a significant number of legacy
The Leap from Strategy to Architecture to Infrastructure 169
Component What Who Where
Architecture Infrastructure Architecture Infrastructure Architecture Infrastructure
Hardware Does fulfillment of our strategy require thick or thin clients?
What size hard drives do we equip our thick clients with?
Who knows the most about servers in our organization?
Who will operate the server?
Does our architecture require centralized or distributed servers?
Must we hire a server administrator for the Tokyo office?
Software Does fulfillment of our strategy require ERP software?
Shall we go with SAP or Oracle Applications?
Who is affected by a move to SAP?
Who will need SAP training?
Does our geographical organization require multiple database instances?
Does Oracle provide the multiple- database functionality we need?
Network What kind of bandwidth do we need to fulfill our strategy?
Will 10baseT Ethernet suffice?
Who needs a connection to the network?
Who needs an ISDN line to his or her home?
Does our WAN need to span the Atlantic?
Shall we lease a cable or use satellite?
Data Do our vendors all use the same EDI format?
Which VAN provides all the translation services we need?
Who needs access to sensitive data?
Who needs encryption software?
Will backups be stored on-site or off-site?
Which stor- age service shall we select?
FIGURE 6.3 Infrastructure and architecture analysis framework with sample questions.
mainframe environments still in operation today. However, one large computer at the center of the IT architecture is not used as regularly today as it was even as recently as five years ago. Instead, many computers are linked together to form a centralized IT core that operates very much like the mainframe architecture. The idea of a centralized IT core, where the bulk of the processing is done, is a viable, and common architecture design.
A more common configuration is a client/server architecture. Client/server architecture is one in which one software program (the client) requests and receives data and sometimes instructions from another software program (the server) running on a separate computer. The hardware, software, networking, and data are arranged in a way that distributes the processing and functionality between multiple small computers.
Although some would debate this point, a third increasingly common con- figuration is service-oriented architecture (SOA), the architecture that Valero decided to use. In this text, SOA is defined as an architecture in which larger software programs are broken down into services that are then connected to each other, in a process called orchestration, to form the applications for an entire business process. Sometimes IT architects consider SOA a philosophy rather than an architecture and argue that it’s really a type of Web-based architecture. That is because in SOA, the service components reside on different computers, often on
170 Chapter 6 Architecture and Infrastructure
the Internet. An example of a service might be an online employment form that, when completed, generates a file with the data for use in another service. Another example might be a ticket processing service that identifies available concert seats and allocates them. These relatively small chunks of functionality are available for many applications, or reuse. SOA is increasingly popular because the design enables large units of functionality to be built almost entirely from existing software service components. It offers managers a modular, and therefore a more easily modifiable, approach to building applications, The type of software used in an SOA architecture is often referred to as software-as-a-service or SaaS. Another term for these applications, when delivered over the Internet, is Web services.
A key differentiator in these configurations is the degree of centralization versus decentralization. A manager must be aware of the trade-offs when con- sidering architecture decisions. For example, client/server architectures are more modular than the mainframe architectures, allowing additional servers to be added with relative ease and provide greater flexibility for adding clients with specific functionality for specific users. Decentralized organizational governance, such as that associated with the networked organization structure (discussed in Chapter 3) is consistent with client/server architectures. In contrast, a mainframe architecture is easier to manage in some ways because all functionality is centralized in the main computer instead of distributed throughout all the clients and servers. A main- frame architecture tends to be a better match in companies with highly centralized governance, for example, those with hierarchical organization structures.
An example of an organization making these trade-offs is the Veterans Health Administration (VHA), a part of the Department of Veterans Affairs of the U.S. federal government.4 The organization included 14 different business units that served various administrative and organizational needs. The primary objective of the organization was to provide health care for veterans and their families. In addition, the VHA was a major contributor to medical research, allowing medical students to train at VHA hospitals. The medical centers operated independently and sometimes competed against each other. In 1996, however, the U.S. Congress passed an act that enabled the VHA to restructure itself from a system of hospitals to a single health-care system. The IT architecture was reconfigured from a very centralized design, which enabled the Office of Data Management and Telecommunications to retain control, to a decentralized hospital-based architecture that gave local physicians and administrators the opportunity to deploy applications addressing local needs, while ensuring that standards were developed across the different locations. The VA then introduced the ‘‘One-VA’’ architecture to unify the decentralized systems and ‘‘to provide an accessible source of consistent, reliable, accurate, useful, and secure information and knowledge to veterans and their families. . . .’’
4 Adapted from V. Venkatesh, H. Bala, S. Venkatraman, and J. Bates, ‘‘Enterprise Architecture Maturity: The Story of the Veterans Health Administration,’’ MIS Quarterly Executive 6, no. 2 (June 2007), 79 – 90.
Enterprise Architecture 171
Recent technological advances make designs possible such as peer-to-peer and wireless or mobile infrastructures. These designs do not necessarily need to be the firm’s exclusive infrastructure. For example, a wireless infrastructure may operate separately or may be built on a mainframe or client/server backbone. Peer-to-peer allows networked computers to share resources without a central server playing a dominant role. Kazaa, the Web site for sharing music, movies, games, and more, used a peer-to-peer architecture. Wireless (mobile) infrastructures allow communication from remote locations using a variety of wireless technologies (e.g., fixed microwave links, wireless LANs, data over cellular networks, wireless WANs, satellite links, digital dispatch networks, one-way and two-way paging networks, diffuse infrared, laser-based communications, keyless car entry, and global positioning systems).
Web-oriented architectures (WOAs) are architectures in which significant hardware, software, and possibly even data elements reside on the Internet. WOA offers greater flexibility when used as a source for capacity-on-demand, or the availability of additional processing capability for a fee. IT managers like the concept of capacity on demand to help manage peak processing periods when additional capacity is needed. It allows them to use the Web-available capacity as needed, rather than purchasing additional computers to handle the larger loads.
! ARCHITECTURAL PRINCIPLES
Any good architecture is based on a set of principles, or fundamental beliefs about how the architecture should function. Architectural principles must be consistent with both the values of the enterprise as well as with the technology used in the infrastructure. They are designed by considering the key objectives of the organization, and then translated into principles to apply to the design of the IT architecture. The number of principles vary widely, and there is no set list of what must be included in a set of architectural principles. However, a guideline for developing architectural principles is to make sure they are directly related to the operating model of the enterprise and IS organization. Principles should define the desirable behaviors of the IT systems and the role of the organization(s) that support it. A sample of architectural principles is shown in Figure 6.4
! ENTERPRISE ARCHITECTURE
Many companies apply even more complex frameworks than those described earlier for developing an IT architecture and infrastructure, employing an enterprise architecture, or the ‘‘blueprint’’ for all IS and their interrelationships in an enterprise. Enterprise architecture is the term used for the organizing logic for the entire organization, often specifying how information technologies will support business processes. It differs from an IT architecture in its level of analysis, although it shares some design principles of the lower-level architectures. It identifies the core processes of the company and how they will work together, how the IT systems
172 Chapter 6 Architecture and Infrastructure
Principle Description
Ease of use The IT architecture will promote ease of use in building and supporting the architecture and solutions based on the architecture.
Single point of view
The IT architecture will enable a consistent, integrated view of the business, regardless of access point.
Buy over Build Business applications, system components, and enabling frameworks will be purchased unless there is a competitive reason to develop them internally.
Speed and Quality
Architectural decisions will be made with an emphasis on accelerating time to market for solutions, while still maintaining required quality levels.
Flexibility and Agility
The IT architecture will incorporate flexibility to support changing busi- ness needs and enable evolution of the architecture and the solutions built on it.
Innovative The IT architecture will support incorporation of new technologies and facilitate innovation.
Data Security Data is protected from unauthorized use and disclosure.
Common Data Vocabulary
Data is defined consistently throughout the enterprise, and the defini- tions are understandable and available to all users.
Data Quality Each data element will have a trustee accountable for data quality.
Data Asset Data must be managed like other assets that have value to the enterprise.
FIGURE 6.4 Sample architectural principles. Source: Adapted from examples of IT architecture from IBM, TOGAF, the US Government, and the State of Wisconsin.
will support the processes, the standard technical capabilities and activities for all parts of the enterprise, and guidelines for making choices. As experts Jeanne Ross, Peter Weill, and David Robertson describe in their book, Enterprise Architecture as Strategy,
Top-performing companies define how they will do business (an operating model) and design the processes and infrastructure critical to their current and future operations (enterprise architecture), which guide the evolution of their foundation for execution. Then these smart companies exploit their foundation, embedding new initiatives to make that foundation stronger and using it as a competitive weapon to seize new business opportunities.5
5 Jeanne W. Ross, Peter Weill, and David C. Robertson, Enterprise Architecture as Strategy (Boston: Harvard Business School Press, 2006), viii – ix.
Enterprise Architecture 173
The components of an enterprise architecture typically include four key elements:
• Core business processes — the key enterprise processes that create the capabilities the company uses to execute its operating model and create market opportunities
• Shared data — the data that drives the core processes • Linking and automation technologies — the software, hardware, and net-
working technologies provide the links between applications (applications themselves are part of the IT architecture, but the way applications will link together is part of the bigger picture of the enterprise architecture)
• Customer groups — key customers to be served by the architecture6
One example of an enterprise architecture framework is the TOGAF (The Open Group Architecture Framework).7 TOGAF is an open architecture that has been developing and continuously evolving since the mid-1990s. It seeks to provide a practical, standardized methodology (called Architecture Development Methodology) to successfully implement an enterprise architecture into a company. The architect implements the Enterprise Architecture by setting up the foundation architecture, which is composed of services, functions, and standards. Subsets of the enterprise architecture are the business, data, application, and technology architectures. Like the framework in this book, the TOGAF is designed to translate strategy into architecture and then into a detailed infrastructure; however, it supports a much higher level of architecture that includes more components of the enterprise.8
Other examples of enterprise architecture frameworks are Zachman, Federal Enterprise Architecture, and the Gartner Methodology. The Zachman Frame- work determines architectural requirements by providing a broad view that helps guide the analysis of the detailed view. Its perspectives range from the company’s scope to its critical models and, finally, to very detailed representations of the data, programs, networks, security, and so on. The models it uses are the conceptual business model, the logical system model, and the physical technical model.9
Because enterprise architecture is more about how the company will operate than how the technology is designed, building an enterprise architecture is a joint exercise to be done with business leaders and IT leaders. IT leaders cannot and should not do this alone. Because virtually all business processes today involve some component of IT, the idea of trying to align IT with business processes is outdated. Instead, business processes are designed concurrently with IT systems.
6 Ibid., 50 – 52. 7 The Open Group at http://www.opengroup.org. 8 For more information on the TOGAF framework, visit www.togaf.org, the home site for the Open Group. 9 For more information on the Zachman framework, visit www.zifa.com, the Web site of the Zachman Institute.
174 Chapter 6 Architecture and Infrastructure
Building an enterprise architecture is more than just linking the business processes to IT. It starts with organizational clarity of vision and strategy and places a high value on consistency in approach as a means of optimal effectiveness. The consistency manifests itself as some level of standardization — standardization of processes, deliverables, and/or people Every enterprise architecture has elements of all these types of standardization; however, the degree and proportion of each vary with the organizational needs, making it dynamic. A good enterprise architect understands this and looks for the right blend for each activity the business undertakes. That means that because organizational groups and individuals are resources for business processes, the organizational design decisions should be part of the enterprise architecture. However, this is a sophisticated capability, and new enterprise architects often seek to put more rigid standards in place and do not attempt to tackle the more complex organizational design issues.
! OTHER MANAGERIAL CONSIDERATIONS
The framework guides the manager toward the design and implementation of an appropriate infrastructure. Defining an IT architecture that fulfills an organization’s needs today is relatively simple; the problem is, by the time it is installed, those needs change. The primary reason to base an architecture on an organization’s strategic goals is to allow for inevitable future changes — changes in the business environment, organization, IT requirements, and technology itself. Considering future impacts should include an analysis of the existing architecture, the strategic time frame, technological advances, and financial constraints.
Understanding Existing Architecture At the beginning of any project, the first step is to assess the current situation. Understanding existing IT architecture allows the manager to evaluate the IT requirements of an evolving business strategy against current IT capacity. The architecture, rather than the infrastructure, is the basis for this evaluation because the specific technologies used to build the infrastructure are chosen based on the overall plan, or architecture. As previously discussed, it is these architectural plans that support the business strategy. Assuming some overlap is found, the manager can then evaluate the associated infrastructure and the degree to which it can be utilized going forward.
Relevant questions for managers to ask include the following:
• What IT architecture is already in place? • Is the company developing the IT architecture from scratch? • Is the company replacing an existing architecture? • Does the company need to work within the confines of an existing archi-
tecture? • Is the company expanding an existing architecture?
Other Managerial Considerations 175
Starting from scratch allows the most flexibility in determining how architec- ture will enable a new business strategy, and a clean architectural slate generally translates into a clean infrastructure slate. However, it can be a challenge to plan effectively even when starting from scratch. For example, in a resource-starved start-up environment, it is far too easy to let effective IT planning fall by the wayside. Sometimes, the problem is less a shortcoming in IT management and more one of poorly devised business strategy. A strong business strategy is a prereq- uisite for IT architecture design, which is in turn a prerequisite for infrastructure design.
Of course, managers seldom enjoy the relative luxury of starting with a clean IT slate. More often, they must deal in some way with an existing architecture, infrastructure, and legacy systems already in place. In this case, they encounter both opportunity — to leverage the existing architecture and infrastructure and their attendant human resource experience pool — and the challenge of overcoming or working within the old system’s shortcomings. By implementing the following steps, managers can derive the most value and suffer the least pain when working with legacy architectures and infrastructures.
1. Objectively analyze the existing architecture and infrastructure. Remem- ber, architecture and infrastructure are separate entities; managers must assess the capability, capacity, reliability, and expandability of each.
2. Objectively analyze the strategy served by the existing architecture. What were the strategic goals it was designed to attain? To what extent do those goals align with current strategic goals?
3. Objectively analyze the ability of the existing architecture and infra- structure to further the current strategic goals. In what areas is alignment present? What parts of the existing architecture or infrastructure must be modified? Replaced?
Whether managers are facing a fresh start or an existing architecture, they must ensure that the architecture will satisfy their strategic requirements, and that the associated infrastructure is modern and efficient. The following sections describe evaluation criteria including strategic time frame, technical issues (adaptability, scalability, standardization, maintainability, security), and financial issues.
Assessing Strategic Time Frame Understanding the life span of an IT infrastructure and architecture is critical. How far into the future does the strategy extend? How long can the architecture and its associated infrastructure fulfill strategic goals? What issues could arise and change these assumptions?
Answers to these questions vary widely from industry to industry. Strategic time frames depend on industrywide factors such as level of commitment to fixed resources, maturity of the industry, cyclicality, and barriers to entry. As discussed in Chapter 1, hypercompetition has increased the pace of change to the point that requires any strategic decision be viewed as temporary.
176 Chapter 6 Architecture and Infrastructure
Architectural longevity depends not only on the strategic planning horizon, but also on the nature of a manager’s reliance on IT and on the specific rate of advances affecting the information technologies on which he or she depends. Hypercompetition implies that any architecture must be designed with maximum flexibility and scalability to ensure it can handle the imminent business changes. Imagine the planning horizon for a dot-com company in an industry in which Internet technologies and applications are changing daily, if not more often. Even oil giant Valero found that flexibility and agility were critical to their business and hence to their IT architecture
Assessing Technical Issues: Adaptability With the rapid pace of business, it is no longer possible to build a static information system to support businesses. Instead adaptability is a core design principle of every IT architecture. A manager may think of technological advances as primarily affecting IT infrastructure, but the architecture must be able to support any such advance. Can the architecture adapt to emerging technologies? Can a manager delay the implementation of certain components until he or she can evaluate the potential of new technologies?
At a minimum, the architecture should be able to handle expected technolog- ical advances, such as innovations in storage capacity and computing power. An exceptional architecture also has the capacity to absorb unexpected technological leaps. Both hardware and software should be considered when promoting adapt- ability. For example, new Web-based applications emerge daily that may benefit the corporation. The architecture must be able to integrate these new technologies without violating the architecture principles or significantly disrupting business operations.
The following are guidelines for planning adaptable IT architecture and infrastructure. At this point, these two terms are used together, because in most IT planning they are discussed together. These guidelines are derived from work by Meta Group.10
• Plan for applications and systems that are independent and loosely coupled rather than monolithic. This approach allows managers to modify or replace only those applications affected by a change in the state of technology.
• Set clear boundaries between infrastructure components. If one compo- nent changes, others are minimally affected, or if effects are unavoidable, the impact is easily identifiable and quantifiable.
• When designing a network architecture, provide access to all users when it makes sense to do so (i.e., when security concerns allow it). A robust and
10 Larry R. DeBoever and Richard D. Buchanan, ‘‘Three Architectural Sins,’’ CIO Magazine (May 1, 1997).
Other Managerial Considerations 177
consistent network architecture simplifies training and knowledge sharing and provides some resource redundancy. An example is an architecture that allows employees to use a different server or printer if their local one goes down.
Note that requirements concerning reliability may mitigate the need for technological adaptability under certain circumstances. If the architecture requires high reliability, a manager seldom is tempted by bleeding-edge technologies. The competitive advantage offered by bleeding-edge technologies is often eroded by downtime and problems resulting from pioneering efforts with the technology. For example, despite Microsoft’s virtual monopoly in providing PC operating systems, its Web server runs on only 20% of sites; the Linux-based Apache server dominates this reliability-sensitive market with nearly 70% of Web sites.11
Assessing Technical Issues: Scalability A large number of other technical issues should also be considered when selecting an architecture or infrastructure. A frequently used criterion is scalability. To be scalable refers to how well an infrastructure component can adapt to increased, or in some cases decreased, demands. A scalable network system, for instance, could start with just a few nodes but could easily be expanded to include thousands of nodes. Scalability is an important technical feature because it means that an investment can be made in an infrastructure or architecture with confidence that the firm will not outgrow it.
What is the company’s projected growth? What must the architecture do to support it? How will it respond if the company greatly exceeds its growth goals? What if the projected growth never materializes? These questions help define scalability needs.
Consider a case in which capacity requirements were poorly anticipated. In early 2007, an ice storm on the East Coast of the United States forced JetBlue Airlines to scramble to take care of stranded customers, grounded planes, checked luggage, and cancelled flights. In the aftermath, executives told investors that the computers didn’t fail. Indeed, they did not fail, but the system failed to scale as needed. The system was set up to accommodate 650 agents and was able to be increased to 950, but no more.12 It’s unlikely that JetBlue, or its software provider, would have had to do any serious systems redesign to respond to the increase in demand; it simply needed to increase its infrastructure capacity. Ultimately, this planning failure cost JetBlue millions to recover from the failure and even more in defending its image, which suffered severe negative word of mouth from the poor service that resulted. JetBlue’s plight underscores the importance of analyzing the impact of strategic business decisions on IT architecture and infrastructure and
11 Web server survey at http://news.netcraft.com/archives/web server survey.html (accessed June 2005). 12 Mel Duvall, ‘‘What Really Happened to JetBlue,’’ www.cioinsight.com (July 2008).
178 Chapter 6 Architecture and Infrastructure
at least ensuring a contingency plan exists for potential unexpected effects of a strategy change.
Assessing Technical Issues: Standardization Another important feature deals with commonly used standards. Hardware and software that uses a common standard, as opposed to a proprietary approach, are easier to plug into an existing or future infrastructure or architecture because interfaces often accompany the standard. For example, many companies use Microsoft Office software, making it an almost de facto standard. Therefore, a number of additional packages come with translators to the systems in the Office suite to make it easy to move data between systems.
Assessing Technical Issues: Maintainability How easy is the infrastructure to maintain? Are replacement parts available? Is service available? Maintainability is a key technical consideration because the complexity of these systems increases the number of things that can go wrong, need fixing, or simply need replacing. In addition to availability of parts and service people, maintenance considerations include issues such as the length of time the system might be out of commission for maintenance, how expensive and how local the parts are, and obsolescence. Should a technology become obsolete, costs skyrocket for parts and expertise.
Assessing Technical Issues: Security Security is a major concern for business managers and IT managers alike. Busi- nesses feel vulnerable to attack. IT managers worry about protecting key data and process elements of the IT infrastructure. Security is a concern that extends outside the corporate boundaries; for example, customers wonder how safe their credit card numbers are when typed into a vendor’s order form. Technologies have come a long way to provide security. Innovations encrypt or otherwise disguise sensitive information, financial information, and business information.
Architectures have different inherent security profiles. Securing assets in a highly centralized, mainframe architecture means building protection around the centralized core. Because data and software are stored and executed on the mainframe computer, methods of protecting these assets revolve around protecting the mainframe itself. Client/server architecture are more difficult to secure due to the dispersion of servers. Security is a matter of protecting every server instead of one centralized system. A Web-based architecture that utilizes SaaS and capacity on demand raises a whole new set of security issues. The data and applications not only reside on servers in the various vendor systems around the Web, but also the linking mechanism, the network that ties the Web together, introduces another level of security concerns.
What if, for example, someone were to steal a file of credit card numbers as they were relayed over the Internet? The risk of the interception of e-commerce data may be no greater than the risks of paper transactions: credit card receipts
Other Managerial Considerations 179
(and credit cards themselves) are stolen and the numbers used fraudulently. Checkbooks are stolen and signatures are fraudulently forged. Transactions with a paper trail are hardly foolproof and may indeed be riskier than e-commerce transactions. The difference is in the speed of the communication. A file with secure information can be sent anywhere in the world in a matter of seconds over the Internet, whereas the paper-based file takes longer to reach a destination. The good news is that the security of networks continues to improve. Innovations such as authentication, passwords, digital signatures, encryption, secure servers, and firewalls are already in place, and new schemes for security, such as securing specific assets instead of just securing the perimeter of a system, are being explored.
Managing security is often a matter of managing risk. It is virtually impossible to be totally secure regardless of the security model employed. Hackers and thieves will find a way around just about any security system. Therefore, managing risk often means assessing the likelihood of a breach and the cost of that breach in terms of loss and recovery. For example, one forward-thinking executive suggested that instead of trying to protect all his employees’ Social Security numbers from theft, he preferred to purchase insurance to cover any losses that might result from the identity theft. He chose a service, LifeLock, that closely monitors its customers identity, proactively takes steps to minimize identity theft, and offers a $1 million service guarantee to cover any losses that do occur.
Assessing Financial Issues Like any business investment, IT infrastructure components should be evalu- ated based on their expected financial value. Unfortunately, payback from IT investments is often difficult to quantify; it can come in the form of increased productivity, increased interoperability with business partners, improved service for customers, or yet more abstract improvements. For this reason, the Gartner Group suggests focusing on how IT investments enable business objectives rather than on their quantitative returns.13
Still, some effort can and should be made to quantify the return on infras- tructure investments. This effort can be simplified if a manager works through the following steps with the IT staff.
1. Quantify costs: The easy part is costing out the proposed infrastructure components and estimating the total investment necessary. Don’t forget to include installation and training costs in the total.
2. Determine the anticipated life cycles of system components: Experienced IT staff or consultants can help establish life cycle trends both for a company and an industry to estimate the useful life of various systems.
3. Quantify benefits: The hard part is getting input from all affected user groups, as well as the IT group — which presumably knows most about
13 B. Rosser, ‘‘Key Issues in Strategic Planning and Architecture [Gartner Group research note],’’ Key Issues (April 15, 1996).
180 Chapter 6 Architecture and Infrastructure
the equipment’s capabilities. If possible, form a team with representatives from each of these groups and work together to identify all potential areas in which the new IT system may bring value.
4. Quantify risks: Work with the IT staff to identify cost trends in the equip- ment the company proposes to acquire. Also, assess any risk that might be attributable to delaying acquisition, as opposed to paying more to get the latest technology now.
5. Consider ongoing dollar costs and benefits: Examine how the new equip- ment affects maintenance and upgrade costs associated with the current infrastructure.
Once this analysis is complete, the manager can calculate the company’s preferred discounted cash flow (i.e., net present value or internal rate of return computation) and payback horizon. Approaches to evaluating IT investments are discussed in greater detail in Chapter 10.
Differentiating between Architecture and Infrastructure Figure 6.5 shows the extent to which current and future requirements, associ- ated financial issues, and technical criteria can be used to evaluate architecture and infrastructure. All these criteria are important for decisions about architec- ture. However, issues regarding the infrastructure and the components chosen to implement the architecture are primarily about adaptability, scalability, standard- ization, maintainability, security, and financial considerations (such as the cost of infrastructure components). The strategic time frame is an issue that is decided before the infrastructure discussion begins. The example in the following section demonstrates the steps that must be taken to derive these components.
Applicability
Criteria Architecture Infrastructure
Strategic time frame Very applicable Not applicable Adaptability Very applicable Very applicable Scalability/Growth Requirements Very applicable Very applicable Standardization Very applicable Very applicable Maintainability Very applicable Very applicable Security Very applicable Very applicable Assessing financial issues Somewhat applicable Very applicable
Net present value Payback analysis Incidental investments
FIGURE 6.5 Applicability of evaluation criteria to discussion of architecture and infra- structure.
From Strategy to Architecture to Infrastructure: An Example 181
! FROM STRATEGY TO ARCHITECTURE TO INFRASTRUCTURE: AN EXAMPLE
This section considers a simple example to illustrate the application of concepts from preceding sections. The case discussed is TennisUp, a fictitious maker of tennis rackets.
Step 1: Define the Strategic Goals The managers at TennisUp recognize the increasing popularity of tennis; in fact, they can hardly keep up with demand for their rackets. At the same time, however, TennisUp’s president, Love Addin, is concerned that tennis mania may end. Addin wants to ensure that TennisUp can respond to sudden changes in demand for rackets. Along with the board of directors, Addin sets TennisUp’s strategic goals:
• To lower costs by outsourcing racket manufacturing
• To lower costs by outsourcing racket distribution
• To improve market responsiveness by outsourcing racket manufacturing
• To improve market responsiveness by outsourcing racket distribution
Step 2: Translate Strategic Goals to Business Requirements To keep things simple, consider more closely only one of TennisUp’s strategic goals: To lower costs by outsourcing racket manufacturing. How can TennisUp’s architecture enable this goal? Its business requirements must reflect the following key interfaces to the new manufacturing partners:
• Sales to manufacturing partners: Send forecasts, confirm orders received.
• Manufacturing partner to sales: Send capacity, confirm orders shipped.
• Manufacturing partner to accounting: Confirm orders shipped, electronic invoices, various inventory levels, returns.
• Accounting to manufacturing partner: Transfer funds for orders fulfilled.
Step 3: Apply Strategy-Architecture-Infrastructure Framework To support the business requirements, an architecture needs to be established. One major component of the architecture deals with how to obtain, store, and use data to support those business requirements. The database can be designed to provide the sales data to support sales applications such as sending forecasts and confirming orders received. The database can also be designed to support manufacturing applications that confirm orders shipped, manage inventory, and estimate capacity. The database also needs to be designed to support accounting applications for invoicing, handling returns, and transferring funds.
182 Chapter 6 Architecture and Infrastructure
Step 4: Translate Architecture to Infrastructure With the architecture goals in hand, apply the framework presented in the first section of this chapter to build the infrastructure. Figure 6.6 lists questions raised when applying the framework to TennisUp’s architecture goals and related infrastructure. Note that not all questions apply in a given situation. Figure 6.7 lists possible infrastructure components.
Component What Who Where
Architecture Infrastructure Architecture Infrastructure Architecture Infrastructure
Hardware What kind of supple- mental server capacity will the new EDI transactions require?
Will Ten- nisUp’s current dual-CPU NT servers handle the capacity, or will the company have to add addi- tional CPUs and/or disks?
NA Who is responsible for setting up necessary hardware at partner site?
Where does responsibility for owning and main- taining EDI hardware fall within Ten- nisUp?
Which hard- ware com- ponents will need to be replaced or modified to connect to new EDI hardware?
Software What parts of TennisUp’s software architecture will the new architecture affect?
Will Ten- nisUp’s cur- rent Access database interface ade- quately with new EDI soft- ware?
Who knows the current software architecture well enough to manage the EDI enhance- ments?
Who will do any new SQL coding required to accommodate new software?
NA Where will software patches be required to achieve com- patibility with changes resulting from new software components?
Network What is the anticipated volume of transactions between Ten- nisUp and its manufactur- ing partners?
High volume may require leased lines to carry trans- action data; dial-up con- nections may suffice for low volume.
Who is responsible for additional network- ing expense incurred by partners due to increased demands of EDI architec- ture?
NA Where will security con- cerns arise in TennisUp’s current net- work architec- ture?
Where will TennisUp house new networking hardware required for EDI?
Data Will data for- mats support- ing the new architecture be compat- ible with TennisUp’s existing for- mats?
Which for- mats must TennisUp translate?
Who will be responsible for using sales data to project future volumes to report to man- ufacturing partner?
Who will be responsible for backing up additional data result- ing from new architecture?
Where does the current architec- ture contain potential bot- tlenecks given changes antic- ipated in data flows?
Does the new architec- ture require TennisUp to switch from its current 10Base-T Ethernet to 100Base-T?
FIGURE 6.6 Framework application to TennisUp.
Food for Thought: Cloud Computing 183
Hardware
3 servers: • manufacturing • sales • accounting Storage systems
Software
ERP system with modules for: • manufacturing • sales • accounting • inventory Enterprise application integration (EAI) software
Network
Cable modem to ISP Dial-up lines for backup Routers Hubs Switches Firewalls
Data
Database: • sales • manufacturing • accounting
FIGURE 6.7 TennisUp’s infrastructure components.
Only a few questions that the framework could lead TennisUp to ask are provided; a comprehensive, detailed treatment of this situation would require more information than we can contrive in a simple example.
Step 5: Evaluate Additional Issues The last task is to weigh the managerial considerations outlined in the second
section of this chapter. Weigh them against the same architectural goals outlined in step 2. Figure 6.8 shows how these considerations apply to TennisUp’s situation.
Again, note that not every issue in the evaluation criteria was addressed for TennisUp, but this example shows a broad sampling of the kinds of issues that will arise.
! FOOD FOR THOUGHT: CLOUD COMPUTING
Flexibility, agility, and cost management are increasingly important attributes of the enterprise’s infrastructure. Managing peak demand, infrequently used applications, and very specialized applications that require extensive computing resources can completely overtake existing servers and resources, slowing down daily transactional and operational business. What can a manager do to increase the capacity in the infrastructure? Replacing locally managed stacks of hardware and software resources with an Internet-based utility is called cloud computing.
Cloud computing is the availability of entire computing infrastructure over the Internet. Initially, clouds were a community of SaaS applications built with commodity technologies and open systems. Initial implementations ended up being so proprietary or applications-dependent that they were not widely adopted. Salesforce.com is an example. Salesforce clients use the Internet-based applications provided by Salesforce.com to manage their sales and marketing activities. Today the vision is a build-out of IT infrastructure that is increasingly useful for a variety of applications. Companies like Salesforce.com, Google, and Amazon.com are
184 Chapter 6 Architecture and Infrastructure
Criteria
Strategic time frame
Technology advances
Financial issues: NPV of investment
Payback analysis
Incidental investments
Growth requirements/ scalability
Standardization
Maintainability
Staff experience
Architecture
Indefinite: Addin’s strategic goal is to be able to respond to fluctuations in market demand.
EDI technology is fairly stable though the impact of Internet- EDI, XML, and VPNs on EDI transactions needs to be assessed, especially with smaller suppliers and customers.
NA—In this limited case, NPV analysis applies only to infrastructure.
TennisUp expects the new architecture to pay for itself within three years.
The new architecture represents a radical shift in the way TennisUp does business and will require extensive training and work force adjustment.
Outsourcing should provide more scalability than TennisUp’s current model, which is constrained by assembly line capacity. Both primary and secondary vendors will be identified to provide scalability of volume.
NA
The new architecture raises some maintenance issues, but also eliminates those associated with in- house manufacturing.
The new model will displace some current employees. The cost and effect on morale needs to be analyzed.
Infrastructure
NA
NA
TennisUp will analyze NPV of various hardware and software solutions and ongoing costs before investing. Various options will be evaluated using conservative sales growth projections to see how they match the three-year goal. Training costs for each option will be analyzed. Redeployment costs for employees displaced by the outsourcing must also be considered.
The scalability required of various new hardware and software components is not significant, but options will be evaluated based on their ability to meet scalability requirements.
TennisUp will adopt the ANSI X12 EDI standard, and make it a requirement of all manufacturing partners.
Various options will be evaluated for their maintenance and repair costs.
Current staff is not familiar with EDI. Training and work force adjustment will be needed. Some new staff will be hired.
FIGURE 6.8 TennisUp’s managerial considerations.
looking for ways to leverage their gigantic infrastructures, and providing basic computing services to clients over the Internet is one option.
Consumers of cloud computing purchase computing capacity on-demand and are not generally concerned with the underlying technologies. It’s the next
Food for Thought: Cloud Computing 185
step in utility computing or purchasing entire capability as needed. Much like the distribution of electricity, the vision of utility computing is that computing infrastructure would be available when needed in as much quantity as needed. When the lights and appliances are turned off in a home, the electricity is not consumed. Ultimately, the customer is billed only for what is used. In utility computing, a company uses a third-party infrastructure to do their processing or transactions and pay only for what they use. And as in the case of the electrical utility, the economies of scale enjoyed by the computing utility enable very attractive financial models for their customers. As the cost of connectivity falls, models of cloud computing emerge.
Managers considering cloud computing as a component of their architecture have three choices of what to do in the cloud. They can choose to use the infrastructure, a platform, or an entire application. Using the cloud to provide infrastructure means that the cloud is essentially a large cluster of virtual servers or storage devices. Using the cloud for a platform means that the manager will use an environment with the basic software available, such as Web software, applications, database, and collaboration tools. Using the cloud for an entire application generally means that the software is custom designed or custom configured for the business but resides in the cloud.
Cloud computing provides significant incentives for handling peak or new computing needs. In 2007, the New York Times decided to make all public domain articles from 1851 to 1922 available on the Internet. To do that they decided to create PDF files of all the articles using the original papers in their archives. This meant they had to scan each column of the story, create a series of graphic pictures of the scanned image, and then cobble them together to create the single PDF for each story. This was a lot of work and required significant computing power. Once this batch of articles was converted and added to their existing library, the New York Times would have 11 million stories from 1851 to 1989 available free on the Internet.
The manager of this project had an idea to try using the cloud. He selected a service offered by Amazon.com, Amazon EC2, wrote some code to do the project he envisioned, and tested it on the Amazon servers. He used his credit card to charge the $240 it cost him to do this conversion. He calculated it would have taken him at least a month to do the conversion if he used only the few servers available to him in the New York Times network. However using the Amazon cloud services, he was able to use a virtual server cluster of 100 servers, and it took just under 24 hours to do the entire 11 million articles.14
The business case for cloud computing includes better managed server costs, energy costs, and staff costs. As described in the example earlier, purchasing the
14 Galen Gruman, ‘‘Early Experiments in Cloud Computing,’’ InfoWorld, www.infoworld.com (accessed July 25, 2008); and Derek Gottfrid, ‘‘Self-Service, Prorated Super Computing Fun,’’ Blog ‘‘Open All the Code that’s Fit to Print,’’ November 1, 2007, at open.nytimes.com (accessed July 25, 2008).
186 Chapter 6 Architecture and Infrastructure
computing power needed at a fraction of the cost of purchasing new equipment is at the core of the economic model of cloud computing. In the day of the ‘‘green computing,’’ companies focus on reducing their carbon footprint and their energy consumption. Energy consumption, and hence costs, associated with running new computers are eliminated with cloud computing. Because the processing is done at the third-party vendor, the enterprise does not incur the cost to literally keep the lights on. And because cloud computing vendors have multiple clients using their infrastructure, they enjoy economies of scale that result. Staff costs shift from data center maintenance staff to applications integration staff. Staff who normally must maintain the hardware and corporate infrastructure are not needed to maintain the infrastructure in the cloud; that is done by the staff at the vendor’s location. Resources inside the corporation can be shifted to focus on more value-added applications for the business.
But managers considering cloud computing must also understand the risks. First is the dependence on the third-party supplier. Building applications that work in the cloud may mean retooling existing applications for the cloud’s infrastructure. As of the writing of this text, there were no standards for the infrastructures offered by the various vendors. That means that applications running on one vendor’s infrastructure may not port easily to another vendor’s environment.
Architectures are increasingly including cloud computing as an alternative to the in-house infrastructures. As coordination costs drop, and platforms in the cloud open up, cloud computing utilization will increase.
! SUMMARY • Strategy drives architecture, which drives infrastructure. Strategic business goals
dictate IT architecture requirements. These requirements provide an extensible blueprint suggesting which infrastructure components will best facilitate the realization of the strategic goals.
• Enterprise architecture is the broad design that includes both the information sys- tems architecture and the interrelationships in the enterprise. Often this plan speci- fies the logic for the entire organization. It identifies core processes, how they work together, how IT systems will support them, and the capabilities necessary to cre- ate, execute, and manage them.
• Three configurations for IT architecture are mainframe, client/server, and SOA (or Web-based) architectures. Applications are increasingly being offered as a service, reducing the cost and maintenance requirements for clients.
• The manager’s role is to understand how to plan IT to realize business goals. With this knowledge, he or she can facilitate the process of translating business goals to IT architecture and then modify the selection of infrastructure components as nec- essary.
• Frameworks guide the translation from business strategy to IS design. This trans- lation can be simplified by categorizing components into broad classes (hardware, software, network, data), which make up both IT architecture and infrastructure.
Discussion Questions 187
• While translating strategy into architecture and then infrastructure, it is important to know the state of any existing architecture and infrastructure, to weigh current against future architectural requirements, and strategic time frame, and to analyze the financial consequences of the various systems options under consideration. Monitor the performance of the systems on an ongoing basis.
! KEY TERMS architecture (p. 164) capacity-on-demand
(p. 171) client (p. 169) client/server architecture
(p. 169) cloud computing (p. 183) enterprise architecture
(p. 171) infrastructure (p. 164) mainframe architecture
(p. 168)
peer-to-peer (p. 171) platform (p. 167) reuse (p. 170) scalable (p. 177) server (p. 169) service-oriented
architecture (SOA) (p. 169)
software-as-a-service (SaaS) (p. 170)
standards (p. 178) TOGAF (p. 173)
utility computing (p. 185) web-oriented
architectures (p. 171) Web services (p. 170) wireless (mobile)
infrastructures (p. 171) Zachman Framework
(p. 173)
! DISCUSSION QUESTIONS 1. Think about a company you know well. What would be an example of IT architecture at that company? An example of the IT infrastructure?
2. What, in your opinion, is the difference between a client/server architecture and a main- frame architecture? What is an example of a business decision that would be affected by the choice of the architecture?
3. How does the Internet affect an organization’s architecture?
4. Saab Cars USA, with its network of 212 dealerships and 30 service centers, dedicated itself to providing its customers a level of service reflective of the high quality of its cars. To improve productivity and reduce costs, Saab wanted to facilitate dealer access to corporate information and applications through the Internet using Web browsers. Saab knew it needed to leverage both its legacy hardware and code to make it a cost-effective e-business initiative. It outsourced to IBM Global Services to build its Intranet Retailer Information System (IRIS). IRIS is written in Java, using IBM DB2 Universal Database running on Saab’s existing IBM AS/400 server. Lotus Domino is the middleware that leverages the existing infrastructure. Using a standard Web browser, any authorized employee at a Saab dealership or service center in the United States has access to enterprise applications stored on the AS/400 server at the Saab U.S. headquarters. The applications make use of a consolidated repository of vehicle, customer, warranty, sales, and service information stored in DB2 Universal Database. Says Director of IS, Jerry Rode, ‘‘DB2 Universal Database has demonstrated incredible scalability and reliability as the data management solution for our IRIS system.’’ Lotus Domino, residing in another logical partition on the AS/400 server, is the middleware that mediates between the back-end applications and the front-end Web interface. For example, if a customer walks in and asks for a black model
188 Chapter 6 Architecture and Infrastructure
9-3 Saab with a tan leather interior, a sales associate logs into the IRIS menu created by Domino and initiates a search. Domino queries DB2 by location, model, and color and puts the results of the query into an HTML form for the dealer. Upon locating the customer’s vehicle, that dealer clicks to another vehicle distribution application and orders the car to be brought on site.15
a. Use this case to describe how Saab went from vision to infrastructure. b. What criteria did Saab use in selecting its infrastructure?
CASE STUDY 6-1
HASBRO
Hasbro, the global producer of games and toys, wanted to build an application to help market a new version of their popular Monopoly game, Monopoly Here and Now: World Edition. The application would allow individuals from around the world to vote for their city to be included in the game.
Hasbro’s IT organization decided to work with a third party, Digitaria, to create an application that utilized Amazon Web Services (AWS) and open source software to produce the infrastructure that backed up a Web site for the marketing campaign. A director for the project explained, ‘‘In a traditional (environment), Hasbro would have had to commit to spending a large sum of money on infrastructure and would only be guaranteed a finite amount of capacity. Also, the Web site probably would have gone down during major traffic spikes. AWS enabled us to adjust to the fluctuating traffic caused by the worldwide press exposure without investing in more hardware. When our monitoring software started . . . to notify us that the load was increasing, we were able to log in and (increase capacity) within minutes.’’
The IT costs were very low for this application. A manager explained, ‘‘If the system is architected properly, using these services, one can launch a campaign or application on a shoe-string budget and scale the application as needed without requiring a large support team.’’
Discussion Questions
1. What are the key components of the infrastructure Hasbro used for this project? 2. Why do you think Hasbro used a third party, Digitaria, to help them create this project?
What resources would they need internally to do this themselves? 3. What are the advantages and disadvantages to Hasbro of using Web services?
Source: Adapted from www.amazon.com/AWS-home-page-Money/b/ref = sv hp 4?ie = UTF8&node = 3435361 on July 31, 2008.
15 IBM, ‘‘Saab Rolls Out Dealer Intranet to Improve Customer Service,’’ available at http://www3.ibm.com/software/success/cssdb.nsf/CS/NAVO-4LJQ8N?OpenDocument&Site = software (accessed June 25, 2002).
Case Study 189
CASE STUDY 6-2
JOHNSON & JOHNSON’S ENTERPRISE ARCHITECTURE
In 1995, Johnson & Johnson (J&J), a large pharmaceutical, health-care, and medical devices firm, wanted to offer its key customers a single point of contact. This was a real challenge for the decentralized company with 150 companies that generated operating revenues of $15 billion. Internal and external analysts attributed the company’s previous success to an autonomous management structure that held managers accountable for the financial results of their independent operating companies. The focus of these managers was on making their operating companies run as efficiently as possible, and not on making the customer’s life easier. J&J’s customers had to take it upon themselves to deal with multiple invoices, multiple sales calls, and multiple contracts with the operating companies.
Presenting a single face to the customer translated into massive IT changes. The IT support had been developed around the decentralized operating units. To change IT’s focus from the operating unit to the global customer entailed major technology changes. It also meant that everyone in the firm now needed to think about IT in terms of the corporate level as well as the operating level.
J&J realized that it needed to realign IT with its new corporate strategy. J&J began by training its IT staff about the need for integrated systems and common standards. The early groups who went for training found this thinking quite foreign to the operating company environment to which they had become accustomed. The later groups, though, needed little convincing about the value of standards, which became obvious with the implementation of a single global network and desktop configuration.
Before 1995, IT initiatives had been funded by the operating units. However, with the new one-face-to-the-customer strategy, J&J found it necessary to provide corporate funding for the costs of establishing an IT infrastructure to fit its strategy. This funding strategy stimulated standardization and helped management learn how to assess corporatewide IT investments.
J&J has continued to evolve its enterprise architecture. It did not dismantle the operating companies. Rather, its strategic objectives fostered the operating companies while leveraging cross-company IT capabilities where appropriate. J&J created committees to establish and monitor necessary technical standards. New formal organizational units called sectors were created to link operating companies with shared customers and markets. Some sectors sponsored information system development to support the exchange of data across their operating companies. Thus, over time, J&J has aligned its business strategy, IT infrastructure, and technology management practices.
Discussion Questions
1. Discuss Johnson & Johnson’s approach to providing an IT infrastructure to support its one-face-to-the-customer strategy.
2. What are the strengths and weaknesses of this approach?
Source: Adapted from Jeanne Ross, ‘‘Creating a Strategic IT Enterprise Architecture Competency: Learning in Stages,’’ MISQ Executive 2:1 (March 2003), pp. 31 – 43.
!CHAPTER 7 INFORMATION SYSTEMS SOURCING
When JP Morgan (now JP Morgan Chase) signed a 7-year mega-outsourcing con- tract with IBM in December 2002, it did it with much fanfare. The arrangement included support for running data centers, help desks, distributed computing, and data and voice networks. JP Morgan’s vice chairman, Thomas B. Ketchum, declared in a company press release about the contract, ‘‘We view technology as a key competitive advantage. . . . Our agreement with IBM will create capacity for efficient growth and accelerate our pace of innovation while reducing costs, increasing quality and providing exciting career opportunities for our employees.’’1 The move was designed to improve the group’s technology infrastructure and resulted in a cash infusion when IBM purchased some of JP Morgan’s hard- ware. Clearly JP Morgan considered a number of factors in making this major decision.
When JP Morgan terminated its contract and brought information systems (IS) operations back in house only 21 months into a 7-year mega-contract, it did so with equal fanfare. Its costs for doing so were estimated to be in the millions, not to mention the enormous losses in productivity and employee morale. The CIO of JP Morgan, Austin Adams, stated at that time, ‘‘We believe managing our own technology infrastructure is best for the long-term growth and success of our company, as well as our shareholders. Our new capabilities will give us competitive advantages, accelerate innovation, and enable us to become more streamlined and efficient.’’2
A number of factors appear to have played a role in the decision to bring the IS operations back in house. As stated in the press release, outsourcing appeared to stagnate information technology (IT) at JP Morgan under the outsourcing arrangement. A JP Morgan systems engineer observed, ‘‘Once they signed the contract, we didn’t move at all beyond that date as far as picking up new technologies that would give us a competitive advantage. Technology was not
1 Stephanie Overby, ‘‘Outsourcing — and Backsourcing — at JP Morgan Chase,’’ CIO (2005), http://www.cio.com/article/print/10524 (accessed July 23, 2008). 2 Ibid.
190
Information Systems Sourcing 191
refreshed, and new projects were not rolled out.’’3 What the press release didn’t say was that JP Morgan had undergone a major change with its July 2004 merger with Bank One, which had gained a reputation for consolidating data centers and eliminating thousands of computer applications. And the man who had played a big role in the consolidation was Bank One’s CIO Austin Adams. Adams, in his new role at JP Morgan Chase, managed the switch from IBM to self-sufficiency by taking advantage of the cost-cutting know-how he had gained at Bank One. The underperforming JP Morgan Chase learned much from the efficient Bank One.4
The JP Morgan Chase example demonstrates the series of decisions that it made in relation to outsourcing. Both the decision to outsource, and then the decision to bring IS operations back in-house, were based on a series of factors. These factors are similar to those used by many companies in the sourcing decisions.
The global outsourcing market has been growing steadily from revenues of U.S. $9 billion in 19905 to U.S. $256 billion in 2008.6 Companies of all sizes pursue outsourcing arrangements, and many multimillion deals have been widely publicized. As more companies adopt outsourcing as a means of controlling IT costs and acquiring ‘‘best of breed’’ capabilities, managing these supplier relationships becomes increasingly important. IS must maximize the benefit of these relationships to the enterprise and preempt problems that might occur. Failure in this regard could result in deteriorating quality of service, loss of competitive advantage, costly contract disputes, low morale, and loss of key personnel.
This chapter looks at the sourcing cycle to consider the full range of decisions related to who should perform the information systems work of an organization. The cycle begins with a decision to make or buy information services and products. If the decision is to buy, a series of questions must be answered about where and how these services should be delivered or products developed. The discussion is built around the Sourcing Decision Cycle Framework discussed in the next section. Next we discuss types of sourcing: insourcing, outsourcing, outsourcing abroad, and backsourcing. We conclude the chapter with a discussion of various outsourcing models. This discussion focuses on what should be outsourced and how it can be outsourced.
3 Ibid. 4 Paul Strassmann, ‘‘Why JP Morgan Chase Really Dropped IBM,’’ Baseline Magazine, 2005-01-13, http://www.baselinemag.com/c/a/Projects-Management/Why-JP-Morgan-Chase-Really-Dropped- IBM/. 5 Mary C. Lacity and Leslie P. Willcocks, ‘‘Relationships in IT Outsourcing: A Stakeholder’s Perspective,’’ in Framing the Domains of IT Management: Projecting the Future. . . Through the Past, ed. Robert W. Zmud, 355 – 384 (Cincinnati: Pinnaflex Education Resources, Inc., 2000). 6 Dean Blackmore, Robert De Souza, Allie Young, Eric Goodness, and Ron Silliman, ‘‘Forecast: IT Outsourcing, Worldwide, 2002 – 2008 (Update),’’ Gartner Report (March 2005).
192 Chapter 7 Information Systems Sourcing
! SOURCING DECISION CYCLE FRAMEWORK
Sourcing doesn’t really just involve one decision. It involves many decisions. As demonstrated in Figure 7.1, the first sourcing decision is the original make-or-buy decision. In cases where the ‘‘buy’’ option is selected and the company outsources, the client company must decide whether to work with an outsourcing provider in its own country or offshore. If the company decides to go offshore because labor is cheaper or needed skills are more readily available, the client company is faced with another decision: It must decide if it wants the work done in a country that is relatively nearby or in a country that is quite distant. Finally, the client company settles on an outsourcing provider (or decides to do its own IS work). After a while, it faces another decision. It periodically must evaluate the arrangement and see whether a change is in order. If the in-house work is unsatisfactory or if other opportunities have become available that are preferable to the current arrangement, then the company may turn to outsourcing. If, on the other hand, the outsourcing arrangement is unsatisfactory, the client company has several options to consider: correct any existing problems and continue outsourcing with its current provider, outsource with another provider, or backsource. If the company decides to make a change in its sourcing arrangements at this point, the sourcing decision cycle starts over again.
CAPTIVE CENTEROFFSHORING
OUTSOURCING
INSHORING
INSOURCING
Where?
Make or Buy?
Status Quo or Change?
In or Out of Country?
FARSHORING
NEARSHORING
FIGURE 7.1 Sourcing Decision Cycle Framework.
Outsourcing 193
! INSOURCING
The most traditional approach to sourcing is insourcing, or the situation in which a firm provides IS services or develops IS in its own in-house IS organization. The decision to insource is really the same as the ‘‘make’’ decision. Several drivers favor the decision to insource. Probably the most common is to keep core competencies in house. It is argued that if a company outsources a core competency, it can lose control over that competency or lose contact with suppliers who can help it remain innovative in relation to that competency. Failing to control the competency or stay innovative is a sure way to forfeit the company’s competitive advantage. Further, by outsourcing commodity work, a firm can concentrate on its core competencies. Other factors that weigh in favor of insourcing are having an IS service or product that requires considerable security or confidentiality or that requires resources that are not adequately available in house (i.e., qualified personnel or IT professionals with the needed skills). Challenges for insourcing include gaining the respect and support from top management that is needed to acquire needed resources and get the job done. A second challenge is finding a reliable, competent outsourcing provider that is likely to stay in business for the long term — or at least the duration of the contract. The drivers and challenges of insourcing are listed in Figure 7.2.
! OUTSOURCING
Beginning in the 1970s, some IT managers turned to outsourcing as an important weapon in the battle to control costs. Outsourcing means the purchase of a good or service that was previously provided internally or that could be provided internally. With IT outsourcing, an outside vendor provides IT services traditionally provided by the internal MIS department. Over the years, however, motives for outsourcing broadened. This section examines outsourcing’s drivers and challenges, as well as ways of avoiding pitfalls.
Insourcing Drivers Insourcing Challenges
Good for core competencies Dealing with inadequate support from top management to acquire needed resources
Good for confidential or sensitive IS ser- vices or software development Time available in house to complete soft- ware development projects
Finding a reliable, competent outsourcing provider that is likely to stay in business
In-house IT professionals have adequate training, experience, or skills to provide service or develop software
FIGURE 7.2 Insourcing drivers and challenges.
194 Chapter 7 Information Systems Sourcing
Outsourcing Drivers What factors drive companies to decide to outsource? One of the most common is the need to reduce costs. Outsourcing providers derive savings from economies of scale. They realize these economies through centralized (often ‘‘greener’’) data centers, preferential contracts with suppliers, and large pools of technical expertise. Most often, enterprises lack such resources on a sufficient scale within their own IS departments. A single company may need only 5,000 PCs, but an outsourcing provider can negotiate a contract for 50,000 and achieve a much lower unit cost.
A second common factor driving companies to outsource is to help a company transition to new technologies. Outsourcing providers generally offer access to larger pools of talent and more current knowledge of advancing technologies. For example, many outsourcing providers gain vast experience solving business intelligence problems, whereas IS staff within a single company only have lim- ited experience, if any. The provider’s experienced consultants are more readily available to the marketplace than any comparably trained and experienced IT professionals who might be recruitable for in-house employment. Many compa- nies turn to outsourcing providers to help them implement such technologies as Web 2.0 tools and ERP systems.
Third, by bringing in outside expertise, management often can focus less attention on IS operations and more on core activities. IS department personnel manage the relationships with outsourcing providers and are ultimately still responsible for IS services. Using outsourcing providers, which are separate businesses rather than internal departments, frees up managers to devote their energies to areas that reflect core competencies for the business.
Fourth, to the extent that outsourcing providers specialize in IS services, they are likely to understand how to hire, manage, and retain IS staff effectively. An outsourcing provider often can offer IS personnel a professional environment that a typical company cannot afford to build. For example, a Web designer would have responsibility for one Web site within a company, but for multiple sites at an outsourcing provider. It becomes the outsourcing provider’s responsibility to find, train, and retain highly marketable IT talent. An outsourcing provider often opens greater opportunity for training and advancement in IT than can a single IS organization. Outsourcing relieves a client of costly investments in continuous training so that IS staff can keep current with marketplace technologies and the headaches of hiring and retaining a staff that easily can change jobs with more pay or other lures.
Fifth, as long as contract terms effectively address contingencies, the larger resources of an outsourcing provider make available greater capacity on demand. For instance, at year-end, outsourcing providers potentially can allocate additional mainframe capacity to ensure timely completion of nightly processing in a manner that would be impossible for an enterprise running its own bare-bones data center.
Finally, an outsourcing provider may help a company overcome inertia to consolidate data centers that could not be consolidated by an internal group or following a merger or acquisition. Outsourcing may also offer an infusion of cash
Outsourcing 195
as a company sells its equipment to the outsourcing vendor. These drivers are summarized in Figure 7.3.
Outsourcing Challenges Opponents of outsourcing cite a number of challenges (see Figure 7.3). A manager should consider each of these before making a decision about outsourcing. Each can be mitigated with effective planning and ongoing management.
First, outsourcing requires that a company surrender a degree of control over critical aspects of the enterprise. The potential loss of control could extend to several areas: control of the project, scope creep, the technologies, the costs, and their company’s IT direction. By turning over data center operations, for example, a company puts itself at the mercy of an outsourcing provider’s ability to manage this function effectively. A manager must choose an outsourcing provider carefully and negotiate terms that will support an effective working relationship.
Second, outsourcing clients may not adequately anticipate new technological capabilities when negotiating outsourcing contracts. Outsourcing providers may not recommend so-called bleeding-edge technologies for fear of losing money in the process of implementation and support, even if implementation would best serve the client. Thus, poorly planned outsourcing risks a loss in IT flexibility. For example, some outsourcing providers were slow to adopt Web technologies for their clients because they feared the benefits would not be as tangible as the costs of entering the market. This reluctance impinged on clients’ ability to realize business strategies involving e-business. To avoid this problem, outsourcing clients should have a chief technology officer (CTO) or technology group that is charged with learning about and assessing emerging technologies for their ability to support their company’s business strategy.
Outsourcing Drivers Outsourcing Challenges
Offers costs savings Maintaining an adequate level of control Eases transition to new technologies Maintaining ability to respond to techno-
logical innovation Offers opportunity for better strategic focus Avoiding a loss of strategic advantage Provides better management of IS staff Avoiding overreliance on outsourcing
provider Offers better ability to handle peaks Mitigating outsourcing risks Makes it easier to consolidate data centers Ensuring cost savings while protecting
quality Provides a cash infusion Working effectively with suppliers (espe-
cially multiple suppliers at the same time)
FIGURE 7.3 Outsourcing drivers and challenges.
196 Chapter 7 Information Systems Sourcing
Third, by surrendering IT functions, a company gives up any real potential to develop them for competitive advantage — unless, of course, the outsourcing agreement is sophisticated enough to comprehend developing such advantage in tandem with the outsourcing company. However, even these partnerships poten- tially compromise the advantage when ownership is shared with the outsourcing provider, and the advantage may become available to the outsourcing provider’s other clients. Under many circumstances, the outsourcing provider becomes the primary owner of any technological solutions developed, which allows the out- sourcing provider to leverage the knowledge to benefit other clients, possibly even competitors of the initial client.
Fourth, contract terms may leave clients highly dependent on their outsourc- ing provider, with little recourse in terms of terminating troublesome vendor relationships. Outsourcing providers should avoid entering relationships in which they might face summary dismissal. On the other hand, clients must ensure that contract terms allow them the flexibility they require to manage and, if necessary, sever supplier relationships. The 10-year contracts that were so popular in the early 1990s are being replaced with shorter-duration contracts lasting 3 to 5 years. The contracts are being tightened by adding clauses describing actions to be taken in the event of a deterioration in quality of service or noncompliance to service-level agreements. Service levels, baseline period measurements, growth rates, and ser- vice volume fluctuations are specified to reduce opportunistic behavior on the part of the outsourcing vendor. Research demonstrates that tighter contracts tend to lead to more successful outsourcing arrangements.7 Unfortunately, a tight con- tract does not provide much solace to an outsourcing client when an outsourcing provider goes out of business.
Fifth, when a company turns to an outsourcing provider, it must realize that its competitive secrets are likely to be harder to keep. Its databases are no longer kept in house, and the outsourcing provider’s other customers may have easier access to sensitive information. This is a major risk that needs to be mitigated or at least thought through carefully. Other risks include business, legal, political, infrastructure, workforce, social, and logistical risks. As the size of projects entrusted to the offshore outsourcing providers or captives grows, so does the risk. DHL Worldwide Express recently entrusted 90 percent of its IT development and maintenance projects to a large Indian-based company, Infosys. ‘‘There’s a lot of money wrapped up in a contract this size, so it’s not something you take lightly or hurry with,’’ said Ron Kifer, DHL’s Vice President of Program Solutions and Management.8 Clearly DHL is facing considerable risk in offshoring with Infosys.
7 See, for example, C. Saunders, M. Gebelt, and Q. Hu, ‘‘Achieving Success in Information Systems Outsourcing,’’ California Management Review 39, no. 2 (1997), 63 – 79; and M. Lacity and R. Hirschheim, Information Systems Outsourcing: Myths, Metaphors and Realities (Hoboken, NJ: John Wiley & Sons, 1995). 8 Stephanie Overby, ‘‘The Hidden Costs of Offshore Outsourcing,’’ CIO Magazine (September 1, 2003), Page 7 retrieved from http://www.swqual.com/newsletter/vol2/no8/Hidden%20Costs.PDF (on September 27, 2008).
Outsourcing 197
Sixth, although many companies turn to outsourcing because of perceived cost savings, these savings may never be realized. Typically, the cost savings are premised on activities that were performed by the company. However, implementation of new technologies may fail to generate any savings because the old processes on which they were premised are no longer performed. Further, the outsourcing client is, to some extent, at the mercy of the outsourcing provider. Increased volumes due to unspecified growth, software upgrades, or new technologies not anticipated in the contract may end up costing a firm considerably more than it anticipated when it signed the contract. Also, some savings, although real, may be hard to measure.
Finally, there may be specific challenges for working with outsourcing providers that have not been addressed already, such as the challenges of dealing with multiple vendors. Following are some suggestions for dealing with these challenges.
Avoiding Outsourcing Pitfalls Outsourcing decisions must be made with adequate care and deliberation. The steps outlined in Figure 7.4 are recommended when considering this option.
What is the future of outsourcing? Every enterprise faces different competitive pressures. These factors shape how it will view IT and how it will decide to leverage IT for the future. Most will need to outsource at least some IT functions. How each enterprise chooses to manage its outsourced functions will be crucial to its success.
• Do not negotiate solely on price. • Craft full life-cycle service contracts that occur in stages. • Establish short-term supplier contracts. • Use multiple, best-of-breed suppliers. • Develop skills in contract management. • Carefully evaluate your company’s own capabilities. • Thoroughly evaluate outsourcing providers’ capabilities. • Choose an outsourcing provider whose capabilities complement yours. • Base a choice on cultural fit as well as technical expertise. • Determine whether a particular outsourcing relationship produces a net benefit for
your company. • Plan transition to offshoring. • Use SOAs to increase agility.
FIGURE 7.4 Steps to avoid pitfalls.
198 Chapter 7 Information Systems Sourcing
! OUTSOURCING ABROAD
As the outsourcing phenomenon has matured, the marketplace has differentiated across different types of outsourcing abroad. The most general term for outsourcing abroad is offshoring. Offshoring can be either relatively proximate (nearshoring) or in a distant land (farshoring). An alternative to offshoring is a captive center. Each of these is described in more detail below.
Offshoring Offshoring (which is short for outsourcing offshore) is when the management information systems (MIS) organization uses contractor services, or even builds its own data center in a distant land. The functions sent offshore range from routine IT transactions to increasingly higher-end, knowledge-based business processes.
Programmer salaries can be a fraction of those in the home country in part because the cost of living and the standard of living in the distant country are much lower. Depending on the type of work that is outsourced and the skill level it requires, labor savings alone can range from 40 to 70 percent.9 However, these savings come at a price because other costs increase. Additional technol- ogy, telecommunications, travel, process changes, and management overhead are required to relocate and supervise operations overseas. For example, during the transition period, which can be rather lengthy, offshore workers must often be brought to the U.S. headquarters for extended periods to become familiar with the company’s operations and technology. Because of the long transition period, it may often take several years for offshoring’s labor savings to be fully realized. And even if they are realized, they may never reflect the true cost to a country. Many argue, especially those who have lost their jobs to offshore workers, that offshoring cuts into the very fiber of the society in the origin country where companies are laying off workers.
Even though the labor savings are often very attractive, companies sometimes turn to offshoring for other reasons. The employees in many offshore companies are typically well educated (often holding master’s degrees) and proud to work for an international company. The offshore service providers are often ‘‘profit centers’’ that have established Six Sigma, ISO 9001, or another certification program. They usually are more willing to ‘‘throw more brainpower at a problem’’ to meet their performance goals than many companies in the United States or Western Europe. In offshore economies, technology know-how is a relatively cheap commodity in ample supply.10 USAA CEO Bob Davis cited the superiority of offshore IT talent
9 Aditya Bhasin, Vinay Couto, Chris Disher, and Gil Irwin, ‘‘Business Process Offshoring: Making the Right Decision,’’ CIO Magazine (January 29, 2004), available at http://www2.cio.com/consultant/ report2161.html (accessed August 14, 2005). 10 Ibid.
Outsourcing Abroad 199
that his company uses extensively when he proffered this reason for offshoring: ‘‘ . . . because it helps us get our projects done, and because of the level of expertise of this technology, these technology companies and individuals is incredible.’’11
Selecting Offshoring Destinations A difficult decision that many companies face is selecting an offshoring destination. Approximately 100 countries are now exporting software services and products. For various reasons, some countries are more attractive than others as hosts of offshoring business because of the firm’s geographic orientation. With English as the predominant language of outsourcing countries (i.e., U.S. and UK), countries with a high English proficiency are more attractive than those where different languages prevail. Geopolitical risk is another factor that affects the use of offshore firms in a country. Countries on the verge of war, countries with high rates of crime, and countries without friendly relationships with the home country are typically not suitable candidates for this business. Regulatory restrictions, trade issues, data security, and intellectual property also affect the attractiveness of a country for an offshoring arrangement. The level of technical infrastructure available in some countries also can add to or detract from the attractiveness of a country. Although a company may decide that a certain country is attractive overall for offshoring, it still must assess city differences when selecting an offshore outsourcing provider or creating wholly owned subsidiaries (‘‘captives’’). For example, Chennai is a better location in India for finance and accounting, but Delhi has better call-center capabilities.12
Some countries make an entire industry of offshoring. India, for example, took an early mover advantage in the industry. With a large, low-cost English-speaking labor pool, many entrepreneurs set up programming factories that produce high-quality software to meet even the toughest standards. One measure of the level of proficiency of the development process within an IS organiza- tion is the Software Engineering Institute’s Capability Maturity Model (CMM). Level 1 means that the software development processes are immature, bordering on chaotic. Few processes are formally defined, and output is highly inconsistent. At the other end of the model is level 5, where processes are predictable, repeatable, highly refined, and consistently innovating, growing, and incorporating feedback. The software factories in many Indian enterprises are well known for their CMM level 5 software development processes, making them extremely reliable, and, thus, desirable as vendors.
A very important factor in selecting an offshore destination is the level of development of the country, which will often subsume a variety of other factors. For example in the highest tier, the countries have an advanced technological
11 Ben Worthen and Stephanie Overby, ‘‘USAA IT Chief Exits,’’ CIO Magazine (June 15, 2004), available at http://www.cio.com/archive/061504/tl management.html (accessed August 14, 2005). 12 Ibid.
200 Chapter 7 Information Systems Sourcing
foundation and a broad base of institutions of higher learning. Carmel and Tjia suggest that there are three tiers of software exporting nations:13
• Tier 1. Mature Software Exporting Nations — These include such highly industrialized nations as United Kingdom, United States, Japan, Germany, France, Canada, the Netherlands, Sweden, and Finland. It also includes the 3 ‘‘I’s’’ (i.e., India, Ireland, and Israel) that became very prominent software exporters in the 1990s, as well as China and Russia, which entered the tier in the 2000s.
• Tier 2. Emerging Software Exporting Nations — These nations are the up-and-comers. They tend to have small population bases or unfavorable conditions such as political instability or an immature state of economic development. Countries in this tier include Brazil, Costa Rica, South Korea, and many Eastern European countries.
• Tier 3. Infant Stage Software Exporting Nations — These nations have not significantly affected the global software market, and their software indus- try is mostly a ‘‘cottage industry’’ with smaller, isolated firms. Some Tier 3 countries are Cuba, Vietnam, Jordan, and 15 to 25 others.
The tiers were determined on the basis of industrial maturity, the extent of clustering of some critical mass of software enterprises, and export revenues.
Cultural Differences
Often misunderstandings arise because of differences in culture and, sometimes, language. For example, GE Real Estate’s CIO quickly learned that American programmers have a greater tendency to speak up and offer suggestions, whereas Indian programmers might think something does not make sense, but they go ahead and do what they were asked, assuming that this is what the client wants.14 Thus, a project that is common sense for a U.S. worker — like creating an automation system for consumer credit cards — may be harder to understand and take longer when undertaken by an offshore worker. The end result may be a more expensive system that responds poorly to situations unanticipated by its offshore developers. It is important to be aware of and to manage the risks due to cultural differences.
Sometimes cultural and other differences are so great that companies take back in-house operations that were previously outsourced offshore. Carmel and Tjia outlined some examples of communication failures with Indian developers due to differences in language, culture and perceptions about time:15
• Indians are less likely than Westerners, especially the British, to engage in small talk.
13 Erran Carmel and Paul Tjia, Offshoring Information Technology (Cambridge, UK: University Press, 2005). 14 Stephanie Overby, ‘‘The Hidden Costs of Offshore Outsourcing’’. 15 Ibid. Carmel and Tjia, Offshoring Information Technology.
Outsourcing Abroad 201
• Indians often are not concerned with deadlines. When they are, they are likely to be overly optimistic about their ability to meet the deadlines of a project. One cultural trainer was heard to say, ‘‘When an Indian program- mer says the work will be finished tomorrow, it only means it will not be ready today.’’16
• Indians, like Malaysians and other cultures, are hesitant about saying ‘‘no.’’ Questions where one option for response is ‘‘no’’ are extremely difficult to interpret.
• What is funny in one culture is not necessarily funny in another culture.
Offshoring Best Practices Offshoring raises the fundamental question of what you send offshore, and what you keep within your enterprise IS organization. Will CIOs be losing some important learning opportunities if they outsource, and ultimately offshore, basic programming processes? Because communications are made difficult by differences in culture, time zones, and possibly language, outsourced tasks are usually those that can be well specified. They typically, but not always, are basic noncore transactional systems that require little in-depth knowledge of the users or customers. In contrast, early-stage prototypes and pilot development are often kept in house because this work is very dynamic and needs familiarity with business processes. Keeping the work at home allows CIOs to offer learning opportunities to in-house staff. In summary, the costs savings that lure many companies to turn to offshoring need to be assessed in relation to the increased risks in working with offshore workers and relying on them to handle major projects.
A recent survey of companies involved with offshoring suggests the top 20 practices with offshore sourcing. These are displayed in Figure 7.5. Also in the figure is a comparison of offshoring practices with inshoring (domestic) practices. Some practices such as creating a program management office, selecting locations, projects, suppliers, and managers to leverage in-house sourcing expertise, using pilot projects, developing meaningful career paths for staff, and creating balanced scorecard metrics are used by both. Most are used by both but are more important for offshoring. Still others, including some related to CMM processes, are unique to offshoring.
Government Involvement with Offshoring Government actions to support offshoring Politicians in countries around the world are trying to create an environment so that their country can become ‘‘the next India.’’ India invested in a substantial infrastructure, and other hopefuls will have to do the same. Part of that infrastructure is in human capital, telecommunications, and technology parks. Most important, a groundwork must be laid in science and technology education, especially IT education. Offshoring will only be possible
16 Ibid., 181.
202 Chapter 7 Information Systems Sourcing
Sourcing Challenge
Equally Important for Both
Domestic & Offshore
More Important
For Offshore
Unique to OffshorePractices to Overcome the Challenge
1. Create a centralized program management of- fice to consolidate management 2. Hire an intermediary consulting firm to serve as a broker and guide 3. Select locations, projects, suppliers, and managers to leverage in-house sourcing expertise 4. Use pilor projects to mitigate business risks 5. Give customers a choice of sourcing location to mitigate business risks 6. Hire a legal expert to mitigate legal risks 7. Openly communicate the sourcing strategy to all stakeholders to mitigate political risks 8. Use secure information links or redundant lines to mitigate infrastructure risks 9. Use fixed-price contracts to mitigate workforce risks 10. Elevate your own organization's CMM certifi- cation to close the process gap between you and your supplier 11. Negotiate the CMM processes you will and will not pay for to avoid wasting money 12. Cross-examine or replace the supplier's em- ployees to overcome cultural communication barriers 13. Let the project team members meet face-to-face to foster camaraderie 14. Consider innovative techniques, such as real- time dashboards, to improve workflow verifica- tion, synchronization, and management 15. Manage bottlenecks to relieve the substantial time zone differences 16. Consider both transaction and production costs to calculate overall savings realistically 17. Size projects large enough to receive total cost savings 18. Establish the ideal in-house/onsite/offshore ratio only after the relationship has stabilized 19. Develop meaningful career paths for subject matter experts, project managers, governance experts, and technical experts to help ensure quality 20. Create balance scorecard metrics
How can we swiftly move through the
learning curve?
How can we mitigate risks?
How can we effectively work with suppliers?
How can we ensure cost
savings while protecting quality?
FIGURE 7.5 Sourcing best practices. Source: J. Rottman and M. C. Lacity, ‘‘Twenty Practices for Offshore Sourcing,’’ MIS Quarterly Executive 3, no. 3 (September 2004), 119, Table 1.
if its key resource, the country’s potential job pool, consists of highly skilled workers. Other actions that governments can take to make their countries more appealing to outsourcing clients are to give marketing assistance to offshore vendors, assist firms in attaining recognized standards of quality in the global marketplace, and promote collaborative efforts between the government, software companies, financial institutions, and universities.17 Governments can also offer
17 Carmel and Tjia, Offshoring Information Technology.
Outsourcing Abroad 203
specific incentives to companies that are considering their country as an offshoring destination. They can, for example reduce/eliminate various taxes or ease the bureaucratic process required for the company.18
One other obvious step that governments need to take is to ensure political stability for their country. In 2002, both India and Pakistan were amassing troops on their common border, and rumors were rampant that the nuclear war heads were being prepared to see service. Not surprisingly, offshoring companies headquartered in India saw the hostilities as threatening to the viability of their businesses. Says N. Krishnakumar, president of MindTree, a leading Indian knowledge outsourcing firm in Bangalore, ‘‘What we explained to our government, through the Confederation of Indian Industry, is that providing a stable, predictable operating environment is now the key to India’s development.’’19 Apparently the elderly leaders in New Delhi saw the confrontation in a new light after the Confederation members explained that the confrontation was very bad for Indian business and the Indian economy. Shortly thereafter, the Indian prime minister toned down the rhetoric and averted a nuclear war.
Government actions to protect against offshoring Some claim that offshoring has resulted in a high number of lost information technology jobs in the United States and Western Europe. Forrester Research estimated that 500,000 U.S. jobs moved offshore in 2004 and that this number will grow to 3.4 million in 2015.20 A follow-up report estimated that the UK would lose 750,000 jobs to offshoring by 2015, and a fifth of them would be IT jobs.21 Deloitte consulting predicted that two million jobs in the financial sector would be lost globally to offshoring.22 These job losses have sparked considerable controversy.23 On the one hand, critics argue that these job losses are harmful to American citizens in the short run. In addition, they see an ultimate decrease in the subjective quality of the new jobs or lowered pay scales in the long run. They point to the necessity of government funding for education and training, health-care insurance and pension portability, and unemployment-compensation programs for the displaced workers — funding that unfortunately is unlikely during this time of growing federal budget deficits. To stem the outflow of lost jobs, the U.S. Congress proposed more
18 Ibid. 19 Friedman, Thomas The World Is Flat (New York: Farrar, Straus and Giroux, 2005), 436. 20 Metrics, ‘‘Offspring to Steadily Increase Through 2015,’’ CIO.com (May 21, 2004), available at http://www2.cio.com/metrics/2004/metric697.html (accessed August 14, 2005). 21 Carmel and Tjia, Offshoring Information Technology. 22 Deloitte Research, Making the Off-shore Call: The Road Map for Communications Operators. Research Report, (2004). 23 Analysis of the Bureau of Labor Statistics Mass Layoff Statistics and European Restructuring Monitor in 2005 did not find support for the idea that large numbers of IT jobs are being offshored. Raymond Panko, ‘‘IT Employment Prospects: Beyond the Dotcom Bubble,’’ European Journal of Information Systems (2008).
204 Chapter 7 Information Systems Sourcing
than 20 federal law proposals (‘‘bills’’) to restrict offshoring.24 In addition, state legislatures in Connecticut, Maryland, Missouri, New Jersey, Rhode Island, and Washington proposed laws to restrain offshoring by more heavily regulating the ‘‘privatization’’ of state services, and 30 other states discussed some kind of legislation. Because the number of contracts offered by state governments is limited, these ‘‘privatization’’ bills, if enacted into law, probably would have little impact on offshoring. Nonetheless, lobbying efforts and public pressure to legislate against offshoring and for making the business dealings of publicly owned firms that engage in offshoring more transparent are likely to continue.
On the other hand, offshoring is argued to benefit both the origin (frequently the United States, Western Europe, and Australia) as well as the destination country through free trade. A recent study of manufactured components outsourced by U.S. computer and telecommunications companies in the 1990s found that outsourcing reduced the prices of computers and communications equipment by 10 to 30 percent and fueled the rapid expansion of IT jobs. Offshoring of IT services may similarly create high-level jobs for U.S. workers to design, tailor, and implement IT packages for a range of industries and companies.25 Forrester Research’s dire prediction about job losses from offshoring only studied job losses from offshored work and not gains from work that American companies export. Other studies show that the United States has enjoyed a growing surplus in IT services, which suggests that inshoring may be more important than offshoring for the U.S. labor force. Clearly, not all offshoring goes from high-wage countries to low-wage countries. For example, the UK purchases four times as much computer service from Germany than it does from India. Surprisingly, India ranks sixth — behind the United States, the United Kingdom, Germany, France, and the Netherlands — as a top recipient of global offshoring pacts based on an International Monetary Fund Study.
Nearshoring Nearshoring is ‘‘sourcing service work to a foreign, lower-wage country that is relatively close in distance or time zone (or both).’’26 Nearshoring was first presented as an alternative to ‘‘farshoring.’’ With nearshoring, the client company hopes to benefit from one or more ways of being close: geographically, tempo- rally, culturally, linguistically, economically, politically, or from historical linkages. Nearshoring basically challenges the assumption on which offshoring is premised: Distance doesn’t matter. With nearshoring, distance matters! The advocates of nearshoring argue that by being closer on one or more of the dimensions listed, the client company will face less challenges in terms of communication, control, supervision, coordination, or bonding socially.
24 Carmel and Tjia, Offshoring Information Technology. 25 Laura D’Andrea Tyson, ‘‘Outsourcing: Who’s Safe Anymore?’’ Executive Viewpoint (February 23, 2004). 26 Erran Carmel and Pamela Abbott ‘‘Why ‘Nearshore’ Means that Distance Matters,’’ Communica- tions of the ACM 50, no. 10 (October 2007), 40 – 46. The quote is from page 44.
Outsourcing Abroad 205
A recent analysis of the nearshoring literature found three major global clusters of countries focused on building a reputation as a home for nearshoring: a cluster of 20 nations around the United States and Canada, a cluster of 27 countries around Western Europe, and a smaller cluster of three countries in East Asia. This smaller cluster contains China, Malaysia, and Korea.27 The ways, or dimensions, of being close clearly extend beyond distance and time zone. For example, language makes a difference in nearshoring. That is why Latin American nearshoring destinations are appealing to Texas or Florida, where there is a large Spanish-speaking population and why French-speaking North African nations are appealing to France. These dimensions likely play a key role when companies are trying to decide between a nearshore or a farshore destination (particularly India). Ironically, India, which exports roughly five times the software of the strictly nearshoring nations, is responding to the competitive threat that these nations pose by offering clients nearshoring options. For example, India-based Tata Consulting Services (TCS) offers its British clients services that are nearshore (Budapest, Hungary), farshore (India), or inshore (London, UK). It is likely that the differentiation based on ‘‘distance’’ is likely to continue to be important in the outsourcing arena.
Captive Centers An alternative to offshoring or nearshoring is a captive center. A captive center is an overseas subsidiary that is set up to serve the parent company. Companies set up captive centers as an alternative to offshoring. Although many companies first set them up in the 1990s to do software maintenance and customer service, these same companies are adopting other strategies. A recent study found four major strategies that are being employed:28
• Hybrid Captive — captive center that performs core business processes for parent company but outsources noncore work to an offshore provider. That is, the captive center performs the more expensive, higher-profile work and outsources the more commoditized work that is more cheaply provided by the offshore vendor.
• Shared Captive — captive center that performs work for both a parent company and external customers. By increasing the volume of work that is performed, the shared captive can become more efficient in terms of processes, equipment, and costs.
• Divest captive — captive center that has a large enough scale and scope that it is well positioned to be sold for a profit by the parent company.
• Terminated Captive — captive center that has been shut down, usually because its inferior service was hurting the parent company’s reputation.
27 Ibid. 28 I. Oshri, J. Kotalarsky, and C.-M. Liew ‘‘What to Do with Your Captive Center: Four Strategic Options,’’ Wall Street Journal, (May 12, 2008).
206 Chapter 7 Information Systems Sourcing
When a center is terminated, the parent company minimizes its losses by outsourcing the noncore work and bringing the core components back in house where they can be managed more effectively.
In determining which captive strategy to adopt, the parent company should consider its goal for the center (i.e., cost savings vs. growth) and the extent to which the offshore market is developed (i.e., developed vs. underdeveloped), as well as the offshoring considerations discussed earlier.
! BACKSOURCING
Backsourcing is a business practice in which a company takes back in-house assets, activities, and skills that are part of its information systems operations and were previously outsourced to one or more outside IS providers.29 It may be partial or complete reversal of an outsourcing contract. A growing number of companies around the globe have brought their outsourced IS functions back in house after terminating, renegotiating or letting their contracts expire. Some companies, such as Continental Airlines, Cable and Wireless, Halifax Bank of Scotland, Sears, Bank One, and Xerox, have backsourced contracts worth over a billion dollars or more. The biggest backsourcing of a contract to date was the one that JP Morgan had signed with IBM for $5 billion dollars and that was described at the start of the chapter.
It isn’t only large companies that are backsourcing. A recent study by Deloitte Consulting reports that 70 percent of outsourcing clients have had negative experi- ences with outsourcing and 25 percent of outsourcing clients have backsourced.30 An even more recent Compass poll of 70 North American companies found that only 4 percent would not consider backsourcing when their current outsourc- ing contracts expired.31 Given the size and number of the current outsourcing contracts and the difficulties of delivering high-quality information services and products, backsourcing is likely to remain an important option to be considered by many client companies.
Ironically, the reasons given for backsourcing often mirror the reasons for outsourcing in the first place. That is, companies often claim that they backsource to reduce costs and become more efficient. Based on reports in the popular press, the most common reasons given for backsourcing are a change in the way the IS is
29 Rudy Hirschheim, ‘‘Backsourcing: An Emerging Trend,’’ Outsourcing Journal, 1998; Mary C. Lacity and Leslie P. Willcocks, ‘‘Relationships in IT Outsourcing: A Stakeholder’s Perspective,’’ in Framing the Domains of IT Management. Projecting the Future. . . Through the Past, ed. Robert W. Zmud, 355 – 384 (Cincinnati: Pinnaflex Education Resources, Inc., 2000). 30 Daniel Mucisko and Evonne Lum, ‘‘Outsourcing Falling from Favor with World’s Largest Organizations, Deloitte Consulting Study Reveals,’’ Deloitte Consulting LLP Report (April 2005). 31 Bill Fowler and Geraldine Fox, ‘‘Bringing IT Back Home: Repatriation Emerges as a Viable Sourcing Option,’’ Compass Report (October 2006), http://www.compassmc.com/pdf/Insourcing.pdf.
Outsourcing Models 207
perceived by the organization, the need to regain control over critical activities that had been outsourced, a change in the executive team (where the new executives favored backsourcing), higher than expected costs, and poor service. The study found that backsourcing wasn’t always due to problems. Sometime companies saw opportunities, such as mergers, acquisition, or new roles for IS, that required backsourcing to be realized.32
Outsourcing decisions can be difficult and expensive to reverse because outsourcing requires the enterprise to acquire the necessary infrastructure and staff. Unless experienced IT staff can contribute elsewhere in the firm, outsourcing major IT functions means staff will be lost either to the outsourcing provider or to other companies. When IT staff get news that their company is considering outsourcing, they often seek work elsewhere. Even when staff are hired by the outsourcing provider to handle the account, they may be transferred to other accounts, taking with them critical knowledge. Backsourcing represents the final decision in one sourcing decision cycle. However, it is invariably followed by another cycle of decisions as the company seeks to respond to its dynamic environment.
! OUTSOURCING MODELS
The classic outsourcing model dictates that an enterprise should outsource only those functions that do not give it a competitive advantage. For instance, mainframe computer maintenance and monitoring are not often considered core competencies of an enterprise and therefore are often farmed to vendors such as Computer Sciences Corporation or Electronic Data Systems. In the early days of outsourcing, such contracts ran long term — often for 10 years or more. Frequently, outsourcing providers took over entire IS departments, including people, equipment, and management responsibility. This classic approach prevailed through most of the 1970s and 1980s, but then experienced a decline in popularity.
In 1989, Eastman Kodak Company’s multivendor approach to meeting its IS needs created the ‘‘Kodak effect.’’ Kodak outsourced its data center operations to IBM, its network to Digital Equipment Company, and its desktop supply
32 N. Veltri, C. Saunders, and C. B. Kavan, ‘‘Information Systems Backsourcing: Correcting Problems and Responding to Opportunities.’’ California Management Review (2008).These economic and relationship issues are similar to the three empirical studies to date that have performed backsourcing research: Bandula Jayatilaka, ‘‘IS Sourcing a Dynamic Phenomena: Forming an Institutional Theory Perspective,’’ in Information Systems Outsourcing: Enduring Themes, New Perspectives and Global Challenges, ed. Rudy Hirschheim, Armin Heinzl, and Jens Dibbern, 103 – 134 (Berlin: Springer- Verlag, 2006); R. Hirschheim and M. C. Lacity, ‘‘Four stories of information systems sourcing,’’ in Information Systems Outsourcing: Enduring Themes, New Perspectives and Global Challenges, ed. R. Hirschheim and J. Dibbern, 303 – 346 (Berlin: Springer, 2006); and Dwayne Whitten and Dorothy Leidner, ‘‘Bringing IT Back: An Analysis of the Decision to Backsource or Switch Vendors,’’ Decision Sciences 37, no. 4 (2006): 605 – 621.
208 Chapter 7 Information Systems Sourcing
and support operations to Businessland.33 Kodak managed these relationships through strategic alliances.34 Kodak retained IS staff to act on behalf of its business personnel with outsource vendors. Vendor contracts created incentives for new investment in technology and provided enough flexibility to encourage quick problem resolution. Vendors made fair profits and received additional business if they performed well. Within a couple of years, Kodak’s capital expenditures attributable to computing dropped by 90 percent.35 Its approach to supplier management became a model emulated by Continental Bank, General Dynamics, Continental Airlines, and National Car Rental.36
Kodak’s watershed outsourcing arrangement ushered in changes to outsourc- ing practices in the 1990s that put all IS activities up for grabs, including aspects that provide competitive advantage. As relationships with outsourcing providers become more sophisticated, companies realize that even such essential functions as customer service are sometimes better managed by experts on the outside. Sometimes these experts may be offshore. In addition, the ubiquity of the Internet has spawned a series of new application service providers (ASPs) who perform sim- ilar services using Web-based applications and, more recently, wireless application service providers (WASP).
Application Service Provider Model An application service provider (ASP) is a company that ‘‘rents’’ the use of an application to the customer. In return, the ASP provides not only the software, but also the infrastructure, people, and maintenance to run it in a customized fashion for a client. It is different from the traditional outsourcing relationship in which an entire IS shop is run by an outside organization. With an ASP, the outsourcing occurs application by application. The goal is to provide trouble-free operation for the customer. This model is particularly useful for the IS that are necessary, but not core, to the business. Companies may also use ASPs to free up IT staff, combine data resources, rapidly deploy new applications, control a widely distributed user base, develop a non-IT-based application, implement new technologies, and in many other ways. Because the ASP is typically responsible for security and maintenance of the systems, they make systems easier to scale and manage. Finally, they provide the infrastructure and applications necessary to get the business up and running. A variation to ASP is the multi-tenant software-as-a-service (SaaS). Companies may host SaaS software so that clients can save not only their software costs, but also their hardware costs.
33 L. Applegate and R. Montealegre, ‘‘Eastman Kodak Co.: Managing Information Systems Through Strategic Alliances,’’ Harvard Business School case 192030 (September 1995). 34 Anthony DiRomualdo and Vijay Gurbaxani, ‘‘Strategic Intent for IT Outsourcing,’’ Sloan Management Review (June 22, 1998). 35 Steven L. Alter, Information Systems: A Manager’s Perspective (San Francisco: Benjamin Cummings, 1996). 36 Mary C. Lacity, Leslie P. Willcocks, and David F. Feeny, ‘‘The Value of Selective IT Sourcing,’’ Sloan Management Review (March 22, 1996).
Outsourcing Models 209
Crowdsourcing Crowdsourcing is the act of taking a task traditionally performed by an employee or contractor and outsourcing it to an undefined, generally large group of people, in the form of an open call. Typically the people performing the work do so either for small amounts of money or because they think it will be fun or give them some desired experience. The content is produced by crowds of people (outside the company) using their collective intelligence. It has international appeal because for some people in third-world countries, even a small reimbursement can go a long way.
Large corporations and businesses of all sizes are issuing open calls as a way of increasing productivity, lowering production cost, and filling skill gaps. Crowd- sourcing can be used for a variety of tasks including manufacturing, photography, software development, and scientific research. However, with this approach, cor- porations do not have control over the people performing the work and often have little say in how or when the work will be performed. In some cases, crowdsourcing has cost a business more than it would have cost using a straightforward, traditional outsourcing approach.
Some well-known crowdsourcing sites are Innocentive (for solving pharmaceu- tical problems), Cambrian House and Rent-a-Coder (for software development), and iStockPhoto for professional-looking images.37 A very recent open call was issued by a Finnish Internet community called ‘‘eCars — Now!’’ The community wants to shake up the automotive industry by developing electric cars, with the first rollout due by the end of 2008.38
Full versus Selective Outsourcing Models Once a company decides to outsource, despite possible challenges, it must decide whether to pursue it fully or selectively. As the term full outsourcing implies, an enterprise can outsource all its IT functions from desktop services to software development. An enterprise would outsource everything if it does not view IT as a strategic advantage that it needs to cultivate internally. Full outsourcing can free resources to be employed in areas that add greater value. It can also reduce overall cost per transaction due to size and economies of scale.39 Many companies outsource IT simply to allow their managers to focus attention on other business issues. Others outsource to accommodate growth and respond to their business environment. Palm Inc. had no choice but to outsource when it split off from parent 3Com Corp. It was a $3 billion company with a 100 percent annual growth rate that had to build its internal capabilities quickly.40
37 Top 10 Crowdsourcing Companies (August 2006). http://innovationzen.com/blog/2006/08/01/ top-10-crowdsourcing-companies/ (accessed July 23, 2008). 38 Reuters, ‘‘Crowd Sourcing the Electric Car,’’ BaseLine (July 23, 2008), http://www.baselinemag .com/c/a/Automotive/CrowdSourcing-the-Electric-Car/?kc=BLBLBEMNL07242008STR1 (accessed July 23, 2008). 39 Tom Field, ‘‘An Outsourcing Buyer’s Guide: Caveat Emptor,’’ CIO Magazine (April 1, 1997). 40 Lorraine Cosgrove Ware, ‘‘Adventures in Outsourcing,’’ CIO Magazine (May 3, 2002), available at http://www2.cio.com/research/surveyreport.cfm?id=78 (accessed June 22, 2002).
210 Chapter 7 Information Systems Sourcing
With selective outsourcing, an enterprise chooses which IT capabilities to retain in house and which to give to an outsider. A ‘‘best-of-breed’’ approach is taken in which suppliers are chosen for their expertise in specific technology areas. Areas include Web site hosting, Web 2.0 applications, business process application development, help desk support, networking and communications, and data center operations. Although an enterprise can acquire top-level skills and experience through such relationships, the effort required to manage them grows tremendously with each new provider. Still, selective outsourcing gives greater flexibility and often better service due to the competitive market.41 To illustrate, an enterprise might retain a firm to develop virtual world applications and at the same time select a large outsourcing provider, such as Perot Systems, to assume mainframe maintenance. Such firms as GM and Southland Corporation have adopted this approach, also called ‘‘strategic sourcing.’’
To illustrate the ins and outs of selective and full outsourcing, consider the case of a company that pursued both approaches. British Petroleum (BP) selected only a few outsourcing providers with short-term contracts to meet its IT needs.42 BP awarded Sema Group management of its data center, Science Applications International Corporation, its European IT facility management and companywide applications support, and Syncordia, its telecommunications and telex networks. This arrangement was selective in that BP chose each company for its particular expertise, but full in that BP turned over a significant percentage of its IT to outsourcing providers. Thus, it gained the benefits of best of breed and competitive pricing along with fewer contract management worries and the ability to develop long-term relationships. BP encouraged the outsourcing providers to work together to provide high-quality services.
What were the results of BP’s approach? The company saw its IT costs fall from $360 million in 1989 to $132 million in 1994. At the same time, it gained more flexible IT systems and higher-quality service. BP saw its IT staff shrink by 80 percent. The remaining staff became internal consultants throughout the company. In fact, BP is considering outsourcing its internal consultants to other companies. Not all outsourcing arrangements are so successful, but BP illustrates the best-case scenario.
Single versus Multiple Vendors Kodak ushered in the practice of multiple vendors when it contracted IBM, Digital Equipment Company, and Businessland to perform work for which they each were considered to be leaders in the industry. Multiple vendors allows client companies to distribute work to the ‘‘best in breed.’’ It comes with its downsides, though. More vendors means more coordination than with working with a single outsourcing provider. Further, when a major problem occurs, there may be a tendency to
41 Tom Field, ‘‘An Outsourcing Buyer’s Guide: Caveat Emptor,’’ CIO Magazine (April 1, 1997). 42 J. Cross, ‘‘IT Outsourcing: British Petroleum,’’ Harvard Business Review (May – June 1995), 94 – 102.
Food for Thought: Outsoucing and Strategic Networks 211
‘‘finger-point.’’ That is, each vendor may claim that the problem is caused by, or can only be corrected by, another vendor.
With time the various outsourcing models blossom and then wane in popularity. For example, the ASP model, which was hyped around the turn of the millennium, is now much less popular than crowdsourcing. And crowdsourcing, which capitalizes on Web 2.0 tools, surely will be supplanted by other sourcing models as new technologies enter the scene. Further, as companies take steps to become more flexible, they will enact their preference for shorter and more selective outsourcing contracts.
! FOOD FOR THOUGHT: OUTSOURCING AND STRATEGIC NETWORKS
Typically outsourcing relationships are couched in terms of a provider and a client. The client must decide whether to develop the system or provide a service in house or to turn to a provider for the service. That is, many of today’s corporations turn to the two traditional ways to organize economic activity: make (i.e., also called insourcing or vertical integration) or buy (i.e., also called outsourcing or subcontracting). Both forms have their advantages and disadvantages, which were discussed earlier in the chapter. In the extreme, outsourcing may lead to a situation in which a company transfers so much of its competitive advantage to an outsourcing provider that the provider becomes a competitor or the client company’s strategic knowledge is diffused to its competitors who also use the same provider.43 Unfortunately, the outsourcing client may become distanced from both its customers and sources of innovation. The worse fear for a company is that it becomes a ‘‘hollow’’ corporation that merely shuffles product components from one supplier to another and that eventually loses its core competencies. Jarillo persuasively describes a third approach for organizing economic activity: the strategic network.44
A strategic network is a long-term, purposeful ‘‘arrangement by which com- panies set up a web of close relationships that form a veritable system geared to providing product or services in a coordinated way.’’45 It becomes a hub and its suppliers, including its outsourcing providers, are part of its network. The advan- tage of the strategic network is that it lowers the costs of working with others in its network. In doing so, the company can become more efficient than its competitors, as well as flexible enough to respond to its rapidly changing environment. Perhaps the strategic network is the best way to think about outsourcing arrangements in today’s world.
An example of a strategic network is the keiretsu. Japanese keiretsu is similar to a strategic network in that it has a hub company, a policy that encourages
43 J. C. Jarillo, Strategic Networks: Creating the Borderless Organization (Oxford, UK: Butterworth- Heinemann, 1993). 44 Ibid. 45 Ibid., 7.
212 Chapter 7 Information Systems Sourcing
specialization within the network, and investments (financial and otherwise) in long-term relationships.46 The Japanese companies manage their outsourcing activities based on the types of inputs from different types of suppliers.47 The strategic suppliers (kankei kaisa) fall into the keiretsu category, whereas indepen- dent suppliers (dokuritsu kaisha) do not. Japanese companies work very closely with companies in the keiretsu. Foreign multinationals, especially the Japanese, have capitalized on having different types of outsourcing arrangements (i.e., strate- gic partnerships and arm’s-length arrangements) to achieve both effectiveness and efficiency.
! SUMMARY • Firms typically face a range of sourcing decisions. The Sourcing Decision Cycle
Framework highlights decisions about where the work will be performed. Decisions include insourcing versus outsourcing, inshoring versus offshoring, and selecting among offshoring options (nearshoring versus farshoring versus captive centers). The cycle involves an assessment of the adequacy of the IS service/product delivery. The assessment can trigger a new cycle.
• Cost savings or filling the gaps in the organization’s IT skills are powerful drivers for outsourcing. Other drivers include the ability for the company to adopt a more strategic focus, manage IS staff better, better handle peaks, consolidate data cen- ters, or benefit from a cash infusion, The numerous risks involved in outsourcing arrangements must be carefully assessed by IS and general managers alike.
• Offshoring may be performed in a country that is proximate along one or a number of dimensions (nearshoring) or that is distant (farshoring). Offshoring must be man- aged carefully and take into consideration functional differences.
• Different ways of outsourcing include application service providers (ASPs) and crowdsourcing.
• Full or selective outsourcing offers organizations an alternative to keeping top-performing IS services in-house. Firms can meet their outsourcing needs by using a single-vendor or multiple-vendor models.
! KEY TERMS application service
provider (ASP) (p. 208) backsourcing (p. 206) captive center (p. 205)
crowdsourcing (p. 209) full outsourcing (p. 209) insourcing (p. 193) nearshoring (p. 204)
offshoring (p. 198) outsourcing (p. 193) selective outsourcing
(p. 210)
46 Ibid., 122. 47 Masaaki Kotabe and Janet Y. Murray, ‘‘Global Sourcing Strategy and Sustainable Competitive Advantage,’’ Industrial Marketing Management 33 (2004), 7 – 14.
Case Study 213
! DISCUSSION QUESTIONS 1. The make-versus-buy decision is important every time a new application is requested of the IS group. What, in your opinion, are the key reasons an IS organization should make its own systems? What are the key reasons it should buy an application?
2. Is offshoring a problem to your country? To the global economy? Please explain.
3. Premiere Technologies, Inc., a fast-growing supplier of communication services in more than 30 countries, provides an example of successful use of an ASP. Premiere began to implement an enterprise resource planning (ERP) system and found that whenever there was a problem or call to work on a ‘‘revenue producing’’ information system, all resources were diverted from the implementation of the ERP.
Premiere decided to outsource the ERP applications. The ASP not only came in to help plan how to best make the ERP system successful, but it also bought and maintained the servers on which the ERP runs, installed and configured the ERP software, and staffed the help desk to make the deployment smooth. When Premiere acquires a new company, something they do regularly, the ASP takes care of incorporating the new acquisition into the ERP. By one estimate, Premiere saved about $3 million over five years by using the ASP instead of doing it themselves.48
a. Discuss the advantages an ASP offers Premiere Technologies, Inc. b. What possible risks are associated with Premiere’s use of an ASP? c. What would determine which application(s) to give to an ASP versus the ones to keep in house? d. Premiere Technologies was seven years old when it turned to using ASPs. When would it make sense to use an ASP for start-up companies?
4. When does using crowdsourcing make sense for a large corporation that already has an IS organization? Give an example of when crowdsourcing might make sense for a start-up company?
CASE STUDY 7-1
SODEXHO ASIA PACIFIC
Sodexho Asia Pacific, a major subsidiary of one of the world’s largest food and support services, Sodexho Alliance, provides a wide range of catering, food and management services, and facilities management. Sodexho Asia Pacific employs 20,000 employees in nine countries. It has used a decentralized business model, which gave its managers considerable autonomy to adapt their operations to meet local customer needs. However, the autonomy came with a price, and Sodexho Asia Pacific found that over time information silos were created that made it difficult to communicate across national boundaries. Its processes were
48 Adapted from Cynthia Morgan, ‘‘ASPs Speak the Corporate Language,’’ Computerworld (October 25, 1999), 74 – 77.
214 Chapter 7 Information Systems Sourcing
adapted to accommodate the information systems and back-office processes of the many different service providers in each country. Further adaptation was required following a series of mergers and acquisitions in the early 2000’s. When Sodexho absorbed these many organizations, it had to design additional systems and middleware to integrate each legacy system with the others.
As a result of the decentralization, mergers, and acquisitions, Sodexho Asia Pacific’s processes were extremely complex, its information systems were fragmented, and com- munication across systems was difficult. Even though Sodexho Asia Pacific was very large, it could not leverage the company’s overall purchasing power. Nor could its managers respond quickly enough to take advantage of opportunities or make timely decisions. In an industry challenged by its low profit margins, expenditures ballooned as a result of processing inefficiencies and multiple procurement systems. The company knew it needed to take dramatic action. It determined an organizationwide integrated system was required to improve information sharing and leverage its purchasing power.
‘‘We have about 250 contracts with customers in Australia alone,’’ noted Sodexho Asia Pacific’s Director of Finance and IS Garen Azoyan in 2004. ‘‘We needed to get more information out of our SAP system about the profitability of each contract, and about how well we are meeting the needs of our customers.’’
In 2004 Sodexho Asia Pacific awarded IBM Global Business Services in Australia a two-phase, multi-million-dollar, five-year outsourcing contract. The first phase provided application system support for remodeling and integrating accounting and financial processes into an existing Australian SAP system. It was developed and delivered using offshore resources in India working in concert with the Sodexho Asia Pacific personnel. The revamped SAP system replaced six different systems in 17 of Sodexho’s companies in six Asia Pacific countries. The adoption of the revamped system meant Sodexho Asia Pacific could centralize all its finance efforts. This allows better organization and retrieval of the available information and the management of the finance operations from a single site in Sydney, Australia.
Azoyan explained the reasons for the outsourcing arrangement: ‘‘Sodexho has invested in IBM’s consulting and e-business hosting expertise to improve the efficiency of its operations and to maximize its bottom line. We will realize significant financial benefits as well as utilizing better finance and accounting processes. This will improve our ability to respond quickly to changing business conditions, to focus on our clients needs, and to continue improving the quality of daily life of our customers.’’
In the second phase of the agreement IBM migrated Sodexho Asia Pacific’s SAP infrastructure to an e-business hosting environment that is managed and supported by IBM Global Services. The expanded system was transitioned to IBM’s eServer pSeries servers. IBM’s hosted solution is on a pay-per-user basis that is consistent with Sodexho’s contract-based model. That is, it allows Sodexho Asia Pacific to shift its fixed IT costs to variable costs, just as Sodexho tends to do with its customers.
Because it is now able to leverage its buying power, Sodexho realized a 3 percent increase in profits within two years. It has also reduced its infrastructure costs by 25 percent, increased its operational efficiency, and improved organizational decision making. Since undertaking the project Sodexho has reported improvements in the speed of financial and accounting performance. With less focus required on these processes, the company is better able to address the needs of its consumers by shifting their efforts to areas of competencies of its core business skills, enhancing client services, and executing better cost management.
Case Study 215
Outsourcing has traditionally been associated with the loss of jobs at the source company; however, in the case of Sodexho, not a single job has been lost due to the outsourcing to IBM. The people that were working in the company’s finance section have shifted into analytical roles, allowing better business decisions rather than solely processing, as had been the case prior to the outsourcing exercise.
For all the successes that have been realized by Sodexho’s outsourcing, the implemen- tation has not been without hiccups. Outsourcing presents a large cultural change for any organization; getting the support from employees is paramount for the implementation’s success. It was found that the most effective way to gain the support of the employees was to involve them throughout the process. Even now, after the implementation is complete, the company holds two meetings a week to ensure support and maintenance is of the highest quality.
Discussion Questions
1. How were jobs actually saved by Sodexho’s decision to outsource? 2. What are the important factors to consider when deciding whether to outsource a par-
ticular part of a business? 3. Describe five advantages that are commonly attributed to outsourcing. Demonstrate
how the Sodexho Asia Pacific case illustrates (or does not illustrate) each of these advantages.
4. Sodexho used offshore resources in India working in concert with the Sodexho Asia Pacific personnel. Why do you think Sodexho decided to offshore to an Indian provider? What do you anticipate were some of the challenges experienced in offshoring to an Indian provider?
5. What steps did Sodexho take to make the outsourcing arrangement a success?
Source: Excerpted from minicase by Chad Elliott and ‘‘Sodexho Asia Pacific.’’ IBM Global Financ- ing, (October 16, 2007), http://www-01.ibm.com/software/success/cssdb.nsf/cs/BTHD-778TLM? OpenDocument&Site=igf&cty=en us; Sodexho Selects IBM for business process and application support work, http://www.physorg.com/news839.html, (August 16, 2004); and Sodexho Asia Pacific, http://www.qubix-au.com/Qubix%20Case%20Studies%20-%20Sodexho.pdf.
CASE STUDY 7-2
OVERSEAS OUTSOURCING OF MEDICAL TRANSCRIBING
The following is a discussion between Chris Boss, CEO of Good Hospital and M.D. Noitall, the Medical Director at the same hospital in Brisbane, Australia. Chris met M.D. in the hallway early one Monday morning.
CHRIS: Good morning, M.D. I read a report in the Financial Times this morning that many hospitals and doctors are now sending medical files overseas to be typed up. The article says that it is cheaper. But I see a number of problems. I am especially concerned about privacy issues. How can medical histories remain confidential if they are being sent halfway around the globe? And what about the language barrier? Can we guarantee that
216 Chapter 7 Information Systems Sourcing
exact detail is being translated by people who do not normally speak English? Have you heard of this?
M.D.: Good morning, Chris. Yes, I’ve heard of this. I mean, we know that many things are now done in a global network. So whether it is reading the X-ray reports or recording bank transactions or transcribing medical transactions, it is certainly going on.
CHRIS: How many hospitals are sending records overseas to be typed up?
M.D.: Well, I really don’t know the numbers. I would imagine that it is a pretty large number of hospitals. And the reason for that is, they are trying to downsize the medical administration within the hospitals.
CHRIS: But if we were to do this, how could we be absolutely sure that what one of our doctors says in a report is actually being translated correctly?
M.D.: Well I mean, the same errors in transcription would occur whether the transcriber sits here or sits in India or sits . . .
CHRIS: No. This is going overseas to Malaysia. Surely the risks are increased unbelievably.
M.D.: Well, the risks will be based on the quality of the recording, the quality of the decoding at the other end, and the person at the other end who is doing the transcribing. But that comes back to basics. If you’re sending work out, you’ve got to be assured wherever you’re sending it to be transcribed, that it is a secure environment and that confidentiality is maintained. And when it comes back to you, you have got to check it. And, of course, we’ve got to have a secure environment on our end.
I do not think that will have the whole three inches of somebody’s medical file going to and fro on the Internet. We’ll only have recordings of a conversation, which needs to be transcribed as a letter or recordings of findings. Nonetheless, it has got to be confidential. We would have to make sure that confidentiality is maintained throughout this whole process.
CHRIS: You don’t have a problem with this, then?
M.D.: I have a problem if it is not done in a confidential way designed to maintain patients’ privacy or if the transcribing is not checked. We also need to make sure that the IT environment that we have actually allows us to share that information and send the reports securely over the Internet.
CHRIS: How much cheaper is it?
M.D.: The cost of doing this electronically, compared to having somebody here, would obviously vary on the size of the job. But obviously, there are cost savings; otherwise it wouldn’t be done. And I suppose there may be some efficiencies in time. Because if you finish your work at 6 p.m. here, you can send it to somewhere else in the world where it is several hours earlier. Then when you go back to work the next morning, it is done! And besides, it is hard to find people in Brisbane who even want to do medical transcribing.
CHRIS: So, do you think we should look into medical transcribing here at Good Hospital?
Case Study 217
Discussion Questions
1. Are Chris and M.D. talking about outsourcing? Is it an example of offshoring? Is it an example of nearshoring? Explain.
2. What challenges do you see in sending the medical transcription work to Malaysia? What would you do to reduce those challenges?
3. How would you respond to Chris’s question?
Source: Based heavily on ‘‘Overseas Outsourcing of Medical Transcribing — 2GB,’’ interview by Luke Bona reporting the conversation between Bona and Dr. Haikerwal, AMA Media Transcript, (April 19, 2007) http://www.ama.com.au/web.nsf/doc/WEEN-72E7QP (accessed July 25, 2008).
!CHAPTER 8 GOVERNANCE OF THE INFORMATION SYSTEMS ORGANIZATION1
When 3M’s CEO James McNerney came on board, he handed the chief infor- mation officer (CIO) David Drew a big surprise. Prior to McNerney’s arrival, the Information Systems Steering Committee (ISSC) had met six times a year to provide direction for the information technology (IT) group, endorse IT projects of more that $1million, and prioritize IT resources. The board included 3M’s heavy hitters, including all six business division chiefs, top functional leaders, and the CIO. But to Drew’s chagrin, the CEO broke up the group. A disappointed Drew stated, ‘‘The corporate IT prioritization process was moved back to IT, and I would really rather have it at the highest business level.’’2
Now 3M’s IT governance structure starts at the business process level. Its six divisions each must document the productivity of their IT projects. Business unit leaders select and champion their IT projects, while IT plays a supporting role. Each project is reviewed to make sure that it is in line with the division’s quarterly cost-reduction dollar target. If it isn’t, the business unit leadership is accountable to the top executives. Thus, the business units are motivated to devote the resources necessary to help the IT staff successfully complete the IT projects. Of course, Drew is also accountable for making sure that his staff are well managed and have the resources that they need. Projects that could conceivably benefit more than one business unit get elevated to corporate-level sponsorship.3
Drew decided, ‘‘You can’t solve everything with committees. . . . You have to figure out the most practical way to interrelate with senior management on
1 The authors wish to acknowledge and thank David M. Zahn, MBA 1999, for his help in researching and writing early drafts of this chapter. 2 Christopher Koch, ‘‘IT Governance Strategies from State Street, 3M and Others,’’ CIO, (September 15, 2002), www.cio.com/article/print/31330. 3 Understanding IT Governance, Public CIO Magazine, (May 2005), http://209.85.215.104/search?q= cache:Z1CM3KbCY44J:tgb.iowa.gov/images/pdf/Understanding%2520IT%2520Governance%2520 Article.doc+IT+governance+3m&hl=en&ct=clnk&cd=2&gl=us (accessed July 23, 2008).
218
Understanding the IS Organization 219
IT issues and be prepared to change the way you do it. There’s no standard model for that.’’4
The CIO at 3M recognizes that it is important to get the buy-in of business leaders for information systems (IS) projects. The higher the level of support, the better it is for the IS projects. That is why the CIO was disappointed when the high-level ISSC was disbanded. In its place, however, is a governance structure to help both his IS organization and the business units work toward achieving corporate goals. Although each IS organization is unique in many ways, all have elements in common. The focus of this chapter is to introduce managers to the typical activities of an IS organization to facilitate interaction with management information systems (MIS) professionals. Managers will be more effective consumers of services from MIS professionals in their organization if they understand, in general, what these professionals do. This chapter examines the roles, tasks and governance of the IS organization.
! UNDERSTANDING THE IS ORGANIZATION
Consider an analogy of a ship to help explain the purpose of an IS organization and how it functions. A ship transports people and cargo to a particular destination in much the same way that an IS organization directs itself toward the strategic goals set by the larger enterprise. Sometimes the IS organization must navigate perilous waters or storms to reach port. For both the IS organization and the ship, the key is to perform more capably than any competitors. It means using the right resources to propel the enterprise through the rough waters of business. Each of these resources is discussed in the following sections.
Chief Information Officer If an IS organization is like a ship, then the chief information officer (CIO) is at the helm. The CIO is an executive who manages IT resources to implement enter- prise strategy. The Gartner Group defines a CIO as one who ‘‘provides technology vision and leadership for developing and implementing IT initiatives that create and maintain leadership for the enterprise in a constantly changing and intensely competitive marketplace.’’5 We would add that the CIO’s role is also to provide expertise in the strategy formulation processes along with the executive team.
This definition may seem clear, but to understand what the CIO does, we should explore the historical origins of this position. The CIO function is a relatively new position when compared to the more established chief executive officer (CEO) or chief financial officer (CFO), which have existed in the corporate structure for decades. In fact, the CIO position did not really emerge until the early 1980s, when top management perceived a need for an executive-level manager to focus
4 Koch, ‘‘IT Governance Strategies.’’ 5 Available at http://www.cio.com/forums/executive/gartner description.html.
220 Chapter 8 Governance of the Information Systems Organization
on cutting the ever-increasing costs of IT. Cost-cutting measures typically took the form of outsourcing arrangements, which are addressed later in this chapter and in Chapter 7.
The evolution of the CIO’s role closely follows the evolution of technology in business. Throughout the late 1980s and into the 1990s, technology grew from an expensive necessity to a strategic enabler. As technology’s role increased in importance, so did that of the CIO. As the Internet became a core component in the business environment, the CIO’s role became a critical component of the strategy formulation process. In fact, many organizations include the CIO as an integral member of the executive-level decision-making team.
CIOs are a unique breed. They have a strong understanding of the business and of the technology. In many organizations they take on roles that span both of these areas. More often than not, CIOs are asked to play strategic roles at some part of their day and operations roles at other times, rather than spending all their time on one or the other. It appears that the scope and depth of the CIO are expanding. Now, 12 main responsibilities often define the CIO role:
1. Championing the organization. Promoting IT within the enterprise as a strategic tool for growth and innovation
2. Architecture management. Setting organizational direction and priorities 3. Business strategy consultant. Participating in executive-level decision
making 4. Business technology planning. Bridging business and technology groups
for purposes of collaborating in planning and execution 5. Applications development. Overseeing legacy and emerging enterprise
initiatives, as well as broader strategic business unit (SBU) and divisional initiatives
6. IT infrastructure management (e.g., computers, printers, and networks). Maintaining current technologies and investing in future technologies
7. Sourcing. Developing and implementing a strategy for outsourcing (ver- sus retaining in-house) IT services and/or people
8. Partnership developer. Negotiating relationships with key suppliers of IT expertise and services and making sure everyone is working toward mutual goals
9. Technology transfer agent. Providing technologies that enable the enterprise to work better with suppliers and customers — both internal and external — and consequently, increase shareholder value
10. Customer satisfaction management. Understanding and communicating with both internal and external customers to ensure that customer satisfaction goals are met
11. Training. Providing training to IT users, as well as senior executives who must understand how IT fits with enterprise strategy
Understanding the IS Organization 221
12. Business discontinuity/disaster recovery planning. Planning and imple- menting strategies to limit the impact of natural and human-made disasters on information technology and, consequently, the conduct of business
CIOs must work effectively not only within the technical arena, but also in overall business management. This means that they need the technical ability to conceive, build, and implement multiple IT projects on time and within budget. Their technical skills must be balanced against business skills such as the ability to realize the benefits and manage the costs and risks associated with IT, to articulate and advocate for a management vision of IT, and to mesh well with the existing management structure. Further, CIOs must have both the technical and business skills to bridge the technology and business gaps between available technologies and business needs, including nontechnical internal clients. They must see the business vision and understand how the IT function can contribute to realizing this vision.
Where the CIO fits within an enterprise is often a source of controversy. In the early days of the CIO position, when the CIO was predominantly responsible for controlling costs, the CIO reported to the chief financial officer (CFO). Because the CIO was rarely involved in enterprise governance, this reporting structure worked. However, as IT burgeoned into a source for competitive advantage in the marketplace, reporting to the CFO proved too limiting. Conflicts arose because the CFO misunderstood the vision for IT or saw only the costs of technology, or because management still saw the CIO’s primary responsibility as controlling costs. More recently, CIOs report directly to the CEO, president, or other executive manager.
Confusion often occurs regarding whether the CIO is more of a strategist or an operational manager. He or she is often asked to be both. Because the CIO is the top IS professional in the hierarchy, it is imperative that this person also be a strategist. The title CIO signals to both the organization and to outside observers that this executive is a strategic IS thinker and is responsible for linking IS strategy with the business strategy. With the increasing importance of the Internet to every business, the CIO is increasingly asked to assist, advise, and participate in discussions in which business strategy is set. However, just as the CFO is somewhat involved in operational management of the financial activities of the organization, the CIO is involved with operational issues related to IS. These include activities such as identifying and managing the introduction of new technologies into the firm, setting purchasing and vendor policies, and managing the overall IT budget. Actual day-to-day management of the data center, the vendor portfolio, and other operational issues is typically not handled directly by the CIO, but by one of the managers in the IS organization.
What, then, does a CIO do? Although there is no such thing as an average day in the life of a CIO, the following examples give a picture of how varied the role is across organizations. Several years ago, the longtime CIO for Northrop Gumman Corp., Tom Shelman, was asked to transform the role so that it would
222 Chapter 8 Governance of the Information Systems Organization
be more ‘‘strategic’’ and ‘‘transformational.’’ The result was Shelman overseeing a project that subsequently led to a $500 municipal contract. The implementation of a wireless network at one of Northrop’s shipyards in Pascagoula, Mississippi, was a stepping-stone to a contract for a citywide wireless network for a number of New York City’s departments. H – P’s CIO Randy Mott now spends less time on tech support and more on meeting with customers to describe to them how to use the company’s products in a major way. Louie Ehrlich, the CIO of one of Chevron Corp.’s business units, used to spend much of his time integrating the company’s far-flung IT operations. Now that he has been given the additional title of vice president of strategy and services, he only spends about 10% of his time supervising IT. ‘‘The CIO title is misused,’’ he claims adding if the CIO only oversees IT, ‘‘they should be named a tech manager. A CIO should be enabling a business to grow.’’6
Some organizations choose not to have a CIO. These organizations do not believe that the CIO should have decision-making authority to lead strategic IT initiatives. Rather, they typically hire an individual to be responsible for running the computer systems and possibly to manage many of the activities described later in this chapter. But they signal that this person is not a strategist by giving them the title of data processing manager or director of information systems or some other reference that clearly differentiates this person from other top officers in the com- pany. Using the words chief and officer usually implies a strategic focus, and some organizations do not see the value of having an IS person on their executive team.
Chief Technology Officer, Chief Privacy Officer, and Other Similar Roles Although the CIO’s role is to guide the enterprise toward the future, this respon- sibility is frequently too great to accomplish alone. Many organizations recognize that certain strategic areas of the IS organization require more focused guidance. This recognition led to the creation of new positions, such as the chief knowledge officer (CKO), chief technology officer (CTO), chief telecommunications officer (also CTO), chief network officer (CNO), chief information security officer (CISO), chief privacy officer (CPO), and chief resource officer (CRO). See Figure 8.1 for a list of their different responsibilities. Each of these positions typically subordinates to the CIO, with the occasional exception of the chief technology officer. Together, they form a management team that leads the IT organization.
The chief technology officer (CTO) is an especially critical role. The CTO, or the enterprise’s top technology architect, often works alongside the CIO. The CTO must have enough business savvy and communication skills to create an organizational vision for new technologies, as well as to oversee and manage the firm’s technological operations and infrastructure. The new position is often created because one person isn’t qualified to fill the broadly defined CIO role.
6 Pui-Wing Tam ‘‘CIO Jobs Morph from Tech Support into Strategy,’’ Wall Street Journal, (March 22, 2007), http://online.wsj.com/public/article/SB117193647410313201-fqJsAOxwVGloj OngdVIS bjVI 20070322.html?mod=tff article.
Understanding the IS Organization 223
Title Responsibility
Chief technology officer (CTO) Track emerging technologies Advise on technology adoption Design and manage IT architecture to ensure consistency and compliance
Chief knowledge officer (CKO) Create knowledge management infra- structure Build a knowledge culture Make corporate knowledge pay off
Chief telecommunications officer (CTO) Manage phones, networks, and other communications technology across entire enterprise
Chief network officer (CNO) Build and maintain internal and external networks
Chief resource officer (CRO) Manage outsourcing relationships
Chief information security officer (CISO) Ensure information management prac- tices are consistent with security requirements
Chief privacy officer (CPO) Responsible for processes and practices that ensure privacy concerns of customers, employees, and vendors are met
FIGURE 8.1 The CIO’s lieutenants.
New ‘‘chief’’ roles spring up almost daily as enterprises try to share the complex and growing responsibilities of managing IT. Giving someone the title of ‘‘chief’’ is one way to signal that this individual is ultimately responsible for decisions in their area, even though he or she does not report directly to the CEO of the enterprise. This individual is recognized as the most senior person in the organization charged with responsibility for that functional area. For example, Earthlink, one of the largest U.S. information service providers (ISPs), created the office of chief privacy officer (CPO) to interface with the FBI and privacy advocates about the mandated use of Carnivore, a controversial e-mail surveillance tool. The CPOs at AllAdvantage.com, AT&T, and Excite@home represent customers’ privacy interests in negotiations with business developers, top management, and technology executives.7 Other firms eliminated the CIO altogether in favor of some configuration of the typically subordinate positions. These enterprises hope that flatter organizations will prove more effective.
7 Steve Ulfleder, ‘‘OhNo, Not Another O,’’ CIO Magazine (January 15, 2001), http://www.cio.com/ archive/011501/ohno content.html (accessed June 21, 2002).
224 Chapter 8 Governance of the Information Systems Organization
Many large corporations take the concept of CIO one step further and identify a business unit CIO. This is someone who has similar responsibilities to a corporate CIO, but the scope is the business unit. Typically the business unit CIO has dual reporting responsibility to both the corporate CIO and the president of the business unit. General Motors established divisional CIO positions that report to the corporate CIO.8
! WHAT A MANAGER CAN EXPECT FROM THE IS ORGANIZATION
This chapter explores the roles and processes performed by a typical IS organization (i.e., IS department). We now turn to the customer of the IS organization, the general manager or ‘‘user’’ of the systems. What can a manager expect from the IS organization?
Managers must learn what to expect from the IS organization so they can plan and implement business strategy accordingly. A manager typically can expect 13 core activities: (1) anticipating new technologies, (2) participating in setting and implementing strategic goals, (3) innovating current processes, (4) developing and maintaining information systems, (5) managing supplier relationships, (6) estab- lishing architecture platforms and standards, (7) promoting enterprise security, (8) planning for business discontinuities, (9) managing data, information, and knowledge, (10) managing Internet and network services, (11) managing human resources, (12) operating the data center, and (13) providing general support.9
Anticipating New Technologies Given the breakneck speeds at which technology moves, the IS organization must keep an eye toward the horizon in order for an enterprise to leverage state-of-the art tools. The chief technology officer (CTO) or IS staff members in a new technology group assess the costs and benefits of new technologies for the enterprise. The CTO or new technology group works closely with business groups to determine which technologies can provide the greatest benefit, how the technologies might affect the organization, and when they should be implemented. They are the watchdogs who ensure that the enterprise does not invest heavily in new technologies that quickly become obsolete or incompatible with other enterprise standards. To correctly assess the enterprise’s needs, business and IS staff must work closely to evaluate which technologies can best advance the business strategy and capitalize on new cost savings or sources of revenue. It is the job of the IS organization to scout new technology trends and help the business integrate them into planning and operations.
8 Lauren Gibbons Paul, ‘‘A Separate Piece,’’ CIO Magazine (October 15, 1998). 9 Eight activities are described by John F. Rockart, Michael J. Earl, and Jeanne W. Ross, ‘‘Eight Imperatives for the New IT Organization,’’ Sloan Management Review (Fall 1996), 52 – 53. Five activities have been added to their eight imperatives.
What A Manager Can Expect From The Is Organzation 225
Participating in Setting Strategic Direction Ideally, IS staff enable business managers to achieve strategic goals by acting as consultants or by teaching them about developing technologies. As consultants, IS staff can advise managers on best practices within IT and work with them to develop IT-enhanced solutions to business problems. IS personnel also educate managers about current technologies as well as IT trends. Sharing business and technical knowledge between groups encourages better, more informed decisions across the enterprise. No longer anonymous techies, IS staff are partners in moving the enterprise forward. They must initiate, foster, and grow strong partnerships with their business colleagues. For instance, over 2,000 UPS technicians are now commissioned to provide on-site support at Mail Boxes, Etc (a 2001 UPS acquisition) in the United States.10 This tighter relationship improves integration between systems and business and helps in using IT to meet the customers’ needs.
Innovating Current Processes IS staff, especially IS managers, business analysts, and developers, work with managers to innovate processes that can benefit from technological solutions. Such solutions can range from installing voice mail to networking personal computers or automating general ledger transactions. Over the last decade such solutions include ERP implementations (see Chapter 5 for more discussion about ERPs). Business process reviews usually begin with a survey of best practices. Information technology becomes an integral component of new processes designed for the enterprise. Thus, IS personnel can play a crucial role by designing systems that facilitate these new ways of doing business.
When systems are incorrectly designed, or when IS processes do not function correctly, the IS organization can become a ‘‘disabler’’ of innovation. In some cases, the lack of flexibility in existing systems, and the reluctance to discard technology before the investment return is realized, block business managers from implementing decisions they would otherwise choose to make.
Developing and Maintaining Systems The primary processes performed by most IS organizations are that of building systems or buying software packages to meet business needs. Systems development itself is discussed in more detail in Chapter 11, the chapter on project management. In this core IS organization activity, business analysts and systems developers work together in analyzing needs, designing the software, writing or coding the software, and testing to make sure the software works and meets the business objectives. Other systems development activities identify, acquire, and install outside software packages to fill a need for individuals in the organizations. As more companies move to software-as-a-service (see Chapter 6 for more on SaaS), developing systems is
10 ‘‘UPS Governance: The Key to Aligning Technology Initiatives with Business Direction,’’ http://www.pressroom.ups.com/mediakits/factsheet/0,2305,1043,00.html (accessed July 23, 2008).
226 Chapter 8 Governance of the Information Systems Organization
done by using Web services and tinkering together services available on the Inter- net. Once systems are implemented or installed, many people work toward their continued maintenance. For instance, once a general ledger system is installed, sup- port personnel or DBAs monitor the daily processing of transactions and reports. Developers and business personnel address postimplementation needs, such as writing additional reports, correcting system errors, or enhancing the system to respond to changing business environments and governmental regulations.
Managing Supplier Relationships As more companies adopt outsourcing as a means of controlling IT costs and acquir- ing ‘‘best-of-breed’’ capabilities, managing these supplier relationships becomes increasingly important. IS must maximize the benefit of these relationships to the enterprise and preempt problems that might occur. Failure in this regard could result in deteriorating quality of service, loss of competitive advantage, costly contract disputes, low morale, and loss of key personnel. Managing the sourcing relationships is so important that we have devoted Chapter 7 to issues related to sourcing.
Establishing Architecture Platforms and Standards Given the complex nature of IT in the enterprise, the role of the IS organization in developing, maintaining, and communicating standards is critical. Failure could mean increased maintenance costs due to incompatibilities between platforms, redundant or incorrect data, and slow processing. For example, precise naming standards are crucial in implementing a new data warehouse or accounts payable system. Even small variations in invoice entries — the difference between showing a payment to ‘‘IBM,’’ ‘‘I.B.M.,’’ or ‘‘International Business Machines’’ — could yield incomplete information when business managers query the data warehouse to understand how much was paid to the vendor in a given period. Inconsistent data undermines the integrity of a data warehouse.
Promoting Enterprise Security Information security is generally seen as very technical and only dealing with the internal operations of the IS organization. However, this process is actually one of importance to all general managers because it involves maintaining the integrity of the organizational infrastructure. IS security is much more than a technical problem. Rather, it is a social and organizational problem because the technical systems are operated and used by people. In Chapter 9 we discuss the governance that must be put in place to ensure that a structure for dealing with technical, social, and organizational problems is in place.
Because general managers typically look to the IS organization to handle security, the IS organization identifies and prioritizes threats to the company’s information assets. It develops and implements security policies and technical controls to address each threat. Because many security breaches are the result of human negligence enabled by weak operational practices, the IS organization
What A Manager Can Expect From The Is Organzation 227
works with the business units to make their operational practices more secure and to train employees about security risks and the importance of security to their work. The IS organization typically is also responsible for implementing an awareness program that keeps security on employees’ minds as they deal with information on a daily basis.
Planning for Business Continuity Hurricane Katrina in 2005 and the events of September 11, 2001, presented disaster impacts that few organizations ever face. Disaster is broadly defined here as a sudden, unplanned calamitous event that makes it difficult for the firm to provide critical business functions for some period of time and results in great damage or loss. To counter terrorist attacks, hurricanes, tornadoes, floods, or countless other disasters, firms are realizing more than ever the importance of business continuity planning (BCP). In the face of such man-made and natural disasters, businesses not only must recover, but they must also survive. The chances of surviving can be improved with BCP. Further, BCP allows a company to respond to events that may hurt its business without the company directly experiencing a disaster. For example, the BCP should outline how the company would bill its customers if the U.S. Postal Service were to be shut down, or how the company would respond in a situation where its primary and redundant Internet backbone cables were simultaneously cut because they run together over the same interstate overpass.
A business continuity plan (BCP) is an approved set of preparations and sufficient procedures for responding to a variety of disaster events. It requires careful and thoughtful preparation. The Disaster Recovery Institute International (DRII) defines three major stages of BCP: preplanning, planning, and postplan- ning.11 In the preplanning stage, management’s responsibility is defined, possible risks are evaluated, and a business impact analysis is performed. In the planning stage, alternative business recovery operating strategies are determined. Business recovery operating strategies deal with how to recover business and IT within the recovery time objective while still maintaining the company’s critical functions. The IS organization must be involved in preparing off-site storage and alternate recovery sites or in selecting business continuity vendors. An important part of the BCP planning stage is to develop emergency response procedures designed to prevent or limit injury to personnel on site, damage to structures and equipment, and the degradation of vital business functions. These procedures must be kept up-to-date. The final activity in the planning stage is to implement the plan by publishing it and gaining top-management approval for the plan. The postplanning stage of BCP familiarizes employees with the plan through awareness and training programs. Regular exercises to test and evaluate the plan should be conducted.
11 ‘‘Business Continuity Planning Review,’’ DRI International Professional Development Program DRP 501.
228 Chapter 8 Governance of the Information Systems Organization
Companies are increasingly using the virtual world, Second Life, to conduct sim- ulations, often under the aegis of the IS organization. With the simulations, the companies can quickly assess the plan, make any adjustments needed, and perform a second simulation with almost no additional costs. Also in this third stage, the BCP should be discussed with public authorities, and public relations and crisis communications should be mapped out.
BCP is designed to respond to threats. In preparing a BCP, it is important to remember that the biggest threat may come not from terrorist attacks or natural disasters, but from disgruntled or dishonest employees. Companies need to screen their employees carefully, create a culture of loyalty to inhibit the internal threats, and develop systems that help promote security.
The tremendous loss of human capital in the collapse of the World Trade Center in New York City on 9/11 highlighted the problem of keeping all of a company’s talent in one location. Decentralizing operations, flextime, and telecommuting are ways of dispersing a company’s human assets. Similarly, critical technology systems, proprietary computer codes, and other core business assets may need to be distributed. Because the information resources are so integral to business operations, the IS organization is typically in charge of planning for possible scenarios leading to business discontinuity and taking steps to avoid them or alleviate their impact. Clearly firms do not have enough resources to develop a response for every conceivable risky scenario. Thus, each firm needs to determine which detrimental scenarios are likely to occur and/or which are more like to have the greatest impact. These are the risky scenarios that the firm has to devote the most attention to avoiding or mitigating.
Managing Data, Information, and Knowledge Managing information and knowledge in the enterprise is of particular concern to the IS organization. This text devotes an entire chapter to knowledge management (Chapter 12). Then again, the management of the data itself, or database admin- istration, is an activity that requires the unique expertise of the IS organization. Database administration includes the activities of collecting and storing the actual data created, developed, or discovered by the enterprise. For example, deciding on the format, location, and indexing of stored data are database administration tasks.
Managing Internet and Network Services Such technologies as intranets, extranets, Web pages, and e-mail are becoming essential in most business environments. General managers must interact with the Web master, Web designers, and Web developers who develop and maintain Internet capabilities. Further, the IS organization typically includes a network group that manages private networks. For example, when problems connecting to the local area network (LAN) arise or when a new user needs to set up new PCs for a department, the networking group eventually processes the request. Networking groups design network architecture. They also build and maintain the network infrastructure. Certain networking systems, along with telephone
What A Manager Can Expect From The Is Organzation 229
systems, access to the Internet, and new wireless technologies fall under the rubric of telecommunications. General managers should concern themselves with telecommunications because the quality of service provided affects the daily operations of the business. Moreover, telecommunications costs are typically charged back to the business area cost center.
Managing Human Resources The IS organization must manage its own resources. Doing so means providing sufficient business and technical training so that staff can perform effectively and retain their value to the enterprise. Additional human resource activities include hiring and firing; training; tracking time; and managing budgets, operations, and projects. These activities often affect one another. For example, some companies seek to fill positions that require ‘‘hot’’ skills, or technology skills that are in high demand, by hiring IS staff who have acquired and used the needed skills at other organizations. Other companies turn to offshoring for immediate fulfillment of hot skills needs. Still other companies adopt a policy of growing their own. They attempt to hire and retain their employees for the employees’ entire work careers. To make sure that these employees have hot skills when needed, they maintain a skills inventory and train employees according to a plan that reflects anticipated technical needs. Because most IS organizations lack their own human resource (HR) departments, individual managers bear these responsibilities. It is often wise for them to work with company HR personnel, who may be familiar with interviewing approaches, personnel laws, regulations, and trends. For example, HR personnel may be aware of professional issues related to the retirement of baby boomers that IS managers may not tend to consider.
Operating Data Center The data center typically houses large mainframe computers or rows of servers on which the company’s data and business applications reside. General managers rarely have direct contact with data center personnel unless they experience processing problems. Even then, they may only communicate electronically with data center staff to get their problems solved. Many organizations outsource data center operations. Chapter 6 discusses this approach in the discussion on cloud computing.
Providing General Support Processes in place to support day-to-day business operations vary, depending on the size of the enterprise and the levels of support required. Typically, support requests are centralized so they can be tracked for quality control purposes and handled more efficiently. Often IS organizations maintain the first client contact through a centralized help desk even for such diverse services as networking and telecommunications. The help desk serves as the primary, easily identifiable point of contact for technical questions and problem reporting.
230 Chapter 8 Governance of the Information Systems Organization
Help desks are not usually manned by people who solve the problem. Help desk personnel collect pertinent information, record it, determine its priority, contact the appropriate support personnel, and follow up with the business contacts with updates or resolution information. For help beyond daily support, most organizations also maintain a customer service request (CSR) process. A paper or electronic form is used to allow a businessperson to describe the nature of the request, its priority, the contact point, and the appropriate cost center. CSRs initiate much of the work in IS organizations.
The IS organization can be expected to be responsible for most, if not all, of the activities just described. However, instead of actually performing the activities, increasingly the IS organization supervises the outsourcing vendors who do execute them. More traditional activities such as data center operations and system development and maintenance (including application design, development, and maintenance) have been performed by vendors for decades. More recently, enterprises are turning to vendors — even offshore vendors — to perform more newly acquired IT activities such as process innovation (alternatively called business process outsourcing). Figure 8.2 provides a framework for traditional and newer IS activities that are considered the responsibility of the IS organization and suggests alternate ways of executing them.
! WHAT THE IS ORGANIZATION DOES NOT DO
This chapter presented typical roles and processes for IS organizations. Although most IS professionals are asked to perform a wide range of tasks for their organization, in reality the IS organization should not do a number of specific tasks. Clearly, the IS organization does not directly do other core business functions such
Traditional IT Activities (often supplied through alliances with vendors)
• Data Center Management • Network Management • Application Design, Development and Maintenance • Desktop Hardware Procurement, Installation, and Maintenance
The New IT Activities (often supplied by MIS organization)
• Architecture, Standards and Technology Planning • IT Strategic Planning • Process Innovation • Supplier Management • Training and Internal Consulting • Business Continuity Planning • Security
• Technology scanning and development • Applications Strategy • Choose and maintain Desktop, Laptop, Personal Digital Assistant or other Personal Devices • Implementation
User’s Activities (supplied by IS person
on payroll in end user department)
FIGURE 8.2 User management activities. Source: Adapted from J. Ownes, ‘‘Transforming the Informations Systems Organization,’’ CISR Endicott House XXIX presentation, December 2 – 3, 1993.
IT Governance 231
as selling, manufacturing, and accounting. Sometimes, however, managers of these functions inadvertently delegate key operational decisions to the IS organization. When general managers ask the IS professional to build an information system for their organization and do not become active partners in the design of that system, they are in effect turning over control of their business operations. Likewise, asking an IS professional to implement a software package without partnering with that professional to ensure the package not only meets current needs, but future needs as well, is ceding control. The IS organization does not design business processes.
As discussed in Chapter 2, when using IS for strategic advantage, the general manager, not the IS professional, sets business strategy. However, in many organizations, the general manager delegates critical technology decisions to the CIO, which in turn may limit the strategic options available to the firm. The role for the IS professional in the discussion of strategy centers on suggesting technologies and applications that enable strategy, identifying limits to the technologies and applications under consideration, and consulting with all those involved with setting strategic direction to make sure they properly consider the role and impact of IS on the decisions they make. The IS organization does not set business strategy.
! IT GOVERNANCE
Expectations (or more specifically, what managers should and should not expect from the IS organization) are at the heart of IT governance. Governance in the context of business enterprises is all about making ‘‘decisions that define expectations, grant power, or verify performance.’’12 In other words, governance is about aligning behavior with business goals through empowerment and monitoring. Empowerment comes from granting the right to make decisions, and monitoring comes from evaluating performance. As noted in Chapter 3, a decision right is an important organizational design variable.
A traditional perspective of IT governance focuses on how decision rights can be distributed differently to facilitate centralized, decentralized, or hybrid modes of decision making. In this view of governance, the organization structure plays a major role.
Centralized versus Decentralized Organizational Structures Organizational structures for IS evolved in a cyclic manner. At one end of the spectrum, centralized IS organizations bring together all staff, hardware, soft- ware, data, and processing into a single location. Decentralized IS organizations scatter these components in different locations to address local business needs. Companies’ organizational strategies exist along a continuum from centralization to decentralization, with a combination of the two, called federalism, found in the middle (see Figure 8.3). Enterprises of all shapes and sizes can be found at any
12 Wikipedia definition for governance: http://en.wikipedia.org/wiki/Governance.
232 Chapter 8 Governance of the Information Systems Organization
Decentralization Federalism Centralization
FIGURE 8.3 Organizational continuum.
point along the continuum. Over time, however, each enterprise may gravitate toward one end of the continuum or the other, and often a reorganization is in reality a change from one end to the other.
To illustrate these tendencies, consider the different approaches taken to organize IS in the five eras of information usage. (See Figure 2.1.) In the 1960s, mainframes dictated a centralized approach to IS because the mainframe resided in one physical location. Centralized decision making, purchasing, maintenance, and staff kept these early computing behemoths running.13 The 1970s remained centralized due in part to the constraints of mainframe computing, although the minicomputer began to create a rationale to decentralize. The 1980s saw the advent of the personal computer (PC). PCs allowed computing power to spread beyond the raised-floor, super-cooled rooms of mainframes. This phenomenon gave rise to decentralization, a trend that exploded with the advent of LANs and client/server technology. The Web, with its ubiquitous presence and fast network speeds, shifted some back to a more centralized approach. However, the increasingly global nature of many businesses makes complete centralization impossible. What are the most important considerations in deciding how much to centralize or decentralize? Figure 8.4 shows some of the advantages and disadvantages of each approach.
The centralized and decentralized approaches amalgamated in the 1990s. Companies began to adopt a strategy based on lessons learned from earlier years of centralization and decentralization. Most companies would like to achieve the advantages derived from both organizational paradigms. This desire leads to federalism.14 Federalism is a structuring approach that distributes power, hardware, software, data, and personnel between a central IS group and IS in business units. Many companies adopt a form of federal IT, yet still count themselves as either decentralized or centralized, depending on their position on the continuum. For example, Inditex, a multinational clothing retailer and manufacturer, uses a centralized approach to IT. Zara, the company that we talked about in Chapters 2, 3 and 5, is the largest of Inditex’s chain of stores. The head of IT, who is not a CIO, reports directly to the deputy general manager, who is two levels below the CEO.15 This way of structuring the IT department is consistent
13 Bill Laberis, ‘‘Recentralization: Breaking the News,’’ Computerworld (June 29, 1998), p. 1. 14 John F. Rockart, Michael J. Earl, and Jeanne W. Ross, ‘‘Eight Imperatives for the New IT Organization,’’ Sloan Management Review (Fall 1996), 52 – 53. 15 Andrew McAfee, Vincent Dessain, Anders Sjman, ‘‘Zara: IT for Fast Fashion,’’ Harvard Business School Case 9-604-081, revised September 6, 2007.
IT Governance 233
Companies Approach Advantages Disadvantages Adopting
Centralized • Global standards and common data
• ‘‘One voice’’ when negotiating supplier contracts
• Greater leverage in deploying strategic IT initiatives
• Economies of scale and a shared cost structure
• Access to large capacity
• Better recruitment and training of IT professionals
• Consistent with centralized enterprise structure
• Technology may not meet local needs
• Slow support for strategic initiatives
• Schism between business and IT organization
• Us versus them mentality when technology problems occur
• Lack of business unit control over overhead costs
Inditex
Decentralized • Technology customized to local business needs
• Closer partnership between IT and business units
• Greater flexibility • Reduced tele-
communication costs
• Consistency with decentralized enterprise structure
• Business unit control over overhead costs
• Difficulty maintaining global standards and consistent data
• Higher infrastructure costs
• Difficulty negotiating preferential supplier agreements
• Loss of control • Duplication of
staff and data
VeriFone
FIGURE 8.4 Advantages and disadvantages of organizational approaches.
with the organization’s predominately centralized structure. It is also well suited to organizational processing where most administrative decisions are made in the headquarters at LaCoruńa, Spain. The users do not require a lot of hand-holding with regard to the rather primitive POS systems in the stores. For these reasons, a centralized approach seems to be a good fit for Inditex. The store managers, however, do retain decision rights about which products to send to the stores. Thus, Inditext is not totally at the end of the centralization continuum. Other companies, such as Home Depot, recognize the advantages of a more hybrid approach and
234 Chapter 8 Governance of the Information Systems Organization
Federal IT
Centralized IT Decentralized IT
The federal IT attempts to capture the benefits of centralized and decentralized organizations while eliminating the drawbacks of each.
• Unresponsive • No Business Unit Ownership of Systems • No Business Unit Control of Central Overhead Costs • Doesn't Meet Every Business Unit's Needs
• Scale Economies • Control of Standards • Critical Mass of Skills
• IT Vision and Leadership • Groupwide IT Strategy and Architecture
• Strategic control • Synergy
• Users Control IT Priorities • Business Units Have Ownership • Responsive to Business Unit's Needs
• Excessive Overall Costs to Group • Variable Standards of IS Competence • Reinvention of Wheels • No Synergy and Integration
FIGURE 8.5 Federal IT. Source: John F. Rockart, Michael J. Earl, and Jeanne W. Ross, ‘‘Eight Imperatives for the New IT Organization,” Sloan Management Review (Fall 1996) 52 – 53.
actively seek to benefit from adopting a federal structure. Figure 8.5 shows how these approaches interrelate.
Another Perspective on IT Governance Sometimes the centralized/decentralized/federal approaches to governance are not fine-tuned enough to help managers deal with the many contingencies facing today’s organizations. Thus we turn to a framework developed by Peter Weill and his colleagues.16 They define IT governance as ‘‘specifying the decision rights and accountability framework to encourage desirable behavior in using IT.’’ IT governance is not about what decisions are actually made but rather about who is making the decisions (i.e., who holds the decision rights) and how the decision makers are held accountable for them. That is, good IT governance provides a structure to make good decisions. IT governance has two major components:
16 Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Cambridge, MA: Harvard Business School Press, 2004). Also, Peter Weill, ‘‘Don’t Just Lead, Govern: How Top-Performing Firms Govern IT,’’ MIS Quarterly Executive,3, no. 1(2004), 1-17. The quote is on page 3.
IT Governance 235
(1) the assignment of decision-making authority and responsibility, and (2) the decision-making mechanisms (e.g., steering committees, review boards, policies). When it comes specifically to IT governance, Weill and his colleagues proposed five generally applicable categories of IT decisions: IT principles, IT architecture, IT infrastructure strategies, business application needs, and IT investment and prioritization. A description of these decision categories with an example of major IS activities affected by them is provided in Figure 8.6.
Weill and Ross’s study of 256 enterprises shows that a defining trait of high-performing companies is the use of proper decision right allocation patterns for each of the five major categories of IT decisions. They use six political archetypes (business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy) to label the combinations of people who either input information or have decision rights for the key IT decisions. An archetype is a pattern from decision rights allocation. Decisions can be made at several levels in the organization: enterprisewide, by business unit, and by region or group within a business unit.
Category Description Examples of Affected IS Activities
IT Principles High-level statements about how IT is used in the business
Participating in setting strategic direction
IT Architecture An integrated set of technical choices to guide the organiza- tion in satisfying business needs. The architecture is a set of poli- cies and rules for the use of IT and plots a migration path to the way business will be done
Establishing architecture and standards
IT Infrastructure Strategies
Strategies for the base founda- tion of budgeted-for IT capabil- ity (both technical and human) shared throughout the firm as reliable services and centrally coordinated
Managing Internet and net- work services; providing general support; manag- ing data; managing human resources
Business Application Needs
Specification of the business need for purchased or internally developed IT applications
Developing and maintaining information systems
IT Investment and Prioritization
Decision about how much and where to invest in IT including project approvals and justifica- tion techniques
Anticipating new technolo- gies
FIGURE 8.6 Five major categories of IT decisions. Source: Adapted from P. Weill, ‘‘Don’t Just Lead, Govern: How Top Performing Firms Govern IT,’’ MIS Quarterly Executive 3, no. 1 (2004), 4, Figure 2.
236 Chapter 8 Governance of the Information Systems Organization
Decision rights or inputs rights for a particular IT decision are held by:
Business Monarchy
CxO Level Execs
Corp. IT and/or Business Unit IT
Business Unit Leaders or Process Owners
A group of, or individual, business executives (i.e., CxOs). Includes committees comprised of senior business executives (may include CIO). Excludes IT executives acting independently.
Individuals or groups of IT executives.
Business unit leaders, key process owners or their delegates.
C level executives and at least one other business group (e.g., CxO and BU leaders)—IT executives may be an additional participant. Equivalent to a country and its states working together.
IT executives and one other group (e.g., CxO or BU leaders).
Each individual user
IT Monarchy
Feudal
Federal
IT Duopoly
Anarchy
! MIT Sloan Center for Information Systems Research 2003 - Weill
FIGURE 8.7 IT governance archetypes. Source: P. Weill, ‘‘Don’t Just Lead, Govern: How Top Performing Firms Govern IT,’’ MIS Quarterly Executive 3, no. 1 (2004): 5, Figure 3.
Figure 8.7 summarizes the level and function for the allocation of decision rights in each archetype.
For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and to assign responsibility for them. Although there is little variation in the selection of archetypes regarding who provides information for decision making, there is significant variation across organizations in terms of archetypes selected for decision right allocation. For instance, the duopoly is used by the largest portion (36%) of organizations for IT principles decisions, whereas the IT monarchy is the most popular for IT architecture and infrastructure decisions (i.e., 73% and 59%, respectively)17.
There is no one best arrangement for the allocation of decision rights. Rather, the most appropriate arrangement depends on a number of factors, including the type of performance indicator. Some common performance indicators are asset utilization, profit, or growth Figure 8.8 displays the three most effective
17 Weill and Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results.
IT Governance 237
1
IT Principles
IT Monarchy
Business Monarchy
Feudal
Federal
Anarchy
Key: Most popular Second most popular
Third most popular
1 2
2
2
1 2
1
1 2
Duopoly
IT Architecture
IT Infrastruc- ture
Business Application Needs
IT Investment & Prioritization
3 33 2 3
13
3
FIGURE 8.8 Top three overall IT governance performers. Source: Adapted from P. Weill, ‘‘Don’t Just Lead, Govern: How Top Performing Firms Govern IT,’’ MIS Quarterly Executive 3, no. 1 (2004): 13, Figure 6.
arrangements as measured by IT governance performance. There is considerable overlap in the top two, with both of these arrangements using a duopoly for IT principles and an IT monarchy for both IT architecture and infrastructure. Thus, the IS organization is responsible for the most technical decisions, but both the IS organization and business managers are involved in the remaining three decisions.
The Weill framework for decision rights allocation can be used to understand governance of a variety of organizational decisions. In Chapter 9, governance patterns that are suitable for important information security decisions are identified and discussed.
Decision-Making Mechanisms
Many different types of mechanisms can be created to ensure good IT governance. Policies are useful for defining the process of making a decision under certain situations. However, often the environment is so complex that policies are too rigid. Another mechanism that is used very frequently for IT decisions is the steering committee. Steering committees work especially well with the federal archetypes, which calls for joint participation of IT and business leaders in the decision-making process. Steering committees can be geared toward different levels of decision making.
At the highest level, the steering committee, also called the IT Governance Council, reports to the board of the directors or the CEO. The steering committee at this level is comprised of top-level executives and the CIO. It provides strategic direction and funding authority for major IT projects. It ensures that adequate
238 Chapter 8 Governance of the Information Systems Organization
resources be allocated to the IS organization for achieving strategic goals. Commit- tees with lower-level players typically are involved with allocating scarce resources effectively and efficiently. Lower-level steering committees provide a forum for business leaders to present their IT needs and to offer input and direction about the support they receive from IT operations. Either level may have working groups to help the steering committee to be effective. Further, either level is concerned with performance measurement of the IS organization, though the assessment of performance is more detailed for the lower-level committee. For example, the lower-level committee would focus on the progress of the various projects and adherence to the budget. The higher-level committee would focus on the performance of the CIO and the ability of the IS organization to contribute to the company’s achievement of its strategic goals.
Although an organization may have both levels of steering committees, it is more likely to have one or the other. If the IS organization is viewed as being critical for the organization to achieve its strategic goals, the C-level executives are likely to be on the committee. Otherwise, the steering committee will tend to be larger to have widespread representation from the various business units. In this case, the steering committee is an excellent mechanism for helping the business units realize the competing benefits of proposed IT projects and develop an approach for allocating among the project requests. In the case described at the beginning of this chapter, the CIO was disappointed because the disbanding of the ISSC suggested that the new CEO did not think the IS organization was as strategic as it had been viewed in the past. The new governance structure, however, did play an important role in resource allocation and project oversight.
Managing the Global Considerations How does the management of IT differ when the scope of the organization is global, rather than just within one country? Typically, large global MIS organizations face many of the same organizational issues as any other global department. Managers must figure out how to manage when employees are in different time zones, speak different languages, have different customs and holidays, and come from different cultures. In the case of information management, various issues arise that put the business at risk beyond the typical global considerations. Figure 8.9 summarizes how a global IT perspective affects six information management issues.
Research by The Concours Group in 2007 found that four drivers are shaping the IT organization:
• Growth and innovation agenda of many corporations • Demand for horizontal integration to facilitate the sharing of best
practices across the enterprise • Changing workforce demographics that indicate the demand for IT pro-
fessionals is not keeping up with supply • Expanding options of technology supply such as software-as-a-service,
cloud computing, and capacity on demand
IT Governance 239
Issue
Political Stability
Transparency
Business Continuity Planning
Cultural Differences
Sourcing
Data Flow Across Borders
Global IT Perspective
Investments in IT in a country with an unstable government should be carefully considered: How much do you invest? How risky is the investment?
Domestically, an IT network can be end-to-end with little effort compared to global networks, which makes it difficult for these two types of systems to have the same look and feel, or, sometimes, to get to the data.
When crossing borders, it is important to make sure that contingency plans are in place and working.
Different countries have different cultures; some things are acceptable one place but not another. IT systems must not offend or insult those of a different culture
Getting the IT hardware within every country of operation may be difficult. Some technologies cannot be exported from the United States, and other technologies cannot be imported into specific countries. Vendors do not always have the same technologies available in every country.
Data, especially private or personal data, are not allowed to cross some borders.
Example
Much offshoring is done with companies in India, a country that is facing an atomic war in its conflict with Pakistan.
SAP-R3 is used to support production processes. When it is not installed in one country, managers cannot monitor the processes in that country the same way.
After 9/11, many businesses are considering placing backup data centers in remote locations, but the concern when crossing borders is whether that data center will be available when/if needed.
Using images or artifacts from one culture may be insulting to another culture. For example, DitchWitch could not use its logo globally because a witch is offensive in some countries.
Some technology is considered a potential threat to national security, such as encryption technologies, so exporting it to some countries, especially those that are not political allies of the United States, is not possible.
Brazil refused to let data come across its borders from other countries, making it difficult for businesses to integrate their Brazilian operations into the corporate operations.
FIGURE 8.9 Global considerations for the MIS organization.
240 Chapter 8 Governance of the Information Systems Organization
Some, if not all, of these drivers are pushing toward greater globalization. For example, many companies are looking to other parts of the globe to grow their companies. In our increasingly flat world, many companies are successfully drawing from labor supplies in other parts of the world to compensate for gaps in skills.
! FOOD FOR THOUGHT: CIO LEADERSHIP PROFILES
As information technology increases its role in business, the work of the IT organization in general and of the CIO in particular has grown in scope and complexity. More often, the CIO is asked to take on additional roles such as chief innovation officer, supply chain officer, or even chief operating officer. CIO Insight’s research in 2005 on the ‘‘role of the CIO’’ found that one-third of CIOs manage an additional corporate function; three-quarters of the CIOs report to the CEO, president, or COO; and over one-half listed corporate strategy as one of their top responsibilities.18 What better leader to take on these roles than the CIO because it is the information systems organization that often has the best cross-functional view of the organization. The information flows are the lifeblood of most organizations, and the CIO has the unique opportunity to understand just how those flows work from the vantage point of managing the IT services that support them.
A recent study presents four profiles that characterize the CIO’s leadership role (and their percentage occurrence in the survey).19
• IT Orchestrator (32%) — an effective IS leader who has the ear of top management and is involved in strategic decision making.
• IT Advisor (18%) — a CIO who possesses the strategic and business skills to make the IS organization successful, but whose IS organization is not adequately funded to make a strong contribution. The CIO has relatively low decision-making authority.
• IT Laggard (18%) — CIO who has a relatively high level of decision- making authority, but doesn’t have the business and strategic skills to capitalize on the top management support. The CIO has a conservative vision for the IS organization.
• IT Mechanic (32%) — CIO who has relatively low levels of strategic effectiveness and decision-making authority; has the lowest level of business skills. Fewer of them report to the CEO than CIOs in the other three profiles.
The survey findings link the contribution of the IS organization to the profiles. In particular, the Orchestrator’s IS organization makes the most contribution to the company, followed in order by the Advisor, Laggard, and Mechanic. To change
18 Allan Alter ‘‘The Changing Role of the CIO’’ CIO Insight, April 5, 2005, www.cioinsight.com. 19 D. Preston, D. Leidner, and D. Chen ‘‘CIO Leadership Profiles: Implications of Matching CIO Authority and Leadership Capability on IT impact,’’ MISQ Executive 7, no. 2 (June 2008), 57 – 69.
Summary 241
profiles and, ultimately, develop a more effective IS organization, the authors suggest that the Laggard and Mechanic gain more skills, especially strategic skills. They advise the Advisor to implement strategies to gain more funding for the IS organization.
! SUMMARY • The chief information officer (CIO) is a high-level IS officer who performs many
important organizational functions, including championing the organization, managing the IT architecture and infrastructure, participating in the development of business and IT strategy, planning for technology, overseeing application development, sourcing, overseeing training, advising on emerging technologies, interfacing with internal and external customers, and planning for business discontinuities.
• IS organizations can be expected to anticipate new technologies, participate in setting and implementing strategic goals, innovate current processes, develop and maintain information systems, manage supplier relationships, establish architecture platforms and standards, promote enterprise security, plan for business discontinu- ities, manage data/information/knowledge, manage Internet and network services, manage human resources, operate the data center, and provide general support. It does not perform core business functions or independently develop business strategy.
• Because each organization differs depending on the nature of the enterprise, a business manager must know the particular needs of his or her organization — just as the IS manager must educate him or her on the IT available. If neither seeks the other out, then a schism can develop between business and IS. The enterprise will suffer due to missed opportunities and expensive mistakes
• In addition to understanding the structure of an IS organization, a manager should work with IT leaders to develop a lean, competitive enterprise in which IT acts as a strategic enabler. Working as a team, business and IS managers can fruitfully address crucial organizational issues such as outsourcing, centralization, and globalization. Such collaboration is essential if the enterprise is to remain afloat amid the difficult waters of business competition.
• IT governance specifies how to allocate decision rights in such a way as to encour- age desirable behavior in the use of IT. The allocation of decision rights can be bro- ken down into six archetypes (business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy). High-performing companies use the proper decision rights allocation patterns for each of the five major categories of IT decisions.
• Alternative structuring approaches are possible. Centralized IS organizations place IT staff, hardware, software, and data in one location to promote control and effi- ciency. At the other end of the continuum, decentralized IS organizations with dis- tributed resources can best meet the needs of local users. Federalism is in the mid- dle of the centralized/decentralized continuum.
• Global MIS organizations face a host of issues that domestic departments avoid. Geopolitical risk, language and cultural barriers, business continuity planning, and transborder data flow issues must be reexamined in a global organization, and each country’s laws and policies considered in the architectural design.
242 Chapter 8 Governance of the Information Systems Organization
! KEY TERMS archetype (p. 235) business continuity plan
(BCP) (p. 227) centralized IS
organizations (p. 231)
chief information officer (CIO) (p. 219)
chief technology officer (CTO) (p. 222)
decentralized IS organizations (p. 231)
federalism (p. 232) governance (p. 231) IT governance (p. 234) steering committee
(p. 237)
! DISCUSSION QUESTIONS 1. Using an organization with which you are familiar, describe the role of the most senior IS professional. Is that person a strategist or an operationalist?
2. What advantages does a CIO bring to a business? What might be the disadvantages of having a CIO?
3. The debate about centralization and decentralization is heating up again with the advent of network computing and the increasing use of the Internet. Why does the Internet make this debate topical?
4. Why is the concept of decision rights important?
5. Why can an IT governance archetype be good for one type of IS decision but not for another?
CASE STUDY 8-1
IT GOVERNANCE AT UPS
UPS has long been concerned about how to keep its IT initiatives aligned with its business direction. One of its earliest governance mechanisms was an executive steering committee made up of four cross-functional, senior-level executives. The steering committee was charged with setting a strategic direction for IT and establishing priorities and funding levels. The steering committee met regularly in the late 1980s and early 1990s when UPS’s IT capability was being built. In 2001, the executive steering committee refocused to an overseer role that provided input on UPS’s long-term IT strategy. It now establishes IT principles, such as UPS’s commitment to standardization and scalability in any system used by its 60,000 drivers. The executive steering committee is a team of three senior executives, including the CIO.
Because the executive steering committee had became less active in IT governance related to the short-term matters, it was replaced with the Information and Technology Strategy Committee (ITSC). ITSC’s members includes 15 senior managers from all func- tional areas within UPS and is headed by the CIO. Its charter was repositioned to study the impacts and application of new technology and to provide a short-term technology direction.
Consider governance for one type of decision — a standards decision. The chief IT architect, a CIO direct report and member of the ITSC, heads the standards committee that handles most of the daily negotiations related to standards. However, the standards committee escalates decisions up to the ITSC when its members think that a standards
Case Study 243
decision has implications beyond the immediate application in question. Similarly, the CIO escalates a standards decision up to the executive steering committee if the ITSC thinks that a standards decision has long-term strategic implications for UPS.
Discussion Questions
1. Describe the IT governance mechanisms used at UPS. 2. What does the representation of UPS’s executive steering committee suggest to you? Do
you think that IT plays a strategic role at UPS? Why or why not? 3. What types of skills do you think are important for UPS’s CIO? Explain your answer. 4. Why can decisions about standards be important?
Source: Excerpted from Jeanne Ross and Peter Weill, ‘‘Recipe for God Governance,’’ CIO, June 15, 2004, www.cio.com/article/print/29162 (accessed July 23, 2008); and UPS, UPS IT Gov- ernance: The Key to Aligning Technology Initiatives with Business Direction, http://www.pressroom .ups.com/mediakits/factsheet/0,2305,1043,00.html (accessed July 23, 2008).
CASE STUDY 8-2
THE BIG FIX AT TOYOTA MOTOR SALES (TMS)
When Barbra Cooper joined Toyota Motor Sales as CIO in late 1996, her reception was lukewarm. She was an outsider in a company that prizes employee loyalty. Cooper was surprised to find that IS was relatively isolated and primitive. ‘‘I would describe it as almost 1970s-like,’’ she says. Business units were buying their own IT systems because in-house IT couldn’t deliver. There were no PCs or network management. And basic IT disciplines such as business relationship management and financial management were largely absent. ‘‘No one understood the cost of delivering IT,’’ she says. Unfortunately IS personnel were more like ‘‘order takers’’ than ‘‘business partners.’’ Worse, business execs cut deals with their go-to guys in IS for project approval and funding, with no thought to architecture standards, systems integration, or business benefits.
Before Cooper could rectify the situation, she found herself and her staff buried under the Big Six technology projects. The Big Six were expensive enterprisewide projects that included a new extranet for Toyota dealers and the PeopleSoft ERP rollout, as well as four new systems for order management, parts forecasting, advanced warranty, and financial document management. Feeling besieged, the IS group made the mistake of not explaining to the business all the things it was doing and how much it all cost.
Starting in 2001, Japanese executives were feeling squeezed because of a tanking domestic Japanese market and lukewarm results from its global units. Toyota Motor Sales USA, though, had increasing sales and market share. Japan relied more on its American division’s profits, and from across the Pacific, the parent company looked more closely at U.S. spending habits.
Both Japanese and U.S. management wanted to know more about IS’s runaway costs, which had doubled after Cooper’s arrival and, at its peak, tripled. And Toyota Motor Sales President and CEO Yuki Funo wanted Cooper to tell him where the ceiling of IS’s spend was.
At the same time Cooper was feeling the pressure to explain about runaway costs from Japan, she also needed to respond to local grumbling that IS had become an unresponsive,
244 Chapter 8 Governance of the Information Systems Organization
bureaucratic machine. In late 2002, Cooper hired an outside consultancy to interview TMS’s top 20 executives. She wanted their honest opinions of how IS was doing. The results didn’t provide all the answers to IS’s ailments, but she certainly saw the hot spots. ‘‘Parts of [the survey results] were stinging,’’ Cooper says. ‘‘But you can’t be a CIO and not face that.’’
Cooper spent many introspective weeks in 2003 formulating her vision for a new IT department. What she developed was a strategy for a decentralized and transparent IS organization that focused all its energy on the major business segments. In summer 2003, she called her senior IS staffers into her conference room and presented her vision on her whiteboard.
The first thing Cooper did was set up the Toyota Value Action Program, a team of eight staffers responsible for translating her vision into actionable items for the department and her direct reports. Using the executive’s survey results and Cooper’s direction, the team winnowed the list down to 18 initiatives, including increasing employee training and development, gaining cost savings, making process improvements, ridding IS inefficiencies, and implementing a metrics program. Each initiative got a project owner, a team, and a mechanism to check the team’s success.
The most significant initiative called for improved alignment with the business side. At the heart of this new effort was a revamped office of the CIO structure with new roles, reporting lines, and responsibilities.
As part of the rehaul, top-flight senior personnel were embedded as divisional information officers, or DIOs, in all the business units. These DIOs are accountable for IT strategy, development, and services, and they sit on the management committees headed by top business executives. Further, rotating high-potential IT staff into the business units primes them for a broader understanding of the company and trains them for a leadership position in the IT department. The DIOs’ goal is to forge relationships with and gain the respect of high-level business executives. ‘‘I still believe in managing IT centrally, but it was incumbent on us to physically distribute IT into the businesses,’’ says Cooper. ‘‘They could provide more local attention while keeping the enterprise vision alive.’’
The difference between the previous relationship managers and the new DIOs is that DIOs have complete accountability and responsibility for the vertical area they serve. For instance, Ken Goltara (Corporate Manager of Business Systems) now heads up a smaller group of internal customers — which includes Toyota, Lexus, and Scion — as well as all of the vehicle-ordering systems, logistics, and dealer portals. ‘‘I now have more vertical responsibility, and my responsibilities are deeper, from cradle to grave,’’ Goltara says. ‘‘From Toyota to Lexus to Scion, I’m it.’’
Cooper changed the jobs of 50% of her staffers within six months, yet no one left or was let go. Some took on new responsibilities; others took on expanded or completely new roles. Cooper says some mid- and upper-level staffers were initially uncomfortable with their new roles, but she says she spent a lot of time early on fostering a new attitude about the change. Now she spends approximately 30% of her time mentoring and coaching, and she encourages her senior management team to also be involved in coaching.
To further strengthen the IS – business bond, Cooper chartered the executive steering committee, or ESC, to approve all major IT projects. The committee consists of Cooper; Cooper’s boss, Senior Vice President and Planning and Administrative Officer Dave Illingworth; Senior Vice President and Treasurer Mikihiro Mori; and Senior Vice President and Coordinating Officer Masanao Tomozoe. By exposing IT’s inner workings to the business side at Toyota Motor Sales, Cooper hoped that this new transparency would lessen IS’s role on IT project vetting and monitoring and increase business’s responsibility.
Case Study 245
The executive steering committee now controls all project funds in one pool of cash, and it releases funds for each project as each phase of the project’s goals are achieved. Everyone in the company can look at which dollars were (and were not) going to be spent, the pool’s administrators can sweep unused funds out, and other projects can go after those funds. And there are no more spending swings; projects are regularly paced throughout the year.
Initially, many business executives didn’t want to participate in the new approval process that required them to seek funding through the ESC. Instead, those executives tapped lower-level business sponsors who worked with IS on business case development and implementation. But then, if a project ran into trouble, those high-level ‘‘executives would scatter like cockroaches,’’ says Goltara. No senior-level business execs were willing to take IS project responsibility. After about six months of this, Cooper demanded that a higher-level business executive — a corporate manager, VP-level or above — back each IS proposal. Now, the ESC won’t approve a project unless that support is there. ‘‘There’s equal skin in the game now,’’ says Goltara. The ESC members now grill the business executive, and not the IT executive, to see whether he or she can support the business benefits.
Discussion Questions
1. Describe the advantages of TMS’s new decentralized IS structure. What are its disad- vantages?
2. What problems was Cooper trying to solve with the new IS structure? How successful do you think the new structure will be in solving these problems?
3. Describe the role of the Executive Steering Committee at TMS. Do you think the Executive Steering Committee is a good idea? Why or why not?
Source: Excerpted from Thomas Wailgum, ‘‘The Big Fix,’’ CIO Magazine (April 15, 2005), http://www.cio.com/archive/041505/toyota.html (accessed August 15, 2005). Updated with excerpts from Michael Fitzgerald, ‘‘How to Develop the Next Generation of IT Leaders,’’ CIO Magazine (May 2, 2008), http://www.cio.com/article/print/341067 (accessed July 23, 2008).
!CHAPTER 9 USING INFORMATION ETHICALLY1
When TJX Co. found the largest data security breach of its computer systems in the history of retailing, it faced a serious ethical dilemma not faced by many companies. It originally estimated that the credit card accounts of 45.6 million customers worldwide were affected (though that number has been updated to 94 million). Given the extent of the breach, multiple state, federal, and foreign jurisdictions dictated how and when it must inform affected customers and what corrective steps it must take. Most jurisdictions allowed 45 days for it to act following the determination of the breach. Any extension beyond 45 days would incur heavy fines. However, on the ethical side it became an even more pressing issue. Should TJX inform the affected customers immediately or wait till the breach was secured and all remedial steps were undertaken, which may take weeks?
As a socially responsible company, TJX takes its obligations to customers seriously. If it informed the customers immediately, the customers could start taking preventive steps to protect themselves from the identity theft and avoid any resulting financial and psychological losses. However, this means the breach would become public knowledge before the remedial steps were taken. More hackers would learn about it and may exploit the weakness in its IT infrastructure. Additionally, the financial markets would lose confidence in the company and severely punish shareholders. Such loss of image would also affect its ability to attract and retain high-quality employees in the long run. On the other hand, if it waited for 45 days, financial stability of many customers would be compromised through misuse of their credit card and other private records. This could result in a major class-action litigation, which might permanently affect the company.
As in the case of TJX, information collected in the course of business is important for the conduct of business and can even create valuable competitive advantage. But ethical questions concerning just how that information will be used and by whom, whether they arise inside or outside the organization, can
1 The authors wish to acknowledge and thank Arthur J. Ebersole, MBA 1999, for his help in researching and writing early drafts of this chapter.
246
Using Information Ethically 247
have powerful effects on the company’s ability to carry out its plans.2 As computer networks and their products come to touch every aspect of people’s lives, and as the power, speed, and capabilities of computers increase, managers are increasingly challenged to govern their use in an ethical manner. No longer can managers afford to view information systems (IS) as discrete entities within the corporate structure. In many cases, IS are coming to comprise much of the corporation itself.
In such an environment, managers are called on to manage the information generated and contained within those systems for the benefit not only of the corporation, but also of society as a whole. The predominant issue, which arises due to the omnipresence of corporate IS, concerns the just and ethical use of the information companies collect in the course of everyday operations. Without official guidelines and codes of conduct, who decides how to use this information? More and more, this challenge falls on corporate managers. Managers need to understand societal needs and expectations to determine what they ethically can and cannot do in their quest to learn about their customers, suppliers, and employees, and to provide greater service.
Before managers can deal effectively with issues related to the ethical and moral governance of IS, they need to know what these issues are. Unfortunately, as with many emerging fields, well-accepted guidelines do not exist. Thus, managers bear even greater responsibility as they try to run their businesses and simultaneously develop control methods that meet both corporate imperatives and the needs of society at large. If this challenge appears to be a matter of drafting operating manuals, nothing could be further from the truth.
In a society whose legal standards are continually challenged, managers must serve as guardians of the public and private interest, although many may have no formal legal training and, thus, no firm basis for judgment. This chapter addresses many such concerns. It begins by expanding on the definition of ethical behavior and introduces several heuristics that managers can employ to help them make better decisions. Next this chapter elaborates on the most important issues behind the ethical treatment of information. This is followed by a discussion of some newly emerging controversies that will surely test society’s resolve concerning the increasing presence of IS in every aspect of life. It concludes with a discussion of IT governance, security, and accountability.
This chapter takes a high-level view of ethical issues facing managers in today’s environment. It focuses primarily on providing a set of frameworks the manager can apply to a wide variety of ethical issues. Omitted is a specific focus on several important issues such as social justice (the impact of computer technology on the poor or ‘‘have-nots,’’ racial minorities, and third world nations), nor is there a discussion of social concerns that arise out of artificial intelligence, neural networks, and expert systems. Although these are interesting and important areas for concern, in this chapter the objective is to provide managers with a way to
2 J. Hasnas and J. Smith, ‘‘Ethics and Information Systems: The Corporate Domain,’’ Working paper, 1998, p. 2.
248 Chapter 9 Using Information Ethically
think about the issues of ethics, privacy, security, and governance. The interested reader may wish to seek out one of a number of sources for dozens of articles and books on this area of IS management.
! NORMATIVE THEORIES OF BUSINESS ETHICS
The landscape changes daily as advances in technology are incorporated into existing organizational structures. IS are becoming omnipresent as companies look to decrease costs, increase efficiency, and build strategic competitive advantages. Increasingly, however, these advances come about in a business domain lacking ethical clarity. Because of its newness, this area of IT often lacks accepted norms of behavior. Companies encounter daily quandaries as they try to use their IS to create and exploit competitive advantages.
Managers must assess current information initiatives with particular attention to possible ethical issues. Because so many managers have been educated in the current corporate world, they are used to the overriding ethical norms present in their traditional businesses. As Conger and Loch observed, ‘‘People who have been trained in engineering, computer science, and MIS frequently have little training in ethics, philosophy, and moral reasoning. Without a vocabulary with which to think and talk about what constitutes an ethical computing issue, it is difficult to have the necessary discussions to develop social norms.’’3
Managers in the information age need to translate their current ethical norms into terms meaningful for the new electronic corporation. To suggest a workable framework for this process, consider three theories of ethical behavior in the corporate environment that managers can develop and apply to the particular challenges they face. These normative theories of business ethics — stockholder theory, stakeholder theory, and social contract theory — are widely applied in traditional business situations. They are ‘‘normative’’ in that they attempt to derive what might be called ‘‘intermediate-level’’ ethical principles: principles expressed in language accessible to the ordinary businessperson, which can be applied to the concrete moral quandaries of the business domain.4 Following is a definition of each theory accompanied by an illustration of its application using the TJX example outlined at the beginning of this chapter.
Stockholder Theory According to stockholder theory, stockholders advance capital to corporate managers, who act as agents in furthering their ends. The nature of this contract binds managers to act in the interest of the shareholders (i.e., to maximize shareholder value). As Milton Friedman wrote, ‘‘There is one and only one social responsibility of business: to use its resources and engage in activities designed to
3 S. Conger and K. D. Loch, ‘‘Ethics and Computer Use,’’ Communications of the ACM 38, no. 12 (December 1995), 31, 32. 4 Hasnas and Smith, ‘‘Ethics and Information Systems,’’ 5.
Normative Theories of Business Ethics 249
increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition, without deception or fraud.’’5
Stockholder theory qualifies the manager’s duty in two salient ways. First, managers are bound to employ legal, nonfraudulent means. Second, managers must take the long-term view of shareholder interest (i.e., they are obliged to forgo short-term gains if doing so will maximize value over the long term).
Managers should bear in mind that stockholder theory itself provides a limited framework for moral argument because it assumes the ability of the free market to fully promote the interests of society at large. Yet the singular pursuit of profit on the part of individuals or corporations cannot be said to maximize social welfare. Free markets can foster the creation of monopolies and other circumstances that limit the ability of members of a society to secure the common good. A proponent of stockholder theory might insist that, as agents of stockholders, managers must not use stockholders’ money to accomplish goals that do not directly serve the interests of those same stockholders. A critic of stockholder theory would argue that such spending would be just if the money went to further the public interest.
The stipulation under stockholder theory that the pursuit of profits must be legal and nonfraudulent would not limit TJX from waiting to announce the security breach until it had taken corrective action. The delay allowed by law might also have a positive impact on TJX’s stock price. The delay would satisfy the test of maximizing shareholder value because it would help keep the price of its stock from dropping. Further, a recent survey has shown that customers are reluctant to shop in stores once data breaches have been announced, so delaying may be important for maintaining a steady stream of revenues for as long as possible. On the other hand, disgruntled customers would definitely stop shopping at its stores if TJX waited too long.6
Any lost revenues would weigh against managers’ success in meeting the ethical obligation to work toward maximizing value.
Stakeholder Theory Stakeholder theory holds that managers, although bound by their relation to stockholders, are entrusted also with a responsibility, fiduciary or otherwise, to all those who hold a stake in or a claim on the firm.7 The term ‘‘stakeholder’’ is currently taken to mean any group that vitally affects the survival and success of the corporation or whose interests the corporation vitally affects. Such groups normally include stockholders, customers, employees, suppliers, and the local community, though other groups may also be considered stakeholders, depending on the circumstances. At its most basic level, stakeholder theory states that management
5 M. Friedman, Capitalism and Freedom (Chicago: University of Chicago Press, 1962), 133. 6 There is an interesting presentation of a similar breach with commentaries from the CIOs of ChoicePoint, Motorola, Visa International, and Theft Resource Center in Eric McNulty’s ‘‘Boss I Think Someone Stole Our Customer Data,’’ Harvard Business Review (September 2007), 37 – 50. 7 Hasnas and Smith, ‘‘Ethics and Information Systems,’’ 8.
250 Chapter 9 Using Information Ethically
must enact and follow policies that balance the rights of all stakeholders without impinging on the rights of any one particular stakeholder.
Stakeholder theory diverges most consequentially from stockholder theory in affirming that the interests of parties other than the stockholders also play a legitimate role in the governance and management of the firm. As a practical matter, due to the high transaction costs entailed in canvassing all these disparate groups, managers must act as their agents in deriving business solutions that optimally serve their respective interests. Thus, in most cases, stakeholders’ only real recourse is to stop participating in the corporation: Customers can stop buying the company’s products, stockholders can sell their stock, and so forth.
Some stakeholders are not in a position to stop participating in the corporation. In particular, employees may need to continue working for the corporation, even though they dislike practices of their employers, or experience considerable stress due to their jobs. The use of monitoring and surveillance software can create levels of control that the employees resent. As employees become aware of these activities, their productivity and morale may fall. Ethically, managers are obliged to consider the welfare of workers. If, as they create employment opportunities and write job descriptions, managers set out to limit individuality, enforce conformity, and increase demands, they violate their ethical responsibilities.
Viewed in light of stakeholder theory, the ethical issue facing TJX presents a more complex dilemma. John Philip Coghlan, CEO of Visa USA noted, ‘‘A data breach can put an executive in an exceedingly complex situation, where he must negotiate the often divergent interests of multiple stakeholders.’’8 TJX’s shareholders stand to gain in the short term, but what would be the effects on other stakeholders? One stakeholder group, the customers, definitely could benefit from knowing about the breach as soon as possible because they could take steps to protect themselves. Customers could be informed of the severity of the breach and protective actions that they could take through a special Web page, toll-free information hotlines, or Webcasts. TJX could also offer them free credit-monitoring service and compensate those who are injured. Research has shown that customers who receive adequate compensation after making a complaint are actually more loyal than those without complaints.9 On the other hand, if the breach were not announced, fewer hackers might attempt to break into the systems. Nonetheless, it probably could be shown that the costs to customers outweighed the benefits within the larger stakeholder group.
Social Contract Theory Social contract theory derives the social responsibilities of corporate managers by considering the needs of a society with no corporations or other complex business arrangements. Social contract theorists ask what conditions would have to be met for the members of such a society to agree to allow a corporation to
8 McNulty, ‘‘Boss I Think Someone Stole Our Customer Data.’’ 9 McNulty, ‘‘Boss I Think Someone Stole Our Customer Data.’’
Normative Theories of Business Ethics 251
be formed. Thus, society bestows legal recognition on a corporation to allow it to employ social resources toward given ends. This contract generally is taken to mean that, in allowing a corporation to exist, society demands at a minimum that it creates more value to the society than it consumes. Thus, society charges the corporation to enhance its welfare by satisfying particular interests of consumers and workers in exploiting the advantages of the corporate form. The corporation must conduct its activities while observing the canons of justice.10
The social contract comprises two distinct components: the social welfare term and the justice term. The former arises from the belief that corporations must provide greater benefits than their associated costs, or society would not allow their creation. Thus, the social contract obliges managers to pursue profits in ways that are compatible with the well-being of society as a whole. Similarly, the justice term holds that corporations must pursue profits legally, without fraud or deception, and avoid activities that injure society.
Social contract theory meets criticism because no mechanism exists to actuate it. In the absence of a real contract whose terms subordinate profit maximization to social welfare, most critics find it hard to imagine corporations losing profitability in the name of altruism. Yet, the strength of the theory lies in its broad assessment of the moral foundations of business activity.
Applied to the TJX case, social contract theory would demand that the manager ask whether the delay in notifying customers about the security breach could compromise fundamental tenets of fairness or social justice. If customers were not apprised of the delay as soon as possible, TJX’s actions could be seen as unethical because it would not seem fair to delay notifying them. If, on the other hand, the time prior to notification were used to take corrective action with the consequence of limiting not only hackers from stealing confidential customer information but also of forestalling future attacks that would impact society as a whole, the delay conceivably could be considered ethical.
Although these three normative theories of business ethics possess distinct characteristics, they are not completely incompatible. All offer useful metrics for defining ethical behavior in profit-seeking enterprises under free market conditions. They provide managers with an independent standard by which to judge the ethical nature of superiors’ orders as well as their firms’ policies and codes of conduct. Upon inspection, the three theories appear to represent concentric circles, with stockholder theory at the center and social contract theory at the outer ring. Stockholder theory is narrowest in scope, stakeholder theory encompasses and expands on it, and social contract theory covers the broadest area. Figure 9.1 summarizes these three theories.
What, ultimately, did TJX do? TJX disclosed the breach in January 2007, but didn’t release a comprehensive executive summary of the attack until March 2007, when it made a regulatory filing. TJX had actually noticed suspicious software the preceding December, at which point it hired IBM and General Dynamics to
10 Hasnas and Smith, ‘‘Ethics and Information Systems,’’ 10.
252 Chapter 9 Using Information Ethically
Theory Definition Metrics
Stockholder Maximize stockholder wealth, in legal and non- fraudulent manners.
Will this action maximize long-term stockholder value? Can goals be accom- plished without compromising company standards and without breaking laws?
Stakeholder Maximize benefits to all stakeholders while weighing costs to competing interests.
Does the proposed action maximize col- lective benefits to the company? Does this action treat one or more of the cor- porate stakeholders unfairly?
Social contract Create value for society in a manner that is just and nondiscriminatory.
Does this action create a ‘‘net’’ benefit for society? Does the proposed action discriminate against any group in partic- ular, and is its implementation socially just?
FIGURE 9.1 Three normative theories of business ethics.
investigate. Three days later, these investigators determined that TJX’s systems had been compromised and that the attacker still had access. That means it took TJX 17 months to find out that their computer systems had been breached on numerous occasions on a colossal scale.11 It was over a year later, on February 29, 2008, when the President and CEO, Carol Meyrowitz, wrote a letter to ‘‘valued customers’’ about the breach that had been announced on January 2007. The TJX retail chain agreed to pay $24 and $41 million in restitution to MasterCard and Visa issuing lenders, respectively, who were affected by the breach. TJX brokered a separate agreement with a coalition of Massachusetts-based banks who had sued it. The only settlement to date to actual cardholders by TJX has been an offer of free credit monitoring for cardholders and a $30 store voucher.12 Based on the newspaper accounts, one could surmise that TJX’s overriding approach was more consistent with the stockholder theory than social contract theory. At least one stakeholder group, the customers, were not well served.
A number of other cases demonstrate different ethical issues associated with the handling of information as a result of business transactions. One such case arose when DoubleClick, a leading Internet advertisement company, announced its plans to merge its vast database of user navigational history with that of users’ offline spending habits. DoubleClick provides the sites of members of its DoubleClick Network with advertisements. It then monitors the viewing of these advertisements through cookies. From cookies, DoubleClick obtains ‘‘clickstream
11 Kevin Murphy, ‘‘TJX Hack Is Biggest Ever,’’ Computer Business Review (March 30, 2007), http://www.cbronline.com/article news.asp?guid = 0EFDDC37-4EA7-4A78-9726-E6F63C86234D. 12 Martin Bosworth, ‘‘TJX to Pay Mastercard $24 Million for Data Breach,’’ consumeraffaris.com (April 6, 2008), http://www.consumeraffairs.com/news04/2008/04/tjx mc.html (accessed July 29, 2008).
Control of Information 253
data’’ about the sites visited by a user, the time spent at these sites, and any purchases made by the user at the sites. DoubleClick has extensive Internet navigational histories for identified users. With its purchase of Abacus Direct Corporation in November 1999, it acquired a database with information about the spending habits of more than 88 million people derived from more than two billion offline purchases. Even though it was a complete reversal of its previously stated privacy policies, DoubleClick was going to merge these two powerful databases. A suit filed by Electronic Privacy Information with the Federal Trade Commission, coupled with a public uproar, caused DoubleClick to back down from its proposed merger.13 DoubleClick has since sold Abacus. However, it has now teamed up with an even more data rich-company than Abacus. It was acquired by Google, a company known for its huge database and innovative search technologies
Living.com, a furniture retailer on the Internet, made a very public decision not to sell its customer information. When it ceased doing business and filed for bankruptcy, the question arose as to whether their customer data was an asset that could be sold to help pay off their debts. Managers at Living.com and the U.S. government officials working with them reached an agreement that their customer information was private and it would be inappropriate to sell it for use by someone other than Living.com.
! CONTROL OF INFORMATION
In an economy that is rapidly becoming dominated by knowledge workers, the value of information is tantamount. Those who possess the ‘‘best’’ information and know how to use it, win. The recent trend in computer prices has meant that high levels of computational power can be purchased for relatively small amounts of money. Although this trend means that computer-generated or stored information now falls within the reach of an ever-larger percentage of the populace, it also means that collecting and storing information is becoming easier and more cost effective. Although this circumstance certainly affects businesses and individuals for the better, it also can affect them substantially for the worse. Consider several areas in which the control of information is crucial. Richard O. Mason14 identified four such areas, which can be summarized by the acronym PAPA: privacy, accuracy, property, and accessibility (see Figure 9.2).
Privacy Many consider privacy to be the most important area in which their interests need to be safeguarded. Privacy has long been considered ‘‘the right to be left
13 Jones, Day, Reavis, and Pogue, ‘‘DoubleClick and the Privacy Wars,’’ 1, no. 1 (May 2001), available at http://www1.jonesday.com/files/tbl s31Publications%5CFileUpload137%5C139%5CDouble Click Privacy.pdf (accessed June 28, 2002). 14 Richard O. Mason, ‘‘Four Ethical Issues of the Information Age,’’ MIS Quarterly 10, no. 1 (March 1986).
254 Chapter 9 Using Information Ethically
Area Critical Question
Privacy What information must a person reveal to others? Can the information that the person provides be used to identify his/her personal preferences or history when he/she doesn’t want those preferences to be known? Can the information that the person provides be used for purposes other than those for which the person was told that it would be used?
Accuracy Who is responsible for the reliability and accuracy of information? Who will be accountable for errors?
Property Who owns information? Who owns the channels of distribution, and how should they be regulated?
Accessibility What information does a person or organization have a right to obtain, under what conditions, and with what safeguards? Who can access personal information in the files? Does the person accessing personal information ‘‘need to know’’ the information that is being accessed?
FIGURE 9.2 Mason’s areas of managerial control.
alone’’15 In today’s information-oriented world, it has been defined as ‘‘the ability of the individual to personally control information about one’s self.’’16 It pertains to the authorized collection and use of personal information and is based on what information individuals choose to disclose about themselves. Individuals may be concerned about their privacy when extensive amounts of data that can personally identify them are being collected and stored in databases. They may also be concerned that information is collected for one purpose, but used for another purpose without their authorization.
Employers can monitor their employees’ e-mail and computer utilization while they are at work, even though they have not historically monitored telephone calls. Every time someone logs onto one of the main search engines, a ‘‘cookie’’ is placed in their hard drive so that these companies can track their surfing habits. A cookie is a message given to a Web browser by a Web server. The browser stores the message with user identification codes in a text file that is sent back to the server each time the browser requests a page from the server.17 Currently this information is used only to target advertising, but its future use depends on the discretion of managers. Their view is formed in part by how much competitive advantage this knowledge can create. Do customers have a right to privacy while searching the Internet? Courts have decided that the
15 Samuel D. Warren and Louis D. Brandeis, ‘‘The Right to Privacy,’’ Harvard Law Review 4, no. 5 (December 1890): 193 – 200. 16 E. F. Stone, D. G. Gardner, H. G. Gueutal, and S. McClure, ‘‘A Field Experiment Comparing Information-Privacy Values, Beliefs, and Attitudes Across Several Types of Organizations,’’ Journal of Applied Psychology 68, no. 3 (August 1983): 459 – 468. 17 Webopedia, http://www.webopedia.com/TERM/c/cookie.html (accessed June 28, 2002).
Control of Information 255
answer is no, but as society moves ahead, the right to monitor customer habits will be affected by how managers decide to use the information that they have collected.
Governments around the world are grappling with privacy legislation. Not surprisingly, they are using different approaches for ensuring the privacy of their citizens. The U.S.’s sectoral approach relies on a mix of legislation, regulation, and self-regulation. Examples of the U.S.’s relatively limited privacy legislation include the 1974 Privacy Act that regulates the U.S. government’s collection and use of personal information and the 1998 Children’s Online Privacy Protection Act that regulates the online collection and use of children’s personal information. Much of the privacy legislation in the United States is industry based. For example, the Gramm-Leach-Bliley Act of 1999 followed in the wake of banks selling sensitive information, including account information, Social Security numbers, credit card purchase histories, and so forth to telemarketing companies. This U.S. law somewhat mitigates the sharing of sensitive financial and personal information by allowing customers of financial institutions the limited right to ‘‘opt-out’’ of the information sharing by these institutions with nonaffiliated third parties. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is designed to safeguard the electronic exchange privacy and security of information in the health-care industry. Its Privacy Rule ensures that patients’ health information is properly protected while allowing its necessary flow for providing and promoting health care. HIPAA’s Security Rule specifies national standards for protecting electronic health information from unauthorized access, alteration, deletion, and transmission.
In contrast to the U.S.’s sectoral approach combined with strong encourage- ment of self-regulation by industry, the European Union relies on comprehensive legislation that requires creation of government data protection agencies, regis- tration of databases with those agencies, and in some cases prior approval before processing personal data. Because of pronounced differences in governmental approaches, many U.S. companies were concerned that they would be unable to meet the European ‘‘adequacy’’ standard for privacy protection specified in the European Commission’s Directive on Data Protection that went into effect in 1998. This directive prohibits the transfer of personal data to non – European Union nations that do not meet the European privacy standards. Many U.S. companies believed that this directive would significantly hamper their ability to engage in many trans-Atlantic transactions. However, the U.S. Department of Commerce (DOC), in consultation with the European Commission, developed a ‘‘safe harbor’’ framework in 2000 that allows U.S. companies to be placed on a list maintained by the DOC. The U.S. companies must demonstrate through a self-certification process that they are enforcing privacy at a level practiced in the European Union.18
18 U.S. Department of Commerce, ‘‘Safe Harbor Overview,’’ available at http://www.export.gov/ safeharbor/sh overview.html (accessed July 15, 2002).
256 Chapter 9 Using Information Ethically
Accuracy The accuracy, or the correctness, of information assumes real importance for society as computers come to dominate in corporate record-keeping activities. When records are inputted incorrectly, who is to blame? In a case in Florida, a family whose bank had recently changed from a paper bookkeeping system to a computer-based system found that a mortgage payment that had been made was not credited. As the family attempted to pay the mortgage in subsequent months, the system rejected the payments because the mortgage was listed as past due. After a year of ‘‘missing’’ payments, the bank foreclosed on the house.19 Although this incident may highlight the need for better controls over the bank’s internal processes, it also demonstrates the risks that can be attributed to inaccurate information retained in corporate systems. In this case, the bank was responsible for the error, but it paid little — compared to the family — for its mistake. Although they cannot expect to eliminate all mistakes from the online environment, managers must establish controls to ensure that situations such as this one do not happen with any frequency.
Over time it becomes increasingly difficult to maintain the accuracy of some types of information. Although a person’s birth date does not typically change (my grandmother’s change of her birth year notwithstanding), addresses and phone numbers often change as people relocate, and even their names may change with marriage, divorce, and adoption. The European Union Directive on Data Protection requires accurate and up-to-date data and tries to make sure that data is kept no longer than necessary to fulfill its stated purpose. Keeping data only as long as it is necessary to fulfill its stated purpose is a challenge many companies don’t even attempt to meet.
Property The increase in monitoring leads to the question of property, or who owns the data. Now that organizations have the ability to collect vast amounts of data on their clients, do they have a right to share data with others to create a more accurate profile of an individual? And if they do create such consolidated profiles, who owns that information, which in many cases was not divulged willingly for that purpose? Who owns images that are posted in cyberspace? With ever more sophisticated methods of computer animation, can companies use newly ‘‘created’’ images or characters building on models in other media without paying royalties? Mason summarizes the issues,
Any individual item of information can be extremely costly to produce in the first instance. Yet once it is produced, that information has the illusive quality of being easy to reproduce and to share with others. Moreover, this replication can take place without destroying the original. This makes information hard to
19 Richard O. Mason, ‘‘Four Ethical Issues of the Information Age,’’ MIS Quarterly 10, no. 1 (March 1986).
Control of Information 257
safeguard since, unlike tangible property, it becomes communicable and hard to keep it to one’s self. It is even difficult to secure appropriate reimbursements when somebody else uses your information.20
Accessibility In the age of the information worker, accessibility, or the ability to obtain the data, becomes increasingly important. Would-be users of information must first gain the physical ability to access online information resources, which broadly means they must access computational systems. Recent trends in computer hardware prices have greatly lowered the barriers to entry on this account. Second and more important, the user must gain access to information itself. In this sense, the issue of access is closely linked to that of property. Although major corporations have benefited greatly from the drop in computer prices, the same benefit only now is beginning to filter through the rest of society. Looking forward, the major issue facing managers is how to create and maintain access to information for society at large. As our society moves toward a service- or knowledge-based economy, managers whose organizations control vast quantities of information will have to weigh the benefits of information control against societal needs to upgrade the knowledge bases of individuals or knowledge workers.
Today’s managers must ensure that information about their employees and customers is accessible only to those who have a right to see and use it. They should take active measures to see that adequate security and control measures are in place in their companies. It is becoming increasingly clear that they also must ensure that adequate safeguards are working in the companies of their key trading partners. The managers at MasterCard International were no doubt embarrassed when they reported to 68,000 of its cardholders that their accounts were at risk of fraud because one of its card processors, CardSystems Solutions, had violated long-established standards to handle MasterCards’ transactions. MasterCard had spent millions of dollars to upgrade its own computer systems with sophisticated fraud-detection software and had sent out teams to processor and merchant sites to make sure that they were in compliance with these standards. Yet, it was only recently that MasterCard detected a rogue computer program that CardSystems Solutions had installed to extract data for unauthorized research purposes. Unfortunately, this extracted data was accessed by data thieves.21 Accessibility clearly is an issue that extended beyond MasterCard’s internal systems.
Accessibility is becoming increasingly important with the surge in identity theft, or ‘‘the taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from the victim’s existing accounts, apply for loans, establish accounts with utility companies, rent an apartment, file bankruptcy or obtain a job using the victim’s name.’’22 In short, identity theft is a crime in which
20 Ibid. 21 Eric Dash, ‘‘CEO Hacked Card Process Broke Rules,’’ Orlando Sentinel (June 18, 2005), p. A12. 22 Identity Theft Organization, http://www.identitytheft/.org.
258 Chapter 9 Using Information Ethically
the thief uses the victim’s personal information (such as driver’s license number or Social Security number) to impersonate the victim. In TJX’s case, the security breach made its customers vulnerable to identity theft.
According to subject matter experts, identity theft is categorized in two ways: true name and account takeover. True name identity theft means that the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account to obtain blank checks. Account takeover identity theft means the imposter uses personal information to gain access to the person’s existing accounts. Typically, the thief will change the mailing address on an account and run up a huge bill before the person whose identity has been stolen realizes there is a problem.
Identity theft is a problem for both individuals and businesses. The U.S. government keeps statistics on reported cases of identity theft.23 The incidence of identity theft had been growing at an amazing rate during the early part of this century. Though the number of cases in 2006 was down from the previous year, there were still over 240,000 reported cases of identity theft.24 A total of 8.4 million Americans experienced losses to the tune of $49.3 billion. The most victimized tend to be college students and young adults who have not learned to use security software or shred documents.25
Although some cases of individual identity theft can be traced to carelessness on the part of victims, some may also be credited to the failure of businesses to limit accessibility to their databases. Businesses are also subject to significant losses due to identity theft. Illegitimate e-mail messages that solicit personal information for the thief can ruin a business’s hard-won reputation. Purchases made by the thief must be paid for, and often that loss is covered by the business. The U.S. Federal Trade Commission (FTC) maintains a Web site to help both individuals and businesses manage identity theft (http://www.ftc.gov/bcp/edu/microsites/idtheft/).
PAPA and Managers Managers must work to implement controls over information highlighted by the PAPA principles. Not only should they deter identity theft by limiting inappropriate access to customer information, but they should also respect their customers’ privacy. Internet purchasers surveyed believed Internet retailers should post their policies about how they will use private information. Mary Culnan noted in CIO magazine that the ease with which consumer information is collected over the Internet makes purchasers increasingly uneasy. ‘‘People are balking at giving their
23 http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf (accessed on August 4, 2005) 24 Consumer Sentinel, ‘‘Executive Summary Consumer Fraud and Identity Theft Complaint Data,’’ (January – December 2006), http://www.consumer.gov/sentinel/Sentinel CY 2006/executive% 20summary.pdf (accessed April 13, 2008). 25 Allen Alter, ‘‘Identity Theft Losses are Falling,’’ Research Central (February 2, 2007), http://blog .eweek.com/blogs/research central/archive/2007/02/02/Identity Theft Losses Are Falling.aspx (accessed April 13, 2008).
Security and Controls 259
information on the Web in a lot of cases because the organization has not made a good case for why they should,’’ Culnan wrote. ‘‘If there are no benefits or if they aren’t told why the information is being collected or how it’s being used, a lot of people say ‘Forget it.’ ’’26 As customers increasingly appreciate the power new technologies put in the hands of retailers, they become skeptical about the wisdom of providing personal information in transacting business online.
Recently the FTC made strides toward requiring Web retailers to more fully disclose how they will use customers’ private information. The FTC’s efforts to foster fair information practices for Internet commerce mesh with Mason’s PAPA framework. To protect the integrity of information collected about them, federal regulators have recommended allowing consumers limited access to corporate information databases. Consumers thus could update their information and correct errors. Many consumer advocacy groups are arguing for requirement that retailers cannot use personal information unless the customer ‘‘opts-in,’’ or specifically gives the retailer permission to use the information. The default practice now is ‘‘opting-out,’’ or using the information unless the customer specifically tells the retailer that his or her personal information cannot be used or distributed. For example, the Gramm-Leach-Bliley Act (1999) gave customers of financial institutions the ability to opt-out of information sharing by those institutions. More recent, federal legislation requires states to allow registrants to ‘‘opt-in’’ their driver license information.
Information privacy guidelines must come from above: from the CEO, CIO, and general management. Employees must learn about these issues early in their tenure with a firm to avoid incurring serious problems with FTC oversight.
! SECURITY AND CONTROLS
It should be clear from the earlier discussion that the PAPA principles work hand-in-hand with security and controls. Unfortunately, organizations more often than not may rely on luck rather than proven information systems controls, at least according to a recent Ernst & Young survey. 27 More than half of the high-level executives responding to the survey reported that hardware, telecommunications, and software failures, as well as major viruses, Trojan horses, or Internet worms, had resulted in unexpected or unscheduled outages of their critical business systems. The survey confirmed that companies turn to technical responses to deal with these and other threats. In particular considerable emphasis is placed on using technology (i.e., antivirus countermeasures, spam-filtering software, intrusion detection systems) to protect organizational data from unauthorized hackers and undesirable viruses. Managers go to great lengths to make sure their computers are secure from outsider access, such as a hacker who seeks to enter a computer
26 ‘‘Saving Private Data,’’ CIO Magazine (October 1, 1998). 27 Ernst & Young, Global Information Survey, 2004.
260 Chapter 9 Using Information Ethically
for sport or for malicious intent. They also try to safeguard against other external threats such as telecommunications failure, service provider failure, spamming, or distributed denial of service (DDoS) attacks.
Technologies have been devised to manage the security and control problems. Figure 9.3 summarizes three types of tools, such as firewalls, passwords, and
Hardware system security and control
Firewalls A computer set up with both an inter- nal network card and an external network card. This computer is set up to control access to the internal network and only lets authorized traffic pass the barrier.
Encryption and decryption
Cryptography or secure writing ensures that information is transformed into unin- telligible forms before transmission and intelligible forms when it arrives at its des- tination.
Network and soft- ware security con- trols
Network operating system software
The core set of programs that manage the resources of the computer or network often have functionality such as authentication, access control, and cryptology.
Security information management
A management scheme to synchronize all mechanisms and protocols built into network and computer operating systems and protect the systems from authorized access.
Server and browser software security
Mechanisms to ensure that errors in pro- gramming do not create holes and trap- doors that can compromise Web sites.
Broadcast medium security and controls
Labeling and rating software
The software industry incorporates Plat- form for Internet Content Selection (PICS) technology, a mechanism of label- ing Web pages based on content. These labels can be used by filtering software to manage access.
Filtering/blocking software
Software that rates documents and Web sites that have been rated and contain con- tent on a designated filter’s ‘‘black list’’ and keeps them from being displayed on the user’s computer.
FIGURE 9.3 Security and control tools. Source: Adapted from J. Berleur, P. Duquenoy, and D. Whitehouse, ‘‘Ethics and the Governance of the Internet,’’ IFIP-SIG9.2.2, White paper, September 1999.
Security and Controls 261
authentication routines, that restrict access to information on a computer by preventing access to the server on the network. They provide warning for early discovery of security breaches, limit losses suffered in case of security breaches, analyze and react to security breaches (and try to prevent them from reoccurring), and recover whatever has been lost from security breaches.28
Future technological approaches to security and privacy may include a combi- nation of software and hardware. Some of today’s laptop computers have built-in fingerprint identification pads to prevent unauthorized use. Biometrics are also being considered for security purposes at national levels. For example, in the United Kingdom, a debate is underway about making compulsory a national iden- tity card that would contain 49 different types of information, including name, birth date and place, current and past addresses, a head and shoulders photograph, fingerprints, an iris scan and other biometric information, personal reference infor- mation, and registration and record histories. The British government is arguing that the card would give people a convenient way of proving their identity and preventing identity theft. It would also offer a secure way of identifying people for national security, detect crime, aid in enforcing immigration controls, prevent illegal workers, and assist in providing public services. Opponents fear the card will create a ‘‘Big Brother’’ world.
RFID tags with passport information and digital pictures of the owners have been included in new passports from Ireland, Japan, Pakistan, Norway, Malaysia, New Zealand, Belgium, the Netherlands, Germany, the United Kingdom, and the United States. However, security concerns were raised after it was clearly demonstrated that special equipment could read test passports from 10 meters (33 feet) away and not from a distance of 10 cm (4 in), as originally claimed. Consequently, U.S. passports were redesigned to incorporate a thin metal lining and a Basic Access Control to make it more difficult for unauthorized readers to ‘‘skim’’ information when the passport is closed. Nonetheless, the Center for Democracy and Technology has issued warnings that significant security weaknesses still exist.29
Although the focus on technological security controls just discussed has been primarily on dealing with external threats, managers must also guard against typically more lethal threats — internal threats that originate from within the company. Internal threats include operational errors (i.e., loading the wrong software) and former or current employee misconduct involving information systems, as well as hardware or software failure. Managers from the highest echelons down must champion the human aspect of protecting information. This means that they must be supportive of efforts to develop employees into the company’s strongest layer of defense. These efforts include training and awareness programs to alert employees to risks, to make them aware of countermeasures
28 J. Berleur, P. Duquenoy, and D. Whitehouse, ‘‘Ethics and the Governance of the Internet,’’ IFIP SIG 9.2.2, White paper, September 1999. 29 http://en.wikipedia.org/wiki/RFID#Passports (accessed on April, 23, 2008).
262 Chapter 9 Using Information Ethically
that exist to mitigate these risks, and to drill into them the importance of security, as well as awareness programs. Buttressing the technological controls, training, and awareness programs with security procedures and policies and an overall information security strategy can help round out a company’s security efforts.
! IT GOVERNANCE AND SECURITY
The Weill and Ross Framework for IT governance introduced in Chapter 8 offers security professionals a new perspective for assigning responsibility for key security decisions.30 Using the same archetypes described in Chapter 8, their framework is expanded to illustrate appropriate roles of business managers and IT managers in making a company’s security decisions. As an example, the framework can be applied to five critical decisions about information security that are frequently discussed in the security literature.31 A governance pattern that is appropriate for each decision is discussed next and displayed in Figure 9.4.
1. Information Security Strategy. A company’s information security strategy is based on such IT principles as protecting the confidentiality of customer information, strict compliance with regulations, and maintaining a security baseline that is above the industry benchmark. Security strategy is not a technical decision. Rather, it should reflect the company’s mission, overall strategy, business model, and business environment. Deciding on the security strategy requires decision makers who are knowledgeable about the company’s strategy and management systems. In contrast, decision makers do not need to be well versed in information security implementation. Thus, a business monarchy is a good match for such situations in which the top business executives, including the CIO, set the tone for the company’s security. The IT function may need to provide the required technical input for supporting the decision.
2. Information Security Policies. Security policies encourage standardization and integration. Following best practices, they broadly define the scope of and overall expectations for the company’s information security program. From these security policies, lower-level policies are developed to control specific security areas (e.g., Internet use, access control) and/or individual applications (e.g., payroll systems, telecom systems). Policies must reflect the tenuous balance between the enhanced information security gained from adhering to them versus productivity losses and user inconvenience. As security attacks become more sophisticated, obeying security measures to deflect those attacks places increased cognitive demands on users
30 P. Weill, and J. W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Boston: Harvard Business School Press, 2004). 31 Andy Wu, ‘‘What Color Is Your Archetype? Governance Patterns for Information Security,’’ PH.D, Dissertation, University of Central Florida, 2007.
IT Governance and Security 263
Information Security Decision
Recommended Archetype
Rationale
Information Security Strategy
Business monarchy Business leaders have the knowledge of the company’s strategies, on which security strat- egy should be based. No detailed technical knowledge is required.
Information Security Policies
IT duopoly Technical and security implications of behav- iors and processes need to be analyzed and trade-offs between security and productivity need to be made. Need to know the particu- larities of company’s IT infrastructure.
Information Security Infrastructure
IT monarchy In-depth technical knowledge and expertise is needed.
Information Security Education/Training/ Awareness
IT duopoly Business buy-in and understanding are needed. Technical expertise and knowledge of critical security issues is needed in build- ing programs.
Information Security Investments
IT duopoly Requires financial (quantitative) and qual- itative evaluation of business impacts of security investments. Business case has to be presented for rivaling projects.
FIGURE 9.4 Matching information security decisions and archetypes. Adapted from Andy Wu, ‘‘What Color Is Your Archetype? Governance Patterns for Information Security,’’ PH.D, Dissertation, University of Central Florida, 2007.
(e.g., long passwords with special characters for system logon) and sacrifices productivity (e.g., the daily chore of scanning e-mails to spot phishing attempts). Not surprisingly, both IT and business perspectives are important in setting policies. Business users express what they want from the information security program and how they expect the security function to support their business activities. On the other hand, IT leaders should be consulted for two reasons: (1) their judgment prevents unre- alistic goals for standardization and integration, and (2) policy decisions require the ability to analyze the technical and security implications of user behaviors and business processes. Thus, for high-level security architecture decisions, IT duopoly is a good fit.
3. Information Security Infrastructure. The information security infrastruc- ture provides protection by arranging security mechanisms according to the IS architecture specifications. Firewalls, intrusion detection systems (IDSs), and encryption devices are the most popular examples of informa- tion security infrastructure, but other security and control tools are listed in Figure 9.3. Infrastructure decisions deal with technology selection
264 Chapter 9 Using Information Ethically
and configuration. Common objectives are to achieve consistency in protection, economies of scale, and synergy among the components. For these reasons, corporate IT typically is responsible for managing the dedicated security mechanisms. Also, general IT infrastructure, such as enterprise network devices, often is centrally controlled by corporate IT. Thus, fitting governance patterns for these decisions is IT monarchy, where corporate IT takes the lead.
4. Information Security Education/Training/Awareness. An important aspect of information security is making business users aware of security policies and practices. Training and awareness programs build a security-conscious culture. To promote effectiveness and posttraining retention, training and awareness programs must be linked to the unique requirements of individual business processes. User participation in planning and implementing training and awareness programs helps gain acceptance of security initiatives. However, IT security personnel are in the best position to know critical issues. Thus, an IT duopoly would be effective for combining the business and technical perspectives.
5. Information Security Investments. The ‘‘FUD factor’’ (fear, uncertainty, and doubt) used to be all that was needed to get top management to invest in information security. As information security becomes a routine concern in daily operations, security managers increasingly must justify their budget requests financially. Of course, qualitative cost-benefit assessments often supplement, or even substitute for, more quantitative financial analytical methods. As when determining business needs, differ- ent units within the company may have rival or conflicting ‘‘wish lists’’ for information security-related purchases that benefit their unique needs. The IT function also should have a significant say in these decisions, as it is in the best position to assess whether and how the investments may fit with the company’s current IT infrastructure and application portfolio. Thus, an appropriate governance pattern for investment and prioritization decisions is IT duopoly. The most typical governance mechanism for this archetype is executive committees/councils composed of business and IT executives, such as the IT steering committee and budget committee, with the CIO having overlapping memberships in both. These committees are where IT and business leaders make business cases for their proposed investments and debate the merit and priorities of the investments. Decisions then are made with the company’s best interest in mind.
These critical decision-archetype matches described are by no means etched in stone. Organizational and environmental factors may suggest other governance patterns. For instance, it is easy to imagine that business monarchy governs security investments decisions if a company emphasizes stringent budget review and control from a pure business/financial perspective. In enterprises with many relatively independent business units, a federal archetype that involves the corporate center,
Sarbanes – Oxley Act of 2002 265
business unit leaders, and IT leaders may be the proper archetype for business requirement decisions.
The archetypes clearly define the responsibilities of the major players in the company — business executives, business unit leaders, corporate IT, business unit IT, and so forth. By matching appropriate archetypes to the key security decisions, the board of directors in effect puts the decisions in the hands of those who are in the most appropriate positions for making quality decisions. In addition, decision makers are truly empowered when they hold the authority to make decisions that (1) are suitable for their positions, (2) make the best use of their expertise and knowledge, and (3) cater to the needs and specialization of the organization units to which they belong.
! SARBANES – OXLEY ACT OF 2002
In response to rogue accounting activity by major global corporations such as Enron, Worldcom, and their accounting firms, such as Arthur Andersen, the Sarbanes – Oxley Act (SoX) was enacted in the United States in 2002 to increase regulatory visibility and accountability of public companies and their financial health. The U.S. federal government wanted to assure the investing public that financial markets could be relied on to deliver valid performance data and accurate stock valuation. All corporations that fall under the jurisdiction of the U.S. Securities and Exchange Commissions are subject to SoX requirements. This includes not only U.S. and foreign companies that are traded on U.S. exchanges, but also those that make up a significant part of a U.S. company’s financial reporting. All told, 15,000 U.S. companies, 1,200 non-U.S.-based companies and over 1,400 accounting firms in 76 countries have been affected by SoX.32
According to SoX, CFOs and CEOs must personally certify and be accountable for their firms’ financial records and accounting (Section 302), auditors must certify the underlying controls and processes that are used to compile the financial results of a company (Section 404), and companies must provide real-time disclosures of any events that may affect a firm’s stock price or financial performance within a 48-hour period (Section 409). Penalties for failing to comply range from fines to a 20-year jail term.
Although SoX was not originally aimed at IT departments, it soon became clear that IT played a major role in ensuring the accuracy of financial data. Consequently, in 2004 and 2005, there was a flurry of activity as IT managers identified controls, determined design effectiveness, and validated operation of controls through testing. Five IT control weaknesses repeatedly were uncovered by auditors:33
32 These figures were derived from the Public Company Accounting Oversight Board (PCAOB) as were reported in Ashley Braganza and Arnoud Franken’s ‘‘SOX, Compliance, and Power Relationships,’’ Communications of the ACM 50, no. 9 (September 2007): 97 – 102. 33 Ben Worthen, The Top Five I.T. Control Weaknesses (July 1, 2005), available at http://www.cio.com/ archive/070105/sox sidebar two.html.
266 Chapter 9 Using Information Ethically
1. Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner.
2. Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it.
3. Inadequate review of audit logs to ensure that not only were systems run- ning smoothly but also that there was an audit log of the audit log.
4. Failure to identify abnormal transactions in a timely manner. 5. Lack of understanding of key system configurations.
Although SoX’s focus is on financial controls, many auditors encouraged (forced) IT managers to extend their focus to organizational controls and risks in business processes. This means that IT managers must assess the level of controls needed to mitigate potential risks in organizational business processes. As companies move beyond SoX certification into compliance, IT managers now must be involved in ongoing and consistent risk identification, actively recognize and monitor changes to the IT organization and environment that may affect SoX compliance, and continuously improve IT process maturity. It is likely that they will turn to software to automate many of the needed controls.
Frameworks for Implementing SoX COSO
The recent Enron and Worldcom major financial scandals were not the first. In the wake of financial scandals in the mid 1980s the Treadway Commission (or National Commission on Fraudulent Financial Reporting) was created. Its head, James Treadway, had previously served as commissioner of the SEC. The members of the Treadway Commission came from five highly esteemed accounting organizations: Financial Executives International (FEI), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). These organizations became known as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Together they created three control objectives for management and auditors that focused on dealing with risks to internal control. These control objectives deal with:
• Operations — to help the company maintain and improve its operating effectiveness and protect the assets of shareholders.
• Compliance — to ensure that the company is in compliance with relevant laws and regulations.
• Financial reporting — to ensure that the company’s financial statements are produced in accordance with Generally Accepted Accounting Principles (GAAP). SoX is focused on this control objective.
Sarbanes – Oxley Act of 2002 267
To make sure a company is meeting its control objectives, COSO estab- lished five essential control components for managers and auditors. These control components are (1) control environment, which addresses the overall culture of the company; (2) risk assessment of the most critical risks to internal controls; (3) control processes that outline important processes and guidelines; (4) informa- tion and communication of the procedures; and (5) monitoring by management of the internal controls. The Sabanes – Oxley Act requires public companies to define their control framework, and it specifically recommends COSO as that business framework for general accounting controls. It is not IT specific.
COBIT
COBIT (Control Objectives for Information and Related Technology) is an IT governance framework that is consistent with COSO controls. It is a governance tool that focuses on making sure that IT provides the systematic rigor needed for the strong internal controls and Sarbanes – Oxley compliance. It provides a framework for linking IT processes, IT resources, and IT information to a company’s strategies and objectives. As a governance framework, it provides guidelines about who in the organization should be making decisions about the IT processes, resources, and information.
Information Systems Audit & Control Association (ISACA) issued COBIT in 1996. COBIT consists of several overlapping sets of guidance with multiple components, which almost form a cascade of process goals, metrics, and practices. At the highest level, key areas of risks are defined in four major domains (planning and organization, acquisition and implementation, delivery and support, and monitoring). When implementing a COBIT framework, the company determines the processes that are the most susceptible to the risks that it judiciously chooses to manage. There are far too many risks for a company to try to manage all of them.
Once the company identifies processes that it is going to manage, it sets up a control objective and then more specific key goal indicators. As with any control system, metrics need to be established to ensure that the goals are being met. These specific metrics are called key performance indicators. Then, activities to achieve the key goal indicators are selected. These activities, or critical success factors, are the steps that need to be followed to successfully provide controls for a selected process. When a company wants to compare itself with other organizations, it uses a well-defined maturity model. The components of COBIT and examples of each component are provided in Figure 9.5.
One advantage of COBIT is that it is well suited to organizations focused on risk management and mitigation. Another advantage is that it is very detailed. Unfortunately, this high level of detail can serve as a disadvantage in the sense that it makes COBIT very costly and time consuming to implement. Yet, despite the costs, companies are starting to realize benefits from implementing COBIT. As a governance framework, it designates clear ownership and responsibility for key organizational processes in such a way that is understood by all organizational
268 Chapter 9 Using Information Ethically
Component Description Example
Domain One of four major areas of risk (plan and organize, acquire and implement, deliver and sup- port, and monitor and evaluate); each domain consists of multiple processes
Delivery and support
Control Objective Focuses on control of a process associated with risk; there are 34 processes
DS (delivery and support) 11 — Manage data: ensures deliv- ery of complete, accurate, and valid data to the business
Key Goal Indicator Specific measures of the extent to which the goals of the system in regard to a control objective have been met
‘‘A measured reduction in the data preparation process and tasks’’
Key Performance Indicator
Actual, highly specific measures for measuring accomplishment of a goal
‘‘Percent of data input errors’’ (Note: the percentage should decrease over specified periods of time)
Critical Success Factor
Describes the steps that a com- pany must take to accomplish a control objective; there are 318 critical success factors
‘‘Data entry requirements are clearly stated, enforced, and sup- ported by automated techniques at all levels, including database and file interfaces’’
Maturity Model A uniquely defined six-point ranking of a company’s readi- ness for each control objective made in comparison with other companies in the industry
‘‘0 — Data is not recognized as a corporate resource and asset. There is no assigned data owner- ship or individual accountability for data integrity and reliability; data quality and security is poor or nonexistent’’
FIGURE 9.5 Components of COBIT and their examples. Adapted from Hugh Taylor, The Joy of SOX (Indianapolis, IN: Wiley Publishing Inc, 2006).
stakeholders. Consistent with the Information Systems Strategy Triangle discussed in Chapter 1, COBIT provides a formal framework for aligning IT strategy with the business strategy. It does so by recognizing who is responsible for important control decisions using a governance framework. (See Chapter 8 for a discussion of governance.) And, it promotes a focus on risks of internal control and associated processes. Finally, it makes possible the fulfillment of the COSO requirements for the IT control environment that is encouraged by the Sarbanes – Oxley Act.
Sarbanes – Oxley Act of 2002 269
IT and the Implementation of Sarbanes – Oxley Act Compliance Because of the level of detail, the involvement of the IT department and the CIO in implementing SoX, most notably Section 404, which deals with management’s assessment of internal controls, is considerable. The CIO needs to work with auditors, the CFO, and the CEO in ensuring an appropriate response.34 Although the IT department typically plays a major role in SoX compliance, it often is without any formal authority. Thus, the CIO needs to tread carefully when working with auditors, the CFO, the CEO, and business leaders. Braganza and Franken provide six tactics that CIOs can use in working effectively in these relationships.35 These strategies include knowledge building, knowledge deployment, innovation direc- tive mobilization, standardization, and subsidy. A definition for each of these tactics, along with examples of activities to enact these tactics, is provided in Figure 9.6.
The extent to which a CIO could use these various tactics depends on the power that he or she holds relating to the SoX implementation. Those few CIOs who are given a carte blanche by their CEOs to implement SoX compliance can employ more directive activities. That is, they can use subsidy, standardization, and innovative directives tactics. For example, they can establish standards and enforce their compliance; They can create an overarching corporate compliance architecture and use mandate compliance to various controls. They can direct the SoX implementation from top down and put 404 implementation drivers in place. If, on the other hand, the CEO does not vest the CIO with the considerable power to employ such tactics, the CIO may need to take more of a persuasive stance and be more involved in training programs and building an electronic knowledge database of SoX documents. In this case, it is especially important to sell the CIO and CFO on the importance of complying with prescribed procedures and methods. In either situation, the CIO needs to acquire and manage the considerable IT resources to make SoX compliance a reality.
Other Control Frameworks Although COBIT is the most common set of IT control guidelines for SoX, it is by no means the only control framework. Others include those provided by the International Standards Organization (ISO), as well as Information Technology Infrastructure Library (ITIL). ITIL is a set of concepts and techniques for managing information technology infrastructure, development, and operations that was developed in the United Kingdom. ITIL offers eight sets of management procedures in eight books: service delivery, service support, service management, ICT infrastructure management, software asset management, business perspective, security management, and application management. ITIL is a widely recognized framework for IT service management and operations management that has been adopted around the globe.
34 Braganza and Franken, ‘‘SOX, Compliance, and Power Relationships.’’ 35 Ibid.
270 Chapter 9 Using Information Ethically
Tactic Definition Examples of Activities
Knowledge Building
Establishing a knowledge base to implement SoX
Acquiring technical knowledge about SoX and 404
Knowledge Deployment
Disseminating knowledge about SoX and develop- ing an understanding of this knowledge among management and other organizational members
Moving IT staff with knowledge of 404 to parts of the organization that are less knowl- edgeable; creating a central repository of 404 knowledge; absorbing 404 require- ments from external bodies; conducting training programs to spread an understand- ing of SoX
Innovation Directive
Organizing for imple- menting SoX and announcing the approach
Issuing instructions that encourage the adoption of 404 compliance practices; pub- lishing progress reports of each subsidiary’s progress toward 404 implementation; putting drivers for 404 implementation in place; directing 404 implementation from top down and/or bottom up
Mobilization Persuading decentralized players and subsidiaries to participate in SoX imple- mentation
Creating a positive impression of SoX (and 404) implementation; conducting promo- tional and awareness campaigns
Standardization Negotiating agreements between organizational members to facilitate the SoX implementation
Using mandatory controls, often embedded within the technology, to which users must comply; indicating formal levels of compli- ance or variance from prescribed controls; establishing standards of control throughout the organization; creating an overarching corporate compliance architecture
Subsidy Funding implementors’ costs during the SoX implementation and users’ costs during its deployment and use
Centralizing template development; devel- oping Web-based resources; investing in developing the skills of IT staff to imple- menting 404; funding short-term skill gaps; investing in tracking implementation; man- aging funds during implementation to achieve specific IT-related 404 goals.
FIGURE 9.6 CIO Tactics for implementing SoX compliance.
! FOOD FOR THOUGHT: GREEN COMPUTING
Gartner Inc. recently put green computing at the top of its list of upcoming strategic technologies, signaling that more and more companies are becoming
Food for Thought: Green Computing 271
socially responsible.36 Green computing is concerned with using computing resources efficiently. The need for green computing is becoming more obvious as the amount of power needed to drive the world’s PCs, servers, routers, switches, and data centers continues to grow rapidly. Consider, for example, the computing power consumed by the five largest search companies. The five companies currently use about 2 million servers that need approximately 2.4 gigawatts to run. By comparison, the massive Hoover Dam at a maximum only generates about 2 gigawatts. The situation is complicated by the cooling systems that companies need to add to combat the heat that the highest-performing systems generate.37
Companies are working in a number of ways to adopt more socially responsible approaches to energy consumption. In particular they are replacing older systems with more energy-efficient ones, moving workloads based on energy efficiency, using the most power-inefficient servers only at times of peak usage, improving air flows in data centers, and turning to virtualization. Virtualization lets a computer run multiple operating systems or several versions of the same operating system at the same time. Further, some technologies to improve the temperature interface are being developed to support green computing. For example, localized temperature sensors are being designed to adjust the airflow from distributed fans to optimize cooling for the components of a system that are generating the most heat. Another technology is nanocarpets, which are carbon nanotubes that are configured like a Velcro carpet and are designed to conduct heat away from the chips to which they are attached.
An especially creative green approach is the one contemplated by Google to cool the computers that power its search engine. Google’s management is con- sidering placing the computers in a fleet of barges anchored approximately seven miles (11km) offshore. This would allow Google to turn tidal power, a continuous uninterruptible power source, into electricity. The sea could also be used to power a cooling pump to carry away the considerable heat generated by its computers38.
Green programs can be considered to have a triple bottom line (TBL): economic, environmental, and social. They represent an expanded spectrum of values and criteria for measuring organizational and societal success. The triple bottom line is also known as ‘‘3BL,’’ or ‘‘People, Planet, Profit’’.39
Green computing can be considered from the social contract theory perspec- tive: Managers benefit society by conserving global resources when they make green, energy-related decisions about their computer operations. These are the ‘‘people’’ and ‘‘planet’’ motivations. However, their actions may also be evaluated
36 P. Thibodeau, ‘‘Gartner’s Top 10 Strategic Technologies for 2008,’’ Computerworld (October 9, 2007), http://www.networkworld.com/news/2007/100907-10-strategic-technologies-gartner.html (accessed April 23, 2008). 37 G. Lawton, ‘‘Powering Down the Computing Infrastructure,’’ Computer (February 2007), 16 – 19. 38 J. Mick, ‘‘Google Looks at Floating Data Centers for Energy,’’ Daily Tech, September 16, 2008, http://www.dailytech.com/Google+Looks+to+Floating+Data+Centers+for+Energy/article12966 .htm (accessed October 1, 2008). 39 Wikipedia. (2008, June 17). Green Computing. Retrieved June 17, 2008, from Wikipedia: http://en .wikipedia.org/wiki/Green computing.
272 Chapter 9 Using Information Ethically
from the stockholder theory perspective. Energy-efficient computers reduce not only the direct costs of running the computing-related infrastructure, but also the costs of complementary utilities, such as cooling systems for the infrastruc- ture components. This creates a huge ‘‘profit’’ motivation for companies to turn ‘‘green.’’ The companies can become more environmentally friendly and reduce their energy costs at the same time.
! SUMMARY • Due to the asymmetry of power relationships, managers tend to frame ethical
concerns in terms of refraining from doing harm, mitigating injury, and paying attention to dependent and vulnerable parties. As a practical matter, ethics is about maintaining one’s own, independent perspective about the propriety of business practices. Managers must make systematic, reasoned judgments about right and wrong and take responsibility for them. Ethics is about decisive action rooted in principles that express what is right and important and about action that is publicly defensible and personally supportable.
• Three important normative theories describing business ethics are (1) stockholder theory (maximizing stockholder wealth), (2) stakeholder theory (maximizing the benefits to all stakeholders while weighing costs to competing inter- ests), and (3) social contract theory (creating value for society that is just and nondiscriminatory).
• PAPA is an acronym for the four areas in which control of information is crucial: privacy, accuracy, property, and accessibility.
• Issues related to the ethical governance of information systems are emerging in terms of the outward transactions of business that may impinge on the privacy of customers and electronic surveillance and other internally oriented personnel issues.
• Security looms as a major threat to Internet growth. Businesses are bolstering secu- rity with hardware, software, and communication devices.
• Security may best be enacted using a framework that assigns responsibility for security-related decision making based on governance archetypes.
• The Sarbanes – Oxley Act (2002) was enacted to improve internal controls. COBIT is an IT governance framework that can be used to promote IT-related internal con- trols and Sarbanes – Oxley compliance.
! KEY TERMS accessibility (p. 257) accuracy (p. 256) cookie (p. 254) COBIT (Control
Objectives for Information and Related Technology) (p. 267)
green computing (p. 271) identity theft (p. 257)
ITIL (Information Technology Infrastructure Library) (p. 269)
privacy (p. 253) property (p. 256) Sarbanes – Oxley Act (SoX)
(p. 265)
social contract theory (p. 250)
stakeholder theory (p. 249)
stockholder theory (p. 248)
virtualization (p. 271)
Discussion Questions 273
! DISCUSSION QUESTIONS 1. Private corporate data is often encrypted using a key, which is needed to decrypt the information. Who within the corporation should be responsible for maintaining the ‘‘keys’’ to private information collected about consumers? Is that the same person who should have the ‘‘keys’’ to employee data?
2. Lotus Development Corporation launched its Marketplace product in 1990. The product was a marketing database of 120 million U.S. consumers, with demographic information based on publicly available information. Each consumer had personal information, such as name and mailing address. But the value proposition for the product was in the fact that it combined several publicly available databases, and the result was a database that made assumptions about lifestyle, income, family and marital status, and several other demographic categories. It was intended to give companies a comprehensive database of individual spending habits for direct-mail marketing using otherwise unthreatening databases. A grassroots outcry on the Internet resulted in over 30,000 letters and phone calls from individuals who wanted their names deleted from the product. The negative press Lotus received, combined with the flood of letters from consumers who were concerned about invasion of privacy, caused Lotus to cancel the project. In this case, the resulting database showed patterns of spending and placed consumers into categories that reflected personal data the consumers felt was private. But many organizations these days collect individual information, including your credit card provider, your bank, your creditors, and virtually any retail store in which you use a credit card or other identifying customer number. Who owns the information that is collected? Do you, the person who initially provided information to the collector? Or the collecting organization that spent the resources to save the information in the first place?
3. Consider arrest records, which are mostly computerized and stored locally by law enforcement agencies. They have an accuracy rate of about 50 percent — about half of them are inaccurate, incomplete, or ambiguous. These records often are used by others than just law enforcement. Approximately 90 percent of all criminal histories in the United States are available to public and private employers. Use the three normative theories of business ethics to analyze the ethical issues surrounding this situation. How might hiring decisions be influenced inappropriately by this information?
4. The European Community’s Directive on Data Protection that was put into effect in 1998 strictly limits how database information is used and who has access to it. Some of the restrictions include registering all databases containing personal information with the countries in which they are operating, collecting data only with the consent of the subjects, and telling subjects of the database the intended and actual use of the databases. What effect might these restrictions have on global companies? In your opinion, should these types of restrictions be made into law? Why or why not? Should the United States bring its laws into agreement with the EU directive?
5. Should there be a global Internet privacy policy?
6. Is anonymous clickstream tracking and profiling objectionable? Is sending targeted advertising information to a computer using cookie ID numbers objectionable?
7. What is your opinion of the English ID card discussed in this chapter?
274 Chapter 9 Using Information Ethically
CASE STUDY 9-1
ETHICAL DECISION MAKING
Situation 1
The secretarial pool is part of the group assigned to Doug Smith, the manager of office automation. The pool has produced very low quality work for the past several months. Smith has access to the passwords for each of the pool members’ computer accounts. He instructs the pool supervisor to go into each hard drive after hours and obtain a sample document to check for quality control for each pool member.
Discussion Questions
1. If you were the supervisor, what would you do? 2. What, if any, ethical propositions have been violated by this situation? 3. If poor quality were found, could the information be used for disciplinary purposes? For
training purposes? 4. Apply PAPA to this situation.
Situation 2
Kate Essex is the supervisor of the customer service representative group for Enovelty.com, a manufacturer of novelty items. This group spends its workday answering calls, and sometimes placing calls, to customers to assist in solving a variety of issues about orders previously placed with the company. The company has a rule that personal phone calls are only allowed during breaks. Essex is assigned to monitor each representative on the phone for 15 minutes a day, as part of her regular job tasks. The representatives are aware that Essex will be monitoring them, and customers are immediately informed when they begin their calls. Essex begins to monitor James Olsen, and finds that he is on a personal call regarding his sick child. Olsen is not on break.
Discussion Questions
1. What should Essex do? 2. What, if any, ethical principles help guide decision making in this situation? 3. What management practices should be in place to ensure proper behavior without vio-
lating individual ‘‘rights’’? 4. Apply the normative theories of business ethics to this situation.
Situation 3
Jane Mark was the newest hire in the IS group at We Sell More.com, a business on the Internet. The company takes in $30 million in revenue quarterly from Web business. Jane reports to Sam Brady, the VP of IS. Jane is assigned to a project to build a new capability into the company Web page that facilitates linking products ordered with future
Case Study 275
offerings of the company. After weeks of analysis, Jane concluded that the best way to incorporate that capability is to buy a software package from a small start-up company in Silicon Valley, California. She convinces Brady of her decision and is authorized to lease the software. The vendor e-mails Jane the software in a ZIP file and instructs her on how to install it. At the initial installation, Jane is asked to acknowledge and electronically sign the license agreement. The installed system does not ask Jane if she wants to make a backup copy of the software on diskettes, so as a precaution, Jane takes it on herself and copies the ZIP files sent to her onto a set of floppies. She stores these floppies in her desk drawer.
A year later the vendor is bought by another company, and the software is removed from the marketplace. The new owner believes this software will provide them with a competitive advantage they want to reserve for themselves. The new vendor terminates all lease agreements and revokes all licenses on their expiration. But Jane still has the floppies she made as backup.
Discussion Questions
1. Is Jane obligated to stop using her backup copy? Why or why not? 2. If We Sell More.com wants to continue to use the system, can they? Why or
why not? 3. Does it change your opinion if the software is a critical system for We Sell More.com?
If it is a noncritical system? Explain.
Situation 4
Some of the Internet’s biggest companies (i.e., Google, Microsoft, Yahoo, IBM, and Verisign) are working on a new ‘‘single sign-on’’ system that would make it easier to surf the Web. As corporate members of the OpenID Foundation, they are supporting the development of a system that would make it easier for users to sign on to a number of sites without having to remember multiple user IDs, passwords, and registration information. Under OpenID, the companies would share the sign-on information for any Web user who agrees to participate. They would also share personal information such as credit card data, billing addresses, and personal preferences.
Discussion Questions
1. Discuss any threats to privacy in this situation. 2. Who would own the data? Explain. 3. Who do you think should have access to the data? How should that access be controlled?
Situation 5
SpectorSoft markets eBlaster as a way to keep track of what your spouse or children are doing online. Operating in stealth mode, eBlaster tracks every single keystroke entered into a computer, from instant messages to passwords. It also records every e-mail sent and received and every Web site visited by the unsuspecting computer user. The data is sent anonymously to an IP address of the person who installed eBlaster. eBlaster could also be installed onto a business’s computers.
276 Chapter 9 Using Information Ethically
Discussion Questions
1. Do you think it would be ethical for a business to install eBlaster to ensure that its employees are engaged only in work-related activities? If so, under what conditions would it be appropriate? If not, why not?
2. Apply the normative theories of business ethics to this situation.
Situation 6
Red-light camera systems are used by government agencies internationally to catch drivers passing through intersections with a red light showing on the traffic signal. The systems continuously monitor the traffic signal, and the camera is triggered by any vehicle entering the intersection following a specified time after the signal has turned red. Cameras record the date, time of day, time elapsed since the beginning of the red signal, vehicle speed, and license plate.
The Insurance Institute for Highway Safety has concluded that cameras reduce red light violations by 40% to 50% and reduce injury crashes by 25% to 30%. However, critics of such programs argue that the decrease in side-impact collisions has been accompanied by an increase in rear-end collisions as drivers slam on their brakes to avoid running a red light.
Some agencies that have implemented the systems have benefited from revenues generated by fines that exceed their costs (i.e., the costs of installing the system and the charges of the private contractors who operate the programs). Some criticize the fines and revenue-sharing arrangement with the technology providers, arguing that cameras are placed to optimize revenues rather than to promote the most safety. Consequently, some red-light camera technology providers have negotiated flat-fee, rather than revenue-based, contracts.
Discussion Questions
1. Do you see any ethical issues involved in the use of red-light camera systems? Why or why not?
2. Should cities allow outsourcing of the operation of the systems? Why or why not? 3. Apply the normative theories of business ethics to the use of red-light camera systems.
Sources: Situations 1 to 4 adapted from short cases suggested by Professor Kay Nelson, University of Utah. The names of people, places, and companies have been made up for these stories. Any similarity to real people, places, or companies is purely coincidental. Situation 6 was based on a minicase by Chad Hutyra and adapted from Jonathan Miller, ‘‘With Cameras on the Corner, Your Ticket Is in the Mail,’’ New York Times, (January 6, 2005), http://www.nytimes.com/2005/01/06/technology/circuits/ 06came.html?ei=5090&en=8bc6df38e1042a40&ex=1262667600&partner=techdirt&pagewanted= all&position= (accessed March 30, 2008); and Jonathan Silverstein, ‘‘Do Red-Light Traffic Cameras Help?’’ abcnews.com, (February 19, 2005), http://abcnews.go.com/US/story?id=292547&page=1 (accessed March 30, 2008).
CASE STUDY 9-2
MIDWEST FAMILY MUTUAL GOES GREEN
Midwest Family Mutual Insurance Co. ($70 million in annual premiums) has declared itself ‘‘operationally green.’’ Through a variety of initiatives it has reduced its annual energy, natural
Case Study 277
gas, and paper consumption by 63%, 76%, and 65%, respectively. Ron Boyd, the carrier’s CEO, attributes most of the improvements in energy usage to creating a virtual ‘‘work from home’’ office environment. As a result of implementing a series of electronic processes and applications, including imaging and workflow technology, networking technology, and a VoIP network, all but two of Midwest Family Mutual’s 65 employees can now work from home. In addition to the energy savings that Midwest Family Mutual has directly experienced, Boyd estimates that the company’s telecommuting policy has resulted in fuel savings of at least 25,000 gallons.
Though green computing was a commendable goal in itself, Midwest Family Mutual’s bottom line also has benefitted from the company’s socially responsible approach. ‘‘In the past five years the company has decreased its expense ratio from 33.5% to 29.9% of every dollar,’’ Boyd states. ‘‘Being environmentally green can equate to financial green.’’
Green computing grew out of Midwest Family Mutual’s IT successes, according to Boyd. ‘‘As we saw the effectiveness of our imaging and workflow in establishing a truly paperless environment, we started thinking about work-from-home [arrangements]. It became obvious that many of our jobs could be done wherever a high-speed connection existed . . . VOIP completed the technology requirements for all [employees] to work from home.’’
Boyd summarizes: ‘‘We became green as a side benefit of saving resources and cost.’’ The company continued its green policy with its decision to sell its 24,000-square-foot office building in Minnetonka, Minnesota. After the sale of the property, it moved to a more energy-efficient rental property in Plymouth, which conforms to the Environmental Protection Agency’s Energy Star standards.
Discussion Questions
1. Do you think that the economic benefits that Midwest Family Mutual realized as a result of green computing are unusual? Do you think most companies can see similar types of economic gains? Explain.
2. What are some possible disadvantages the employees of Midwest Family Mutual may be experiencing as a result of their new virtual ‘‘work from home’’ office environment?
3. Apply the normative theories of business ethics to this situation.
Source: Adapted from Anthony O’Donnell, ‘‘Plymouth, Minnesota-based Midwest Family Mutual’s Move to a Paperless, Work-at-Home Operational Paradigm Has Yielded Both Environmental and Bottom-Line Benefits,’’ Insurance & Technology (February 24, 2008), http://www.insurancetech .com/resources/fss/showArticle.jhtml;jsessionid=AYMVWDKZBGIFIQSNDLOSKHSCJUNN2JVN? articleID=206801556 (accessed April 23, 2008).
!CHAPTER 10 FUNDING IT
The CIO of Avon Products, Inc., in New York relies heavily on hard-dollar metrics such as net present value (NPV) and internal rate of return (IRR) to demonstrate the business value resulting from information technology (IT) investments. Although these are not the typical IT metrics, they are the language of business. Funding IT becomes a matter of speaking the language of business. ‘‘We apply all of the analytical rigor and financial ROI tools against each of our IT projects as well as other business projects,’’ the CIO (Chief information officer) of Avon Products remarked. Avon uses payback, NPV, IRR, and risk analyses for every investment. Further, each IT project is monitored using a green-/yellow-/red-coded dashboard to convey the status as ‘‘on target,’’ ‘‘warning,’’ or ‘‘having serious problems.’’ Monthly reports to the senior management team inform them about the status of major projects. Other business tools, such as investment-tracking databases and monitors on capital spending, assist the CIO’s office in managing the funds allocated to the IT group.1
The business side of IT is similar to the business itself. Projects are funded through budget allocations or a multitude of other sources, and managing those funds is done with prudent business practices. As Avon’s CIO’s comments indicate, the basic tools of finance and accounting are the basic tools for the financial management of IT and, further, for determining and communicating the value received from IT investments.
In this chapter we explore issues related to the financial side of IT. We begin by looking at ways of funding the IT department, then continue with an exploration of several ways to calculate the cost of IT investments, including total cost of ownership and activity-based costing, and ways of monitoring IT investments once they are made, including portfolio management. These topics are critical for the IT manager to understand, but a general manager must also understand how the business of IT works to successfully propose, plan, manage, and use IT systems.
! FUNDING IT RESOURCES
Who pays for IT? The users? The IT department? The corporate function? Certain costs are associated with designing, developing, delivering, and maintaining the
1 Adapted from Thomas Hoffman, ‘‘How Will You Prove IT Value?’’ Computerworld (January 6, 2003).
278
Funding IT Resources 279
IT systems. How are these costs recovered? The three main funding methods are chargeback, allocation, and corporate budget. Both chargeback and allocation methods distribute the costs back to the businesses, departments, or individuals within the company. This distribution of costs is used for management reasons, so that managers can understand the costs associated with running their organization, or for tax reasons, where the costs associated with each business must be paid for by the appropriate business unit. Corporate budgeting, on the other hand, is a completely different funding method in which IT costs are not linked directly with any specific user or business unit; costs are recovered using corporate coffers.
Chargeback With a chargeback funding method, IT costs are recovered by charging individuals, departments, or business units based on actual usage and cost. The IT department collects usage data on each system it runs. Rates for usage are calculated based on the actual cost to the IT group to run the system and billed out on a regular basis. For example, a desktop PC might be billed out at $100/month, which includes the cost of maintaining the system, any software license fees for the standard desktop configuration, e-mail, network access, a usage fee for the help desk, and other related services. Each department receives a bill showing the number of desktop computers they have and the charge per desktop, the number of printers they have and the charge per printer, the number of servers they have and the charge per server, the amount of mainframe time they have used and the cost per second of that time, and so on. When the IT department wants to recover administrative and overhead costs using a chargeback system, these costs are built into rates charged for each of the services.
Chargeback systems are popular because they are viewed as the most equitable way to recover IT costs. Costs are distributed based on usage or consumption of resources, ensuring that the largest portion of the costs is paid for by the group or individual who consumes the most. Chargeback systems can also provide managers with the most options for managing and controlling their IT costs. For example, a manager may decide to use desktop systems rather than laptop systems because the unit charge is less expensive. The chargeback system gives managers the details they need to understand both what IT resources they use and how to account for IT consumption in the cost of their products and services. Because the departments get a regular bill, they know exactly what their costs are.
Creating and managing a chargeback system, however, is a costly endeavor itself. IT departments must build systems to collect details that might not be needed for anything other than the bills they generate. For example, if PCs are the basis for charging for network time, then the network connect time per PC must be collected, stored, and analyzed each billing cycle. The data collection quickly becomes large and complex, which often results in complicated, difficult-to-understand bills. In addition, picking the charging criteria is more of an art than a science. For example, it is relatively easy to count the number of PCs located in a particular business unit, but is that number a good measure of the
280 Chapter 10 Funding IT
network resources used? It might be more accurate to charge based on units of network time used, but how would that be captured and calculated?
Chargeback methods are most appropriate when there is a wide variation in usage among users or when actual costs need to be accounted for by the business units.
Allocation To simplify the cost recovery process compared to the chargeback method, an allocation system can be used. An allocation funding method recovers costs based on something other than usage, such as revenues, login accounts, or number of employees. For example, suppose the total spending for IT for a year is $1 million for a company with 10,000 employees. A business unit with 1,000 employees might be responsible for 10%, or $100,000, of the total IT costs. Of course, with this type of allocation system, it does not matter whether these employees even use the IT; the department is still charged the same amount.
The allocation mechanism is simpler to implement and apply each month. Actual usage does not need to be captured. The rate charged is often fixed at the beginning of the year. It offers two main advantages. First, the level of detail required to calculate the allocations is much less, and for many organizations that aspect saves expense. Second, the charges from the IT department are predictable. Unlike the chargeback mechanism, where each bill opens up an opportunity for discussion about the charges incurred, the allocation mechanism seems to generate far less frequent arguments from the business units. Often, quite a bit of discussion takes place at the beginning of the year, when rates and allocation bases are set, but less discussion occurs each month because the managers understand and expect the bill.
Two major complaints are made about allocation systems. First is the free-rider problem: A large user of IT services pays the same amount as a small user when the charges are not based on usage. Second, deciding the basis for allocating the costs is an issue. Choosing the number of employees over the number of desktops or other basis is a management decision, and whichever basis is chosen, someone will pay more than their actual usage would imply. Allocation mechanisms work well when a corporate directive requires use of this method and when the units agree on the basis for dividing up the costs.
Often when an allocation process is used, a follow-up process is needed at the end of the fiscal year, in which total IT expenses are compared to total IT funds recovered from the business units, and any extra funds are given back to the business. Sometimes this process is called a ‘‘true-up’’ process because true expenses are balanced against payments made. In some cases, additional funds are needed; however, IT managers try to avoid asking for funds to make up for shortfalls in their budget. The true-up process is needed because the actual cost of the information system is difficult to predict at the beginning of the year. Cost changes over the year because hardware, software, or support costs fluctuate in the marketplace and because IT managers, like all managers, work constantly on
How Much Does IT Cost? 281
improving efficiency and productivity, resulting in lower costs. In an allocation process, where the rate charged for each service is fixed for the year, a true-up process allows IT managers to pass along any additional savings to their business counterparts. Business managers often prefer the predictability of their monthly IT bills along with a true-up process over the relative unpredictability of being charged actual costs each month.
Corporate Budget An entirely different way to pay for IT costs is to simply consider them all to be corporate overhead and pay for them directly out of the corporate budget. With the corporate budget funding method, the costs fall to the corporate bottom line, rather than levying charges on specific users or business units.
Corporate budgeting is a relatively simple method for funding IT costs. It requires no calculation of prices of the IT systems. And because bills are not generated on a regular cycle to the businesses, concerns are raised less often by the business managers. IT managers control the entire budget, giving them control of the use of those funds and, ultimately, more input into what systems are created, how they are managed, and when they are retired. This funding method also encourages the use of new technologies because learners are not charged for exploration and inefficient system use.
As with the other methods, certain drawbacks come with using the corporate budget. First, all IT expenditures are subjected to the same process as all other corporate expenditures, namely, the budgeting process. In many companies, this process is one of the most stressful events of the year: Everyone has projects to be done, and everyone is competing for scarce funds. If the business units do not get billed in some way for their usage, many companies find that they do not control their usage. Getting a bill for services motivates the individual business manager to reconsider his or her usage of those services. Finally, if the business units are not footing the bill, the IT group may feel less accountable to them, which may result in an IT department that is less end-user or customer oriented.
Figure 10.1 summarizes the advantages and disadvantages of these methods.
! HOW MUCH DOES IT COST?
The three major IT funding approaches in the preceding discussion are designed to recover the costs of building and maintaining the information systems in an enterprise. The goal is to simply cover the costs, not to generate a profit (although some MIS organizations are actually profit centers for their corporation). The most basic method for calculating the costs of a system is to add the costs of all the components, including hardware, software, network, and the people involved. Many management information systems (MIS) organizations calculate the initial costs and ongoing maintenance costs in just this way.
282 Chapter 10 Funding IT
Funding Method
Chargeback
Allocation
Corporate Budget
Description
Charges are calculated based on actual usage.
Total expected IT expenditures are divided by nonusage basis such as number of login IDs, employees, or desktops.
Corporate allocates funds to IT at annual budget session.
Why Do It?
Fairest method for recovering costs because it is based on actual usage. IT users can see exactly what their usage costs.
Less bookkeeping for IT because rate is set once per fiscal year, and basis is well understood.
No billing to the businesses. IT exercises more control over what projects are done. Good for encouraging use of new technologies.
Why Not Do It?
IT department must collect details on usage, which can be expensive and difficult. IT must be prepared to defend the charges, which takes time and resources.
IT department must defend allocation rates; may charge low- usage department more than their usage would indicate is fair.
Competes with all other budgeted items for funds.
Predictable monthly costs.
FIGURE 10.1 Comparison of IT funding methods.
Activity-Based Costing Another method for calculating costs is known as activity-based costing (ABC). Traditional accounting methods account for direct and indirect costs. Direct costs are those costs that can be clearly linked to a particular process or product, such as the components used to manufacture the product and the assembler’s wages for time spent building the product. Indirect costs are the overhead costs, which include everything from the electric bill, the salary of administrative managers, and the expenses of administrative function, to the wages of the supervisor overseeing the assembler, the cost of running the factory, and the maintenance of machinery used for multiple products. Further, depending on the funding method used by the organization, indirect costs are allocated or absorbed elsewhere in the pricing model. The allocation process can be cumbersome and complex and often is a source of trouble for many organizations. The alternative is ABC.
Activity-based costing counts the actual activities that go into making a specific product or delivering a specific service. Activities are processes, functions, or tasks
How Much Does IT Cost? 283
that occur over time and produce recognized results. They consume assigned resources to produce products and services. Activities are useful in costing because they are the common denominator between business process improvement and information improvement across departments.
Rather than allocate the total indirect cost of a system across a range of services according to an allocation formula, ABC calculates the amount of time that system was spent supporting a particular activity and allocates only that cost to that activity. For example, an accountant would look at the ERP (enterprise resource planning system) and divide its cost over the activities it supports by calculating how much of the system is used by each activity. Product A might take up one-twelfth of an ERP system’s capacity to control the manufacturing activities needed to make it, so it would be allocated one-twelfth of the system’s costs. The help desk might take up a whole server, so the entire server’s cost would be allocated to that activity. In the end, the costs are put in buckets that reflect the products and services of the business, rather than the organization structure or the processes of any given department. In effect, ABC is the process of charging all costs to ‘‘profit centers’’ instead of to ‘‘cost centers.’’
Total Cost of Ownership When a system is proposed and a business case is created to justify the investment, summing up the initial outlay and the maintenance cost does not provide an entirely accurate total system cost. In fact, if only the initial and maintenance cost are considered, the decision is often made on incomplete information. Other costs are involved, and a time value of money affects the total cost. One technique used to calculate a more accurate cost is total cost of ownership (TCO). It is fast becoming the industry standard. Gartner Group introduced TCO in the late 1980s when PC-based IT infrastructures began gaining popularity.2 Other IT experts have since modified the concept, and this section synthesizes the latest and best thinking about TCO.
TCO looks beyond initial capital investments to include costs associated with technical support, administration, training, and system retirement. Often, the initial cost is an inadequate predictor of the additional costs necessary to successfully implement the system. TCO techniques estimate annual costs per user for each potential infrastructure choice; these costs are then totaled. Careful estimates of TCO provide the best investment numbers to compare with financial return numbers when analyzing the net returns on various IT options. The alternative, an analysis without TCO, can result in an ‘‘apples and oranges’’ comparison. Consider a decision about printers. The initial cost of one printer may be much less than a second choice. However, the cost and longevity of the ink cartridges necessary to run each printer may vary significantly. Likewise, a laser printer may be more expensive initially, but when considering the expected lifetime of the
2 M. Gartenberg, ‘‘Beyond the Numbers: Common TCO Myths Revealed,’’ GartnerGroup Research Note: Technology (March 2, 1998).
284 Chapter 10 Funding IT
printer, compared to an inexpensive alternative, the total cost of ownership may be much less. A similar analysis of a larger IT system clarifies similar alternatives and comparisons.
A major IT investment is for infrastructure. Figure 10.2 uses the hardware, software, network, and data categories to organize the TCO components the manager needs to evaluate for each infrastructure option. This table allows the manager to assess infrastructure components at a medium level of detail and categorically to allocate ‘‘softer’’ costs like administration and support. More or less detail can be used as needed by the business environment. The manager can adapt this framework for use with varying IT infrastructures.
TCO Component Breakdown To clarify how the TCO framework is used, this section examines the hardware cate- gory in greater detail. As used in Figure 10.2, hardware means computing platforms and peripherals. The components listed are somewhat arbitrary, and an organi- zation in which every user possesses every component would be highly unusual. For shared components, such as servers and printers, TCO estimates should be computed per component and then divided among all users who access them.
For more complex situations, such as when only certain groups of users possess certain components, it is wise to segment the hardware analysis by platform. For example, in an organization in which every employee possesses a desktop that accesses a server and half the employees also possess stand-alone laptops that do not access a server, one TCO table could be built for desktop and server hardware and another for laptop hardware. Each table would include software, network, and data costs associated only with its specific platforms.
Soft costs, such as technical support, administration, and training, are easier to estimate than they may first appear. To simplify, these calculations can be broken down further using a table such as Figure 10.3.
The final soft cost, informal support, may be harder to pin down, but it is important nonetheless. Informal support comprises the sometimes highly complex networks that develop among coworkers through which many problems are fixed and much training takes place without the involvement of any official support staff. In many circumstances, these activities can prove more efficient and effective than working through official channels. Still, managers want to analyze the costs of informal support for two reasons:
1. The costs — both in salary and in opportunity — of a nonsupport employee providing informal support may prove significantly higher than analogous costs for a formal support employee. For example, it costs much more in both dollars per hour and foregone management activity for a midlevel manager to help a line employee troubleshoot an e-mail problem than it would for a formal support employee to provide the same service.
2. The quantity of informal support activity in an organization provides an indirect measure of the efficiency of its IT support organization. The
How Much Does IT Cost? 285
Infrastructure Cost per end user of Cost per end user of Category Component Option 1 Option 2 Hardware Desktops
Servers Mobile platforms Printers Archival storage Technical support Administration Training Informal support Retirement
Total Hardware Cost Software OS
Office Suite Database Proprietary Technical support Administration Training Informal support
Total Software Cost Network LAN
WAN Dial-in lines/modems Technical support Administration
Total Network Cost Data Removable media
Onsite backup storage Offsite backup storage
Total Data Cost
FIGURE 10.2 TCO component evaluation.
286 Chapter 10 Funding IT
Responsible Annual Cost/ Total Category Component party hours hour cost
Technical support
Hardware phone support
Call center
In-person hardware troubleshooting
IT operations
Hardware hot swaps IT operations Physical hardware
repair IT operations
Total cost of technical support
Administration Hardware setup System administrator Hardware upgrades/
modifications System administrator
New hardware evaluation
IT operations
Total cost of administration
Training New employee training
IT operations
Ongoing administrator training
Hardware vendor
Total cost of training Total soft costs for hardware
FIGURE 10.3 Soft costs considerations.
formal support organization should respond with sufficient promptness and thoroughness to discourage all but the briefest informal support transactions.
Various IT infrastructure options affect informal support activities differently. For example, a more user-friendly systems interface may alleviate the need for much informal support, justifying a slightly higher software expenditure. Similarly, an investment in support management software may be justified if it reduces the need for informal support. Web-based applications change the equation even further. Those companies who use a vendor-supplied Web-based application may find support activities are provided by the vendor, or the applications are written in such as way as to minimize or eliminate support entirely.
Although putting dollar values on informal support may be a challenge, managers want to gauge the relative potential of each component option to affect the need for informal support.
Building a Business Case 287
TCO as a Management Tool This discussion focused on TCO as a tool for evaluating which infrastructure com- ponents to choose, but TCO also can help managers understand how infrastructure costs break down. Gartner Group research consistently shows that the labor costs associated with an IT infrastructure far outweigh the actual capital investment costs.3 TCO provides the fullest picture of where managers spend their IT dollars. Like other benchmarks, TCO results can be evaluated over time against industry standards (much TCO target data for various IT infrastructure choices are available from industry research firms). Even without comparison data, the numbers that emerge from TCO studies assist in decisions about budgeting, resource allocation, and organizational structure.
However, like the ABC approach, the cost of implementing TCO can be a detriment to the program’s overall success. Both ABC and TCO are complex approaches that may require significant effort to determine the costs to use in the calculations. Managers must weigh the benefits of using these approaches with the costs of obtaining reliable data necessary to make their use successful.
! BUILDING A BUSINESS CASE
To gain support and a ‘‘go-ahead’’ decision on an IT investment (or any business investment, for that matter), a manager must often create a business case. Similar to a legal case, a business case is a structured document that lays out all the relevant information needed to make a go/no-go decision. The business case for an IT project is also a way to establish priorities for investing in different projects, an opportunity to identify how IT and the business will deliver new benefits, gain commitment from business managers, and create a basis for monitoring the investment.4
The components of a business case vary from corporation to corporation, depending on the priorities and decision-making environment. However, there are several primary elements of any business case. They are listed in Figure 10.4. Critical to the business case is the identification of both costs and benefits, both in financial and nonfinancial terms.
Building the business case is more an art than a science. Of particular note is how is a description of the benefits to be gained with the acceptance of the project being sold in the business case. Ward, Daniel, and Peppard5 have suggested framework for identifying and describing both financial and nonfinancial benefits, shown in Figure 10.5. The first step in this framework is to identify each benefit as innovation, or allowing the organization to do new things; improvement, or allowing the organization to do things better; or cessation, stopping things. Then
3 W. Kirwin, ‘‘TCO: The Emerging Manageable Desktop,’’ GartnerGroup Top VIEW (September 24, 1996). 4 John Ward, Elizabeth Daniel, and Joe Peppard, ‘‘Building Better Business Cases for IT Investments’’ MISQE 7, no. 1 (March 2008), 1 – 15. 5 Ibid.
288 Chapter 10 Funding IT
Section or Component Description
Executive Summary One- or two-page description of the overall business case document.
Overview and Introduction Includes a brief business background, the current business situation, a clear statement of the business problem or opportunity, and a recommended solution at a high level.
Assumptions and Rationale Includes issues driving the proposal (could be operational, human resource, environmental, competitive, industry or market trends, financial or otherwise).
Program Summary Includes high-level and then detailed description of the project, well-defined scope, objectives, contacts, resource plan, key metrics (financial and otherwise), implementa- tion plan (high-level discussion and potential impacts) and key components to make this a success.
Financial Discussion and Analysis
Starts with financial summary. Then includes details such as projected costs/revenues/benefits, financial metrics, financial model, cash flow statement, and assumptions that went into creating financial statements. Total Cost of Ownership (TCO) calculations analysis would go in this section.
Benefits and Business Impacts
Starts with business impacts summary. Then includes details on all nonfinancial outcomes such as new busi- ness, transformation, innovations, competitive responses, organizational, supply chain, and human resource impacts.
Schedule and Milestones Outlines the entire schedule for the project, highlights milestones and details of expected metrics at each stage (what makes the go/no-go decision at each stage). If appro- priate, this section can also include a marketing plan and schedule (sometimes this is a separate section).
Risk and Contingency Analysis
Includes details on risks, risk analysis, and contingencies to manage those risks. Includes sensitivity analysis on the scenario(s) proposed and contingencies to manage anticipated consequences. Includes interdependencies and impact they will have on potential outcomes.
Conclusion and Recommendation
Reiterates primary recommendation and draws any neces- sary conclusions
Appendices Can include any backup materials that were not directly included in the body of the document such as detailed financial investment analysis, marketing materials, and competitors’ literature.
FIGURE 10.4 Components of a business case.
Building a Business Case 289
Type of Business Change
Innovation (Do new things)
High
degree of explicitness
Low
Financial Benefits Financial value can be calculated by applying a cost/price or other valid financial formula to a quantifiable benefit
Improvement (Do things better)
Cessation (Stop doing things)
Quantifiable Benefits There is sufficient evidence to forecast how much improvement/benefit should result from the changes.
Measurable Benefits Although this aspect of performance is currently measured, or an approximate measure could be implemented, it is not possible to estimate how much performance will improve when changes are implemented.
Observable Benefits By using agreed criteria, specific individuals or groups will use their experience or judgment to decide the extent the benefit will be realized.
FIGURE 10.5 Classification framework for benefits in a business case. Source: Adapted from John Ward, Elizabeth Daniel, and Joe Peppard, ‘‘Building Better Business Cases for IT Investments,’’ MISQE 7, no. 1 (March 2008): 1 – 15.
the benefits can be classified by degree of explicitness or the ability to assign a value to the benefit. As shown in Figure 10.5, benefits fall into one of these categories:
• Observable — can only be measured by opinion or judgment. These are the subjective, intangible, soft, or qualitative benefits.
• Measurable — There is already a well-accepted way to measure for the benefit (but it may not be a quantifiable measure). Using existing measures to ensure alignment with the business strategy.
• Quantifiable — There is a way to measure the size or magnitude of the benefit. Most business cases revolve around quantifiable benefits, so ensuring that as many benefits as possible have a quantifiable metric is important.
• Financial — There is a way to express the benefit in financial terms. These are the metrics that are most easily used to judge the go-no go decision because financial terms are universal across all business decisions.
Consider this example of a UK-based mobile telephone company. The com- pany’s strategy was to differentiate itself with excellent customer service, and it identified a project to upgrade the call centers as a potential opportunity. Figure 10.6 contains a sample of the cost-risk-benefit analysis for this business case. Note that in this example, costs were described in terms of six categories: purchases, implementation technical consultants, development, infrastructure, business change, and training costs. Risks were categorized as financial risks, technical risks, and organizational risks.6
6 Ibid.
290 Chapter 10 Funding IT
Objective Type
Doing New Things Doing Things Better Stop Doing Things
Benefit: Increased customer retention due to improved service provision Measure: Reduction in customer defections. Avoided defections due to service failure = 1,750 pa Cost per defection = £500—saving of £875,000 pa Benefit Owner: Customer accounts manager
Benefit: 20% reduction in call servicing costs Measure: Cost per service call. Number of calls pa = 5.6 million, total servicing costs = £1.2 million—savings of £240,000 pa Benefit Owner: Telechannel sales manager
Benefit: Customers not switching to competitors’ products and services Measure: Number of defections to competitors. Current number of customers switching = 5,500 pa Benefit Owner: Customer accounts manager
Benefit: Stop call-backs to customers after failed service calls Measure: Number of call- backs. Number in previous years = 1.5 million. Cost per call-back = £0.46—savings of £690,000 pa Benefit Owner: Call center operations manager
Financial
Benefit: Eliminate call waiting times over 2 minutes for customers Measure: Number of calls currently waiting over 2 minutes = 1.1 million Benefit Owner: Call center operations manager
Quantifiable
Benefit: Call center staff able to undertake sales calls/ promote new services Measure: Number of sales calls per staff member or sales per staff member. Current value = 0 (call center currently purely inbound) Benefit Owner: Telechannel sales manager
Measurable
Benefit: Ability to develop future services based on customer data Measure: Quantity and quality of customer profile data Benefit Owner: New service development manager
Benefit: Stop customers becoming frustrated/rude because of service failure Measure: Call center staff opinion Benefit Owner: Call center staff manager
Benefit: Call center staff motivated by being trained about newer services Measure: Increased call center motivation Benefit Owner: Call center staff manager
Observable
Investment Costs Purchase of new call center hardware and software: Cost of implementation technical consultants: Internal systems development costs (for configuration): Infrastructure upgrade costs: Business change costs: Training costs: Total: Net increase in annual systems support and license costs:
£250,000 £120,000 £150,000 £75,000
£270,000 £80,000
£945,000 £80,000
FIGURE 10.6 Cost-risk-benefit analysis for a business case.
IT Portfolio Management 291
Risk Analysis Technical Risks:
Financial Risks:
Organizational Risks:
Complexity of the systems functionality Number of system interfaces and systems being replaced Confidence in some investment costs—especially business change Confidence in the evidence for some of the benefits Business criticality of areas affected by the system The extent of changes to call center processes and practice Limited existing change management capability Call center staff capability to promote more technical services Customer willingness to share information for profiling purposes
FIGURE 10.6 (continued) Cost-risk-benefit analysis for a business case. Source: Adapted from John Ward, Elizabeth Daniel, and Joe Peppard, ‘‘Building Better Business Cases for IT Investments,’’ MISQE 7, no. 1 (March 2008): 1 – 15.
! IT PORTFOLIO MANAGEMENT
Managing the set of systems and programs in an IT organization is similar to managing resources in a financial organization. There are different types of IT investments, and together they form the business’s IT portfolio. IT portfolio management refers to the process of evaluating and approving IT investments as they relate to other current and potential IT investments. It often involves deciding on the right mix of investments from funding, management, and staffing perspectives. The overall goal of IT portfolio management is for the company to fund and invest in the most valuable initiatives that, taken together as a whole, generate maximum benefits to the business.
Professor Peter Weill and colleagues at MIT’s Center for Information Systems Research (CISR) describe four asset classes of IT investments that typically make up the company’s IT portfolio:
• Transactional Systems — systems that streamline or cut costs on the way business is done
• Informational Systems — systems that provide information used to control, manage, communicate, analyze, or collaborate
• Strategic Systems — Systems used to gain competitive advantage in the marketplace
• Infrastructure Systems — the base foundation of shared IT services used for multiple applications such as servers, networks, databases, or laptops
In analyzing the composition of any single company’s IT portfolio, one can come up with a profile of the relative investment made in each asset class. Weill’s study found that the average firm allocates 46% of its total IT investment each year to infrastructure and only 25% of its total IT investment in transactional systems.
292 Chapter 10 Funding IT
Infrastructure 46%
Transactional 25%
Strategic 11%
Informational 18%
FIGURE 10.7 Average company’s IT portfolio profile. Source: !Massachusetts Institute of Technology, 2007. This work was created by MIT’s Sloan Center for Systems Research (CISR).
Figure 10.7 summarizes a typical IT portfolio. At a more detailed level, different industries allocate their IT resources differently. For example, Weill found that ser- vices companies (such as IT Services and professional services) on average, allocate more to infrastructure systems (about 47%), transactional systems (about 27%), and strategic systems (about 13%) but less to informational systems (about 18%).
Managers use a portfolio view of IT investments to manage resources. Decision makers use the portfolio to analyze risk, assess fit with business strategy, and identify opportunities for reducing IT spending. Just like an individual or company’s investment portfolio is aligned with the individual or company’s objectives, the IT portfolio must be aligned with the business strategy. Weill’s work suggests that a different balance between IT investments is needed for a cost-focused strategy compared to an agility-focused strategy. A company with a cost-focused strategy would seek an IT portfolio that helps lower costs as the primary business objective. In that case, Weill’s work suggest that on average 27% of the IT investments are made in transactional investments, suggesting higher use of applications that automate processes which and typically lower operational costs. On the other hand, a company with an agility focus would be more likely to invest a higher percent of their IT portfolio in infrastructure, and less in transactional systems. The infrastructure investment would create a platform that would likely be used to more quickly and nimbly create solutions needed by the business, whereas the transactional systems might lock in the current processes and take more effort and time to change. Figure 10.8 summarizes the differences.
! VALUING IT INVESTMENTS
Monetary costs and benefits are important but not the only considerations in making IT investments. Soft benefits, such as the ability to make future decisions, are often part of the business case for IT investments, making it difficult to measure the payback of the investment.
Several unique factors of the IT function increase the difficulty of assessing value from IT investments. First, in many enterprises, IT is a significant part of the annual budget. Hence it comes under close scrutiny. Second, the systems
Valuing IT Investments 293
Infrastructure Transactional Informational Strategic investments investments investments investments
Average 46% 25% 18% 11% Firm
Cost 44% 27% 18% 11% Focus
Agility 51% 24% 15% 10% Focus
FIGURE 10.8 Comparative IT portfolios for different business strategies. Source: !Massachusetts Institute of Technology, 2007. This work was created by MIT’s Sloan Center for Systems Research (CISR).
themselves are complex, and as already discussed, calculating the costs is an art, not a science. Third, because many IT investments are for infrastructure, the payback period is much longer than other types of capital investments. Fourth, many times the payback cannot be calculated because the investment is a necessity rather than a choice, without any tangible payback. For example, upgrading to a newer version of software or buying a new design of hardware may be required because the older models are broken or simply not supported any longer. Many managers do not want to be placed in the position of having to upgrade simply because the vendor thinks an upgrade is necessary. Instead, managers may resist IT spending on the grounds that the investment adds no incremental value. These factors and more fuel a long-running debate about the value of IT investments.
For example, because of the large expense of preparing for the year 2000, the Y2K crisis strained IT budgets.7 Y2K compliance was a business necessity addressed only by implementing new systems or upgrading existing ones. Limited financial resources caused management executives to examine more closely the expected return on other IT investments. A 1998 survey by InformationWeek found that ‘‘more than 80% of the 150 IS executives at U.S. companies surveyed say their organizations require them to demonstrate the potential revenue, payback, or budget impact of their IT projects.’’8
Thus, a clear need exists to understand the true return on an IT project. Measuring this return is difficult, however. To illustrate, consider the relative ease
7 The Y2K crisis, otherwise known as the Millennium Bug, refers to software that was unable to distinguish between years beginning with the ‘‘20’’ from years beginning with ‘‘19’’. Some programs were not set up to distinguish between ‘‘1919’’ and ‘‘2019’’ for example. The fear was that programs would crash, or act in abnormal ways, when the century turned over. The amount of systems affected by this problem was enormous. Most government and corporations were busy in the latter half of the 1990’s addressing this problem. In reality, however, most of the problems were fixed before the century started, and very few entities experienced the anticipated problems. 8 Bob Violino, ‘‘ROI In the Real World,’’ Information Week (April 27, 1998), p. 2.
294 Chapter 10 Funding IT
with which a manager might analyze whether the enterprise should build a new plant. The first step would be to estimate the costs of construction. The plant capacity dictates project production levels. Demand varies, and construction costs frequently overrun, but the manager can find sufficient information to make a decision about whether to build.
Most of the time, the benefits of investing in IT are less tangible than those of building a plant. Such benefits might include tighter systems integration, faster response time, more accurate data, better leverage to adopt future technologies, among others. How can a manager quantify these intangibles? He or she should also consider many indirect, or downstream, benefits and costs, such as changes in how people behave, where staff report, and how tasks are assigned. In fact, it may be impossible to pinpoint who will benefit from an IT investment when making the decision.9
Despite the difficulty, the task of evaluating IT investments is necessary. Knowing which approaches to use and when to use them are important first steps. A number of approaches are summarized in Figure 10.9. Managers should choose based on the attributes of the project. For example, return on investment (ROI) or payback analysis can be used when detailed analysis is not required, such as when a project is short-lived and its costs and benefits are clear. When the project lasts long enough that the time value of money becomes a factor, net present value (NPV) and economic value added (EVA) are better approaches. EVA is particularly appropriate for capital-intensive projects.
An IT manager may encounter a number of pitfalls when analyzing return on investment. First, not every situation calls for in-depth analysis. Some decisions — such as whether to invest in a new operating system to become compatible with a client operating system — are easy to make. The costs are unlikely to be prohibitively high, and the benefits are clear.
Second, not every evaluation method works in every case. Depending on the assets employed, the duration of the project, and any uncertainty about implementation, one method may work better than another.
Third, circumstances may alter the way a particular valuation method is best used. For instance, in a software implementation, estimates of labor hours required often fall short of actual hours spent. Accordingly, some managers use an ‘‘adjusting’’ factor in their estimates.
Fourth, managers can fall into ‘‘analysis paralysis.’’ Reaching a precise valuation may take longer than is reasonable to make an investment decision. Because a single right valuation may not exist, ‘‘close enough’’ usually suffices. Experience and an eye to the risks of an incorrect valuation help decide when to stop analyzing.
Finally, even when the numbers say a project is not worthwhile, the investment may be necessary to remain competitive. For example, UPS faced little choice but to invest heavily in IT. At the time, FedEx made IT a competitive advantage and was winning the overnight delivery war.
9 John C. Ford, ‘‘Evaluating Investment in IT,’’ Australian Accountant (December 1994), p. 3.
Valuing IT Investments 295
Valuation Method
Return on investment (ROI)
Net present value (NPV)
Economic value added (EVA)
Payback analysis
Internal rate of return (IRR)
Weighted scoring methods
Prototyping
Game theory or role-playing
Simulation
Description
Percentage rate that measures the relationship between the amount the business gets back from an investment and the amount invested using the formula: ROI = (Revenue- Investment)/Investment. Although popular and easy to use and understand, ROI lacks sophistication in assessing intangible benefits and costs. Finance departments typically use NPV because it accounts for the time value of money. After discounting and then adding the dollar inflows and outflows, a positive NPV indicates a project should be undertaken, as long as other IT investments do not have higher values. It is calculated by discounting the costs and benefits for each year of the system’s lifetime using the present value factor calculated each year as 1/(1+ discount rate) year.
EVA accounts for opportunity costs of capital to measure true economic profit and revalues historical costs to give an accurate picture of the true market value of assets.a EVA is sufficiently complex that consultants typically are required to implement it. It provides no hard and fast rules for intang- ibles. Calculating EVA is simple: EVA = Net operating profit after taxes – [(Capital)(Cost of capital)].a
Simple, popular method that determines the payback period, or how much time will lapse before accrued benefits overtake accrued and continuing costs. Calculation is made to determine the return that the IT investment would have, and then it is compared to the corporate policy on rate of return. If IT investment’s rate of return is higher than the corporate policy, the project is considered a good investment. Costs and revenues/savings are weighted based on their strategic importance, level of accuracy or confidence, and comparable investment opportunities.
A scaled-down version of a system is tested for its costs and benefits. This approach is useful when the impact of the IT investment seems unclear. These approaches may reveal behavioral changes or new tasks attributable to a new system. They are less expensive than prototyping. A model is used to test the impact of a new system or series of tasks. This low-cost method surfaces problems and allows system sensitivities to be analyzed.
a http://www.sternstewart.com.
FIGURE 10.9 Valuation methods.
296 Chapter 10 Funding IT
! MONITORING IT INVESTMENTS
An old adage says: ‘‘If you can’t measure it, you can’t manage it.’’ Management’s role is to ensure that the money spent on IT results in benefits for the organization. Therefore, common, accepted set of metrics must be created, and those metrics must be monitored and communicated to senior management and customers of the IT department. These metrics are often financial in nature (i.e., ROI, NPV). But financial measures are only one category of measures used to manage IT investments. Other MIS metrics include logs of errors encountered by users, end-user surveys, user turnaround time, logs of computer and communication up-/downtime, system response time, and percentage of projects completed on time and/or within budget. Additional, business-focused metrics might include measures such as the number of contacts with external customers, sales revenue accrued from web channels, and new business leads generated.
The Balanced Scorecard Deciding on appropriate measures is half of the equation for effective MIS organizations. The other half of the equation is ensuring that those measures are accurately communicated to the business. Two methods for communicating these metrics are the scorecards and dashboards.
Financial measures may be the language of stockholders, but managers understand that they can be misleading if used as the sole means of making management decisions. One methodology used to solve this problem, created by Robert Kaplan and David Norton, and first described in the Harvard Business Review in 1992, is the balanced scorecard, which focuses attention on the organization’s value drivers (which include, but are not limited to, financial performance).10 Companies use it to assess the full impact of their corporate strategies on their customers and workforce, as well as their financial performance.
This methodology allows managers to look at the business from four per- spectives: customer, internal business, innovation/learning, and financial. For each perspective, the goals and measures are designed to answer these basic questions:
• How do customers see us? (Customer perspective) • At what must we excel? (Internal business perspective) • Can we continue to improve and create value? (Innovation and learning
perspective) • How do we look to shareholders? (Financial perspective)
Figure 10.10 graphically shows the relationship of these perspectives. Since the introduction of the Balanced Scorecard, many have modified it
or adapted it to apply to their particular organization. Managers of information
10 For more detail, see R. Kaplan and D. Norton, ‘‘The Balanced Scorecard — Measures That Drive Performance,’’ Harvard Business Review (January – February 1992).
Monitoring IT Investments 297
Financial Perspective
Goals Measures
Goals Measures
Goals Measures
Goals Measures
Customer Perspective
Learning Perspectives
Internal Perspective
FIGURE 10.10 The balanced scorecard perspectives. Source: Adapted from Kaplan and Norton, ‘‘The Balanced Scorecard — Measures That Drive Perfor- mance,’’ Harvard Business Review (January – February 1992): 72.
technology found the concept of a scorecard useful in managing and communicating the value of the IT department. For example, US West used this methodology when it undertook an e-commerce project. The manager of this project described its use:
The Balanced Scorecard approach defined goals in areas beyond the technical, e-commerce platform. It helped us look at internal processes, employee impact and finances. It meant getting the associated computer systems Y2K compliant in the internal processes category, implementing an IT career structure in the employee learning category and meeting overall budget commitments in the finan- cial category. The Balanced Scorecard helped us organize our thoughts, and it was then used for all of our IT planning.11
Applying the categories of the balanced scorecard to IT might mean inter- preting them more broadly than originally conceived by Kaplan and Norton. For example, the original scorecard speaks of the customer perspective, but for the MIS scorecard, the customer might be a user within the company, not the external
11 Adapted from Robin Robinson, ‘‘Balanced Scorecard,’’ Computerworld (January 24, 2000).
298 Chapter 10 Funding IT
Dimension
Customer perspective
Internal business perspective
Innovating and learning perspective
Financial perspective
Description
How do customers see us? Measures that reflect factors that really matter to customers
What must we excel at? Measures of what the company must do internally to meet customer expectations
Can we continue to improve and create value? Measures of the company’s ability to innovate, improve, and learn
How do we look to shareholders? Measures to indicate contribution of activities to the bottom line
Example IT Measures
Impact of IT projects on users, impact of IT’s reputation among users, and user-defined operational metrics
IT process metrics, project completion rates, and system operational performance metrics
IT R&D, new technology introduction success rate, training metrics
IT project ROI, NPV, IRR, cost/benefit, TCO, ABC
FIGURE 10.11 Balanced scorecard applied to IT departments.
customer of the company. The questions asked when using this methodology within the IT department are summarized in Figure 10.11.
David Norton commented, ‘‘[D]on’t start with an emphasis on metrics — start with your strategy and use metrics to make it understandable and measurable (that is, to communicate it to those expected to make it happen and to manage it).’’12 He found the balanced scorecard to be the most effective management framework for achieving organizational alignment and strategic success.
FirstEnergy, a multibillion-dollar utility company, provides a good example of how the MIS scorecard can be used. The company set a strategic goal of creating ‘‘raving fans’’ among its customers. In addition, they identified three other business value drivers: reliability, finance, and winning culture. The MIS group interpreted ‘‘raving fans’’ to mean satisfied internal customers. They used three metrics to measure their performance along this dimension:13
• Percentage of projects completed on time and on budget
12 ‘‘Ask the Source: Interview with David Norton,’’ CIO Magazine (July 25, 2002), available at www.cio.com (accessed February 22, 2003). 13 Adapted from Eric Berkman, ‘‘How to Use the Balanced Scorecard,’’ CIO Magazine (May 15, 2002).
Monitoring IT Investments 299
• Percentage of projects released to the customer by agreed-on delivery date
• Client satisfaction recorded on customer surveys done at the end of a project
A scorecard used within the IT department helps senior IS managers under- stand their organization’s performance and measure it in a way that supports its business strategy. The IT scorecard is linked to the corporate scorecard and ensures that the measures used by IT are those that support the corporate goals. At DuPont Engineering, the balanced scorecard methodology forces every action to be linked to a corporate goal, which helps promote alignment and eliminate projects with little potential impact. The conversations between IT and the business focus on strategic goals and impact rather than on technology and capabilities.14
IT Dashboards Scorecards provide summary information gathered over a period of time. Another common MIS management monitoring tool is the IT dashboard, which provides a snapshot of metrics at any given point in time. Much like the dashboard of an auto- mobile or airplane, the IT dashboard summarizes key metrics for senior managers in a manner that provides quick identification of the status of the organization. Like scorecards, dashboards are useful outside the IT department and are often found in executive offices as a tool for keeping current on critical measures of the organiza- tion. For this section, we focus on the use of these tools within the IT department.
Dashboards provide frequently updated information on areas of interest within the IT department. Depending on who is actually using the dashboard, the data tend to focus on project status or operational systems status. For example, a dashboard used by GM North America’s IT leadership team contains a metric designed to monitor project status.15 Because senior managers question the overall health of a project rather than the details, the dashboard they designed provides red, yellow, or green highlights for rapid comprehension. A green highlight means that the project is progressing as planned. A yellow highlight means at least one key target has been missed. A red highlight means the project is significantly behind and needs some attention or resources to get back on track.
At GM, each project is tracked and rated monthly. GM uses four dashboard criteria: (1) performance to budget, (2) performance to schedule, (3) delivery of business results, and (4) risk. At the beginning of a project, these metrics are defined and acceptable levels set. The project manager assigns a color status monthly, based on the defined criteria, and the results are reported in a spreadsheet. When managers look at the dashboard, they can immediately tell whether projects are on schedule based on the amount of green, yellow, or red on the dashboard. They can then drill into yellow or red metrics to get the projects back on track.
14 Ibid. 15 Adapted from Tracy Mayor, ‘‘Red Light, Green Light,’’ CIO Magazine (October 1, 2001).
300 Chapter 10 Funding IT
The dashboard provides an easy way to identify where their attention should be focused. The director of IT operations explains, ‘‘Red means I need more money, people or better business buy-in.. . . The dashboard provides an early warning system that allows IT managers to identify and correct problems before they become big enough to derail a project.’’16
Dashboards are useful for projects, but they have additional applications within the IT department. A number of organizations also use a similar dashboard to track operations to measure network performance, system availability, help desk satisfaction, and a number of other key performance data. Green means the metric is within acceptable limits; yellow means the metric has slipped once or twice; and red means the metric is consistently outside the acceptable range.
At Intel, the MIS department uses a ‘‘CIO dashboard’’ that condenses about 100 separate pieces of paper into one unified set of indicators in a matrix format.17 Each key topic area is represented by a trend indicator as well as a status indicator. The Intel dashboard also uses green-yellow-red, as well as an arrow to indicate up, down, or sideways movement of a trend. All Intel employees, including IT staff, can scan the dashboard, which is electronically stored and updated, on the Intel intranet. In this way, issues can be identified and handled without waiting for the monthly CIO meeting, and dashboard statistics are monitored frequently to enable proactive behavior. In Intel’s case, the dashboard improved both the reporting process, as well as team communication, because it made information available in real time in an easy-to-read manner.
Dashboards are built on the information contained in the other applications, databases, and analytical systems of the organization (see Chapter 12 for a more complete discussion of business intelligence and business analytics). Figure 10.12 contains the architecture of a sample dashboard for Western Digital, a $3 billion global designer and manufacturer of high-performance hard drives for PCs, networks, storage devices, and entertainment systems.18
! OPTIONS PRICING
Options pricing has long been used on financial assets as a method of locking in a price to be paid in the future. For example, you may have been able to purchase an option to buy 500 shares of Cisco stock at $50 per share on January 1, 2005, for a price (i.e., $600). The concept of options can be extended to evaluating IT investments. In this case, an IT project is viewed as an option to exchange the cost of the project for its benefits down the road. In particular, investing in one phase
16 Ibid. 17 Adapted from Johanna Ambrosio, ‘‘Walking the Walls No More,’’ Computerworld (July 6, 2001). 18 Robert Houghton, O. A. El Sawy, P. Gray, C. Donegan, and A. Joshi, ‘‘Vigilant Information Systems for Managing Enterprises in Dynamic Supply Chains: Real-Time Dashboards at Western Digital,’’ MISQE 3, no. 1 (March 2004), 19 – 35.
Options Pricing 301
Corporate Dashboards Planning / Forecasting
Revenue Positions Inventory Positions
BMIS (Financial
Performance)
ERP Logistics Point Of
Sale
Supplier Quality System
Raw Data Drive Cost, Customer Order, Customer Payment, Test Data, Build Data, etc.....
Mfg. Execution System
Marginal Monitoring
System
Failure Analysis System
QIS (Product
Performance)
Mitec Reporting (Factory Performance)
Factory Dashboard Component Inventory
Line Utilization Yield
Dashboards Highly Summarized Key Metric Driven
Visualization and Alert
Business Intelligence Cross Application Query / Data Mining
Statistical Analysis
Functional Applications Transaction Based Standard Reporting
Highly focused
Raw Data Feeds Transaction System
FIGURE 10.12 Example Architecture of a Dashboard. Source: Houghton, Robert, et al. ‘‘Vigilant Information Systems For Managing Enterprises in Dynamic Supply Chains: Real-Time Dashboards at Western Digital,’’ MISQE, Vol. 3 No. 1, March 2004.
of an IT project may result in an option to invest in the next phase, as long as the project is not terminated before then.
The reason that options pricing is so appealing is that it offers management the opportunity to take some future action (such as abandoning, deferring, or expanding the scale of a project) in response to uncertainty about changes in the business and its environment. Options pricing offers a risk-hedging strategy to minimize the negative impact of risk when uncertainty can be resolved by waiting to see what happens. To be applied, managers need to have a project that can be divided into investment stages and be armed with estimates of costs of the project at each stage, the projected revenues or savings, and the probability of these costs and revenues/savings being realized.
Figure 10.13 offers a simple example of how options pricing would work for a new CRM system that has two major components: a customer identification module and a customer tracking module. (Note: In this model all costs and revenues reflect discounting.) The customer identification module is projected
302 Chapter 10 Funding IT
2005 Net Present Value View
Option Pricing View 2005
$130,000
$130,000
2006
2006
(0.5)($350,000 – $100,000)
(0.5)($20,000 – $100,000)
(0.5)($350,000 – $100,000)
(0.5)($0)
FIGURE 10.13 NPV vs. option pricing view. Source: Adapted from Ram Kumar, ‘‘Managing Risks in IT Projects: An Options Perspective,’’ Information & Management 40 (2002): 63 – 74.
to cost $130,000 in 2005, and the customer tracking module, which is built on the customer identification module, is estimated to cost $100,000 in 2006. The customer identification module has a 50% chance of generating $350,000 in additional revenues in 2006 if conditions are favorable. If they are unfavorable, revenues are projected to be only $20,000. The net present value (NPV) view would assume a 50% chance of positive net revenue of $250,000 (i.e., $350,000 – $100,000) in 2006, and a 50% chance of loss of $80,000 (i.e., $20,000 – $100,000) in 2006. Options pricing views this investment opportunity a little differently. With options pricing there is a 50% chance of net revenue of $250,000 and a 50% chance of net revenue of $0 a year later because the option to invest $100,000 in the customer tracking module need not be exercised if conditions are unfavorable.
Conceptualizing risk hedging in terms of options can help managers better understand and manage IT investment decisions. It offers an analysis approach that matches the way many senior managers think about the risk in making invest- ments. Sometimes it may result in investment decisions that would be rejected based on NPV or cost-benefit analysis. For example, IT infrastructure invest- ments often fare poorly on NPV analysis because the immediate expectation of payback is limited. However, from an options pricing perspective these invest- ments provide the business with opportunities that would not be possible without the IT investment. Ideally, the investment yields applications with measurable revenue.
Options Pricing 303
Option pricing is especially applicable in the following situations:19
• When an investment decision can be deferred. When considerable uncer- tainty surrounds a major project, dividing it into ‘‘chunks’’ allows managers to monitor their investment over time.
• In helping managers strike a balance between waiting to obtain valu- able information and forgoing revenues or strategic benefits from an implemented project. For example, Yankee 24 could have used options pricing when deciding to offer a POS debit card network to its member institutions. Yankee 24 was established in 1984 to provide electronic banking network services, such as ATMs, to more than 200 member institutions. As early as 1987, Yankee’s president, Richard Yanak, realized the potential for a POS network. If customer acceptance were as slow as it had been in California a decade earlier, revenues would be low and could not offset the heavy investment required for network infrastructure. The question that options pricing could have resolved was how long should Yankee wait before investing in this infrastructure and POS technology without giving its competitor, the New York Cash Exchange, a first mover advantage.
• For emerging technology investments. For example, IBM OS/2-based computing infrastructures became less attractive as Microsoft Windows NT gained a large installed base in the world of client/server computing. Thus, the use of IT projects with a phased rollout of an OS/2 platform, or of applications depending on OS/2 for critical support, would have been negatively affected over time using an options pricing model.
• For prototyping investments. When managers are uncertain about whether an application can ‘‘do the job,’’ a prototype provides value in the options that it offers the firm for future actions.
• For technology-as-product investments. When the technology is at the core of a product, issues of level of commitment, timing, rollout, deferment, and abandonment can be considered more fully.
Like all the evaluation approaches, options pricing has a downside.20 Option value calculations are sensitive to certain parameters, especially volatility. Having multiple stakeholders involved in estimation and calculating for a range of param- eter values are two strategies that can help lessen this sensitivity. Options pricing may be attractive for infrastructure investments that open the door to possible applications in the future, but a number of assumptions must be made about those
19 M. Benaroch and R. J. Kauffman, ‘‘A Case for Using Real Options Pricing Analysis to Evaluate Information Technology Project Investments,’’ Information Systems Research 10:1 (1999), pp. 70 – 86. 20 Ram Kumar, ‘‘Managing Risks in IT Projects: An Options Perspective,’’ Information & Management 40 (2002), pp. 63 – 74.
304 Chapter 10 Funding IT
opportunities for the options model to work. However, the probability of all the assumptions coming true is small.
! FOOD FOR THOUGHT: WHO PAYS FOR THE INTERNET?
There are over 1.4 billion users of the Internet, an estimated 21.9% of the world’s population,21 and not one of them pays a bill to the Internet. Although everyone uses the Internet, the question arises, ‘‘Who pays for the Internet?’’ Most of us use the Internet every day, and although the ads we may be forced to watch on the pages we seek are annoying, they do not pay for the Internet. Individuals pay a service provider, such as a telephone company or cable provider, to access the Internet, but the service provider is like a gatekeeper. That company lets you into the Internet. Likewise, many of the content providers fund their own Web sites and applications either through standard business practices, such as marketing budgets or allocation methods to sponsoring departments. But that doesn’t pay for the Internet either.
There is no ‘‘Internet Incorporated’’ who runs and pays for the Internet. There are a number of organizations who have responsibilities for portions of the management. For example, the Internet Society (ISOC), a nonprofit, nongovernment organization with thousands of members from all over the world make up ISOC member organizations and address issues of how to generate progress and growth. The Internet Engineering Task Force (IETF), a large open international community of network designers, vendors, and researchers, is concerned with the evolution of the Internet architecture and operation. The Internet Corporation for Assigned Names and Number (ICANN) coordinates the technical elements of the Domain Name System (DNS) and works with numerous private companies who help users get their own domain name. There are numerous other organizations in this mix who oversee standards, domain names, and architecture.
So who pays for the Internet? The U.S. federal government, through the National Science Foundation (NSF), subsidizes a portion of the Internet to provide a communications and collaboration backbone for science, engineering. and education. Academic institutions and commercial businesses bear some of the cost by making a connection available to employees, students, and customers. Service providers pay for computers and networks that are linked together over backbone networks. When commercial ventures pay for the computers that house their Web sites, they are paying for the Internet. Users pay their access fees to service providers, so in a sense, part of the cost is passed on to the actual users themselves.
So the Internet is actually paid for by everyone who uses it. It is the ultimate peer-to-peer network. Costs are covered by those who pay for the computers that
21 www.internetworldstats.com/stats.htm (accessed on August 8, 2008).
Summary 305
host the applications, by provider charges for network usage, and through taxes that then in turn fund the NSF. It’s interesting to note that although most think that the Internet is free, it’s actually not free. But the costs are covered in various innovative ways.
! SUMMARY • IT is funded using one of three methods: chargeback, allocation, or corporate
budget. • Chargeback systems are viewed as the most equitable method of IT cost recovery
because costs are distributed based on usage. Creating an accounting system to record the information necessary to do a chargeback system can be expensive and time consuming and usually has no other useful application.
• Allocation systems provide a simpler method to recover costs, because they do not involve recording system usage to allocate costs. However, allocation systems can sometimes penalize groups with low usage.
• Corporate budgeting systems do not allocate costs at all. Instead, the CIO seeks and receives a budget from the corporate overhead account. This method of funding IT does not require any usage recordkeeping, but is also most likely to be abused if the users perceive ‘‘it is free.’’
• Total cost of ownership is a technique to understand all the costs, beyond the initial investment costs, associated with owning and operating an information system. It is most useful as a tool to help evaluate which infrastructure components to choose and to help understand how infrastructure costs occur.
• Activity-based costing is another technique to group costs into a meaningful bucket. Costs are accounted for based on the activity, or product or service, they support. ABC is useful for allocating large overhead expenses.
• The portfolio of IT investments must be carefully evaluated and managed. • ROI is difficult, at best, to calculate for IT investments because the benefits are
often not tangible. The benefits might be difficult to quantify, difficult to observe, or long range in scope.
• Popular metrics for IT investments measure quality of information outputs, IT contributions to a firm’s financial performance, operational efficiency, management/user attitudes, and the adequacy of systems development practices.
• A business case is a tool used to support a decision or a proposal of a new investment. It is a document containing a project description, financial analysis, marketing analysis, and all other relevant documentation to assist managers in making a go/no-go decision.
• Benefits articulated in a business case can be categorized as observable, mea- surable, quantifiable, and financial. These benefits are often for innovations, improvements, or cessation.
• Monitoring and communicating the status and benefits of IT is often done through the use of balanced scorecards and IT dashboards.
• Options pricing offers a risk-hedging strategy to minimize the negative impact of risk when resolving uncertainty by waiting to see what happens.
306 Chapter 10 Funding IT
! KEY TERMS activity-based costing
(ABC) (p. 282) allocation funding method
(p. 280) business case (p. 287) balanced scorecard
(p. 296) chargeback funding
method (p. 279)
corporate budget funding method (p. 281)
dashboard (p. 299) economic value added
(EVA) (p. 294) IT portfolio management
(p. 291) net present value (NPV)
(p. 294)
options pricing (p. 301) return on investment
(ROI) (p. 294) total cost of ownership
(TCO) (p. 283)
! DISCUSSION QUESTIONS 1. Under what conditions would you recommend using each of these funding methods: allocation, chargeback, and corporate budgeting?
2. Describe the conditions under which ROI, payback period, NPV, and EVA are most appropriately applied.
3. A new inventory management system for ABC Company could be developed at a cost of $250,000. The estimated net operating costs and estimated net benefits over six years of operation would be:
Year Estimated Net Operating Costs Estimated Net Benefits
0 $250,000 $ 0 1 7,000 52,000 2 9,400 68,000 3 11,000 82,000 4 14,000 115,000 5 15,000 120,000 6 16,000 120,000
a. What would the payback period be for this investment? Would it be a good or bad investment? Why? b. What is the ROI for this investment? c. Assuming a 15% discount rate, what is this investment’s NPV?
4. Would you suggest using options pricing on the investment described in Question 3? Why or why not?
5. Compare and contrast the IT scorecard and dashboard approaches.
6. TCO is one way to account for costs associated with a specific infrastructure. This method does not include additional costs such as disposal costs — the cost to get rid of the system when it is no longer of use. What other additional costs might be of importance in making total cost calculations?
Case Study 307
CASE STUDY 10-1
TROON GOLF
Troon Golf, headquartered in Scottsdale, Arizona, is one of the world’s leading luxury-brand golf management and marketing firm with 197 golf courses worldwide in its portfolio. When it saw its IT expenses spiraling out of control, Cary Westmark, its vice president for technology decided to introduce the concept of total cost of ownership. Like most companies, managers had viewed hardware as one-time expense and had failed to recognize the hidden cost of operating and maintaining the hardware. Often support costs increased over the projected life of IT, contributing to unexpected rise in IT expenses. For better planning of IT costs and to develop a funding mechanism for IT projects throughout their planned lives, managers created a strategic replacement program. Under the program, managers calculated total cost by including cost of technical support, user productivity loss, downtime loss, and any associated data quality loss. This allowed Troon management to refresh its aging hardware at the optimal cost level. As a result, its support costs reduced from $800 per month to $300, saving roughly over $50,000.
Discussion Questions
1. Why does the TCO approach allow Troon management to refresh its hardware at the optimal cost level?
2. Why, in your opinion, were IT expenses spiraling out of control before the TCO system? What are examples of the hidden costs of operating and maintaining the hardware?
3. If you were the head of marketing for Troon, what benefit would you receive from Mr. Westmark’s decision to implement TCO?
Source: Adapted from ‘‘Slicing Through IT Costs,’’ Baseline Magazine, March 31, 2008.
CASE STUDY 10-2
VALUING IT
In May 2003, writer Nick Carr lobbed a hand grenade into the IT world. He published an article in Harvard Business Review titled ‘‘IT Doesn’t Matter.’’ In that article, Carr asserted that as information technology’s power and ubiquity grows, its strategic importance diminishes. The influence of infrastructure investments in technology is not felt at the individual company level, but rather in the macroeconomic level, he continued. He compared IT to railroads, viewing it as simply a transport mechanism carrying digital information, just as railroads carried goods. ‘‘Like any transport mechanism, it is far more valuable when shared than when used in isolation. . . . For most business applications today, the benefits of customization would be overwhelmed by the costs of isolation,’’ Carr suggested. There are few opportunities to gain a competitive advantage from IT, Carr suggests. He described a number of companies such as Dell Computer, American Airlines, and Federal Express, who were at the proverbial right place at the right time and who
308 Chapter 10 Funding IT
were able to get a competitive edge by strategic IT applications. But the window for such advantage is closing, and perhaps was only open briefly. Carr continued,
The opportunities for gaining IT based advantage are already dwindling. Best Practices are now quickly built into software or otherwise replicated. And as for IT-spurred industry transformations, most of the ones that are going to happen have likely already happened or are in the process of happening. Industries and markets will continue to evolve, of course, and some will undergo fundamental changes — the future of the music business, for example, continues to be in doubt. But history shows that the power of an infrastructural technology to transform industries always diminishes as its build out nears completion.
Carr believes that companies should no longer seek competitive advantage from IT investments. ‘‘The key to success, for the vast majority of companies, is no longer to seek advantage aggressively but to manage costs and risks meticulously,’’ he concluded.
Discussion Questions
1. Do you agree with Carr that as information technology’s power and ubiquity grows, its strategic importance diminishes? Why or why not?
2. Where do you think the next IT-based strategic advantage may occur? Give an example. 3. Consider the IT portfolio management triangle presented in this chapter. Would Carr’s
arguments hold for all types of IT investments or just for infrastructure investments? Explain.
4. The original article in Harvard Business Review raised a number of questions by senior business managers about their IT investment. As an IT manager, what questions would you anticipate you would have to respond to, and what would be your response?
Source: Adapted from Nicholas Carr, ‘‘IT Doesn’t Matter,’’ Harvard Business Review (May 2003): 41 – 49.
!CHAPTER 11 PROJECT MANAGEMENT1
The Rural Payments Agency (RPA), an agency responsible for administering agricultural subsidies to UK farmers, blamed poor planning and lack of testing of their IT system for delays in paying out £1.5bn of EU subsidies. The UK government developed a complex system for administering the Single Payment Scheme, which maps farmers’ land to a database. By the end of 2006, only 15% of the subsidies had been paid to farmers.
An independent watchdog group investigated the situation and learned that the implementation of the system began before final specifications and regulations were agreed on by the European Commission. The RPA then had to make many substantial changes in the system after implementation. Further, the investigation found that testing did not take into account the real environment, leading to unanticipated work to populate the database in the first place.
Where was the project manager for the project? Despite receiving three ‘‘red’’ warnings from the Office of Government Commerce during reviews, the implementation continued. Time was not built into the schedule for testing the whole system as well as the individual components. The components were not compatible with the business processes they were supposed to support. The cost so far of the project was £122m, which was £46.5m more than estimated. As of the writing of this case the system was still not stable.2
This example highlights the possible financial and social consequences of a failed information systems (IS) project. Such failures occur at an astonishing rate. The Standish Group, a technology research firm, found that 67% of all software projects are challenged — that is, delivered late or over budget or simply fail to meet their performance criteria.3 Business projects increasingly rely on IS to attain their objectives, especially with the increased focus to do business on the Internet. Thus, managing a business project means managing, often to a large degree, an
1 The authors wish to acknowledge and thank W. Thomas Cannon, MBA 1999, for his help in researching and writing early drafts of this chapter. 2 Adapted from http://www.silicon.com/publicsector/0,3800010403,39168359,00.htm (accessed on July 28 2008). 3 The information from the Standish Group CHAOS Report for 2006 was quoted in C. Sauer, A. Gemino, and B. H. Reich, ‘‘The Impact of Size and Volatility on IT Project Performance,’’ Communications of the ACM 50, no. 11 (November 2007), 79 – 84.
309
310 Chapter 11 Project Management
information systems project. To succeed, a general manager must be a project manager and must learn how to manage this type of risk.
In the current business environment, the quality that differentiates firms in the marketplace — and destines them for success or failure — is often the ability to adapt existing business processes and systems to new, innovative ideas faster than the competition. The process of continual adaptation to the changing marketplace drives the need for business change and thus for successful project management. Typical adaptation projects include the following elements:
• Rightsizing the organization • Reengineering business processes • Adopting more comprehensive, integrative processes Projects comprise a set of one-time activities that can transform the current
situation into the desired new one. Firms seek to compete through new products and processes, but the work of initially building or radically changing them falls outside the scope of normal business operations. That is where projects come in. When work can only be accomplished through methods that fundamentally differ from those employed to run daily operations, the skilled project manager plays a crucial role.
Successful business strategy requires executive management to decide which objectives can be met through normal daily operations and which require special- ized project management. Virtually all projects involve both information technology (IT) and information flow components Many projects involve the Internet, using Web applications in the systems design. Rapidly changing business situations make it difficult to keep the IT elements aligned with business strategy. Furthermore, the complexity of IT-intensive projects has increased over the years, magnifying the risk that the finished product or process will no longer satisfy the needs of the business originally targeted to benefit from the project in the first place. Thus, learning to manage projects successfully, especially the IT component of the projects, is a crucial competency for every manager. Executive management no longer has an option but to consider skilled IT project management as fundamental to business success.
This chapter provides an overview of what a project is and how to manage one. It begins with a more general discussion of project management, then continues with aspects of IT-intensive projects that make them uniquely challenging. Finally, it identifies the issues that shape the role of the general manager in such projects and help them to manage risk.
! WHAT DEFINES A PROJECT?
In varying degrees, organizations combine two types of work — projects and operations — to transform resources into profits. Both types require people and a flow of resources. The flight of an airplane from its point of departure to its destination is an operation that requires a pilot and crew, the use of an airplane,
What Defines a Project? 311
Characteristics Operations Projects
Labor skills Low High Training time Low High Worker autonomy Low High Compensation system Hourly or weekly wage Lump sum for project Material input requirements High degree of certainty Uncertain Supplier ties Longer duration Shorter duration
More formal Less formal Raw materials inventory Large Small Scheduling complexity Lower Higher Quality control Formal Informal Information flows Less important Very important Worker-mgmt communication Less important Very important Duration On-going Temporary Product or service Repetitive Unique
FIGURE 11.1 Characteristics of operational and project work.
and fuel. The operation is repetitive: After the plane is refueled, it takes new passengers to another destination. The continuous operation the plane creates is a transportation service. However, developing the design for such a plane is a project that may require years of work by many people. When the design is completed, the work ends. Figure 11.1 compares characteristics of both project and operational work. The last two characteristics are distinctive and form the basis for the following formal definition:
[A] project is a temporary endeavor undertaken to create a unique product or service. Temporary means that every project has a definite beginning and a definite end. Unique means that the product or service is different in some distinguishing way from all similar products or services.4
To organize the work facing a project team, the project manager may break a project into subprojects. He or she then organizes these subprojects around distinct activities, such as quality control testing. This organizing method allows the project manager to contract certain kinds of work externally to limit costs or other drains on crucial project resources. At the macro level, a general manager may choose to organize various projects as elements of a larger program, if doing so creates efficiencies. Such programs then provide a framework from which to manage competing resource requirements and shifting priorities among a set of projects.
4 Project Management Institute Standards Committee, A Guide to the Project Management Body of Knowledge (Project Management Institute, 1996).
312 Chapter 11 Project Management
! WHAT IS PROJECT MANAGEMENT?
Project management is the ‘‘application of knowledge, skills, tools, and tech- niques to project activities in order to meet or exceed stakeholder needs and expectation from a project.’’5 Project management always involves continual trade-offs, and it is the manager’s job to manage them. Even the tragic sinking of the Titanic has been attributed, in part, to project trade-offs. The company that built the Titanic, Harland and Wolff of Belfast, Northern Ireland, had difficulty finding the millions of rivets it needed for the three ships it was building at the same time. Under time and cost pressures to build these ships, the company managers decided to sacrifice quality by purchasing low-grade rivets that were used on some parts of the Titanic. When making the trade-offs, it was unlikely that the company’s management knew that they were purchasing something so substandard that their ship would sink if it hit an iceberg. Nonetheless, the trade-off proved disastrous.6
Trade-offs can be subsumed in the project triangle (see Figure 11.2), which highlights the importance of balancing scope, time, and cost. Scope may be divided into product scope (the detailed description of the product’s quality, features, and functions), and project scope (the work required to deliver a product or service with the intended product scope). Time refers to the time required to complete the project, whereas cost encompasses all the resources required to carry out the project. In the tragic case of the Titanic, the managers were willing to trade off quality for lower-cost rivets that allowed them to build all three ships (scope) in a more timely fashion (time). In contrast, a successful balance of scope, time, and cost yields a high-quality project — one in which the needs and expectations of the users are met. The tricky part of project management is successfully juggling these three elements while on a high wire, which amounts to shifting the triangle’s base to keep it in balance. Changes in any one of the sides of the triangle affect one or both of the other sides. For example, if the project scope increases, more time and/or more resources (cost) are needed to do the additional work. This increase in scope after a project has begun is aptly called scope creep. In most projects only
Time Cost
Scope
QUALITY
FIGURE 11.2 Project triangle.
5 Ibid. 6 This research was described in J. H. McCarty and T. Foecke, What Really Sank the Titanic, 2007 and is based on J. H. McCarty’s dissertation.
What is Project Management? 313
two of these elements can be optimized, and the third must be adjusted to maintain balance. For example, a project with a fixed budget and fixed deadline may need to restrict scope. Likewise, a project that must be completed in a short period of time, with a large scope, may need flexibility in budget to obtain the resources necessary to meet the goal. It is important that the project stakeholders decide on the overriding ‘‘key success factor’’ (i.e., time, cost, or scope), though the project manager has the important responsibility of demonstrating to the stakeholders the impact on the project of selecting any of these. In the RPA case at the beginning of this chapter, scope was the key success factor, which failed to be managed appropriately, ultimately resulting in a much longer time and much higher cost.
But the key success factor is only one metric to use when managing a project. Stakeholders are concerned about all facets of the project. Measuring and tracking progress is often done by tracking time (How are we doing compared to the schedule?), cost (How are we doing compared to the budget?), scope (Does the scope continue to be reasonable?), as well as resources (How much of our resources have we consumed so far?), quality (Is the quality of the output/deliverables at the level required for success?), and risks (How are we doing managing the risk associated with this project?).
The project manager’s role is to effectively and efficiently manage the activities necessary to complete the project juggling competing demands. Typical activities include the following:
• Ensuring progress of the project according to defined metrics • Identifying risks and assessing their probability of occurrence • Ensuring progress toward deliverables within constraints of time and
resources • Running coordination meetings of the project team • Negotiating for resources on behalf of the project in light of its scope
When a general manager oversees more than one project, his or her role can vary on each project. For example, the manager may be the customer for any given project, as well as the source of its resources. These dual roles can make it easier for the general manager to ensure attention to both a project’s risks and its business value.
Business projects are often initiated because of a successful business case. A successful project begins with a well-written business case that spells out the components of the project. The business case clearly articulates the details of the project and argues for resources for the project, For example, UPS prioritizes projects on the strength of their business cases and financial metrics. They also make nonfinancial considerations such as weighing international projects more heavily to spur the company’s growth. The components of a business case and the financial metrics are discussed in Chapter 10.7
7 UPS IT Governance: The Key to Aligning Technology Initiatives with Business Direction, http://www.pressroom.ups.com (accessed July 22, 2008).
314 Chapter 11 Project Management
The process used to develop the business case sets the foundation for the project itself. Therefore detailed planning, along with contingency planning, is an important part of project management. It is often in the planning phase that implementation issues, areas of concern, and gaps are first identified. Further, a strong business plan gives all the project team a reference document to help guide decisions and activities.
Project management software is often used to manage projects and keep track of key metrics. Programs such as Microsoft Project, Intuit Quickbase, and many others keep track of team members, deliverables, schedules, budgets, priorities, tasks, and other resources. Many of these programs provide a dashboard of key metrics to help project managers quickly identify areas of concern or potentially critical issues that need attention.
! PROJECT ELEMENTS
Project work requires in-depth situational analyses and the organization of complex activities into often coincident sequences of discrete tasks. The outcomes of each activity must be tested and integrated into the larger process to produce the desired result. The number of variables affecting the performance of such work is potentially enormous.
Four elements essential for any project include (1) a common project vocabu- lary, (2) teamwork, (3) a project cycle plan, and (4) project management. A common project vocabulary allows all those involved with the project to understand the project and communicate effectively. Teamwork ensures that all parts of the project come together correctly and efficiently. The plan represents the methodology and schedule to be used by the team to execute the project. Finally, management is necessary to make sure the entire project is executed appropriately and coordi- nated properly. As a result of good project management, the project scope can be realistically defined, and the project can be completed on time and within budget.
It is essential to understand the interrelationships among these elements and with the project itself. Both a commitment to teamwork and a common project vocabulary must permeate the management of a project throughout its life. The project plan consists of the sequential steps of organizing and tracking the work of the team. Finally, project management itself comprises a set of tools to balance competing demands for resources and ensure the completion of work at each step and as situational elements evolve through the project plan.
Common Project Vocabulary The typical project teams include a variety of members from different backgrounds and different parts of the organization. Often the team is made up of consultants who are new to the organization, a growing number of technical specialists, and business members. Each area of expertise represented by team members uses a different technical vocabulary. When used together in the team context, these different vocabularies make it difficult to carry on conversations, meetings, and
Project Elements 315
correspondence. For example, a market research analyst and software analyst may use words unique to their specialty or attach different meanings to the same words. To avoid misunderstandings, project team members should commit to a consistent meaning for terms used on their project. After agreeing on definitions and common meanings, the project team should record and explain the terms in its own common project vocabulary. The common project vocabulary includes many terms and meanings that are unfamiliar to the general manager and the team’s other business members. To improve their communications with general managers, users, and other nontechnical people, technical people should limit their use of acronyms and cryptic words and should strive to place only the most critical ones in the common project vocabulary.
Teamwork Business teams often fail because members don’t understand the nature of the work required to make their team effective. Teamwork begins by clearly defining the team’s objectives and each member’s role in achieving these objectives. Teams need to have a common standard of conduct, shared rewards, a shared understanding of roles, and team spirit. Project managers should leverage team member skills, knowledge, experiences, and capabilities when assigning the team members to complete specific activities on an as-needed basis. In addition to their completing team activities, team members also represent their departments and transmit information about their department to other team members. Such information sharing constitutes the first step toward building consensus on critical project issues that affect the entire organization. Thus, effective project managers use teamwork both to organize and apply human resources and to collect and share information throughout the organization.
Project Cycle Plan The project cycle plan organizes discrete project activities and sequences them in steps along a timeline so that the project delivers according to the requirements of customers and stakeholders. It identifies critical beginning and end dates and breaks the work spanning these dates into phases. Using the plan, the time and resources needed to complete the work based on the project’s scope are identified, and tasks are assigned to team members. The general manager tracks the phases to coordinate the eventual transition from project to operational status, a process that culminates on the ‘‘go live’’ date. The project manager uses the phases to control the progress of work. He or she may establish control gates at various points along the way to verify that project work to date has met key requirements regarding cost, quality, and features. If it has not met these requirements, he or she can make corrections to the project plan and adjust the cycle as necessary.
The project cycle plan can be developed using various approaches and software tools. The three most common approaches are the project evaluation and review technique (PERT), critical path method (CPM), and Gantt chart. PERT identifies the tasks within the project, orders the tasks in a time sequence, identifies their
316 Chapter 11 Project Management
interdependencies, and estimates the time required to complete the task. Tasks that must be performed individually and that, together, account for the total elapsed time of the project are considered to be critical tasks. Noncritical tasks are those for which some slack time can be built into the schedules without affecting the duration of the entire project. A PERT chart is shown in Figure 11.3.
CPM is a project planning and scheduling tool that is similar to PERT. Unlike PERT, CPM incorporates a capability for identifying relationships between costs and the completion date of a project, as well as the amount and value of resources that must be applied in alternative situations. The two approaches differ in terms of time estimates. PERT builds on broad estimates about the time needed to complete project tasks. It calculates the optimistic, most probable, and pessimistic time estimates for each task. In contrast, CPM assumes that all time requirements for completion of individual tasks are relatively predictable. Because of these differences, CPM tends to be used on projects for which direct relationships can be established between time and resources (costs).
Gantt charts are a commonly used visual tool for displaying time relationships of project tasks and for monitoring the progress toward project completion. Gantt charts list project tasks. For each task, a bar indicates the relative amount of time expected to complete the task. Milestones (i.e., due dates) are noted with diamonds. At the start of the project, Gantt charts are useful for planning purposes. As the project progresses, the chart is modified to reflect the extent to which each task is completed at the time the project is monitored. A Gantt chart is displayed in Figure 11.4.
Figure 11.5 compares a generic project cycle plan with one for a typical high-tech commercial business and with one for an investigative task force. Notice that although each of these plans has unique phases, all can loosely be described by three periods (shown at the top of the diagram): requirements period, development period, and production/distribution period.
Elements of Project Management The nine elements described in this section represent management skills that can be organized into a toolbox of sorts. Each element addresses a specific factor that affects a project’s chances of success. The challenge facing a project manager is to learn and apply the techniques properly in the situations that require them. The elements include (1) identification of requirements, (2) organizational integration, (3) team management, (4) risk and opportunity management, (5) project control, (6) project visibility, (7) project status, (8) corrective action, and (9) project leadership. Figure 11.6 summarizes these elements, the rationale behind the element, and how a project manager would attend to that element.
The leadership of a project guides the other eight elements. Lack of leadership can result in unmotivated people doing the wrong things and ultimately derailing the project. Strong project leaders skillfully manage team composition, reward sys- tems, and other techniques to focus, align, and motivate team members. Figure 11.7 reflects the inverse relationship between the magnitude of the project leader’s role
1In iti
at io
n ph
as e
be gi
ns
0 da
ys
1/ 15
/0 3
1/ 15
/0 3
A pp
ro va
l m ee
tin g
1
1 da
y
2/ 5/
03 2/
5/ 03
5
B ac
kg ro
un d
re ad
in g
12 d
ay s
1/ 15
/0 3
1/ 30
/0 3
2 C on
du ct
fe as
ib ilit
y st
ud y
10 d
ay s
1/ 15
/0 3
1/ 28
/0 3
3 Ta lk
w ith
s el
ec t g
ro up
of
c us
to m
er s 1
5 da
ys
1/ 15
/0 3
2/ 4/
03
4
R eq
ui re
m en
ts d
ef in
iti on
ph
as e
be gi
ns
0 da
ys
2/ 5/
03 2/
5/ 03
6
P ro
bl em
d ef
in iti
on
3 da
ys
2/ 6/
03 2/
10 /0
3
7 N ee
ds a
ss es
sm en
t
5 da
ys
2/ 6/
03 2/
12 /0
3
8
A pp
ro va
l m ee
tin g
2
1 da
y
2/ 13
/0 3
2/ 13
/0 3
9 Fu nc
tio na
l d es
ig n
ph
as e
be gi
ns
5 da
ys
2/ 6/
03 2/
12 /0
3
8
D ev
el op
s pe
ci fic
at io
ns
14 d
ay s
2/ 14
/0 3
3/ 5/
03
11 C on
ce pt
ua l s
ys te
m
de si
gn 5
da ys
3/ 6/
03 3/
12 /0
3
12 A pp
ro va
l m ee
tin g
3
1 da
y
3/ 13
/0 3
3/ 13
/0 3
13 ID
N am
e D ur
at io
n
S ta
rt Fi
ni sh
C rit
ic al
N on
cr iti
ca l
N on
cr iti
ca l M
ile st
on e
C rit
ic al
M ile
st on
e
Ke y
FI G
U RE
11 .3
P E
R T
ch ar
t.
317
ID 1 2 3 4 5 6 7 8 9 10 11 12 13
Ta sk
N am
e
In it
ia ti
on P
ha se
B eg
in s
B ac
kg ro
un d
re ad
in g
C on
du ct
fe as
ib ili
ty s
tu dy
Ta lk
w it
h se
le ct
g ro
up o
f c us
to m
er s
A pp
ro va
l m ee
ti ng
1
R eq
ui re
m en
ts d
ef in
it io
n ph
as e
B
P ro
bl em
d ef
in it
io n
N ee
ds a
ss es
sm en
t
A pp
ro va
l M ee
ti ng
2
F un
ct io
na l d
es ig
n ph
as e
be gi
ns
D ev
el op
s pe
ci fi
ca ti
on s
C on
ce pt
ua l s
ys te
m d
es ig
n
A pp
ro va
l m ee
ti ng
3
D ur
at io
n
0 da
ys
12 d
ay s
10 d
ay s
15 d
ay s
1 da
y
0 da
ys
3 da
ys
5 da
ys
1 da
y
0 da
ys
14 d
ay s
5 da
ys
1 da
y
15 18
21 24
27 30
2 5
8 11
14 17
20 23
26 1
4 7
10
1/ 15
2/ 5
2/ 13
F eb
ru ar
y M
ar ch
Ta sk
Sp lit
P ro
gr es
s M
ile st
on e
FI G
U RE
11 .4
G an
tt ch
ar t.
318
IT Projects 319
Requirements Definition Period
Deployment/ Dissemination PeriodProduction Period
Investigation Task Force
Typical High Tech Commercial Business
User requirement definition
Research concept definition
Information use specification
Collection planning phase
Collection and analysis phase
Draft report phase
Publication phase
Distribution phase
Product requirements phase
Product definition phase
Product proposal phase
Product develop- ment phase
Engineer model phase
Internal test phase
External test phase
Production phase
Manufacturing sales & support phase
Generic Project Cycle Template
User require- ment definition phase
Concept definition phase
System specifi- cation phase
Acqui- sition planning phase
Source selection phase
Development phase
Verification phase
Deploy- ment or produc- tion phase
Operations/ maintenance or sales/ support phase
Deacti- vate phase
FIGURE 11.5 Project cycle template. Source: Adapted from K. Forsberg, H. Mooz, and H. Cotterman, Visualizing Project Management (Hoboken, NJ: John Wiley & Sons, 1996). Used with permission.
and the experience and commitment of the team. In organizations with strong processes for project management and professionals trained for this activity, the need for aggressive project leadership is reduced. However, strong project leaders are needed to help the organization develop project competency to begin with.
! IT PROJECTS
IT projects are a specific type of business project. Much research has been done to observe, understand, and help managers increase chances of success of IT projects. One of the sayings in the industry is that there is no such thing as an IT project; all projects are really business projects involving varying degrees of IT. Sometimes, managing the IT component of a project is referred to separately as an IT project, not only for simplicity, but also because the business world perceives that managing an IT project is somehow different from managing any other type of project. However, projects done by the IT department typically include an associated business case; and even though the project owner may be an IT person, mounting evidence indicates that IT projects are just business projects involving significant amounts of technology. The more complex the IT aspect of the project, the higher is the risk of failure of the project.
IT projects are difficult to estimate, despite the increasing amount of attention given to mastering this task. Like the case of the RPA’s Single Payment Scheme most software projects fail to meet their schedules and budgets. Managers attribute
320 Chapter 11 Project Management
Element Description Rationale Major Focus
Identification of Requirements
The items to be delivered by the project.
Mismanagement of requirements and scope is a primary cause of failure.
Formulative
Organizational Integration
The structure of the team, including reporting relationships and reward systems.
Structure around key activities, people, and resources helps manage the process.
Formulative
Team Management
The team assigned to work on the project.
Teams are often newly formed around projects and can include contrac- tors and vendors.
Formulative
Risk and Opportunity Management
The potentially derailing events, the probability of occurrence, and the potential impact.
Planning provides road map and contingencies to guide project process.
Proactive
Project Control The systems used to mea- sure the project’s status, outcomes, and exceptions.
Controls identify whether project is proceeding appropriately.
Proactive
Project Visibility
The techniques used to manage commu- nication among team members and with other stakeholders.
Communication keeps all stakeholders informed.
Proactive
Project Status The measure of the project’s performance against the plan to iden- tify needed adjustments.
Hard metrics, measures and variances provide support for manage- rial intuition of project’s progress.
Variance Control
Corrective Action
The activities to place the project back on track after a variation from the plan is detected.
Innovative actions may be needed to get project back on track.
Reactive
Project Leadership
The management qual- ity that binds the other elements together.
Management creates team energy and incen- tive to complete project plan.
Motivate
FIGURE 11.6 Elements of project management. Source: K. Forsberg, H. Mooz, and H. Cotterman, Visualizing Project Management (Hoboken, NJ: John Wiley & Sons, 1996). Used with permission.
IT Projects 321
More leadership needed
Less leadership needed
No PM process exists Team is new to PM process Team does not value process
PM process exists Team is fully trained in process Team values process
Project leadership
PM process
FIGURE 11.7 Project leadership vs. project management (PM) process.
that failure to poor estimating techniques, poorly monitored progress protocols, and the idea that schedule slippage can be solved by simply adding additional people.8 Not only does this assume that people and months are interchangeable, but also if the project is off schedule, it may be that the project was incorrectly designed in the first place, and putting additional people on the project just hastens the process to an inappropriate end.
Many projects are measured in ‘‘man-months,’’ the most common unit for discussing the size of a project. For example, a project that takes 100 man-months means that it will take one person 100 months to do the work, or 100 people can do it in a month. A recent study found that managing projects using the man-months metric was linked to more underperforming projects than managing projects using any other metric of size (i.e., budget, duration, team size).9 Man-months may be a poor metric for project management because some projects cannot be sped up with additional people. An analogy is that of pregnancy. It takes one woman nine months to carry a baby, and putting nine people on the job for one month cannot speed up the process. Software systems often involve highly interactive, complex sets of tasks that rely on each other to make a completed system. In some cases additional people can speed up the process, but most projects cannot be made more efficient simply by adding labor. Often, adding people to a late project only makes the project later.10
Measuring how well the system meets specifications and business requirements laid out in the project scope is more complex. Metrics for functionality are typically divided along lines of business functionality and system functionality. The first set of measures are those derived specifically from the requirements and business needs
8 Frederick Brooks, The Mythical Man-Month: Essays on Software Engineering (Reading, MA: Addison-Wesley, 1982). 9 Sauer et al., ‘‘The Impact of Size and Volatility on IT Project Performance.’’ 10 Brooks, The Mythical Man-Month.
322 Chapter 11 Project Management
that generated the project, such as automating the order entry process or building a knowledge management system for product design. In examples such as these, a set of metrics can be derived to measure whether the system meets expectations. However, other aspects of functionality, related to the system itself, are also impor- tant to measure. An example is usability, or how well individuals can and do use the system. Sample measures might be the number of users who use the system, their satisfaction with the system, the time it takes them to learn the system, the speed of performance, and the rate of errors made by users. Another common metric is system reliability. For example, one might measure the amount of time the system is up (or running) and the amount of time the system is down (or not running).
! IT PROJECT DEVELOPMENT METHODOLOGIES
The choice of development methodologies and managerial influences also distin- guish IT projects from other projects. The general manager needs to understand the issues specific to the IT aspects of projects to select the right management tools for the particular challenges presented in such projects. Traditionally IT professionals use four main methodologies to manage the technology projects. Of those methods, systems development life cycle (SDLC) is a popular method for developing information systems. Other traditional methods are prototyping, rapid applications development (RAD), and joint applications development (JAD).
Systems Development Life Cycle Systems development is the set of activities used to create an IS. The SDLC typically refers to the process of designing and delivering the entire system. Although the system includes the hardware, software, networking, and data (as discussed in Chapter 6), the SDLC generally is used in one of two distinct ways. On the one hand, SDLC is the general project plan of all the activities that must take place for the entire system to be put into operation, including the analysis and feasibility study, the development or acquisition of components, the implementation activities, the maintenance activities, and the retirement activities. In the context of an information system, however, SDLC can refer to a highly structured, disciplined, and formal process for design and development of system software. In either view, the SDLC is grounded on the systems approach and allows the developer to focus on system goals and trade-offs.
SDLC refers to a process in which the phases of the project are well documented, milestones are clearly identified, and all individuals involved in the project fully understand what exactly the project consists of and when deliverables are to be made. This approach is much more structured than other development approaches, such as prototyping, RAD, or JAD. However, despite being a highly structured approach, no single well-accepted SDLC process exists.
For any specific organization, and for a specific project, the actual tasks under each phase may vary. In addition, the checkpoints, metrics, and documentation may vary somewhat. SDLC typically consists of seven phases (see Figure 11.8).
IT Project Development Methodologies 323
Phase Description Sample Activities
Initiation and feasibility
Project is begun with a formal initiation and overall project is understood by IS and user/ customers.
Document project objectives, scope, benefits, assumptions, constraints, estimated costs and schedule, and user commitment mechanisms.
Requirements definition
The system specifications are identified and documented.
Define business functionality; review existing systems; identify current problems and issues; identify and prioritize user requirements; identify potential solutions; develop user accep- tance plan, user documentation needs, and user training strategy.
Functional design
The system is designed. Complete a detailed analysis of new system including entity-relationship diagrams, data-flow diagrams, and functional design diagrams; define security needs; revise system architecture; identify standards, define systems acceptance criteria; define test scenarios; revise implementation strategy; freeze design.
Technical design and con- struction
The system is built. Finalize architecture, technical issues, standards and data needs; complete technical definition of data access, programming flows, interfaces, special needs, inter-system processing, conversion strategy, and test plans; construct system; revise schedule, plan, and costs, as necessary.
Verification The system is reviewed to make sure it meets specifications and requirements.
Finalize verification testing, stress testing, user testing, security testing, error handling procedures designed, end-user training, documentation and support.
Implementation The system is brought up for use.
Put system into production envi- ronment; establish security proce- dures; deliver user documentation; execute training and complete monitoring of system.
Maintenance and review
The system is maintained and repaired as needed throughout its lifetime.
Conduct user review and evaluation, and internal review and evaluation; check metrics to ensure usability, reliability, utility, cost, satisfaction, business value, etc.
FIGURE 11.8 Systems development life cycle (SDLC) phases.
324 Chapter 11 Project Management
Each phase is carefully planned and documented. The first phase, project ini- tiation, is where it is first considered and scoped. Approval is acquired before proceeding to the second phase, after it is determined that the project is techni- cally, operationally, and financially feasible. The second phase is the requirements definition phase, where the problem is defined and needs and prerequisites are assessed and documented. Often the requirements are determined by studying the existing systems. Again, approval is obtained before proceeding. The third phase involves the functional design, at which point the specifications are discussed and documented.
The system is designed in conceptual terms. Approval is obtained on the functional specifications before technical design is begun. At phase four, functional specifications are translated into a technical design, and construction takes place. Here the system is actually built. If the system is acquired, it is at this point customized as needed for the business environment. Following construction is the verification phase, where the system is tested to ensure usability, security, operability, and that it meets the specifications for which it is designed. Multiple levels of testing are performed in this phase: unit testing, pairs testing, system testing, and acceptance testing.
After acceptance testing, project sign-off and approval signal that the system is acceptable to the users, and implementation, the sixth phase, begins. This phase is the ‘‘cutover’’ where the new system is put in operation and all links are established. Cutover may be performed in several ways: The old system may run alongside the new system (parallel conversion), the old system may stop running as soon as the new system is installed (direct cutover), or the new system may be installed in stages across locations, or in phases. The safest way to convert from an old system to a new system is parallel conversion because if the new system fails, users easily can revert to the old system. The riskiest approach is direct cutover because there is no backup system to turn to in the event of problems with the new system. Usually direct cutover is reserved from smaller, less-critical systems or for systems that were not previously available. Another instance when direct cutover was a good idea was Dagen H (Högertrafik day) on September 3, 1967, when Swedish drivers were to change from driving on the left-hand to the right-hand side of the road. On Dagen H, all vehicles on the road had to come to a complete stop at 04:50, then carefully change to the right-hand side of the road and stop again before being allowed to proceed at 05:00.11
Finally, the system enters the maintenance and review phase, where an evaluation is conducted to ensure the system continues to meet the needs for which it was designed. The system development project is evaluated using post-project feedback (sometimes called post-implementation audit) from all involved in the project. Feedback can be in the form of a formal survey or interview, a team debrief meeting, or informal solicitation through e-mail or Web-based social networking site. Post-project feedback brings closure to the project by identifying what went
11 Dagen H, wikipedia, http://en.wikipedia.org/wiki/Dagen H
IT Project Development Methodologies 325
right and what could be done better next time. Maintenance and enhancements are conducted on the system until it is decided that a new system should be developed and the SDLC begins anew. The maintenance and review phase is typically the longest phase of the life cycle.
Prototyping Several problems arise with using traditional SDLC methodology for current IT projects. First, many systems projects fail to meet objectives, even with the structure of SDLC. The primary reason is often because the skills needed to estimate costs and schedules are difficult to obtain, and each project is often so unique that previous experience may not provide the skills needed for the current project. Second, even though objectives that were specified for the system were met, those objectives may reflect a scope that is too broad or too narrow. Thus, the problem the system was designed to solve may still exist, or the opportunity that it was to capitalize on may not be appropriately leveraged. Third, organizations need to respond quickly because of the dynamic nature of the business environment. Not enough time is available to adequately do each step of the SDLC for each IT project. Therefore, three other methodologies have become popular: prototyping, RAD, and JAD. These methodologies all use an iterative approach, as shown in Figure 11.9.
Prototyping is a type of evolutionary development, the method of building systems where developers get the general idea of what is needed by the users, and then build a fast, high-level version of the system as the beginning of the project. The idea of prototyping is to quickly get a version of the software in the hands of the users and to jointly evolve the system through a series of iterative cycles of
System Concept
Version “1”
Version “2”
Version “N”
FIGURE 11.9 Iterative approach to systems development.
326 Chapter 11 Project Management
design. In this way, the system is done either when the users are happy with the design or when the system is proven impossible, too costly, or too complex. Some IS groups use prototyping as a methodology by itself because users are involved in the development much more closely than is possible with the traditional SDLC process. Users see the day-to-day growth of the system and contribute frequently to the development process. Through this iterative process, the system requirements usually are made clear.
The drawbacks to this methodology are, first, documentation may be more difficult to write. Because the system evolves, it takes much more discipline to ensure the documentation is adequate. Second, because users see the prototype develop, they often do not understand that a final prototype may not be scalable to an operational version of the system without additional costs and organizational commitments. Once users see a working model, they assume the work is also almost done, which is not usually the case. An operational version of the system needs to be developed. However, an operational version may be difficult to complete because the user is unwilling to give up a system that is up and running, and they often have unrealistic expectations about the amount of work involved in creating an operational version. This reluctance leads to the fourth drawback. Because it may be nearly impossible to definitively say when the prototype is done, the prototyping development process may be difficult to manage. Fifth, this approach is not suitable for all systems. It is difficult to integrate across a broad range of requirements, which makes this approach suited for ‘‘quick-and-dirty’’ types of systems. Developers should rely on a more structured approach such as the SDLC for extremely large and complex systems. Finally, because of the speed of development, system design flaws may be more prevalent in this approach, and the system may be harder to maintain than when the system is developed using the SDLC.
Rapid Applications Development and Joint Applications Development Rapid applications development (RAD) is similar to prototyping in that it is an interactive process, in which tools are used to drastically speed up the development process. RAD systems typically have tools for developing the user interface — called the graphical user interface (GUI) — reusable code, code gen- eration, and programming language testing and debugging. These tools make it easy for the developer to build a library of standard sets of code (sometimes called objects) that can easily be used (and reused) in multiple applications. Similarly, RAD systems typically have the ability to allow the developer to simply ‘‘drag and drop’’ objects into the design, and the RAD system automatically writes the code necessary to include that functionality. Finally, the system includes a set of tools to create, test, and debug the programs written in the pure programming lan- guage. RAD is commonly used for developing user interfaces and rewriting legacy applications. It may incorporate prototyping to involve users early and actively in the design process. Although RAD is an approach that works well in the increas- ingly dynamic environment of systems developers, it does have some drawbacks.
IT Project Development Methodologies 327
Sometimes basic principles of software development (e.g., programming standards, documentation, data-naming standards, backup and recovery) are overlooked in the race to finish the project. Also, the process may be so speedy that requirements are frozen too early.12
Joint applications development (JAD) is a version of RAD or prototyping in which users are more integrally involved, as a group, with the entire development process up to and, in some cases, including coding. JAD uses a group approach to elicit requirements in a complete manner. Interviewing groups of users saves interviewing and data collection time, but it can be expensive in terms of the travel and living expenses needed to get the participants together. A summary of the advantages and disadvantages of the SDLC, prototyping, RAD, and JAD are found in Figure 11.10.
Methodology
SDLC
Prototyping
RAD
JAD
Advantages
• Structured approach with milestones and approvals for each phase • Uses system approach • Focuses on goals and trade-offs • Emphasizes documentation
• Improved user communications • Users like it • Speeds up development process • Good for eliciting system requirements • Provides a tangible model to serve as basis for production version
• Speed of development • Heavy user participation • Use of GUI and other development tools
• Saves interviewing and data collection time • Structured process • Highly collaborative with business
Disadvantages
• Systems often fail to meet objectives • Needed skills are often difficult to obtain • Scope may be defined too broadly or too narrowly • Very time consuming
• Often underdocumented • Not designed to be an operational version • Often creates unrealistic expectations • Difficult-to-manage development process • Integration often difficult • Design flaws more prevalent than in SDLC • Often hard to maintain
• Requirements frozen too early • Basic standards often overlooked
• Expensive • Low use of technology
FIGURE 11.10 Comparison of IT project development methodologies.
12 Joey F. George, ‘‘The Origins of Software: Acquiring Systems at the End of the Century,’’ in R. Zmud (ed.), Framing the Domains of IT Management (Cincinnati, OH: Pinnaflex Education Resources, 2000).
328 Chapter 11 Project Management
Other Development Methodologies One of the dangers that developers face is pretending to follow a predictable development process when they really can’t. In response to this challenge, agile development methodologies are being championed. These include XP (Extreme Programming), Crystal, Scrum, Feature-Driven Development, and Dynamic System Development Method (DSDM). To deal with unpredictability, agile methodologies tend to be people- rather than process-oriented. They adapt to changing requirements by iteratively developing systems in small stages and then testing the new code extensively. The mantra for agile programming is ‘‘Code a little; test a little.’’ Some agile methodologies build on existing methodologies. For example, DSDM is an extension of RAD used in the United Kingdom that draws on the underlying principles of active user interaction, frequent deliveries, and empowered teams. It is based on three types of cycles (i.e., functional model cycle, design and build cycle, and the implementation cycle) that occur (and reoccur) in cycles of between two and six weeks. In contrast is XP, a more prescriptive agile methodology that revolves around 12 practices, including pair programming, test-driven development, simple design, and small releases.13
Object-oriented development is becoming increasingly popular as a way to avoid the pitfalls of procedural methodologies. Object-oriented development, unlike more traditional development using the SDLC, builds on the con- cept of objects. An object encapsulates both the data stored about an entity and the operations that manipulate that data. A program developed using an object orientation is basically a collection of objects. The object orientation makes it easier for developers to think in terms of reusable components. Using existing components can save programming time. Such component-based devel- opment, however, assumes that the components have been saved in a repository and can be retrieved when needed. It also assumes that the components in the programs in newly developed information systems can communicate with one another.
Many good references are available for systems development, but further detail is beyond the scope of this text. The interested general manager is referred to a more detailed systems development text for a deeper understanding of this critical IS process.
! MANAGERIAL INFLUENCES
General managers face a broad range of influences during the development of projects. Many of these technical, organizational, and socioeconomic influences are relatively unique to IT projects.
13 Kent Beck, Extreme Programming Explained: Embrace Change (Reading, MA: Addison Wesley Longman, Inc., 1999).
Managerial Influences 329
Technical Influences Complex technical issues potentially command attention that might be better focused on business and budget issues. General managers who are uncomfort- able with technology often either ignore the issues, delegating entirely to the IS organization, or focus inappropriate attention on managing the technology to counter their fear. The technical aspects of IT projects do require spe- cial attention, but no more than the people, financial, or other resources of the project.
Three software tools used to aid in managing the technical issues are the software development library, an automated audit trail, and software metrics. The software development library is a controlled collection of software, documentation, test data, and associated tools. Programs, utilities, and other software modules are kept here for several reasons. First is integrity. With multiple copies of a piece of software floating around an organization, it is difficult to know which copy is the actual one for the project. The software library keeps the copy that other modules can use to ensure that the correct version is available. Second is reuse. A software library is useful for programmers who need code, but do not know where to find it. The library is the storage area where programmers would look for code they want to reuse in their module. Third is control. Not only does the library ensure that the software is the right one, but it can also make sure that only those authorized to work on the code have access to it.
Another tool, an automated audit trail, allows the team to track each change made to the code. Each step is recorded in such a way as to capture exactly what was done, making it possible to undo if necessary. The ability to trace each step is important should a problem be found. It allows the troubleshooter to retrace and in some cases to regenerate old code to identify where the problem originates. Further, some quality assurance processes require analysis of the generation process, and the audit trail provides that information.
Software metrics are another tool used to manage the technical aspects of the project. The following list serves to identify some of the key terms that a general manager is likely to encounter.
• Source lines of code (SLOC): The number of lines of code in the source file of the software product
• Source statement: The number of statements in the source file • Function points: The functional requirements of the software product,
which can be estimated earlier than total lines of code • Inheritance depth: The number of levels through which values must be
remembered in a software object • Schedule slip: The current scheduled time divided by the original sched-
uled time • Percentage complete: The progress of a software product measured in
terms of days or effort
330 Chapter 11 Project Management
Taken together, these tools can help the team to manage technical aspects of a project in such a way as to maintain a balance with other business aspects.
Managing Organizational and Socioeconomic Influences The general manager must understand and anticipate the influences of organi- zational control systems and culture variables (see Chapter 1 for a discussion of these factors): The control systems used for non-project-based operations usually do not support project management in an efficient manner. For example, financial reporting systems designed for daily transaction-based operations do not fit well with the reporting needs of a project. Knowing daily profit and loss may not be the best metric for managing a project. A better system would link financial and other metrics with the goals of project stakeholders such as project cost or completion progress. A consultant who bills monthly based on the percentage of the project that is complete should be monitored with a financial system that tracks resource costs based on percentage complete. The general manager should strive to align the organizational systems with project goals.
The organizational culture influences the leadership style of the project manager and the communication between team members. When selecting a project manager, cultural factors should be evaluated. For example, a culture that rewards individual achievement over team participation may hinder a project team. Members might hoard information instead of sharing it. A leader who sets the example for the team has the opportunity to either eliminate or reinforce these barriers. Project time and leadership might also be allocated to help the project teamwork through these barriers.
Socioeconomic influences on projects include government and industry stan- dards, globalization, and cultural issues. Trends external to the organization, such as changes in industry standards and regulations, usually affect all projects in varying degrees. An example is the growth of Java as an operating standard for Web-developed applications. This factor greatly affected projects written in other languages. Programmers were increasingly difficult to find, and many of the best and brightest only wanted jobs in the newest language. In certain cases the stan- dards or regulations may not be known, and managing them means including possible scenarios in the risk management program. Globalization trends create the need for projects that span time zones, oceans, and national boundaries, adding to already complex conditions. Cultural influences, such as economic, ethical, and religious factors, affect the relationships between people and between organi- zations. All these factors need to be considered in the project decisions made by the general manager. These influences should not be underestimated — every management text considers them important enough to warrant extensive coverage.
! MANAGING PROJECT RISK
IT projects are often distinguished from many non-IT projects on the basis of their high levels of risk. Although every manager has an innate understanding of
Managing Project Risk 331
what risk is, there is little consensus as to the definition of risk. Risk is perceived as the possibility of additional cost or loss due to the choice of alternative. Some alternatives have a lower associated risk than others. Risk can be quantified by assigning a probability of occurrence and a financial consequence to each alternative. We consider risk to be a function of complexity, clarity, and size.
Complexity The first determinant of risk on an IT project is the complexity level, or the extent of difficulty and interdependent components, of the project. Several factors contribute to greater complexity in IT projects. The first is the sheer pace of technological change. The increasing numbers of products and technologies affecting the marketplace cause rapidly changing views of any firm’s future business situation. For example, introducing a new programming language such as Java creates significantly different ideas in people’s minds about the future direction of Web development. Such uncertainty can make it difficult for project team members to identify and agree on common goals. This fast rate of change also creates new vocabularies to learn as technologies are implemented, which can undermine effective communication.
The development of more complex technologies accelerates the trend toward increased specialization among members of a project team and multiplies the number of interdependencies that must be tracked in project management. Team members must be trained to work on the new technologies. More subprojects must be managed, which, in turn, means developing a corresponding number of interfaces to integrate the pieces (i.e., subprojects) back into a whole.
High complexity played a part in the 2008 failure at Heathrow’s Terminal 5.14 The terminal project involved 180 IT suppliers and over 160 IT systems. There are more than 9,000 devices connected to it along with another 2,100 PCs. The system includes 175 lifts (elevators), 131 escalators, and 18 km of conveyor belts for baggage handling. According to the British Airports authority (BAA), ‘‘It has taken 400,000 man-hours of software engineering just to develop the complex system, and coding is set to continue even after installation begins.’’ The British Airways CIO was quoted as saying that ‘‘even the construction of T5 involved creating a small town with a full telecommunications network for the construction workers, merely to enable the terminal to be built.’’15 But the failure in 2008 resulted in cancelled flights, lost baggage, substantial delays and frustrated customers and employees. According to blogger Michael Krigsman, ‘‘the systems incorporated in T5 severely taxed BA’s planning, testing and deployment capabilities.’’16
Complexity can be determined once the context of the project has been established. Consider the hypothetical case of a manager given six months and
14 Adapted from Michael Krigsman, blogs.zdnet.com/projectfailures/?p=681 (accessed July 28, 2008). 15 CIO UK at www.cio.co.uk/concern/change/news/index.cfm?articleid=2487&pn=2. 16 Michael Krigsman, blogs.zdnet.com/projectfailures/?p=681. August 1, 2008.
332 Chapter 11 Project Management
$500,000 to build a corporate Web site to sell products directly to customers. Questions that might be used to build context for this case include the following:
• How many products will this Web site sell? • Will this site support global, national, regional, or local sales? • How will this sales process interface with the existing customer fulfillment
process? • Does the company possess the technical expertise in-house to build
the site? • What other corporate systems and processes will this project affect? • How and when will these other systems be coordinated?
Clarity A project is more risky if it is hard to define. Clarity is concerned with the ability to define the requirements of the system. A project has low clarity if the users cannot easily state their needs or define what they want from the system. The project also has low clarity if user demands for the system or regulations that guide the structure of the system change considerably over the life of a project. A project with high clarity is one in which the systems requirements do not change and can be easily documented. Purchasing a scheduling software package that applies scheduling rules across a broad range of organizations would be an example of a high-clarity project for most firms.
Size Size also plays a big role in project risk. All other things being equal, big projects are riskier than smaller ones. A project can be considered big if it has the following characteristics:
• Large budget relative to other budgets in the organization • Large number of team members (and hence reflecting a large number of
man-months) • Large number of organizational units involved in the project • Large number of programs/components • Large number of function points or lines of code
It is important to consider the relative size.17 At a small company with an average project budget of $30,000, $90,000 would be a large project. However, to a major corporation that just spent $2 million implementing an ERP, a $90,000 budget would be peanuts.
17 L. Applegate, F. W. McFarlan, and J. L. McKenney, Corporate Information Systems Management: Text and Cases, 5th ed. (Boston: Irwin McGraw-Hill, 1999).
Managing Project Risk 333
Managing Project Risk Level The IS project management literature usually views risk management as a two-stage process: first the risk is assessed and then actions are taken to control it.18 The project’s complexity, clarity, and size determine its risk. Varying levels of these three determinants differentially affect the amount of project risk. At one extreme, large, highly complex projects that are low in clarity are extremely risky. In contrast, small projects that are low in complexity and high in clarity are low risk. Everything else is somewhere in between.
The level of risk determines how formal the project management system and detailed the planning should be. When it is difficult to estimate how long or how much a project will cost because it is so complex or what should be done because its clarity is so low, formal management practices or planning is inappropriate. A high level of planning is not only almost impossible in these circumstances because of the uncertainty surrounding the project, but it also makes it difficult to adapt to external changes that are bound to occur. On the other hand, formal planning tools may be useful in low-risk projects because they can help structure the sequence of tasks as well as provide realistic cost and time targets.19
Managing the Complexity Aspects of Project Risk
The more complex the project, the greater is the risk. The increasing dependence on IT in all aspects of business means that managing the risk level of an IT project is critical to a general manager’s job. Organizations increasingly embed IT deeper into their business processes, raising efficiency but also increasing risk. Many companies now rely entirely on IT for their revenue-generating processes, whether the process uses the Internet or not. For example, airlines are dependent on IT for generating reservations and ultimately sales. If the reservation system goes down, that is, if it fails, agents simply cannot sell tickets. In addition, even though the airplanes technically can fly if the reservation system fails, the airline cannot manage seat assignments, baggage, or passenger loads without the reservation system. In short, the airline would have to stop doing business should its reservation system fail. That type of dependence on IT raises the risk levels associated with adding or changing the system. The manager may adopt several strategies in dealing with complexity, including leveraging the technical skills of the team, relying on consultants to help deal with project complexity, and other internal integration strategies.
Leveraging the Technical Skills of the Team When a project is complex, it is helpful to have a leader with experience in similar situations, or who can translate
18 R. Schmidt, K. Lyytinen, M. Keil, and P. Cule, ‘‘Identifying Software Project Risks: An International Delphi Study,’’ Journal of Management Information Systems 17:4 (Spring 2001), pp. 5 – 36. 19 H. Barki, S. Rivard, and J. Talbot, ‘‘An Integrative Contingency Model of Software Project Risk Management,’’ Journal of Management Information Systems 17:4 (Spring 2001), pp. 37 – 69.
334 Chapter 11 Project Management
experiences in many different situations to this new complex one. For projects high in complexity, it also helps to have team members with significant work experience, especially if it is related.
Relying on Consultants and Vendors Few organizations develop or maintain the in-house capabilities they need to complete complex IT projects. Risk-averse managers want people who possess crucial IT knowledge and skills. Often that skill set can be attained only from previous experience on similar IT projects. Such people are easier to find at consulting firms because consultants’ work is primarily project based. Consulting firms rely on processes that develop the knowledge and experience of their professionals. Thus, managers often choose to ‘‘lease’’ effective IT team skills rather than try to build them within their own people. However, the project manager must balance the benefits achieved from bringing in outsiders with the costs of not developing that skill set in house. When the project is over and the consultants leave, will the organization be able to manage without them? Having too many outsiders on a team also makes alignment more difficult. Outsiders may have different objectives, such as selling more business, or learning new skills, which might conflict with the project manager’s goal of completing the project.
Integrating Within the Organization Highly complex projects require good communication among the team members, which helps them to operate as an integrated unit. Ways of increasing internal integration include holding frequent team meetings, documenting critical project decisions, and conducting regular technical status reviews.20 These approaches ensure that all team members are ‘‘on the same page’’ and are aware of project requirements and milestones.
Managing Clarity Aspects of Project Risk
When a project has low clarity, project managers need to rely more heavily on the users to define system requirements. It means managing project stakeholders and sustaining commitment to projects.
Managing Project Stakeholders A project’s low clarity may be the result of its multiple stakeholders’ conflicting needs and expectations for the system. Stakeholders are individuals and organizations that are actively involved in the project, or whose interests may be positively or negatively affected as a result of project execution or successful project completion.21 The project manager must balance the goals of the various project stakeholders to achieve desired project outcomes. The project manager may also need to specifically manage stakeholders.
20 Barki et al., ‘‘An Integrative Contingency Model of Software Project Risk Management’’; and Applegate et al., Corporate Information Systems Management. 21 Project Management Institute Standards Committee, A Guide to the Project Management Body of Knowledge (Project Management Institute, 1996), p. 15.
Managing Project Risk 335
It is not always a simple task to identify project stakeholders. They may be employees, managers, users, other departments, or even customers. However, failure to manage these stakeholders can lead to costly mistakes later in the project if a particular group is not supportive of the project.
Key stakeholders on every project include the following:22
• Project manager: This individual is responsible for managing the project. • Customer: This individual or organization uses the project product. Multi-
ple layers of customers may be involved. For example, the customers for a new pharmaceutical product may include the doctors who prescribe it, the patients who take it, and the insurers who pay for it.
• Performing organization: This enterprise provides the employees who are most directly involved in doing the work of the project.
• Sponsor: This individual or group within the performing organization pro- vides the financial resources, in cash or in kind, for the project.
Managing the expectations and needs of these people often involves both the project manager and the general manager. Project sponsors are especially critical for IT projects with organizational change components. Sponsors use their power and influence to remove project barriers by gathering support from various social and political groups both inside and outside the organization. They often prove to be valuable when participating in communication efforts to build the visibility of the project.
Sustaining Commitment to Projects A key job of the project management team is to gain commitment from stakeholders and to sustain that commitment throughout the life of the project. Research indicates four primary types of determinants of commitment to projects (see Figure 11.11)23 They include project determinants, psychological determinants, social determinants, and organizational determinants. Project teams often focus on only the project factors, ignoring the other three types because of their complexity. By identifying how these factors are manifested in an organization, however, project managers can use tactics to ensure a sustained commitment. For example, to maintain commitment, a project team might continually remind stakeholders of the benefits to be gained from completion of this project. Likewise, assigning the right project champion the task of selling the project to all levels of the organization can maintain commitment. Other strategies to encourage stakeholder, especially user, buy-in so that they can help clarify project requirements are making a user
22 Ibid. 23 See, for example, Mark Keil, ‘‘Pulling the Plug: Software Project Management and the Problem of Project Escalation,’’ MIS Quarterly 19:4 (December 1995), pp. 421 – 447; and Michael Newman and Rajiv Sabherwal, ‘‘Determinants of Commitment to Information Systems Development: A Longitudinal Investigation,’’ MIS Quarterly 20:1 (March 1996), pp. 23 – 54.
336 Chapter 11 Project Management
Determinant Description Example
Project Objective attributes of the project such as cost, benefits, expected difficulty, and duration.
Projects are more likely to have higher commitment if they involve a large potential payoff.
Psychological Factors managers use to convince themselves things are not so bad, such as previous experience, personal responsibility for outcome, and biases.
Projects are more likely to have higher commitment when there is a previous history of success.
Social Elements of the various groups involved in the process, such as rivalry, norms for consistency, and need for external validation.
Projects are more likely to have higher commitment when external stakeholders have been publicly led to believe the project will be successful.
Organizational Structural attributes of the organization, such as political support, and alignment with values and goals.
Projects are more likely to have higher commitment when there is strong political support from executive levels.
FIGURE 11.11 Determinants of commitment for IT projects. Source: Adapted from Mark Keil, ‘‘Pulling the Plug: Software Project Management and the Problem of Project Escalation,’’ MIS Quarterly (December 1995); and Michael Newman and Rajiv Sabherwal, ‘‘Determinants of Commitment to Information Systems Development: A Longitudinal Investigation,’’ MIS Quarterly (March 1996).
the project team leader; placing key stakeholders on the project team; placing key stakeholders in charge of the change process, training, or installing the system; and formally involving stakeholders in the specification approval process.
Pulling the Plug These various risk management strategies are designed to turn potentially troubled projects into successful ones. Often, projects in trouble persist long after they should be abandoned. Research shows that the amount of money already spent on a project biases managers toward continuing to fund the project, even if its prospects for success are questionable.24 Other factors can also enter in the decision to keep projects too long. For example, when the penalties for failure within an organization are high, project teams are often willing to go to great lengths to ensure that their project persists, even if it means extending resources.
24 M. Keil, et al, ‘‘A Cross-Cultural Study on Escalation of Commitment Behavior in Software Projects,’’ MIS Quarterly 24:2 (2000), pp. 299 – 325.
Managing Project Risk 337
Also, a propensity for taking risks or an emotional attachment to the project by powerful individuals within the organization can contribute to a troubled project continuing well beyond reasonable time limits.
Gauging Success How does a manager know when a project has been a success? At the start of the project, the general manager who built the business case would have considered several aspects based on achieving the business goals. Care is needed to prevent forming a set of goals that is too narrow or too broad. It is important that the goals be measurable so that they can be used throughout the project to provide the project manager with real-time feedback.
Four dimensions of success are shown in Figure 11.12. The dimensions are defined as follows:
• Resource constraints: Does the project meet the established time and budget criteria? Most projects set some measure of success along this dimension, which is a short-term success metric that is easy to measure.
• Impact on customers: How much benefit does the customer receive from this project? Although some IT projects are transparent to the organization’s end customer, every project can be measured on the benefit to the immediate customer of the IS. This dimension includes performance and technical specification measurements.
• Business success: How high are the profits and how long do they last? Did the project meet its return on investment goals? This dimension must be aligned with the business strategy of the organization.
• Prepare the future: Has the project altered the infrastructure of the orga- nization so that in the future business success and customer impact are more likely? Today many companies are building Internet infrastructures in anticipation of future business and customer benefits. Overall success of this strategy will only be measurable in the future, although projects underway now can be evaluated on how well they prepare the business for future opportunities.
What other considerations should be made when defining success? Is it enough just to complete a project? Is it necessary to finish on time and on budget? What other dimensions are important? The type of project can greatly influence how critical each of these dimensions is in determining the overall success of the project. It is the responsibility of the general manager to coordinate the overall business strategy of the company with the project type and the project success measurements. In this way, the necessary organizational changes can be coordinated to support the new information system. After the project is completed, a post-project feedback (post-implementation audit) should be completed to ensure that the system met its requirements and the system development process was a good one.
338 Chapter 11 Project Management
Success Dimension Low Tech Medium Tech High Tech
Existing technologies with new features
Most technologies are new but available before the project
New, untested technologies
Resource Constraint
Important Overruns accept- able
Overruns most likely
Impact on Customers
Added value Significantly improved capabilities
Quantum leap in effectiveness
Business Success Profit; Return on Investment
High profits; Market share
High, but may come much later; Market leader
Prepare the Future Gain additional capabilities
New market; New service
Leadership-core and future technologies
FIGURE 11.12 Success dimensions for various project types. Source: Adapted from Aaron Shenhar, Dov Dvir, and Ofer Levy, ‘‘Project Success: A Multidimensional Strategic Approach,’’ Technology and Innovation Management Division (1998).
! THE PMO
Although managing projects is not a new set of activities for management, it is a struggle for many to bring a project in on time, on budget, and within scope. Some organizations create a Project Management Office (PMO) to boost efficiency, gather expertise, and improve project delivery. A PMO is created to bring discipline to the project management activities within the enterprise. The Sarbanes – Oxley Act is also a driver because it forces companies to pay closer attention to project expenses and progress. Although companies may not immediately realize cost savings, the increased efficiencies and project discipline may eventually lead to cost savings.
PMOs can be expected to function in the following seven areas, according to CIO Magazine:
• Project support • Project management process and methodology • Training • Project manager home base • Internal consulting and mentoring • Project management software tools and support • Portfolio management (managing multiple projects)
Food for Thought: Open Sourcing 339
The responsibilities of a PMO range widely, based on the preferences of the CIO under which the PMO typically falls. Sometimes the PMO is simply a clearinghouse for best practices in project management, and other times it is the organization that more formally manages all major projects. At risk man- agement company Assurant Group, for example, a number of project managers work in the PMO under the direction of the COO. Using well-defined soft- ware development and project management methodologies, these PMO managers work with business managers to refine their project management efforts — from requirements definition to post-implementation audits. Within four years of the installation of its PMO, 97% of Assurant’s projects were delivered on schedule and within budget.25
The structure of the PMO may vary, but usually mirrors the organization, culture, and bureaucracy of the CIO’s organization. If the culture is rigid and strictly controlled, then the PMO will likely have first-hand and significant oversight of projects. Likewise, if the culture is collaborative and open, then the PMO will likely play a more coordinating role.
! FOOD FOR THOUGHT: OPEN SOURCING
Linux, the brainchild of Linus Torvalds, is a world-class operating system cre- ated from part-time hacking by several thousand developers scattered all over the planet and connected only by the Internet. This system was built using a development approach called open sourcing, or the process of building and improving ‘‘free’’ software by an Internet community. Torvalds managed the development process by releasing early and often, delegating as much as possible, being open to new ideas, and archiving and managing the various versions of the software.
Eric Raymond, the author of The Cathedral and the Bazaar, suggests that the Linux community resembles a great bazaar of differing agendas and approaches (with submissions from anyone) out of which a coherent and stable system emerged. This development approach is in contrast to cathedrals, in which software is carefully crafted by company employees working in isolation. The most frequently cited example of a cathedral is Microsoft, a company known, if not ridiculed, for espousing a proprietary approach to software development.26
Software is open source software (OSS) if it is released under a license approved by the Open Source Initiative (OSI). The most widely used OSI license
25 M. Santosus, ‘‘Why You Need a Project Management Office (PMO),’’ CIO Magazine, http:// www.cio.com/article/29887/Why You Need a Project Management Office PMO /1 (accessed July 15, 2008). 26 Eric S. Raymond, ‘‘The Cathedral and the Bazaar,’’ available at http://www.tuxedo.org/!esr/writings/cathedral-bazaar/ (accessed June 27, 2002).
340 Chapter 11 Project Management
is the GNU general public license (GPL), which is premised on the concept of free software. Free software offers the following freedoms for the software users:27
• The freedom to run the program, for any purpose. • The freedom to study how the program works, and adapt it to your needs.
Access to the source code is a precondition for this. • The freedom to distribute copies so that you can help your neighbor. • The freedom to improve and release your improvements to the public, so
that the whole community benefits. Access to source code is a precondi- tion for this.
A user who modifies the software must observe the rule of copyleft, which stipulates that the user cannot add restrictions to deny other people their central freedoms regarding the free software.
Open sourcing is a movement that offers a speedy way to develop software. Further, because it is made available to a whole community, testing is widespread. Finally, its price is always right — it is free. However, a number of managerial issues are associated with its use in a business organization.
• Preservation of intellectual property. The software is open to the whole community. It cannot be sold, and its use cannot be restricted. So the community is the ‘‘owner’’ of the code. Yet, how are the contributions of individuals recognized?
• Updating and maintaining open source code. A strength of the open source movement is that it is open to the manipulation of members of an entire community. That very strength makes it difficult to channel the updating and maintenance of code.
• Competitive advantage. Because the code is available to all, a company would not want to open-source a system that it hopes can give it a competitive advantage.
• Tech support. The code may be free, but technical support usually isn’t. Users of a system that was open-sourced must still be trained and supported.
• Standards. Standards are open. Yet in a technical world that is filled with incompatible standards, open sourcing may be unable to charter a viable strategy for selecting and using standards.
Applications written following the open source standards were initially rejected by corporate IT organizations. Executives wondered how code that was free, open, and available to all could be counted on to support critical business applications. However, a number of case studies recorded by OSI highlight the benefits
27 GNU Project — Free Software Foundation, ‘‘The Free Software Definition,’’ available at http://www.gnu.org/philosophy/free-sw.html (accessed April 3, 2002).
Summary 341
of open source code. In addition to Linux, Mozilla (a popular Web browser core), Apache (Web server), PERL (Web scripting language) OpenOffice (a Sun Microsystems-originated set of office applications that support the Microsoft Office suite formats), and PNG (graphics file format) are all examples of very popular software that is based on open source. In some cases, companies now sponsor OSS projects by directly contributing resources to their development. For example, IBM contributed developers to work on Apache’s Web server. In other cases, companies provide commercial support for OSS products, such as RedHat does with Linux. Advances in the applications available on the Internet, particularly many of the Web 2.0 applications that are making their way slowly into the corporate infrastructure, are open sourced.
! SUMMARY • A general manager fulfills an important role in project management. As a par-
ticipant, the general manager may be called on to select the project manager, to provide resources to the project manager, and to provide direction to the project.
• The business case provides foundation for a well-managed project by specifying the objectives of the project, the required resources, the critical elements, and the stakeholders.
• Project management involves continual trade-offs. The project triangle high- lights the need to delicately balance cost, time, and scope to achieve quality in a project.
• Four important project elements are common project vocabulary, teamwork, project cycle plan, and project management.
• Understanding the complexity of the project, the environment in which it is developed, and the dimensions used to measure project success allows the general manager to balance the trade-offs necessary for using resources effectively and to keep the project’s direction aligned with the company’s business strategy.
• Four popular information technology project development methodologies are the SDLC, prototyping, JAD, and RAD. Each of these methodologies offers both advantages and drawbacks. Other methodologies are emerging.
• In increasingly dynamic environments, it is important to manage project risk. Project risk is a function of project size, clarity, and level of complexity. For low-clarity projects, it is important to interface with users and gain their com- mitment in the project. Projects that are highly complex require leveraging the technical skills of the team members, bringing in consultants when necessary, and using other strategies to promote internal integration.
• The PMO, Project Management Office, brings focus and efficiency to project man- agement activities. Often the PMO is a formal organization under the CIO.
• Projects are here to stay, and every general manager must be a project manager at some point in his or her career. As a project manager, the general manager is expected to lead the daily activities of the project. This chapter offers insight into the necessary skills, processes, and roles that project management requires.
342 Chapter 11 Project Management
! KEY TERMS agile development (p. 328) direct cutover (p. 324) joint applications
development (JAD) (p. 327)
object (p. 328) open sourcing (p. 339)
open source software (OSS) (p. 339)
parallel conversion (p. 324)
project (p. 311) project management
(p. 312)
project management office (PMO) (p. 338)
prototyping (p. 325) rapid applications
development (RAD) (p. 326)
systems development life cycle (SDLC) (p. 322)
! DISCUSSION QUESTIONS 1. What are the trade-offs between cost, quality, and time when designing a project plan? What criteria should managers use to manage this trade-off?
2. Why does it often take a long time before troubled projects are abandoned or brought under control?
3. What are the critical success factors for a project manager? What skills should managers look for when hiring someone who would be successful in this job?
4. What determines the level of technical risk associated with a project? What determines the level of organizational risk? How can a general manager assist in minimizing these risk components?
5. Lego’s Mindstorms Robotics Invention System was designed for 12-year-olds. But after more than a decade of development at the MIT Media Lab using the latest advances in artificial intelligence, the toy created an enormous buzz among grown-up hackers. Despite its stiff $199 price tag, Mindstorms sold so quickly that store shelves were emptied two weeks before its first Christmas in 1998. In its first year, a staggering 100,000 kits were sold, far beyond the 12,000 units the company had projected. Seventy percent of Mindstorms’ early customers were old enough to vote. These customers bought the software with the intention of hacking it. They wanted to make the software more flexible and powerful. They deciphered Mindstorms’ proprietary code, posted it on the Internet, began writing new advanced software, and even wrote a new operating system for their robots. To date Lego has done nothing to stop this open source movement, even though thousands of Lego’s customers now operate their robots with software the company didn’t produce or endorse and can’t support. The software may end up damaging the robot’s expensive infrared sensors and motors.28
a. What are the advantages of Lego’s approach to open sourcing? b. What are the disadvantages of Lego’s approach to open sourcing? c. How should Lego manage the open source movement?
28 Excerpted from Paul Keegan, ‘‘Lego: Intellectual Property Is Not a Toy,’’ Business 2.0 (October 2001), available at http://www.business2.com/articles/mag/0,1640,16981,FF.html (accessed June 27, 2002).
Case Study 343
CASE STUDY 11-1
SABRE HOLDINGS
Sabre Holdings Corp. embarked on a $100-million-plus project to rebuild their air-travel reservation system. The old system was designed when assembly code was the rage; the system was 10 million lines of code. The new system was designed for C++ and Java, using servers and databases that were not even possible when the original system was built. That means the new system was a complete redo. And they brought the system in on time and on budget. How did they do it?
It was no small feat this time around. In 1988, Sabre managers tried to overhaul the system and spent $125 million. The project was well planned and broken into manageable pieces to be built in parallel, as was the prevailing project management advice at the time. After 3 1/2 years of development, it didn’t work. Partners like Budget Rent a Car and Hilton and Marriott hotel chains were scheduled to use it. But a few weeks before the due date, the entire project was scrapped.
But this time, managers took a different approach similar to agile programming for this project. First they did the project as a series of small steps, each providing functionality that can be tweaked or redesigned as necessary. Small steps make it possible to change direction or even respond to changes in technology without disrupting the entire project. For example, functions originally targeted for one type of server were rearchitected for a different server. In addition, Linux servers, which did not look viable when the project began, could be used later when they were proven to be appropriate for this environment. Second, the small steps make it possible to go live with each iteration of the system before beginning the next step. This ensures that the system works and meets the users’ needs.
Observers noted, ‘‘That doesn’t sound like a big IT project. Everything we expect from a big IT project is missing: The grand, detailed plan; the divide-at-the- start-and-integrate-at-the-end strategy; the years-before-it-goes-live schedule. That approach has doomed big IT projects for generations. IT had too much risk built into it, requiring too many predictions in the face of too much change, and depending on too much perfection in execution.’’29
Discussion Questions
1. In what ways do you think this project was managed differently than the 1988 overhaul project? What are the advantages of agile programming in this situation?
2. What were the risks Sabre Holdings faced when they decided to redesign their reserva- tion systems? What actions did they take to minimize the risks?
3. How did the Sabre project managers ensure that the system met users’ needs?
Source: Adapted from Frank Hayes, ‘‘Big IT: Doomed’’ (June 2004), http://www.computerworld.com/ action/article.do?command=viewArticleBasic&articleId=93641&paageNumber=1.
29 http://www.computerworld.com/managementtopics/management/project/story/0,10801, 93641,00.html.
344 Chapter 11 Project Management
CASE STUDY 11-2
DEALING WITH TRAFFIC JAMS IN LONDON
It’s hard to think of traffic in any big city as being good. But London’s traffic at the turn of the millennium may have been far worse than that of the average metropolis. When driving in London’s downtown area, drivers spent around half their time waiting in traffic, incurring 2.3 minutes of delay for every kilometer they traveled. To get its horrendous traffic jams under control, the city government decided to marry information technology with 699 cameras at 203 sites in the 8 square miles targeted for congestion control. Rather than wait in lines to pay a toll, drivers now pay for a daily toll when they drive their cars in the areas marked by a red C logo painted on signs and streets. To verify their being in toll areas, the cameras daily take over a quarter of a million pictures of the license plates of cars in designated areas. Motorists who don’t pay the toll that day are automatically fined about $130. The fines and tolls resulted in a project payback period of about one and a half years. In ten years this will translate into total revenues of $2.2 billion — all of which will be used to improve London’s public transportation systems. Further, as of March 2003, traffic in the city’s center had fallen by an unexpectedly high 20%, improving journey times by 5% and saving drivers 2 million to 3 million hours of frustration every year.
The project risks were obvious from the outset. The project faced a tight implementation timetable, there was no preexisting model anywhere in the world to follow, and a brand-new transit authority working under a brand-new mayor faced the challenge of integrating new technologies. The narrow, convoluted streets that were hundreds of years old did not lend themselves to collecting tolls. Cameras needed to be situated carefully to achieve sufficiently high levels of number recognition accuracy. For the new mayor, the political risk was huge, as failure of the system would be extremely damaging to his career.
The department implementing the system, Transport for London, recognized its own limitations in terms of experience, IT ability, and management time. Consequently, Trans- port for London decided to outsource critical elements of the project management first to consultants from PricewaterhouseCooper and then Deloitte & Touche.
Early in the project, project managers identified the critical technical elements and divided the project into five ‘‘packages’’ that could, if required, be bought and managed separately. These included (1) the camera component; (2) the image store component that collected images, converted them into license numbers, and condensed the images (duplicates would occur when one vehicle was photographed by several cameras); (3) the telecommunications links between the cameras and the image store component; (4) the customer services infrastructure, including the ability to pay by phone, Web, and mail; and (5) an extensive network of retail outlet kiosks and gas stations where people could pay the toll.
Even at this early stage, risk aversion played a role. Instead of combining the customer services infrastructure and the retail side into a single customer-facing operation, retail was seen as a big enough challenge to be bought and managed separately. To reduce the risks, the technologies selected for each of the five packages were the best available.
Transport for London requested bids on the project early in 2001. The estimated $116.2 million project was large enough to require listing in the European Union’s public-sector register, and tenders were open to companies throughout Europe. Separate bids could be tendered for the camera and communications packages, whereas the remaining three could receive bids on a combined basis or individually. The bid process was managed by Deloitte
Case Study 345
& Touche, who narrowed the original 40 bids to 4. Then two of these bidders undertook a three-month technical design study to focus on issues such as data throughput, how the retail channels would work, how to achieve the best number recognition performance, and what payments might be expected through each payment channel. Although both bidders were paid for their technical design, it was decided that the benefits of contracting the two analyses for improving overall project quality would outweigh the cost of paying the losing bidder. The Capita Group, the winning bidder, gained confidence through the process that their technical design, especially for the challenging image store component, was viable.
From the technical point of view, the greatest challenge was the creation and management of the image store. This component had to process a million records each day (picture those 250,000 vehicles moving about the city center all day) — as well as store them for evidentiary purposes for the subsequent prosecution of nonpayers. Meeting the challenge meant carefully evaluating design considerations (such as using the most reliable technology available) and writing software code that would automatically detect which image of a passing vehicle would yield the most accurate number recognition. Simon Pilling, executive director at Capita, who was in charge of the project, stated: ‘‘The deadlines were very tight and were politically driven, and it highlighted where the risks were.’’ Capita’s contract included clear milestones and damages against the contractor for failure to deliver on time. Deloitte was hired to rigorously monitor Capita’s progress in completing the estimated 300 years of effort that would be required to complete the project in the space of a year. The targeted deadline for completion was February 17, 2003.
Capita had successfully bid for the image store, customer payments, and the links to retailers’ packages. So that Transport for London could deal with one prime contractor, it awarded Capita the remaining two project packages related to managing the camera and communications. Selecting one company made the task easier. Capita responded by physically locating all people working on the project together in a single building in Coventry, in central England.
The project was delivered on time and on budget, and it has reduced traffic congestion more than originally projected. Its success was attributed to several project management aspects. First, scope creep was vigorously guarded against by limiting changes to the requirements. One of the few changes was an option for motorists to pay tolls through the popular SMS text messaging format. Second, Capita’s deliverables were spread out over a manageable time scale, rather than concentrated toward the project’s end. And third, there was strong top management support from political leaders.
Discussion Questions
1. Assess the risks of this project. Given your assessment of the project complexity, clarity, and size, what management strategies would you recommend? What, if any, of these strategies were adopted in this project?
2. Describe the development methodology that was applied to this project. Was this the most appropriate approach? Provide a rationale for your response.
3. When a project is outsourced, who should manage the project — the internal group or the outsourcer? Why?
Source: Adapted from Malcolm Wheatley, ‘‘How IT Fixed London’s Traffic Woes,’’ CIO Magazine (July 15, 2003).
!CHAPTER 12 MANAGING BUSINESS KNOWLEDGE1
Harrah’s, the largest gaming company in the world by some measures, found a way to more than double revenues by collecting and then analyzing customer data. According to CEO Gary Loveman, ‘‘We’ve come out top in the casino wars by min- ing our customer data deeply, running marketing experiments, and using the results to implement finely tuned marketing and service delivery strategies that keep our customers coming back.’’2 This is more than just implementing loyalty cards to track customer activity and reward ‘‘frequent buyers.’’ In 2000, Harrah’s was valued at close to $3 billion. When it was sold 7 years later to a private equity group, it was valued at $17 billion. Much of that increase was credited to the innovative and widespread use of business analytics to turn around the gaming company.
Analytics at Harrah’s begins when a customer is issued a Loyalty Card. Similar to the ubiquitous cards used by airlines, grocery stores, and even coffeehouses, the Harrah’s card tracks customer usage of the various games offered in their casinos. What differentiates Harrah’s is what they do with the information they collect from their loyalty program. Harrah’s uses sophisticated analytical tools to understand as much as possible about their customers. For example, they thought their best customers were high rollers. In fact, they found that 82% of revenues came from 26% of customers, and they were not the gold cuff-link-wearing, limousine-riding high rollers, but average, middle-aged, and seniors. The management at Harrah’s wanted to know what motivated these customers. They conducted experiments and focus groups, using well-structured experiments designed to gather data and test hypotheses. They found that these customers were motivated by reduced rates on hotel rooms, or if they lived in the area, free chips. Special gifts and expensive rooms were not as effective as incentive. They studied the customer’s value over time and identified ways to increase spending on repeat visits. For example, when they looked at the data about their best customers, they learned that these customers wanted service quickly. So Harrah’s found ways to reduce the wait at the
1 The authors wish to acknowledge and thank Ben Ballengee, MBA 1993, PhD 2001, for his help in researching and writing early drafts of this chapter. 2 Gary Loveman, ‘‘Diamonds in the Data Mine,’’ Harvard Business Review (May 2003): 110.
346
Knowledge Management 347
valet parking lot and at the restaurants. Diamond customers, those that were the very best customers, rarely waited in line at all, providing a very visible ‘‘reward’’ for their business and motivating others to seek Diamond-level status (something they could earn through the loyalty card program). They studied individual behaviors and created a program that was custom tailored to each customer offering specific incentives based on the results of their analytical models. As Loveman described, ‘‘If we discovered that a customer who spends $1000 per month with us hadn’t visited us in three months, a letter or telephone call would invite him back. If we learned that he lost money during his last visit, we invited him back for a special event.’’3 They found ways to keep the small-level gamblers in the casino longer and to lure them back again at very low costs. Analytics drives their business, and the results have turned the company into a model for successfully integrating technical algorithms with marketing techniques.
This chapter provides an overview of some of the ways business manage their collective knowledge. Enterprises have long sought a way to harness the value locked inside the extensive data they collect and store about customers, markets, competitors, products, people, and processes. This chapter will review some of the basic concepts of knowledge management, then look at business intelligence, including business analytics.
! KNOWLEDGE MANAGEMENT
Knowledge management includes the processes necessary to generate, capture, codify, and transfer knowledge across the organization to achieve competitive advantage. Individuals are the ultimate source of organizational knowledge. The organization gains only limited benefit from knowledge isolated within individuals or among workgroups; to obtain the full value of knowledge, it must be captured and transferred across the organization. In this chapter, we focus on knowledge management as infrastructure for business applications.
Knowledge management is related to information systems (IS) in three ways. First, information technologies make up the infrastructure for knowledge management systems. Second, knowledge management systems make up the data infrastructure for many IS and applications. The knowledge management system provides the source for information needed to run the business. Third, in the increased use of business analytics like that used at Harrah’s in the opening example, knowledge management is often referred to as an application of IS, much like e-mail, word processing, and spreadsheets. It is increasingly being used as a business application itself in such forms as document management, information retrieval, data mining, data warehousing, and data visualization.
Two other terms frequently encountered in discussions of knowledge are intellectual capital and intellectual property. Intellectual capital is defined
3 Loveman, ‘‘Diamonds in the Data Mind,’’ 112.
348 Chapter 12 Managing Business Knowledge
as knowledge that has been identified, captured, and leveraged to produce higher-value goods or services or some other competitive advantage for the firm. Both knowledge management and intellectual capital are often used impre- cisely and interchangeably to describe similar concepts. Information technology (IT) provides an infrastructure for capturing and transferring knowledge, but does not create knowledge and cannot guarantee its sharing or use.
Intellectual property allows individuals to own their creativity and innovation in the same way that they can own physical property. Owners can be rewarded for the use of their ideas and can have a say in how their ideas are used. To protect their ideas, owners typically apply for and are granted intellectual property rights, though some protection such as copyright arises automatically, without any registration, as soon as a record is made in some form of what has been created. The four main types of intellectual property are patents for inventions, trademarks for brand identity, designs for product appearance, and copyrights for literary and artistic material, music, films, sound recordings, broadcasts, and software.4 In 2002, the music sharing Web site Napster raised controversial issues long surrounding the practice of copyright. The Audio Home Recording Act (1992) was passed in the United States to prevent serial copying, but this didn’t seem to apply to Napster, who only facilitated sharing. Although the act protected intellectual property, it also confirmed the freedom to copy music for personal use. In 1998, the more stringent Digital Millennium Copyright Act (DCMA) passed by a unanimous vote in the U.S. Senate with the active support of the entertainment industry.5 The DCMA makes it a crime to circumvent copy protection, even if that copy protection impairs rights established by the Audio Home Recording Act. Furthermore, the Digital Tech Corps Act of 2002, passed in the U.S. House of Representatives, seeks to protect intellectual property by placing a lifetime ban on employees from revealing trade secrets, and imposing a criminal penalty of up to five years in prison and a $50,000 fine.6 More recently a senior-level position, Coordinator for International Intellectual Property Enforcement in the U.S. Department of Commerce, was created to coordinate the battle against global piracy of intellectual property.
! DATA, INFORMATION, AND KNOWLEDGE
The terms data, information, and knowledge are often used interchangeably, but have significant and discrete meanings within the knowledge management domain. As was first presented in the introduction of this textbook, the differences are shown in Figure 12.1. Data are specific, objective facts or observations, such as
4 ‘‘What Is Intellectual Property or IP?’’ available at http://www.intellectual-property.gov.uk/ std/faq/question1.htm (accessed June 25, 2002). 5 On March 10, 2004, the European Union passed the EU Copyright Directive, which is similar in many ways to DCMA. 6 Jason Miller, ‘‘House Passes IT Employee Exchange Program,’’ Government Computer News, available at http://www.gcn.com/vol1 no1/regulation/18347-1.html (accessed June 25, 2002).
Data, Information, and Knowledge 349
Simple observations of states of the world • Easily captured • Easily structured • Easily transferred • Compact, quantifiable
Data
More human contribution
Greater value
Valuable information from the human mind; includes reflection, synthesis, context • Hard to capture electronically • Hard to structure • Often tacit • Hard to transfer • Highly personal to the source
Knowledge
Data endowed with relevance and purpose • Requires unit of analysis • Needs consensus on meaning • Human mediation necessary • Often garbled in transmission
Information
Data Information Knowledge
FIGURE 12.1 The relationships between data, information, and knowledge. Source: Adapted from Thomas H. Davenport, Information Ecology (New York: Oxford University Press, 1997), 9.
‘‘inventory contains 45 units.’’ Standing alone, such facts have no intrinsic meaning, but can be easily captured, transmitted, and stored electronically.
Information is defined by Peter Drucker as ‘‘data endowed with relevance and purpose.’’7 People turn data into information by organizing them into some unit of analysis (e.g., dollars, dates, or customers). Deciding on the appropriate unit of analysis involves interpreting the context of the data and summarizing them into a more condensed form. Consensus must be reached on the unit of analysis.
Knowledge is a mix of contextual information, experiences, rules, and values. It is richer and deeper than information and more valuable because someone has thought deeply about that information and added his or her own unique experience, judgment, and wisdom. One way of thinking about knowledge is to consider the different types of knowing.8 Knowing what often is based on assembling information and eventually applying it. It requires the ability to recognize, describe, and classify concepts and things. The process of applying knowledge helps generate knowing how to do something. This kind of knowing
7 Peter F. Drucker, ‘‘The Coming of the New Organization,’’ Harvard Business Review (January – February 1988), 45 – 53. 8 M. H. Zack, ‘‘Managing Codified Knowledge,’’ Sloan Management Review 40, no. 4 (1999), 45 – 58.
350 Chapter 12 Managing Business Knowledge
Know-Why
Know-What Know-How
Information Procedure
Application
Experience
Reasoning
FIGURE 12.2 Taxonomy of knowledge. Source: H-W. Kim and S. M. Kwak, ‘‘Linkage of Knowledge Management to Decision Support: A System Dynamics Approach,’’ presented at the National University of Singapore, July 2002.
requires an understanding of an appropriate sequence of events or the ability to perform a particular set of actions. Sometimes the first inkling of knowing how to do something stems from an understanding of procedures, routines, and rules. Knowing how to do something is fully learned by actually experiencing a situation. Finally knowing how and knowing what can be synthesized through a reasoning process that results in knowing why. Knowing why is the causal knowledge of why something occurs. These types of knowing are modeled in Figure 12.2.
Values and beliefs are also a component of knowledge; they determine the interpretation and the organization of knowledge. Tom Davenport and Larry Prusak, experts who have written about this relationship, say, ‘‘The power of knowledge to organize, select, learn, and judge comes from values and beliefs as much as and probably more than, from information and logic.’’9 Knowledge also involves the synthesis of multiple sources of information over time.10 The amount of human contribution increases along the continuum from data to information to knowledge. Computers work well for managing data, but are less efficient at managing information. The more complex and ill-defined elements of knowledge (for example, ‘‘tacit’’ knowledge, described later in this chapter) are difficult if not impossible to capture electronically.
Tacit versus Explicit Knowledge Knowledge can be further classified into two types: tacit and explicit. Tacit knowledge was first described by philosopher Michael Polyani in his book, The Tacit Dimension, with the classic assertion that ‘‘We can know more than we can tell.’’11 For example, try writing a memorandum, or even explaining verbally,
9 Thomas H. Davenport and Laurence Prusak, Working Knowledge (Boston: Harvard Business School Press, 1998), 12. 10 Thomas H. Davenport, Information Ecology (New York: Oxford University Press, 1997), 9 – 10. 11 Michael Polanyi, The Tacit Dimension, 1966 ed. (Magnolia, MA: Peter Smith, 1983), 4.
From Managing Knowledge to Business Intelligence 351
how to swim or ride a bicycle. Tacit knowledge is personal, context-specific, and hard to formalize and communicate. It consists of experiences, beliefs, and skills. Tacit knowledge is entirely subjective and is often acquired through physically practicing a skill or activity.
In 2007, Tom Brady broke the NFL single-season record for the most passing touchdowns with 50. It would be nearly impossible to verbally describe all the factors that Brady had to consider when making those passes, yet he knew who to throw the ball to, where to put the ball, and why to make that throw, all in a matter of seconds. Brady’s ability to pass the football incorporates so much of his own personal experience and kinesthetic memory that it is impossible to separate that knowledge from the player himself. His bone structure, muscular development, and the nerves between his arm and his brain all make it possible for him to throw the types of passes he does.
IT has traditionally focused on explicit knowledge, that is, knowledge that can be easily collected, organized, and transferred through digital means, such as a memorandum or financial report. Individuals, however, possess both tacit and explicit knowledge. Explicit knowledge, such as the knowledge gained from reading this textbook, is objective, theoretical, and codified for transmission in a formal, systematic method using grammar, syntax, and the printed word. Figure 12.3 summarizes these differences.
! FROM MANAGING KNOWLEDGE TO BUSINESS INTELLIGENCE
Managing knowledge is not a new concept,12 but it has been invigorated and enabled by new technologies for collaborative systems, the emergence of the Inter- net and intranets, which in themselves act as a large, geographically distributed
Tacit Knowledge Explicit Knowledge • Knowing how to identify the key
issues necessary to solve a problem • Applying similar experiences from
past situations • Estimating work required based on
intuition and experience • Deciding on an appropriate course of
action
• Procedures listed in a manual • Books and articles • News reports and financial statements • Information left over from past
projects
FIGURE 12.3 Examples of explicit and tacit knowledge.
12 The cuneiform texts found at the ancient city Ebla (Tall Mardikh) in Syria are, at more than 4,000 years old, some of the earliest known attempts to record and organize information.
352 Chapter 12 Managing Business Knowledge
knowledge repository, and the well-publicized successes of companies using busi- ness analytics, like Harrah’s. The discipline draws from many established sources, including anthropology, cognitive psychology, management, sociology, artificial intelligence, IT, and library science. Knowledge management remains, however, an emerging discipline, with few generally accepted standards or definitions of key concepts.
Business intelligence (BI) is the term used to describe the set of technologies and processes that use data to understand and analyze business performance.13 Although some may argue with this relationship, business intelligence can be considered a component of knowledge management. Knowledge management deals with the processes necessary to capture, codify, and make sense of all types of knowledge as described earlier. Business intelligence is more specifically about extracting knowledge from data. Davenport and Harris suggest that business analytics is the term used to refer to the use of quantitative and predictive models and fact-based management to drive decisions. By this definition, business analytics is a subset of BI.
The most profound aspect of knowledge management and business intelli- gence is that, ultimately, an organization’s only sustainable competitive advantage lies in what its employees know and how they apply that knowledge to business problems. Exaggerated promises and heightened expectations, couched in the hyperbole of technology vendors and consultants, may create unrealistic expecta- tions. Knowledge management is not a magic bullet, that is, an appropriate solution for all business problems. While reading this chapter, managers should consider the implications of managing knowledge, but should not believe that knowledge management by itself is the sole answer for managerial success. Knowledge must serve the broader goals of the organization, and analytics alone do not create com- petitive advantage. How the information is used and how the knowledge is linked back to business processes are important components of knowledge management.
! WHY MANAGE KNOWLEDGE?
Although knowledge has always been important to the success of organizations, it was presumed that the natural, informal flow of knowledge was sufficient to meet organizational needs and that no explicit effort had to be made to manage that knowledge. The value chain,14 discussed in earlier chapters of this text, illustrates the need for knowledge in such diverse areas as raw materials handling, operations, manufacturing, sales and marketing, product distribution, customer service, firm infrastructure, human resources, research and development (R&D), and purchasing. Each element of the chain, for example R&D, also becomes
13 Thomas Davenport and Jeanne Harris, Competing on Analytics (Harvard Business School Press, 2007), 7. 14 Michael E. Porter, Competitive Advantage: Creating and Sustaining Superior Performance (New York: Free Press, 1985), 39 – 43.
Why Manage Knowledge? 353
knowledge intensive: technological developments, market trends, product design, and customer requirements must all be known and managed. In short, information and knowledge are now the basis for competition. Several trends highlight the need for businesses to manage knowledge for competitive advantage. Figure 12.4 summarizes these trends.
Sharing Best Practices As the workplace becomes more complex and chaotic, workers and managers seek ways to share knowledge. The familiar scenario is that of an experienced guru within a business, sought by others within the organization who want to learn from the guru’s experience. Sharing best practices is the concept of leveraging knowledge gained by a subset of an organization. It is increasingly important for organizations whose livelihood depends on applying expertise, such as accounting firms, consulting firms, training firms, architectural firms, and engineering firms. In these types of environments, it is inefficient to have everyone ‘‘reinvent the wheel’’ themselves. Rather, managers set up knowledge management systems to capture best practices and to disseminate that experience throughout the firm.
Institutionalizing best practices by embedding them in IT makes it more efficient for an organization to handle routine, linear, and predictable situations in stable environments. When major, discontinuous change is involved, the basic
Why manage knowledge?
Embedded Knowledge • Smart products • Blurring of distinction between service and manufacturing firms • Value-added through intangibles
Rapid Change • Avoid obsolescence • Build on previous work • Streamline processes • Sense and respond to change
Globalization • Decreased cycle times • Increased competitive pressures • Global access to knowledge • Adapting to local conditions
Downsizing • Loss of knowledge • Portability of workers • Lack of time and resources for knowledge acquisition
Managing Overload • Inability to assimilate knowledge • Data organization and storage is needed
Sustainable Competitive Advantage • Shorter life cycle of innovation • Knowledge as an infinite resource • Direct bottom-line returns
Sharing Best Practices • Avoid “reinventing the wheel” • Build on previous work
FIGURE 12.4 Reasons for managing knowledge. Source: Adapted from IBM Global Services. Used with permission.
354 Chapter 12 Managing Business Knowledge
premises of the best practices stored in organizational knowledge bases must be constantly reevaluated.15
Globalization New computing and telecommunications technologies allow data, information, and knowledge, albeit explicit knowledge, to flow instantly around the world, resulting in the emergence of an interconnected global economy. In the past, land, labor, and capital gave nation-states their comparative economic advantage. As a greater percentage of economic growth arises from the knowledge sector, comparative advantage derives instead from the collective ability to leverage what people know. Knowledge-based businesses seem to grow according to previously unforeseen patterns, creating new markets, and attracting and producing innovations with little need for the traditional requirements of land, labor, and capital.
Peter Drucker described this trend as follows:
Another implication [of the emerging knowledge society] is that how well an indi- vidual, an organization, an industry, a country, does in acquiring and applying knowledge will become the key competitive factor. The knowledge society will inevitably become far more competitive than any society we have yet known — for the simple reason that with knowledge being universally accessible, there will be no excuses for nonperformance. . .16
Rapid Change Rapid change means that existing knowledge becomes obsolete faster and that employees must learn new skills in less time. New technologies and unexpected forms of competition are announced daily. To keep up, new tools, processes, and strategies must be introduced. Knowledge management provides a way to optimize the use of existing knowledge and streamline the transfer and absorption of new knowledge across the firm. Rather than ‘‘reinventing the wheel,’’ firms can customize preexisting solutions for unique customer needs. The combination of knowledge-intensive businesses, highly skilled knowledge workers, and new and relatively inexpensive computing and telecommunications technologies creates the need to organize and transfer information and knowledge in new ways. Firms must be able to sense and respond to changing trends and markets, encourage creativity and innovation, and help knowledge workers to continuously learn and improve their productivity.
Downsizing Downsizing initiatives tend to eliminate employees and remove knowledge, in the form of experience, from the organization. By firing experienced workers and
15 Yogesh Malhotra, ‘‘Knowledge Management in Inquiring Organizations,’’ in Proceedings of 3rd Americas Conference on Information Systems (Philosophy of Information Systems Mini-Track), Indianapolis, IN, August 15 – 17, 1997, 293 – 295; available at http://www.brint.com/km/km.htm. 16 Peter F. Drucker, ‘‘The Age of Social Transformation,’’ The Atlantic Monthly (November 1994).
Why Manage Knowledge? 355
driving away the talented, important knowledge captured in the heads of former employees is lost. A change in corporate direction can result in the wholesale firing (sometimes incorrectly called a ‘‘restructuring’’) of an entire class of employees with specialized knowledge. As a result, veteran employees with extensive knowledge about an organization and its processes become increasingly rare. New employees, even if educated in the subject matter, need time and experience to develop specialized knowledge unique to the firm.
Downsizing also changes the traditional contract between firms and their employees, creating a more mobile workforce than in the past. The changing contract results in an organizational knowledge base that becomes more volatile with employee transience. As workers change jobs more frequently, retaining knowledge within the organization, rather than in the heads of individuals, becomes more important.
By reducing the number of employees, firms increase the pressure on those remaining to accomplish more with less. Fewer employees are available to maintain and update the organization’s knowledge, and less slack time is available for acquiring new knowledge. Concurrently, the speed of innovation is increasing so that knowledge evolves and must be assimilated at a more rapid rate.
Managing Information and Communication Overload The growth of information resources along with the accelerating rate of techno- logical change produces a mass of information that often exceeds the ability of managers and employees to assimilate and use it productively. Individuals com- plain of receiving hundreds of e-mail messages, in addition to voice mail messages, faxes, regular telephone calls, and paper mail. As one manager put it, ‘‘If I am to keep up with my job I have to spend all of my time, both on and supposedly off the job, communicating. I don’t have a life anymore.’’17 One research report found that this flood of communication translates into white-collar workers spending a total of two hours each day on e-mail alone, and as many as 10 billion nonspam e-mail messages are received per day.18 No wonder managers complain of being stressed and overwhelmed as a result.
Knowledge Embedded in Products Products and services are becoming increasingly complex, giving them a significant information component. Consulting firms, software manufacturers, and research laboratories all sell knowledge. Managing that knowledge is as important to them as managing inventory is to a manufacturing firm. However, other firms not traditionally viewed as knowledge-based are beginning to realize that much of the value in their products lies in the knowledge embedded in those products. Traditional manufacturing firms differentiate themselves from their competitors
17 Thomas H. Davenport, Information Ecology (New York: Oxford University Press, 1997), 48. 18 T. Davenport and J. C. Beck, The Attention Economy (Boston: Harvard Business School Press, 2001), 190 – 191.
356 Chapter 12 Managing Business Knowledge
by offering products that embed specialized knowledge. One classic example is the development of an automatic bread-baking machine by the Japanese firm Matsushita. To design the machine, Matsushita sought out a master baker, observed his techniques, and incorporated those techniques into the machine’s functionality.19 The intangibles that add the most value to goods and services are becoming increasingly knowledge based, such as creativity, engineering, design, marketing, customer knowledge, and innovation.
Sustainable Competitive Advantage Perhaps the best reason for knowledge management is that it can be a source of lasting and sustainable competitive advantage. It has become increasingly difficult to prevent competitors from copying and improving on new products and processes. The mobility of workers, the availability of powerful and relatively inexpensive technology, and reverse engineering make the advantages of new products and efficient processes more difficult to maintain. The life cycle of innovation is growing shorter. Competitors can usually meet or exceed the standards of price and quality developed by the market leader in a short period of time. Before that happens, however, the company managing its knowledge can move to new levels of efficiency, quality, and creativity. Unlike raw material, knowledge is not depleted through use. Shared knowledge enriches the recipient while still remaining with the original source. Knowledge is not governed by the law of diminishing returns; on the contrary, the more knowledge that is shared and used, the more new knowledge that is generated. In an age of increasing competition and unprecedented change, only one sustainable competitive advantage remains: the capacity to learn.
! KNOWLEDGE MANAGEMENT PROCESSES
Knowledge management involves four main processes: the generation, capture, codification, and transfer of knowledge. Knowledge generation includes all activities that discover ‘‘new’’ knowledge, whether such knowledge is new to the individual, the firm, or the entire discipline. Knowledge capture involves continuous processes of scanning, organizing, and packaging knowledge after it has been generated. Knowledge codification is the representation of knowledge in a manner that can be easily accessed and transferred. Knowledge transfer involves transmitting knowledge from one person or group to another, and the absorption of that knowledge. Without absorption, a transfer of knowledge does not occur. Generation, codification, and transfer all take place constantly without management intervention. Knowledge management seeks to enhance the efficiency and effectiveness of these activities and leverage their value for the firm as well as the individual. Knowledge management is a dynamic and continuously evolving process.
19 Ikujiro Nonaka and Hirotaka Takeuchi, The Knowledge-Creating Company (New York: Oxford University Press, 1995), 100.
Knowledge Management Processes 357
Knowledge Generation
Buy or Rent
Shared Problem Solving
Creating (R&D)
Communities of PracticeAdaptation
FIGURE 12.5 Knowledge generation strategies.
Knowledge Generation Knowledge generation concerns the intentional activities of an organization to acquire or create new knowledge. In this context, knowledge does not have to be newly created, only new to the organization. The two primary ways of generating knowledge are knowledge creation (exploration) and knowledge sharing (exploita- tion).20 Knowledge creation (exploration) involves experimenting, seeking, and discovering knowledge about alternatives. It generates new knowledge. Knowledge sharing (exploitation) uses and develops available knowledge. It tends to be faster than knowledge creation. Techniques for knowledge generation are summarized in Figure 12.5. Exploration techniques include creation and adaptation to changing circumstances. Exploitation techniques include purchase or rental, shared prob- lem solving, and development through informal networks. Facilitating knowledge generation promotes continuous innovation and growth of knowledge in the firm.
Research and Development True creation of knowledge is the rarest form of knowledge generation. Besides funding outside research, another way to create knowledge is through use of a dedicated R&D unit. Financial returns on research often take years to develop. Realizing value from R&D depends largely, however, on how effectively the new knowledge is communicated and applied across the rest of the firm.
Knowledge generated by R&D efforts, or by individuals, frequently arises from synthesis. Most new inventions are not based on entirely new ideas, but combine knowledge from different sources in unique ways so that new ideas emerge. For example, the first airplane was an innovative synthesis of three preexisting ideas: the bicycle, the motor, and the airfoil.21 Synthesis brings disparate pieces of knowledge together, often from extremely diverse sources, then seeks interesting and useful relationships among them.
20 D. A. Levinthal and J. G. March, ‘‘The Myopia of Learning,’’ Strategic Management Journal 14 (Winter 1993), 95 – 112. 21 Rudy Ruggles, ‘‘Knowledge Tools: Using Technology to Manage Knowledge Better,’’ Working paper, Ernst & Young Center for Business Innovation (July 28 1997), available at http://www.businessinnovation.ey.com/mko/pdf/TOOLS.PDF.
358 Chapter 12 Managing Business Knowledge
Adaptation
Firms must often generate knowledge in response to external threats; new products or competitors, changes in economic or social conditions, and government reg- ulation are examples. These outside threats force knowledge generation because if the firm does not change, it will cease to exist.22 Adaptation is the ability to apply existing resources in new ways when external changes make old ways of doing business prohibitive. A firm’s ability to adapt is based on two factors: having sufficient internal resources to accomplish change and being open and willing to change. A firm’s core capabilities (i.e., competitive advantages built up over time that cannot be easily duplicated) can simultaneously be core rigidities (i.e., the unwillingness to modify tried-and-true business practices).
Buy or Rent
Knowledge may be acquired by purchasing it or by hiring individuals, either as employees or consultants, who possess the desired knowledge. Another technique is to support outside research in exchange for rights to the first commercial use of the results.
One example of this type of purchase is cell-phone manufacturer Nokia Corporation’s acquisition of software company Symbian in 2008. The acquisition gave Nokia access to valuable software that created a direct competitor to Google’s cellphone-software service.23 To have built this software would have taken expertise and time, possibly keeping Nokia out of the business at a critical time.
Shared Problem Solving
Also called ‘‘fusion,’’ shared problem solving brings together people with different backgrounds and cognitive styles to work on the same problem. Although this practice can cause divisiveness, it also provides opportunities for creative solutions. Even the most intelligent individuals can be bound by prior experience and personal style when attacking a problem.
The creative energy generated by problem-solving groups with diverse back- grounds has been termed creative abrasion.24 The term diversity, as used to describe the backgrounds of individuals in the group, should not be equated with race- or gender-based diversity as popularly conceived; rather, the key element of diversity for shared problem solving is a difference in cognitive styles. Creative abrasion does, however, require some common ground among group members, namely, a common vocabulary or shared elements of knowledge about the problem and the organization.
22 Although theoretically related, a discussion of self-organizing, complex adaptive systems is beyond the scope of this chapter. See, generally, Stuart A. Kauffman, At Home in the Universe: The Search for the Laws of Self-Organization and Complexity (New York: Oxford University Press, 1995). 23 Online.wsj.com (accessed July 28, 2008). 24 Dorothy Leonard, Wellsprings of Knowledge (Boston: Harvard Business School Press, 1995), 63.
Knowledge Management Processes 359
This overlapping knowledge is sometimes referred to as ‘‘knowledge redun- dancy’’ and provides a basis for group members to communicate about the problem.25 Some cultural ideas that can help fusion work more effectively include (1) fostering awareness of the value of the knowledge sought and a willingness to invest in it, (2) emphasizing the creative potential inherent in different styles of thinking and viewing the differences as positive, and (3) clearly specifying the parameters of the problem to focus the group on a common goal.26
Communities of Practice
Informal, self-organizing networks within firms are another source of knowledge generation. Known as communities of practice, these groups are composed of workers who share common interests and objectives, but who are not necessarily employed in the same organization, same department, or same physical location and who often occupy different roles on the organization chart. Communities of practice are held together by a common sense of purpose and a need to know what other members of the network know. Members’ effective collaboration can generate new knowledge.
Managers can nurture knowledge generation by providing sufficient time and incentives for employees to collaborate and exchange ideas. They can also recognize that knowledge generation is an important activity for the firm and encourage employees to engage in knowledge-generating activities. For example, Google promotes a culture of creativity and innovation in all employees by allowing them to spend 20% of their time on a project of their own choosing. ‘‘[Since] it is axiomatic that a firm’s greatest asset is its knowledge, then the firm that fails to generate new knowledge will probably cease to exist.’’27
Knowledge Codification Generating knowledge by itself is a pointless task. Aside from concerns about intellectual property and proprietary knowledge, once knowledge has been gener- ated, it must be used or shared to be of value. Codification puts the knowledge in a form that makes it possible to easily find and use. Although data can be compared to a record and information to a message, knowledge resembles an inventory. It accumulates and changes over time. Like inventory, knowledge has a ‘‘shelf life’’ to the extent that it may only add value for a period of time, depending on its purpose and use.
The boundaries of knowledge are difficult to identify because of context sensitivity; one person’s crucial fact is another person’s irrelevant trivia. Consider, for example, when an instructor imparts his or her knowledge to a class. Each
25 Ikujiro Nonaka and Hirotaka Takeuchi, The Knowledge-Creating Company (New York: Oxford University Press, 1995), 86. 26 Thomas H. Davenport and Laurence Prusak, Working Knowledge (Boston: Harvard Business School Press, 1998), 62. 27 Ibid., 67.
360 Chapter 12 Managing Business Knowledge
student in the class hears the same information, but acquires different knowledge. The instructor’s personal knowledge exists in the world that he or she knows. When that instructor imparts it, it leaves that world and its associated context. The students receive that which was imparted and then map it against that which they know to make it their own knowledge. Because each student’s base of knowing is different, each will map the information differently and, thus, will have different knowledge.28
In one respect, knowledge capture and codification embody the same idea: although knowledge may be technically ‘‘captured’’ when it resides in a database or on a sheet of paper, that knowledge is unavailable across the firm until it has been codified in a manner that will allow those who need it to find it. Davenport and Prusak identify four basic principles of knowledge codification:29
1. Decide what business goals the codified knowledge will serve (define strategic intent).
2. Identify existing knowledge necessary to achieve strategic intent. 3. Evaluate existing knowledge for usefulness and the ability to be codified. 4. Determine the appropriate medium for codification and distribution.
Knowledge Capture Knowledge capture takes into account the media used in the codification process. The media are used during the three major knowledge capture activities: scanning, organizing, and designing knowledge maps.
Scanning Scanning typically combines electronic and human approaches as a first step in capturing knowledge after strategic knowledge has been identified. Traditionally, electronic scanning captured relevant information from a particular source (pro- vided the information is available electronically), then filtered out redundant or duplicative information. Human analysts then added the most value to the scanning process by using their own knowledge of what is important to the company to provide context, interpretation, comparison, and condensation. Today, there are tools on the Internet that can do much of this type of scanning. RSS feeds for example, make it possible to automatically scan relevant Web sites and filter the way it is displayed.
Humans are also needed to scan and filter the soft, unstructured information available from experts and through rumor. Organizations usually have no formal or centralized scanning process and leave the scanning up to individual employees. However with Web 2.0 sites that aggregate information from various sources, many individuals are able to see just the topics of interest.
28 We are indebted to a reviewer for this example. 29 Thomas H. Davenport and Laurence Prusak, Working Knowledge (Boston: Harvard Business School Press, 1998), 69.
Knowledge Management Processes 361
Organizing This process attempts to take the mass of knowledge accumulated through scanning and structure it into an accessible form. Some structure is necessary to permit rapid access; however, too much structure can effectively hide knowledge from employees whose mental models do not fit those of the organizer. One example would be the index of the Yellow Pages (the real ones, not the knowledge management variety to be discussed later). One person might look under ‘‘car sales’’ and find no entries, while another might look under ‘‘auto dealers’’ and discover a large number of listings. Categorization schemes are always arbitrary and never value-neutral.
The problem of categorizing is especially salient for folksonomies, or sites for collaboratively creating and managing tags for annotating and categorizing content. The best known folksonomies include del.icio.us and Flickr. The keywords for tagging are generated by users of the content. The problem with this classification system is that everyone has different perceptions of the content. Thus, user tags tend to be imprecise, irrelevant, and often very messy. Further, folksonomies are ill-organized because they contain many unlinked variants such as plurals, singulars, spelling errors, and typos.
One scheme for categorizing knowledge uses four broad classifications:30
• Process knowledge. Sometimes referred to as ‘‘best practices,’’ this kind of knowledge is useful for increasing efficiency.
• Factual knowledge. Basic information about people and things that has been synthesized and placed in context; easy to document.
• Catalog knowledge. Individuals who possess catalog knowledge know where things are. These people are like directories of expertise, and while such knowledge can often be codified into a sort of Yellow Pages, the dynamics within organizations change so quickly, some individuals will always be more valuable because they know where to go for the right knowledge.
• Cultural knowledge. Knowing how things actually get done in an organi- zation, culturally and politically. The absence of cultural knowledge can reduce efficiency when employees must learn or relearn invisible norms and behaviors.
Another interesting example of a categorization scheme is Encyclopædia Britannica’s ‘‘Propædia,’’ or ‘‘Outline of Knowledge.’’ The Propædia was originally developed as a framework to classify all knowledge for inclusion in the printed encyclopedia. The designers of the search and retrieval system for Encyclopædia Britannica’s CD-ROM edition and Web site used the Propædia as a benchmark
30 Rudy Ruggles, ‘‘Knowledge Tools: Using Technology to Manage Knowledge Better,’’ Working paper, Ernst & Young Center for Business Innovation (July 28 1997), http://www.businessinnovation .ey.com/mko/pdf/TOOLS.PDF.
362 Chapter 12 Managing Business Knowledge
to measure the effectiveness of their system. The written Propædia structure told them which articles, from various parts of the encyclopedia, should be retrieved by a given query. The developers used the results to optimize their search algorithms.31 The search engine developed from the Propædia is now being used at a Web site developed by Britannica called eBLAST.32 A team of editors and indexers scans and identifies high-quality knowledge resources, which are then concisely described, rated according to consistent standards, and indexed for retrieval using the organizational hierarchy taken from the Propædia. The eBLAST Web navigator uses the Propædia categorization scheme to classify Web sites indexed in the system.
Designing Knowledge Maps
A knowledge map (see Figure 12.6) serves as both a guide to where knowledge exists in an organization and an inventory of the knowledge assets available. Although it may be graphically represented, a knowledge map can consist of nothing more than a list of people, documents, and databases telling employees where to go when they need help. A good knowledge map gives access to resources that would otherwise be difficult or impossible to find. Maps may also identify knowledge networks or communities of practice within the organization.
Several different schemes may be used to map knowledge. A common, but fairly ineffective, way to map knowledge is by its physical location within the firm’s IS, identifying the databases, file servers, document management systems,
A knowledge map shows the location of knowledge resources within a firm
• Individual experts • Networks of practitioners • Documents and databases
Experts
Networks
Documents/Databases
FIGURE 12.6 Contents of knowledge maps. Source: ! IBM Global Services. Used with permission.
31 James Fallows, ‘‘The Java Theory,’’ The Atlantic Monthly (March 1996), 113 – 117. 32 Available at http://www.eblast.com/.
Knowledge Management Processes 363
and groupware locations where it resides. This categorization scheme can help technically astute employees find information quickly because it shows them exactly where to find it. However, physical mapping is primarily of use only to those who are interested in learning the IT architecture of the organization.
Qualitative mapping points to information by topic rather than location. Qualitative mapping can be organized around processes, functions, or concepts. Process mapping uses a generalized model of how a business functions and maps it to the knowledge contained in the organization. Functional mapping is based loosely on the organizational chart and is usually not effective for sharing knowledge across functions, because most workers do not have time to browse through the knowledge assets of other functional areas in hopes of finding something useful. Conceptual mapping is the most useful of these methods for organizing knowledge, but harder to design, build, and maintain. Conceptual maps organize information around objects, such as proposals, customers, or employees. These objects or topical areas contain information originally produced in different functional areas, which leads to transfer of knowledge across the organization.33
Codifying Tacit Knowledge with Narratives Mapping the identities of experts in an organization does not guarantee access to those experts’ knowledge. An expert must have both the time and the willingness to share the knowledge. If the expert is unavailable or leaves the firm, the value of his or her knowledge is lost. A partial answer to this problem is to transfer as much knowledge as possible through mentoring or apprenticeship programs so that important tacit knowledge is not entirely concentrated in one person. Capturing tacit knowledge through narratives provides another answer.
Research shows that knowledge is communicated most effectively through a good story that, told with feeling, resonates with other people. ‘‘War stories’’ can convey a rich and complex understanding of an event or situation in human context, making them one of the most effective ways to both capture tacit knowledge without losing much of its value and transfer it to the listener. Knowledge is most likely to be absorbed if shared in a context that is understood by the listeners. More firms are beginning to circulate videotapes that tell the story, for example, about how an important sale was closed. These narratives ‘‘codify’’ the expert’s tacit knowledge of how to close a sale in a way that conveys much of its underlying meaning.34 The very act of telling the story shapes the firm’s meaning about how expert salespeople should act.
At IDEO, a leading design firm, knowledge is spread through stories and not databases. Typically half the weekly Monday morning meetings are dedicated to
33 Tom Davenport, David DeLong, and Mike Beers, ‘‘Building Successful Knowledge Management Projects,’’ Working paper, Ernst & Young Center for Business Innovation (June 6, 1997), available at http://www.businessinnovation.ey.com/mko/pdf/KPROJE.PDF. 34 Thomas H. Davenport and Laurence Prusak, Working Knowledge (Boston: Harvard Business School Press, 1998), 82.
364 Chapter 12 Managing Business Knowledge
sharing stories about projects or best business practices. ‘‘People hold stories in their heads better than other forms of inform,’’ says IDEO president Tim Brown.35
Knowledge Transfer In their book The Knowledge Creating Company, Ikujiro Nonaka and Hirotaka Takeuchi describe four different modes of knowledge conversion, their term for knowledge transfer (see Figure 12.7). The modes are (1) from tacit knowledge to tacit knowledge, called socialization, (2) from tacit knowledge to explicit knowl- edge, called externalization, (3) from explicit knowledge to explicit knowledge, called combination, and (4) from explicit knowledge to tacit knowledge, called internalization.36
Socialization is the process of sharing experiences; it occurs through obser- vation, imitation, and practice. Common examples of socialization are sharing war stories, apprenticeships, conferences, and casual, unstructured discussions in the office or ‘‘at the water cooler.’’ When the Web is used as the vehicle for transferring, mashups, a Web 2.0 tool, combines data from more than one source to create a distinct, integrated Web service that was not previously available at any of the sources. For example explicit data about real estate sales (i.e., type of
Tacit Knowledge
Explicit Knowledge
Tacit Knowledge Explicit Knowledge
TO
FROM
SOCIALIZATION Transferring tacit knowledge through shared experiences, apprenticeships, mentoring relationships, on-the-job training, "talking at the water cooler"
INTERNALIZATION Converting explicit knowledge into tacit knowledge; learning by doing; studying previously captured explicit knowledge (manuals, documentation) to gain technical know-how
EXTERNALIZATION Articulating and thereby capturing tacit knowledge through use of metaphors, analogies, and models
COMBINATION Combining existing explicit knowledge through exchange and synthesis into new explicit knowledge
FIGURE 12.7 The four modes of knowledge conversion. Source: Ikujiro Nonaka and Hirotaka Takeuchi, The Knowledge-Creating Company (New York: Oxford University Press, 1995), 62.
35 Catherine Fredman, ‘‘The IDEO Difference,’’ Hemispheres (August 2002), 52 – 57. 36 Ikujiro Nonaka and Hirotaka Takeuchi, The Knowledge-Creating Company (New York: Oxford University Press, 1995), 62 – 70.
Competing with Business Analytics 365
property and sale price) could be mapped to explicit cartographic location data available from Google Maps to create a map of recent sales. Internalization is the process of experiencing knowledge through an explicit source. For example, after viewing the videotape and combining the new knowledge conveyed by the narra- tive with prior experiences, a salesperson might close a sale he or she would have otherwise lost.
! COMPETING WITH BUSINESS ANALYTICS
In recent years, many companies have found success competing through bet- ter use of analytics. Companies such as Harrah’s Entertainment, as described at the beginning of this chapter, have turned around an otherwise lackluster business to become a leader in their industry. Capital One has also emerged from a crowded field of financial services firms, to become one of the industry leaders through use of extensive business analytics to continuously create and invent new products and services to reach out to new customers and reinvigorate relationships with existing customers. In their case, the company was founded on the idea that by mining data about individual customers they could create financial service products that addressed what the big players would consider ‘‘‘niche markets,’’ unattractive to the larger players because of the smaller number of potential customers, but profitable nonetheless. Using the customer database of a small bank, and running numerous analytical tests, they identified charac- teristics that would create a profitable service. They learned, for example, that the most profitable customers were ones who charged a large amount, but paid their credit cards off slowly. At the time, most credit cards companies didn’t differentiate between these and other customers. The innovative idea was to create a product that catered to these customers. Today, Capital One runs hun- dreds of experiments, identifying new products that target individual customers. Using analytics to simulate and test is a very low cost way to design and develop these products.37
Sports teams have propelled themselves to league success through business analytics. The systematic use of factual data in proprietary models is credited with helping the Oakland As and the Boston Red Sox. Billy Beane was one of the first general managers in Major League Baseball to build his organization, the Oakland As, around analytics. Although this industry collected data extensively, it was mostly used to manage the game in process. The Oakland As managed by using data on things that they could measure such as the on-base percentage (the number of times a player gets on-base), instead of softer criteria such as determination or effort the player is willing to put in. They used analytics in their recruiting efforts to predict which young players had the best chances of becoming major league players. Their strategy paid off, consistently carrying them to the playoffs
37 Davenport and Harris, Competing on Analytics, 41 – 42.
366 Chapter 12 Managing Business Knowledge
despite a budget for player’s salaries that was a fraction of what some of their competitors had.
One reason for the rise in companies competing on analytics is that many companies in many industries offer similar products and use comparable tech- nologies. Therefore, business processes are among the last remaining points of differentiation, and analytic competitors are wringing every last drop of value from those processes.38 Business analytics fuel fact-based decision making. For example, a company may use inventory reports to figure out what products are selling quickly and which are moving slowly, but a company that uses analytics will also know who is buying them, what price each customer pays, how many items the customer will purchase in a lifetime, what motivates each customer to purchase, and which incentives to offer to increase the revenue from each sale.
Davenport and Harris suggest that companies who successfully compete using their business analytics skills have these five capabilities:
• Hard to duplicate: Because successfully using analytics to compete means having a strong culture and organizational support system, as well as business processes that utilize the results of the analytical analyses, copying the capability is difficult, if not impossible. A competitor may have the same tools, but success comes from how they are used.
• Uniqueness: There are many ways to use business analytics to compete. A specific business will choose a path based on their business, their strategy, their market, their competitors, and their industry.
• Adaptability: Successful companies use analytics across boundaries and in creative ways. Workers are not held back from using analytics, and in fact are encouraged to find new and innovative ways to apply their tools. By creating a culture of analytics, virtually everyone in the organization seeks applications for analytics to enhance their business operations.
• Better than competition: Some organizations are better at applying analyt- ics than others. For example, the Oakland As and the Boston Red Sox are well known for their use of analytics in an industry, Major League Base- ball, well known for its data collection and statistical analysis.
• Renewability: Agility is an important characteristic of sustainable compet- itive advantage. Companies who use analytics for competitive advantage are exceptionally adaptable, continuously reinvest, and constantly renew their capabilities.
! COMPONENTS OF BUSINESS ANALYTICS
To successfully build business analytics capabilities in the enterprise, companies make a significant investment in their technologies, their people, and their strategic
38 Ibid.
Components of Business Analytics 367
Component Definition Example
Data Repository Servers and software used to store data
Data warehouses
Software Tools Applications and processes for statistical analysis, forecasting, pre- dictive modeling, and optimization
Data mining process; forecasting software package
Analytics Environment
Organizational environment that creates and sustains the use of analytics tools
Reward system that encourages the use of the analytics tools; willingness to test or experiment
Skilled Workforce Workforce that has the training, experience, and capability to use the analytics tools
Harrah’s and Capital One have such workforces
FIGURE 12.8 Components of business analytics.
decision-making processes. Four components are needed (these four components are summarized in Figure 12.8).
Data Repositories Data used in the analytical processes must be gathered, codified, and stored. Data warehouses, or collections of data designed to support management decision making, sometimes serve as repositories of organizational knowledge. They contain a wide variety of data used to create a coherent picture of business conditions at a single point in time. In fact, the data contained in data warehouses may represent a large part of a company’s knowledge, for example, the business’s knowledge about its clients and their demographics.
Software Tools At the core of business analytics are the tools An approach that simulates business intelligence is data mining, which is the process of analyzing data warehouses for ‘‘gems’’ that can be used in management decision making. It identifies previously unknown relationships among data. Typically, data mining refers to the process of combing through massive amounts of customer data to understand buying habits and to identify new products, features, and enhancements. The analysis may help a business better understand its customers by answering such questions as: Which customers prefer to contact us via the Web instead through a call center? How are customers in Location X likely to react to the new product that we will introduce next month? How would a proposed change in our sales commission policy likely affect the sales of Product Y? Using data mining to answer such questions helps a business reinforce its successful practices and anticipate future customer preferences.
368 Chapter 12 Managing Business Knowledge
There are four categories of tools that are typically included under the business analytics umbrella. They include39
• Statistical Analysis — answers questions like, ‘‘Why is this happening?’’ • Forecasting/extrapolation — answers questions like, ‘‘What if these trends
continue?’’ • Predictive Modeling — answers questions like, ‘‘What will happen next?’’ • Optimization — answers questions like, ‘‘What is the best that can
happen?’’
These tools are used with the data in the data warehouse to gain insights and support decision making.
Analytics Environment Building an environment that supports and encourages analytics is a critical component. This includes alignment of the corporate culture, the incentive systems, the metrics used to measure success of initiatives, and the processes for using analytics with the objective of building competitive advantage through analytics. For example, one financial services firm encouraged the use of analytics by changing its appraisal system so that demonstration of skills associated applying analytics was made a significant factor in compensation decisions.
Although many companies have some sort of analytical tools in place, most are not used for mainstream decision making, and they certainly do not drive the strategy formulation discussions of the company. To build a competitive advantage from analytics, executives use analytics as an integral component of their business.
Skilled Workforce It’s clear that to be successful with analytics, data and technology must be used. But experts point out that even with the best data and the most sophisticated analytics, people must be involved. Managers must have enough knowledge of analytics to use them in their decision making. Leaders must set examples for the organization by using analytics and requiring that decisions made by others use analytics. Perhaps the most important role is sponsorship. Davenport and Harris point out that it was the CEO-level sponsorship and the corresponding passion for analytics that enabled firms such as Harrah’s and Capital One to achieve the success they did.
! CAVEATS FOR MANAGING KNOWLEDGE
Following such a broad survey, it seems appropriate to conclude with a few caveats. First, recall that knowledge management and business intelligence are emerging disciplines. Viewing knowledge management as a process rather than an end by itself requires managers to remain flexible and open-minded.
39 Ibid.
Food for Thought: Business Experimentation 369
Second, the objective of knowledge management is not always to make knowl- edge more visible or available. Like other assets, it is sometimes in the best interests of the firm to keep knowledge tacit, hidden, and nontransferable. Competitive advantage increasingly depends on knowledge assets that are difficult to reproduce. Retaining knowledge is as much a strategic issue as sharing knowledge.
Third, knowledge can create a shared context for thinking about the future. If the purpose of knowledge management is to help make better decisions, then it should focus on future events. Through the use of multiple scenarios, organizations can create ‘‘memories of the future.’’ The goal is not to know the future, but rather to know what projections influence long-term strategy and short-term tactics.40
Finally, people lie at the heart of knowledge management. Establishing and nurturing a culture that values learning and sharing of knowledge enables effective and efficient knowledge management. Knowledge sharing — subject, of course, to the second caveat already described — must be valued and practiced by all employ- ees for knowledge management to work. The success of knowledge management ultimately depends on a personal and organizational willingness to learn.
! FOOD FOR THOUGHT: BUSINESS EXPERIMENTATION
In his book, Experimentation Matters, Professor Stefan Thomke discusses a con- cept of business experimentation as a means of innovation for organizations.41 Products and services are created and improved using analytics through a process of experimentation. Business experimentation uses controlled, well-designed experiments to innovate and support business strategy. It’s more than testing out a new software package or building a new prototype. Companies who excel at business experimentation are able to create new products and services at a fraction of the cost of similar companies who lack this competency.
Capital One is a primary example of a company built around experimentation. Capital One was founded by two individuals who believed that the data collected by a bank, when systematically analyzed, would reveal new, profitable financial services products. As discussed earlier in this chapter, they ran thousands of experiments on their bank’s customer database to test their initial hypotheses and develop their first products. Today, Capital One managers run several hundred experiments a day to target individual customers and offer innovative financial service products. For example, through structured testing and analysis of their data repositories, managers found that CD interest rates, rollover incentives, and minimum balances had predictable effects on retention rates and new additional deposits. Through experimentation, they increased the business savings retention by 87% and lowered the cost of acquiring new accounts by 83%.42
40 Liam Fahey and Laurence Prusak, ‘‘The Eleven Deadliest Sins of Knowledge Management,’’ California Management Review 40, no. 3 (1998), 265 – 276. 41 Stefan Thomke, Experientation Matters (Harvard Business School Press, 2003). 42 Adapted from Davenport and Harris, Competing on Analytics, 42.
370 Chapter 12 Managing Business Knowledge
The ability to manage uncertainty is fundamental to innovation. Uncertainty can come from many sources. For example, technological uncertainty arises from the concern that the innovation will work as designed. Production uncertainty arises in the unknowns associated with producing the innovation for customers. Market uncertainty arises when the pace of change is so fast that what is a need today may no longer be a need tomorrow, when the innovation gets to market. To resolve uncertainty, managers can turn to experimentation.
At the core of business experimentation is the concept of ‘‘test and learn.’’ Companies who regularly experiment manage their projects as experiments. That means they design their projects with a series of rapid iterations through many experiments where they fail early and often then continue to learn. That means building processes, using technologies, and creating a culture that supports experimentation. Although this sounds easy, most business cultures do not support experimentation. Instead, and especially in an era of tight resources, business leaders expect projects to proceed along a well-planned path from idea to successful implementation. The learning is supposed to take place before the project begins. In a business experiment friendly culture, projects begin with a series of experiments that result in learning, and then as the ideas emerge, the project may proceed to concrete idea then implementation.
Capital One and Harrah’s are both examples of companies who have built a core competency in business experimentation and analytics. Managers have built processes to support experimentation with analytics. Data is collected in vast quantities knowing that the next innovation, and perhaps the entire strategy of the company, will emerge from systematic analysis of the data.
! SUMMARY • Knowledge management is related to information systems (IS) in three ways: (1)
information technologies make up the infrastructure for knowledge management systems; (2) knowledge management systems make up the data infrastructure for many IS and applications; and (3) knowledge management is often referred to as an application of IS.
• Data, information, and knowledge should not be viewed as interchangeable. Knowledge is more valuable than information, which is more valuable than data because of the human contributions involved.
• The two kinds of knowledge are tacit and explicit. Tacit knowledge is personal, context-specific, and hard to formalize and communicate. Explicit knowledge is easily collected, organized, and transferred through digital means.
• Reasons for managing knowledge include benefits derived from sharing best practices, the need to respond to globalization and rapid change, organizational downsizing, the need to manage information and communication overload, controlling knowledge embedded in products, and leveraging knowledge to gain competitive advantage.
• Knowledge management is a dynamic and continuously evolving process that involves knowledge generation, capture, codification, and transfer.
Discussion Questions 371
• Business Intelligence uses data and technologies to understand business perfor- mance. Business Analytics is a component of business intelligence referring to the quantitative and predictive models and fact-based management that drive business decisions.
• Successfully competing with business analytics means that the organization have these five capabilities: hard to duplicate, uniqueness, adaptability, better than competition, and renewability
• Business experiments provide a structured, relatively low cost process for systemat- ically innovating and ultimately creating business strategy, often using analytics and simulation.
! KEY TERMS business analytics (p. 352) business intelligence
(p. 352) business experimentation
(p. 369) combination (p. 364) communities of practice
(p. 359) data (p. 348) data mining (p. 367) data warehouses (p. 367) explicit knowledge
(p. 351)
externalization (p. 364) folksonomies (p. 361) information (p. 349) intellectual capital (p. 347) intellectual property
(p. 348) internalization (p. 364) knowledge (p. 349) knowledge capture
(p. 356) knowledge codification
(p. 356)
knowledge generation (p. 356)
knowledge management (p. 347)
knowledge map (p. 362) knowledge transfer
(p. 356) mashup (p. 364) RSS feeds (p. 360) socialization (p. 364) Tacit knowledge (p. 350)
! DISCUSSION QUESTIONS 1. The terms data, information, and knowledge are often used interchangeably. But as this chapter discussed, they can be seen as three points on a continuum. What, in your opinion, comes after knowledge on this continuum?
2. What is the difference between tacit and explicit knowledge? From your own experience, describe an example of each. How might an organization manage tacit knowledge?
3. What does it take to be a successful competitor using business analytics? What is IT’s role in helping build this competence for the enterprise?
4. How do knowledge maps aid an organization?
5. Do you think that the Digital Millennium Copyright Act is the type of legislation that should be enacted to protect intellectual property? Why or why not?
6. PricewaterhouseCoopers has an elegant, powerful intranet knowledge management system called Knowledge Curve. Knowledge Curve makes available to its consultants and auditors a compendium of best practices, consulting methodologies, new tax and audit insights, links to external Web sites and news services, online training courses, directories of in-house experts, and other forms of explicit knowledge. Yet, according to one of the
372 Chapter 12 Managing Business Knowledge
firm’s managing partners, ‘‘There’s a feeling it’s underutilized. Everybody goes there sometimes, but when they’re looking for expertise, most people go down the hall.’’43 Why do you think that Knowledge Curve is underutilized?
7. How do analytics support business experimentation? Give an example of how a company might use business experimentation to create a new product or service.
CASE STUDY 12-1
GSD&M’S VIRTUAL CROWD USES ANALYTICS
Advertising giant GSD&M has always been on the leading edge at its home, Idea City, in Austin, Texas. This time they are using virtual simulation and collaboration to help their clients develop advertising strategies. They have created a ‘‘virtual marketplace’’ to help test messages, media, and audiences. One of their managers, Maury Giles, head of accountability and analytics, describes it this way
In the same way you can create ‘SimCity,’ you can create a virtual marketplace. Instead of spending $30 million on a campaign, you’re not sure is going to work, you can try it and run it. . .It’s like a simulation of what would happen if we spend this money on this message with this group of people.
The technology lets GSD&M managers set up a simulated population of as many customers as they want. They set up rules, such as what percent likes what products in the market, what city they live in, what their network of friends looks like, what the economy looks like, and what competitors are doing. The system uses its database to simulate customer behavior.
For example, a simulation would help a customer decide if they should use the Web, TV, radio, or some combination to create the results they seek. It’s a tool to help make marketing decisions, but managers must still make those decisions. Although it may take four to six months to set up a simulation, the results are compelling. One manager said that the predictions from their system are within 95% of what actually happens.
Discussion Questions
1. What is the benefit to GSD&M and their clients of using a simulation to predict customer behavior?
2. What other scenarios can you think of that might benefit from this type of simulation? 3. Describe the culture necessary to support GSD&M’s use of simulation as a means of
experimenting with marketing scenarios.
Source: Adapted from Lilly Rockwell, ‘‘GSD&M Taps Virtual Crowds to Test Real Ads,’’ Austin American-Statesman, April 21, 2008, Section D, p. 1.
43 Thomas Stewart, ‘‘The Case Against Knowledge Management,’’ Business 2.0 (February 2002), p. 81.
Case Study 373
CASE STUDY 12-2
THE BRAIN BEHIND THE BIG, BAD BURGER
At a time when most fast-food restaurants were touting nutrition, Hardee’s proudly introduced the Monster Thickburger. This burger boasts a phenomenal 1420 calories and 107 grams of fat. It consists of two, one-third-pound charbroiled 100% Angus beef patties, three slices of American cheese, a dollop of mayonnaise, and four crispy strips of bacon on a toasted buttery sesame seed bun. What on earth was CKE Restaurants, the owners of the Hardee’s chain, thinking?
Because of its Business Intelligence System (BIS), CKE was confident about introducing the Monster Thickburger across the United States on November 15, 2004. A BIS uses data mining, analytical processing, querying, and reporting to process a business’s data and derive insights from it. CKE’s BIS, known ironically inside the company as CPR (CKE Performance Reporting) monitored the performance of its Monster Thickburger in test markets to ensure that the burger contributed to increases in sales and profits at restaurants without cannibalizing sales of other more modest burgers. To do so, CKE’s BIS studied a variety of factors — such as menu mixes, Monster Thickburger production costs, average unit volumes for the Monster Thickburger compared with other burgers, gross profits and total sales for each of the test stores, and the contribution that each menu item (including the Monster Thickburger) made to total sales. Because the sales of Monster Thickburger exceeded expectations in the test markets, CKE developed a $7 million dollar advertising campaign to launch its nationwide introduction. Monster Thickburger sales exceeded expectations, and Hardee’s sales revenues increased immediately. ‘‘The Monster Thickburger was directly responsible for a good deal of that increase,’’ says Brad Haley, Hardee’s executive vice president of marketing.
CKE, partially because of its reliance on CPR, was rescued from the brink of bankruptcy in 2000. It increased sales at restaurants open more than a year, narrowed its overall losses, and finally turned a profit in 2003. CPR, their proprietary system, consists of a Microsoft SQL server database and uses Microsoft development tools to parse and display analytical information. It uses econometric models to provide context and to explain performance. The company reviews and refines these models each month. The econometric models take into consideration 44 factors, including the weather, holidays, coupon activity, discounting, free giveaways, and new products. With the click of a button, for example, a sales downturn can be explained on a screen that shows that 5% of the 8% decrease was due to torrential rain in the Northeast and 2% was due to free giveaways.
In the competitive restaurant chain industry, companies have to be agile and responsive to the dynamic environment that they face. They must align their BIS initiatives with their business strategies. They use the insights derived from their BISs to improve operations and their bottom lines. BISs assist them in making strategic decisions about menu items and closures of underperforming stores, as well as tactical matters such as renegotiating contracts with food suppliers, monitoring food costs, and identifying opportunities to improve inefficient processes. To derive value from their BISs, many restaurant chains have successfully reduced the three biggest barriers to BIS success: voluminous amounts of irrelevant data, poor data quality, and user resistance.
CKE’s CIO and executive vice president of strategic planning, Jeff Chasney, states: ‘‘If you’re just presenting information that’s neat and nice but doesn’t evoke a decision or impart
374 Chapter 12 Managing Business Knowledge
important knowledge, then it’s noise. You have to focus on what are the really important things going on in your business.’’
Chasney stresses a BIS should be different from the plain-vanilla standard corporate reporting tools that have been around for decades. Rather a BIS should provide managers with insights, not just mountains of data. ‘‘There’s nothing worse, in my opinion, than a business intelligence system that reports changes on a weekly basis,’’ he says, ‘‘because those systems don’t provide any context as to what factors are influencing those changes. Without that context, you don’t know whether the data is good or bad; it’s just useless.’’ Chasney further noted: ‘‘If your business intelligence system is not going to improve your decision making and find problem areas to correct and new directions to take, nobody’s going to bother to look at it.’’
When developing a BIS, Chasney advises companies to first analyze their decision-making processes. They must determine the information that executives need to confidently make decisions in rapidly changing environments, as well as their preferred presentation format for that information (for example, as a report, a chart, online, hard copy). Only then can that information be collected, analyzed, and published in their BISs.
In 2000 when he started building CPR, Chasney asked the CEOs and the chief operating officers (COOs) of CKE’s three restaurant chains — Hardee’s, Carl’s Jr., and La Salsa Fresh Mexican Grill — what information is most important to them in their efforts to run their company. The CEO wanted to know what caused changes in sales. The COOs wanted help in exposing business opportunities, as well as clear indicators of underperforming restaurants. The discussions taught Chasney that a BIS needed to add value by focusing on a company’s most important performance indicators: sales and cost of sales; exceptions, such as those areas of the business that are outperforming or underperforming other segments; and historical and forward-looking business trends.
Discussion Questions
1. How does the BIS at CKP add value to the business? 2. What are some tips for developing and using the Business Intelligence System described
in this case? 3. Was the introduction of the Monster Thickburger a good idea or an example of informa-
tion leading to a wrong decision?
Source: Adapted from Meredith Levinson, ‘‘The Brain Behind the Big, Bad Burger and Other Tales of Business Intelligence,’’ CIO Magazine (March 15, 2005), available at http://www.cio.com/ archive/031505/intelligence.html.
!Glossary Administrator: An employee who ‘‘takes care of’’ a computer or a number of comput- ers. Administrator duties typically include backing up data (and restoring it if it is lost), performing routine maintenance, installing software upgrades, troubleshooting problems, and assisting users. ANSI X12: The name of the standard used by EDI applications to allow a soft- ware program on one computer system to relay information back and forth to a soft- ware program on another computer system, thus allowing organizations to exchange data pertinent to business transactions. Application: A software program designed to facilitate a specific practical task, as opposed to control resources. Examples of application programs include Microsoft Word, a word processing application; Lotus 1-2-3, a spreadsheet application; and SAP R/3, an enterprise resource planning application. Contrast to operating system. Archetype: A pattern from decision rights allocation. ASP (Application Service Provider): An Internet-based company that offers a software application used through their Web site. For example, a company might offer small busi- ness applications that a small business owner could use on the Web, rather than buying software to load on their own computers. Authentication: A security process where proof is obtained to verify that the users are truly who they say they are. B2B (Business to Business): Using the Internet to conduct business with business customers. (See B2C.) B2C (Business to Consumer): Using the Internet to conduct business directly with consumers of goods and services. (See B2B.) Backsourcing: A business practice in which a company takes back in-house assets, activities, and skills that are part of its
information systems operations and were previously outsourced to one or more outside IS providers. Bandwidth: The rate at which data can travel through a given medium. The medium may be a network, an internal connection (say from the CPU to RAM), a phone line, etc. For networks and internal connections, bandwidth is typically measured in terms of megabytes per second (MB/sec) or gigabytes per second (GB/sec). Bit: A ‘‘binary digit’’; the smallest unit of data as represented in a computer. A bit can take only the values 0 or 1. Bricks-and-clicks: The term used to refer to businesses with a strong business model on both the Internet and in the physical world. Business Analytics: The use of data, analysis, and modeling to arrive at business decisions. Some organizations use business analytics to create new innovations or to sup- port the modification of existing products or services. Business Diamond: A simple framework for understanding the design of an organiza- tion, linking together the business processes, its values and beliefs, its management control systems, and its tasks and structures. Business Experimentation: A method of studying a business problem that involves the use of a structured process such as the scientific method to learn about the poten- tial success or failure of a product, service, or innovation. Businesses use this method to create new innovations and to study hunches and hypotheses. Often business analytics are used to create frequent, low-cost business experiments. Business Intelligence: This term refers to the broader practice of using technol- ogy, applications, and processes to col- lect and analyze data to support business decisions.
375
376 Glossary
Byte: 8 bits. A byte can be thought of as a ‘‘character’’ of computer data. Captive Center: An overseas subsidiary that is set up to serve the parent company. Companies set up captive centers as an alter- native to offshoring. CIO (Chief Information Officer): The senior-most officer responsible for the infor- mation systems activities within the organi- zation. The CIO is a strategic thinker, not an operational manager. The CIO is typi- cally a member of the senior management team and is involved in all major business decisions that come before that team, bring- ing an information systems perspective to the team. Client/Server: A computing architecture in which one software program (the client) requests and receives data and sometimes instructions from another software program (the server) usually running on a separate computer. In a client/server architecture, the computers running the client program typi- cally require less power and resources (and are therefore less expensive) than the com- puter running the server program. In many corporate situations, a client/server architec- ture can be very cost effective. Client: A software program that requests and receives data and sometimes instruc- tions from another software program, usually running on a separate computer. Cloud Computing: This is a style of infras- tructure where capacity, applications, and services (such as development, maintenance, or security) are provided by a third-party provider over the Internet often on a ‘‘fee for use’’ basis. Customers go to the Web for the services they need. Coaxial Cable (coax): A kind of copper wire typically used in networking. An inner wire is surrounded by insulation, which is sur- rounded by another copper wire and more insulation. Complementor: One of the players in a co-opetitive environment. It is a company whose product or service is used in conjunc- tion with a particular product or service to make a more useful set for the customer. (See Value Net.)
Co-opetition: A business strategy whereby companies cooperate and compete at the same time. Cost Leadership Strategy: A business strategy where the organization aims to be the lowest-cost producer in the marketplace. (See Differentiation Strategy; Focus Strategy.) CPU (Central Processing Unit): The computer hardware on which all computation is done. CRM (Customer Relationship Man- agement): The management activities performed to obtain, enhance, and retain cus- tomers. CRM is a coordinated set of activities revolving around the customer. Crowdsourcing: The act of taking a task traditionally performed by an employee or contractor and outsourcing it to an undefined, generally large group of people, in the form of an open call. Cycle plan: A project management plan that organizes project activities in relation to time. It identifies critical beginning and end dates and breaks the work spanning these dates into phases. The general manager tracks the phases to coordinate the eventual tran- sition from project to operational status, a process that culminates on the ‘‘go live’’ date. Data Mining: The process of analyzing databases for ‘‘gems’’ that will be useful in management decision making. Typically, data mining is used to refer to the process of combing through massive amounts of cus- tomer data to understand buying habits and to identify new products, features, and enhance- ments. Database: A collection of data that is for- matted and organized to facilitate ease of access, searching, updating, addition, and deletion. A database is typically so large that it must be stored on disk, but sections may be kept in RAM for quicker access. The soft- ware program used to manipulate the data in a database is also often referred to as a ‘‘database.’’ DBA (Database Administrator): The person within the information systems depart- ment who manages the data and the database. Typically, this person makes sure that all the
Glossary 377
data that goes into the database is accurate and appropriate, and that all applications and individuals who need access have it. Debugging: The process of examining and testing software and hardware to make sure it operates properly under every condition possible. The term is based on calling any problem a ‘‘bug’’; therefore, eliminating the problem is called ‘‘debugging.’’ Decision Models: Information systems-based model used by managers for scenario planning and evaluation. The information system collects and analyzes the information from automated processes and presents them to the manager to aid in deci- sion making. Differentiation Strategy: A business strategy where the organization qualifies its product or service in a way that allows it to appear unique in the marketplace. (See Cost Leadership Strategy; Focus Strategy.) Digital Signature: A digital code applied to an electronically transmitted message used to prove that the sender of a message (e.g., a file or e-mail message) is truly who he or she claims to be. DSL (Digital Subscriber Line): A tech- nology used for connecting users to the Internet. The connection is typically offered by a telephone company or other independent company to homes and businesses who desire direct, all the time access. DSL subscribers are able to use the Internet without dialing up a server, and the connection is usually of higher speed than dial-up lines. E-business (Electronic Business): Any business activities done electronically within or between businesses. Many use this term to specifically refer to business activities done over the Internet. E-commerce (Electronic Commerce): Transacting business electronically, typically over the Internet or directly with an EDI system. EDI (Electronic Data Interchange): A mechanism for exchanging business data between two computers over some kind of network. EFT (Electronic Funds Transfer): The business transaction of sending payments
directly from a customer’s bank account to a vendor’s bank account electronically. E-learning: Using the Internet to enable training, learning, and knowledge trans- fer. E-learning includes distance learning, computer-based training (CBT), on-demand learning, and Web-based training. E-mail (electronic mail): A way of trans- mitting messages over communication net- works. E-marketplaces: A special application of the Internet that brings together different companies to buy and sell goods and services. Sometimes called ‘‘net-markets’’ or ‘‘virtual markets.’’ Encryption: The translation of data into a code or a form that can be read only by the intended receiver. Data is encrypted using a key or alphanumeric code and can be decrypted only by using the same key. Enterprise 2.0: A term used to describe a company using the technologies and prac- tices resulting from Web 2.0 architectures, applications, and services. Enterprise 2.0 typically means a flat organization with unim- peded information flows between all levels and individuals in the organization. Com- panies adopting these practices seek to be agile, flexible, user driven, on-demand, and transparent. Enterprise Architecture: The term used for a ‘‘blueprint’’ for the corporation that includes the business strategy, the IT archi- tecture, the business processes, and the organization structure and how all these com- ponents relate to each other. Often this term is IT-centric, specifying the IT architecture and all the interrelationships with the struc- ture and processes. ERP (Enterprise Resource Planning Software): A large, highly complex soft- ware program that integrates many business functions under a single application. ERP software can include modules for inventory management, supply chain management, accounting, customer support, order track- ing, human resource management, and so forth. ERP software is typically integrated with a database.
378 Glossary
Ethernet: A standard for local area networks. Ethernet specifies software pro- tocols and hardware specifications for cre- ating a LAN to interconnect two or more computers. There are three common ver- sions of Ethernet: 10Base-T, which pro- vides for bandwidths of up to 10 megabits per second; 100Base-T, which provides 100 megabits per second; and Gigabit Ethernet, which provides 1 gigabit per second. Explicit Knowledge: Objective, theoreti- cal, and codified for transmission in a formal, systematic method using grammar, syntax, and the printed word. (See Tacit Knowledge.) Extranet: A network based on the Internet standard that connects a business with indi- viduals, customers, suppliers, and other stake- holders outside the organization’s boundaries. An extranet typically is similar to the Inter- net; however, it has limited access to those specifically authorized to be part of it. Fiber Optic (or optical fiber): A data transmission medium (and technology) that sends data as pulses of light along a glass or plastic wire or ‘‘fiber.’’ Fiber-optic technol- ogy is capable of far greater bandwidth than copper technologies such as coax. Firewall: A security measure that blocks out undesirable requests for entrance into a Web site and keeps those on the ‘‘inside’’ from reaching outside. Focus Strategy: A business strategy where the organization limits its scope to a narrower segment of the market and tailors its offerings to that group of customers. This strategy has two variants: cost focus, in which the organiza- tion seeks a cost advantage within its segment, and differentiation focus, in which it seeks to distinguish its products or services within the segment. This strategy allows the organization to achieve a local competitive advantage, even if it does not achieve competitive advantage in the marketplace overall. (See Cost Strategy, Differentiation Strategy.) Folksonomy: Collaboratively creating and managing a structure for any type of col- lection, such as a collection of ideas, data, or documents. The term is the merger of ‘‘folk’’ and ‘‘taxonomy,’’ meaning that it is a user-generated taxonomy.
Functional view: The view of an organiza- tion based on the functional departments, typically including manufacturing, engi- neering, logistics, sales, marketing, finance, accounting, and human resources. (See Pro- cess View.) Gigabit (Gb): 1 billion bits. Gigabyte (GB): 1 billion bytes. Governance (in the context of busi- ness enterprises): Making decisions that define expectations, grant power, or verify performance Groupware: Software that enables a group to work together on a project, whether in the same room, or from remote locations, by allowing them simultaneous access to the same files. Calendars, written docu- ments, e-mail messages, discussion tools, and databases can be shared. GUI (Graphical User Interface): The term used to refer to the use of icons, win- dows, colors, and text as the means of repre- senting information and links on the screen of a computer. GUIs give the user the ability to control actions by clicking on objects rather than by typing commands to the operating system. Hard drive: A set of rotating disks used to store computer data. Because hard drives typically have much greater capacity than RAM, they are often also referred to as ‘‘mass storage.’’ Hypercompetition: A theory about indus- tries and marketplaces that suggests that the speed and aggressiveness of moves and countermoves in any given market create an environment in which advantages are quickly gained and lost. A hypercompetitive envi- ronment is one in which conditions change rapidly. HyperText Markup Language (HTML): The language used to write pages for the Internet. It was created by a researcher in Switzerland in 1989 and is part of an Inter- net standard called the HyperText Transport Protocol (the ‘‘http’’ at the beginning of Inter- net addresses), which enables the access of information stored on other Internet comput- ers. ‘‘Hypertext’’ itself is another name for the ‘‘links’’ (or ‘‘hyperlinks,’’ ‘‘hot links,’’ or ‘‘hot spots’’) found on Web pages.
Glossary 379
Informate: A term coined by S. Zuboff to imply adding information to a job or task. The alternative to informate is automate, where the tasks done are simply put on a computer to increase speed and accuracy and to cut costs. Informate, on the other hand, means to bring out the information aspects of the job to assist in assessment, monitoring, and decision making. Information Model: A framework for understanding what information will be cru- cial to the decision, how to get it, and how to use it. Information Resource: The available data, technology, people, and processes within an organization to be used by the manager to perform business processes and tasks. Information System: The combination of technology (the ‘‘what’’), people (the ‘‘who’’), and process (the ‘‘how’’) that an organization uses to produce and manage information Information Systems (IS) Strategy: The plan an organization uses in providing infor- mation services. Information Systems Strategy Triangle: The framework connecting business strategy, information system strategy, and organiza- tional systems strategy. Information Technology: All forms of technology used to create, store, exchange, and use information. Information: Data endowed with rele- vance and purpose; data in a context. Infrastructure: Everything that supports the flow and processing of information in an organization, including hardware, software, data, and network components Insourcing: The situation in which a firm provides IS services or develop IS from its own in-house IS organization. Intellectual capital: The knowledge that has been identified, captured, and leveraged to produce higher-value goods or services or some other competitive advantage for the firm. Internet: The system of computers and networks that together connect individuals and businesses worldwide. The Internet is a global, interconnected network of millions of individual host computers.
Intranet: A network used within a business to communicate between individuals and departments. An Intranet is an applica- tion on the Internet, but limited to internal business use. It is a password-protected set of interconnected nodes that is under the com- pany’s administrative control. (See Extranets.) IS (Information Systems): The technol- ogy (hardware, software, networking, data), people, and processes that an organization uses to manage information. ISDN (Integrated Services Digital Net- work): A standard for transmission of digital signals over ordinary telephone lines at up to 128 kilobits per second. ISP (Internet Service Provider): A com- pany who sells access to the Internet. Usually, the service includes a direct line or dial-up number and a quantity of time for using the connection. The service often includes space for hosting subscriber Web pages and e-mail. IT (Information Technology): The tech- nology component of the information system, usually consisting of the hardware, software, networking, and data. IT governance: Specifying the deci- sion rights and accountability framework to encourage desirable behavior in using IT JAVA: An object-oriented programming language designed to work over networks and commonly used for adding features into Web pages. Kilobit (kb): Approximately 1 thousand bits (i.e., 1024 bits). Kilobyte (kB): Approximately 1 thousand bytes (i.e., 1024 bytes). Knowledge management: The processes necessary to capture, codify, and transfer knowledge across the organization to achieve competitive advantage. Knowledge map: A list of people, doc- uments, and databases telling employees where to go when they need help. A good knowledge map gives access to resources that would otherwise be difficult or impossible to find. Maps may also identify knowledge net- works or communities of practice within the organization. A knowledge map serves as both a guide to where knowledge exists in an orga- nization and an inventory of the knowledge assets available.
380 Glossary
Knowledge repository: A physical or vir- tual place where documents with knowledge embedded in them, such as memos, reports, or news articles, are stored so they can be retrieved easily. Knowledge: Information synthesized and contextualized to provide value. LAN (Local Area Network): A network of interconnected (often via Ethernet) worksta- tions that reside within a limited geographic area (typically within a single building or cam- pus). LANs are typically employed so that the machines on them can share resources such as printers or servers and/or so that they can exchange e-mail or other forms of messages (e.g., to control industrial machinery). Legacy System: Older, mature information system (often 20 to 30 years old) List Server: A type of e-mail mailing list where users subscribe, and when any user sends a message to the server, a copy of the message is sent to everyone on the list. This allows for restricted-access discussion groups: Only subscribed members can participate in or view the discussions because they are transmitted via e-mail. Mainframe: A large, central computer that handles all the functionality of the system Managerial Levers: Organizational, con- trol, and cultural variables that are used by decision makers to effect changes in their organizations. Marketspace: A virtual market where the transactions taking place are all based on information exchange, rather than the exchange of goods and services. Mashup: A term used in the Web2.0 com- munity to mean the combination of data from multiple sources into one Web page, for example, combining Google Maps with real estate data to produce a diagram showing home price ranges for certain neighborhoods. Megabit (Mb): 1 million bits. Megabyte (MB): 1 million bytes. Modem: A device that translates a com- puter’s digital data into an analog format that can be transmitted over standard telephone lines, and vice versa. Modems are necessary to connect one computer to another via a phone line.
Nearshoring: Sourcing service work to a foreign, lower-wage country that is relatively close in distance or time zone (or both). Network Effect: The value of a network node to a person or organization in the network increases when another joins the network. Newsgroup: A type of electronic discussion in which the text of the discussions typically is viewable on an Internet or intranet Web page rather than sent through e-mail. Unless this page is shielded with a firewall or password, outsiders are able to view and/or participate in the discussion. Open Source Software (OSS): Software released under a license approved by the Open Source Initiative (OSI). Operating System (OS): A program that manages all other programs running on, as well as all the resources connected to, a com- puter. Examples include Microsoft Windows, DOS, and UNIX. Oracle: A widely used database program. Organizational Systems: The fundamen- tal elements of a business including people, work processes, structure, and the plan that enables them to work efficiently to achieve business goals. Outsourcing: The business arrangement where third-party providers and vendors man- age the information systems activities. In a typical outsourced arrangement, the company finds vendors to take care of the operational activities, the support activities, and the sys- tems development activities, saving strategic decisions for the internal information systems personnel. Password: A string of arbitrary characters that is known only to a select person or group, used to verify that the user is who he says he is. Platform: The hardware and software on which applications are run. For example, the iPhone is considered a platform for many applications and service that can be run on it. Portal: Easy-to-use Web sites that provide access to search engines, critical information, research, applications, and processes that individuals want.
Glossary 381
Process View: The view of a business from the perspective of the business processes performed. Typically the view is made up of cross-functional processes that transverse dis- ciplines, departments, functions, and even organizations. (See Functional View.) Processes: An interrelated, sequential set of activities and tasks that turn inputs into outputs and have a distinct beginning, a clear deliverable at the end, and a set of metrics that are useful to measure performance. Project Management Office (PMO): The organizational unit within which resides the expertise for managing projects. Protocol: A special, typically standardized, set of rules used by computers to enable com- munication between them. Prototyping: An evolutionary development method for building an information system. Developers get the general idea of what is needed by the users, and then build a fast, high-level version of the system as the begin- ning of the project. The idea of prototyping is to quickly get a version of the software in the hands of the users, and to jointly evolve the system through a series of cycles of design and build, then use and evaluate. RAD (Rapid Application Development): This process is similar to prototyping in that it is an interactive process, where tools are used to speed up development. RAD systems typically have tools for developing the user, reusable code, code generation, and program- ming language testing and debugging. These tools make it easy for the developer to build a library of a common, standard set of code that can easily be used in multiple applications. RAM (Random Access Memory): Com- puter memory that can be accessed at ran- dom, read from, and written to by the CPU. Sometimes also called ‘‘main memory,’’ it is typically used to store currently running pro- grams and their data. RAM requires power to maintain data. Reengineering: The management pro- cess of redesigning business processes in a relatively radical manner. Reengineering traditionally meant taking a ‘‘blank piece of paper’’ and designing (then building) a business process from the beginning. This was intended to help the designers
eliminate any blocks or barriers that the current process or environment might pro- vide. This process is sometimes called BPR, Business Process Redesign or Reengineering or Business Reengineering. Really Simple Syndication or RSS (also called Web feeds): Refers to a structured file format for porting data from one platform or information system to another. SAP: The company that produces the lead- ing ERP software. The software, technically named ‘‘SAP R/3,’’ is often simply referred to as SAP. SDLC (Systems Development Life Cycle): The process of designing and deliv- ering the entire system. SDLC usually means these seven phases: initiation of the project, requirements definition phase, functional design phase, technical design and construc- tion phase, verification phase, implemen- tation phase, and maintenance and review phase. Security Validators: Web sites that val- idate the security level of other sites and provide a ‘‘seal of approval’’ that a particular Web site is protected. Server: A software program or computer intended to provide data and/or instructions to another software program or computer. The hardware on which a server program runs is often also referred to as ‘‘the server.’’ Service-Oriented Architecture (SOA): This is the term used to describe the architec- ture where business processes are built using services delivered over a network (typically the Internet). Services are software that are distinct units of business functionality resid- ing on different parts of a network and can be combined and reused to create business applications. Smart Card: A plastic card with an embed- ded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically ‘‘recharged’’ for additional use. Social Contract Theory: A theory used in business ethics to describe how managers act. The social responsibilities of corporate man- agers by considering the needs of a society with no corporations or other complex busi- ness arrangements. Social contract theorists
382 Glossary
ask what conditions would have to be met for the members of such a society to agree to allow a corporation to be formed. Thus, soci- ety bestows legal recognition on a corporation to allow it to employ social resources toward given ends. Social networking site: A Web site avail- able from a Web-based service that allows members of the service to create a public profile within a bounded system, list other users with whom they share a connection, and view and interact with their list of con- nections and those made by others within the system. Examples are MySpace, Facebook, and LinkedIn. Software-as-a-Service (SaaS): This term is used to describe a model of software deployment that uses the Web to deliver applications on an ‘‘as-needed’’ basis. Often when software is delivered as a service, it runs on a computer on the Internet, rather than on the customer’s computer, and is accessed through a Web browser. Stakeholder Theory: A theory used in business ethics to describe how managers act. This theory suggests that managers, although bound by their relation to stockholders, are entrusted also with a fiduciary responsibility to all those who hold a stake in or a claim on the firm, including employees, customers, vendors, neighbors, and so forth. Standardization: The process of agreeing on technical specifications that will be fol- lowed throughout the infrastructure. Often standards are agreed on for development pro- cesses, technology, methods, practices, and software. Stockholder Theory: A theory used in business ethics to describe how managers act. Stockholders advance capital to corporate managers who act as agents in advancing their ends. The nature of this contract binds man- agers to act in the interest of the shareholders (i.e., to maximize shareholder value). Tacit Knowledge: Personal, context-specific, and hard to formalize and communicate. It consists of experiences, beliefs, and skills. Tacit knowledge is entirely subjective and is often acquired through phy- sically practicing a skill or activity. (See Explicit Knowledge.)
Telecommuting: Combining telecommu- nications with commuting. This term usually means individuals who work from home instead of commuting into an office. How- ever, it is often used to mean anyone who works regularly from a location outside their company’s office. T-Form Organization: An organizational form in which conventional design variables, such as organizational subunits, reporting mechanisms, flow of work, tasks, and compen- sation are combined with technology-enabled components, such as electronic linking, pro- duction automation, electronic work flows and communications, and electronic cus- tomer/supplier relationships. Thick Client: A full-function stand-alone computer that is used, either exclusively or occasionally, as a client in a client/server architecture. Thick clients are typically stan- dard PCs equipped with disk drives and their own copies of commonly used software. Thin Client: Computer hardware designed to be used only as a client in a client/server architecture. Thin clients are also referred to as NCs (Network Computers) or NetPCs (Network PCs) and typically lack disk drives, CD ROM drives, and expansion capability. Total Quality Management (TQM): A management philosophy in which quality metrics drive performance evaluation of peo- ple, processes, and decisions. The objective of TQM is to continually, and often incremen- tally, improve the activities of the business toward the goal of eliminating defects (zero defects) and producing the highest quality outputs possible. Unified Communications (UC): An evolv- ing communications technology architecture that automates and unifies all forms of human and device communications in context and with a common experience. Value Net: The set of players in a co-opetitive environment. It includes a com- pany and its competitors and complementors, as well as their customers and suppliers, and the interactions among all of them. (See Com- plementor.) Video Teleconference (also called video- conference): A set of interactive telecom- munication technologies that allow two or
Glossary 383
more locations to interact via two-way video and audio transmissions simultaneously. Virtual Corporation: A temporary net- work of companies who are linked by infor- mation technology to exploit fast-changing opportunities. Virtual Organization: An organization made up of people living and working from anywhere in the world. The virtual organi- zation may not even have a company head- quarters or company building, but functions much like any other organization. Employees typically use an information systems infras- tructure to communicate, collaborate, and carry out company business. Virtual Private Network (VPN): A pri- vate network that uses a public network such as the Internet to connect remote sites or users. It maintains privacy through the use of a tunneling protocol and security procedures. Virtual Team: Geographically and/or orga- nizationally dispersed coworkers that are assembled using a combination of telecom- munications and information technologies to accomplish an organizational task. Virtual World: A computer-based simu- lated environment intended for its users to inhabit and interact via avatars. Voice over Internet Protocol (VoIP): A method for taking analog audio signals, like the kind you hear when you talk on the phone, and turning them into digital data that can be transmitted over the Internet WAN (Wide Area Network): A computer network that spans multiple offices, often
dispersed over a wide geographic area. A WAN typically consists of transmission lines leased from telephone companies. Web 2.0: The term given to the Internet and its applications that support collabora- tion, social networking, social media, RSS, mashups, and a number of other information sharing tools. The term is used to distinguish it from Web1.0, which was mostly used for transactions and information dissemination. Web 2.0 is not about different technical spec- ifications, but about using the Internet in different ways from Web 1.0. Web Logs (Blogs): Online journals that link together into a very large network of information sharing. Web Services: The software systems that are offered over the Internet and executed on a third party’s hardware. Often Web services refer to a more fundamental software that use XML messages and follow SOAP (simple object access protocol) standards. Wiki: Software that allows users to work collaboratively to create, edit, and link Web pages easily. WWW (World Wide Web): A system for accessing much of information on the Internet, via the use of specially formatted documents. WWW is used interchangeably with the term ‘‘Internet.’’ Zero Time Organization: An organiza- tion designed around responding instantly to customers, employees, suppliers, and other stakeholder demands.
!Index Abandoning the project,
336 – 337 ABC, 282 – 283 Accessibility, 257 – 258 Accuracy, 256 Activities, 282 – 283 Activity-based costing
(ABC), 282 – 283 Adams, Austin, 191 Adaptation, 358 Alcoa, 233 AllAdvantage.com, 223 Alliances, strategic, 66 – 68
See also Information resources, strategic use of
Allocation funding method, 280 – 281, 282
Amazon.com, 1 – 2, 54, 59, 183, 185
Amazon Web Services (AWS), 188
American Airlines, 69, 307
American West, 94 – 96 Analysis, statistical,
368 Analysis paralysis, 87, 143,
294 Analytical skills, 8 Analytics environment, 368 Anarchy, 235, 236, 241 AOL Time Warner, 69 Apache server, 341 Apple, 25 Applications, 167 Application service provider
(ASP), 208 Aral, Sinan, 291 – 292 Architectural longevity, 176 Architecture, defined, 15,
164 Architecture and
infrastructure, 162 – 186 from architecture to
infrastructure, 165, 167
centralization vs. decentralization, degree of, 170
client/server architecture, 169
cloud computing, 183 – 186
definitions, 163 enterprise architecture,
171 – 174 example illustrating
application of concepts, 181 – 183
mainframe architecture, 168 – 169
managerial considerations (See Architecture and infrastructure, managerial considerations)
manager’s role, 164 – 165
peer-to-peer architecture, 171
principles of architecture, 171, 172
service-oriented architecture, 169 – 170
from strategy to architecture, 165, 166
technological advances, 171, 174, 176
TOGAF, 173 translation, framework for,
167 – 171 Web-oriented
architectures, 171 wireless (mobile)
architecture, 171 Zachman Framework, 173
Architecture and infrastructure, managerial considerations, 174 – 180 differentiating between
architecture and infrastructure, 180
existing architecture, understanding, 174 – 175
financial issues, assessing, 179 – 180
future impacts, 174 strategic time frame,
assessing, 175 – 176 technical issues, assessing
(See Architecture and infrastructure, technical issues)
Architecture and infrastructure, technical issues adaptability, 176 – 177 maintainability, 178 scalability, 177 – 178 security, 178 – 179 standardization, 178 summarized, 180
Architecture development methodology, 173
Arizona Telemedicine Program, 105
Arrest records, 273 ASP, 208 Assertiveness, 91 Assumptions
about business, 10 – 13 about information
systems, 13 – 16 about management, 9 – 10 basic, 9
ATMs, 63, 130, 303 AT&T, 223 Audio Home Recording Act,
348 Authentication, 105, 128,
179, 261 Automated audit trail, 329 Automated Waste Disposal
(AWD), 131 – 132 Automation of work. See
Work design Avon Products, 278 Azoyan, Garen, 214
385
386 Index
Baan, 148 Backsourcing, 206 – 207 Balanced scorecard,
296 – 299 Ballengee, Ben, 346n Bank One, 191 Bargaining power
of buyers, 54, 57 of suppliers, 54 – 55, 57
Barnes and Noble, 1, 59 – 60 Barriers to entry, 53, 175,
257 Baseball, 365, 366 Basic assumptions, 9 BCP, 227 – 228 Beliefs, 89 Best Buy, 98 – 99 Best practices
in enterprise systems, 149 in offshoring, 201, 202 sharing, 353 – 354
Bethlehem Steel, 233 ‘‘Big Brother’’ world, 261 BIS, 351 – 352, 373 – 374 Blocking software, 260 Blogging, 107 Blogs (Web logs), 107 Blown to Bits
(Evans/Wurster), 16 – 17 Blue Hat, 127 BMG Entertainment, 69 Boeing 787 Dreamliner,
160 – 161 Borders Books, 59 Boyd, Ron, 277 BPR, 141 Brandenburger, Adam,
66 – 67 British Petroleum (BP), 210 Broadcast medium security
and controls, 260 Brown, Tim, 364 Browser software security,
260 Buddy, 104 Budget Rent a Car, 343 Building the Information
Age Organization (Cash et al.), 36, 53, 78
Bureaucracy, 81 Business, 10 – 11 Business analyst, 225 Business analytics
competing with, 365 – 366 components of (See
Business analytics, components of)
defined, 352 Business analytics,
components of analytics environment,
368 categories of tools, 368 data repositories, 367 skilled workforce, 368 software tools, 367 – 368 summarized, 367
Business case classification framework
for benefits in, 289 components of, 288 defined, 287 sample of, 290
Business continuity planning (BCP), 227 – 228
Business diamond, 34 – 35, 37
Business ethics. See Ethics Business experimentation,
369 – 370 Business goals, 6 Business intelligence system
(BIS), 351 – 352, 373 – 374 Business knowledge
management. See Knowledge management
Business models, 8, 59, 153 on Internet, 47
Business monarchy, 262 Business process, 138 Business processes,
changing, 134 – 157 business process
reengineering, 141 cross-functional processes,
139, 140 – 141 functional (silo)
perspective, 136 – 137 horizontal integration, 146 incremental change
approaches to, 141 introduction to, 134 – 135 process perspective,
137 – 140 radical change approaches
to, 141 – 142
(See also Radical redesign)
sample business process, 138
shared services (See Shared services)
total quality management, 141
See also Enterprise systems
Business process perspective, 137 – 140
Business process reengineering (BPR), 141
Business solutions, focusing on, 8
Business strategy, defined, 26 See also Information
System Strategy Triangle Business transformation.
See Business processes, changing
Business view functional, 11 – 12 hierarchical, 12 of IT, 3 – 4 process, 12 – 13
Buyers, bargaining power of, 54, 57
Buy or rent, 358
CAD, 159 Cannon, Terry, 19 – 21 Cannon, Thomas, 46n,
309n Capability maturity model
(CMM), 199 Capacity-on-demand, 171 Capita Group, 345 Capital One, 369 – 370 Captain Morgan, 107 Captive centers, 205 – 206 Carl’s Jr., 374 Carnivore, 223 Carr, Nicholas, 21, 307 – 308 Case studies
Automated Waste Disposal, 131 – 132
Boeing 787 Dreamliner, 160 – 161
CKE Restaurants, 373 – 374
Index 387
ethical decision making, 274 – 276
Federal Bureau of Investigation, 96 – 97
Google, 43 – 45 GSD&M’s virtual crowd
uses analytics, 372 Hasbro, 188 IT at UPS, 242 – 243 ‘‘IT Doesn’t Matter’’
(Carr), 21, 307 – 308 Johnson & Johnson, 189 Midwest Family Mutual
Insurance Co. goes green, 276 – 277
overseas outsourcing of medical transcribing, 215 – 217
Roche Group, 41 – 43 Sabre Holdings Corp., 343 Santa Cruz Bicycles, 159 Sodexho Asia Pacific,
213 – 215 Terry Cannon, MBA,
19 – 21 Toyota Motor Sales,
243 – 245 traffic jams (London),
344 – 345 Troon Golf, 306 – 307 US Airways and American
West merger, 94 – 96 virtual teams and virtual
tools, 132 – 133 Catalog knowledge, 361 Categorization scheme,
361 – 363 Cathedral and the Bazaar,
The (Raymond), 339 Cavasin, Vince, 162n Cell phones, 75, 105, 110 Cemex, 134 – 135 Centralized IS organization,
170, 231 – 234 CEO, 219, 221, 223 CFO, 221 Champy, J., 34 Change management, 135
See also Business processes, changing
Chargeback funding method, 279 – 280, 282
Chasney, Jeff, 373 – 374
Chevron Corp., 222 Chief executive officer
(CEO), 219, 221, 223 Chief financial officer
(CFO), 221 Chief information officer
(CIO) business unit, 224 chief financial officer and,
221 chief technology officer
and, 222 dashboard, 300 implementing SoX,
269 – 270 leadership profiles,
240 – 241 lieutenants of, 222 – 223 responsibilities of,
220 – 221 strategic vs.
transformational role of, 221 – 222
as strategist vs. operational manager, 221
technical abilities of, 221 Chief information security
officer (CISO), 222, 223 Chief knowledge officer
(CKO), 222, 223 Chief network officer
(CNO), 222, 223 Chief privacy officer (CPO),
222, 223 Chief resource officer
(CRO), 222, 223 Chief technology officer
(CTO), 222, 223, 224 Children’s Online Privacy
Protection Act, 255 CIO. See Chief information
officer (CIO) CIO dashboard, 300 CIO Magazine, 258 Cisco Systems, 72 CISO, 222, 223 CKE Restaurants, 373 – 374 CKO, 222, 223 Clarity, 332, 334 – 335 Classic management model,
10 Clerical tasks, 113 Client, 169
Client/server architecture, 169
Cloud computing, 183 – 186 CMM, 199 CNO, 222, 223 COBIT, 267 – 268 Coca-Cola vending
machines, 45 Cognizant Technology
Solutions, 76 – 77 Collaboration
changing, 111 – 112 facilitating, 106 – 107 groupware, 107 social networking, 106 virtual world, 107 Web logs (blogs), 107 wiki, 107
Collectivism I: societal collectivism, 91
Collectivism II: in-group collectivism, 91
Combination, 364 Commitment, sustaining,
335 – 336 Committee of Sponsoring
Organizations of the Treadway Commission (COSO), 266 – 267
Commonly used standards, 178
Communication defined, 8 e-mail, 103 – 104 facilitating, 103 – 106 file transfer, 106 instant messaging, 104 patterns, changing, 110 really simple syndication,
105 skills, 122, 222 unified communications,
105 video teleconference,
104 – 105 virtual private network,
106 in virtual teams,
challenges of, 123 Voice over Internet
Protocol, 104 Communities of practice,
359
388 Index
Compensation, 121 Competitive advantage,
62 – 65 Competitive Advantage
(Porter), 27, 352n Competitive advantage,
sustainable, 356 Competitive Strategies
(Porter), 28n Competitors, industry,
55 – 57 Complexity, 331 – 332,
333 – 334 Computer-aided-design
(CAD), 159 Computer-based
development practices, 89 Computer ethics, 270 – 272,
276 – 277 Computer Sciences Corp.,
207 Conceptual flow of process
design, 143 Conceptual mapping, 363 Confidence, 8 Conger, S., 248 Consultants and vendors,
relying on, 334 Continental Airlines, 206,
208 Continental Bank, 208 Control activities, 121,
123 See also Management
control systems Controlling, 9 – 10 Control Objectives for
Information and Related Technology (COBIT), 267 – 268
Control of information accessibility, 257 – 258 accuracy, 256 Mason’s area of
managerial control, 254 PAPA and managers,
258 – 259 privacy, 253 – 255 property, 256 – 257
Cook, Linda, 73 Cookie, 254 Cooper, Barbra, 243 – 245 Co-opetition, 66 – 68
Co-opetition (Branden- burger/Nalebuff), 66 – 67
Copyleft, 340 Core capabilities, 358 Corporate budget funding
method, 281, 282 Corporate downsizing,
354 – 355 Corrective action, 316,
320 COSO, 266 – 267 Cost, 312 Cost focus, 28 – 29 Cost leadership, 27 – 28 Covisint, 67 – 68 CPM, 315 – 316 CPO, 222, 223 Creative abrasion, 358 Creativity, 8 Critical path method
(CPM), 315 – 316 CRM, 60 CRO, 222, 223 Cross-functional processes,
140 – 141 Crowdsourcing, 209 Cryptography, 260 Crystal, 328 CSR, 230 CTO, 222, 223 Culnan, Mary, 127n,
258 – 259 Cultural knowledge, 361 Culture
defined, 89 effective cross-cultural
communication, 90 – 91 GLOBE dimensions of,
90, 91 Hofstede’s dimensions of,
90, 91 levels of culture, 89 national culture,
differences, 90 organizational, 44, 77, 95,
330 outsourcing abroad,
200 – 201 Cuneiform texts, 351n Curiosity, 8 Customer as stakeholder,
335
Customer relationship management (CRM), 60
Customer service request (CSR), 230
Customer services infrastructure, 344
Cutover, 324
DaimlerChrysler, 67 Dashboards, 299 – 300, 301 Data, 168, 348 – 349 Database administrator
(DBA), 108 Data center operations, 195,
207, 210, 229, 230 Data entry, 150, 268 Data flow across borders,
239 Data mining, 367 Data-naming standards,
327 Data repositories, 367, 369 Data warehouses, 367 D’Aveni, R. D., 29 D’Aveni’s hypercompetition
model, 27, 30 – 33, 34 D’Aveni’s new 7 Ss, 31 – 32 Davenport, Thomas H., 13,
15n, 136n, 350, 352, 355n, 359n, 360, 363n, 365n, 366, 368, 369n
Davis, Bob, 198 Davis, Fred, 125 DBA, 108 DB2 Universal Database,
187 DCMA, 348 DDoS, 260 DEC, 168 Decentralized IS
organization, 170, 231 – 234
Decentralized organizational governance, 170
Decision making, ethical, 274 – 276
Decision rights, 77 – 79 Decryption, 260 Deep pockets advantage,
29 – 30 Dell Computer, 25 – 27,
38 – 39, 93, 153, 155, 307
Index 389
Deloitte & Touche, 344 Destroy your business
(DYB) approach, 33 Developers, 89, 223,
225 – 226, 326 Development
methodologies. See Project development methodologies
DHL Worldwide Express, 196
Differentiation, 28 focus, 28 – 29 strategy, 29 – 30
Digital Equipment Company (DEC), 168
Digital Millennium Copyright Act (DCMA), 348
Digital signature, 179 Digital Tech Corps Act,
348 Digitaria, 188 Directive on Data
Protection (EC), 255 – 256 DirectTV, 29 Discontinuous thinking,
136 Disruption, 24, 30, 31, 33 Distributed denial of service
(DDoS), 260 DitchWitch, 239 Diversity, 358 Divisional form, 81 – 82 DNS, 304 Domain Name System
(DNS), 304 Domino, 188 DoubleClick, 252 – 253 Downsizing, 354 – 355 Drew, David, 218 – 219 Drucker, Peter, 13n 349,
354 DSDM, 328 D’Souza, Francisco, 76 Duopoly, IT, 235, 236,
241 DuPont Engineering,
299 DYB, 33 Dynamic System
Development Method (DSDM), 328
Earthlink, 223 Eastman Kodak Company,
207 EBay, 55, 63 Ebersole, Arthur J., 246n EBLAST, 362 EBlaster, 275 – 276 E-business, 148, 195, 214
See also Internet Economics of information,
16 – 17 Economics of things, 16 – 17 Economic value added
(EVA), 294 EDI, 169, 182, 184 EDS, 207 Egalitarianism, general, 91 Electronic data interchange
(EDI), 169, 182, 184 Electronic Data Systems
(EDS), 207 Electronic employee
monitoring, 113 Electronic immigration. See
Offshoring Electronic payment, 55, 153 E-mail, 103 – 104 E-marketplaces, 67, 92 Embedded knowledge in
products, 355 – 356 Employee monitoring
systems, 113 Encryption, 260, 263 Encyclopedia Britannica,
361 – 362 Enterprise architecture,
171 – 174 Enterprise Architecture as
Strategy (Ross, Weill, and Robertson), 172
Enterprise resource planning (ERP) systems cost of, 151 cross-cultural business
processes, 155 – 157 ERP II, 148 integrating, challenges of,
155 purpose of, 148 SAP, 148
Enterprise systems benefits and disadvantages
of, 150 – 152
business process redesign, 154 – 155
characteristics of, 149 – 150 defined, 147 development of, 148 integrated supply chains,
152 – 154 risk involved in, 151 – 152 See also Enterprise
resource planning (ERP) systems
Entry barriers, 53 Eras of information usage,
47 – 48 Ernst & Young, 259, 357n,
361n, 363n ERP II, 148 ERP systems. See
Enterprise resource planning (ERP) systems
Esserman, Laura, 132 – 133 Ethics, 246 – 272
control of information (See Control of information)
critical decision- archetypes in IT governance and security, 262 – 265
customers, 249 – 250 decision making, case
studies, 274 – 276 emerging issues, 247 employee monitoring, 250 ethical decision making
(case studies), 274 – 276 green computing,
270 – 272, 276 – 277 normative theories (See
Normative theories of business ethics)
security and controls, 259 – 262
See also Sarbanes-Oxley Act (SoX) of 2002
European Commission, 309 EVA, 294 Evaluating/evaluation, 85,
86, 87 – 88, 114 Evans, Philip, 16 – 17 Excite@home, 223 Existing knowledge, 354,
360 Explicit knowledge, 351
390 Index
Externalization, 364 Externally focused
resources, 49, 50, 63 – 65 External stakeholders, 148 Extranet, 72, 106, 228, 243 Extrapolation, 368 Extreme Programming
(XP), 328
Factual knowledge, 361 Feature-Driven
Development, 328 Federal Bureau of
Investigation (FBI), 96 – 97
Federalism, 231 – 232, 241 Federal IT, 232, 234, 235,
237, 241 FedEx, 56, 63, 68, 70, 294 Feedback, 87 – 88, 90 Feudal archetype, 235, 236,
241 File transfer, 106 File transfer protocol (FTP),
106 Filtering/blocking software,
260 Financial issues. See
Funding IT Fingerhut, 110 – 111 Firewall, 260, 263 FirstEnergy, 298 Five competitive forces
model bargaining power of
buyers, 54, 57 bargaining power of
suppliers, 54 – 55, 57 industry competitors,
55 – 57 IT influences on, 57 potential threat of new
entrants, 53 – 54, 57 substitute products, threat
of, 55, 57 Flat organization structure,
79, 82 Flexibility, 8 Focus, 28 – 29 Folksonomies, 361 Following the sun, 120 Ford Motor Company, 67 Forecasting, 368
Formal reporting relationships, 79 – 80
Free software, 340 Friedman, Milton,
248 – 249 Friedman, Thomas, 106,
110n, 153, 203n FTP, 106 ‘‘FUD factor’’ (fear,
uncertainty, and doubt), 264
Full outsourcing, 209 Functional form, 81 Functionality, 168 – 170,
321 – 323 Functional mapping, 363 Functional (silo)
perspective, 136 – 137 Functional view of business,
11 – 12 Function points, 329 Funding IT, 278 – 305
activity-based costing (See Activity-based costing (ABC))
approaches to (See Funding IT, approaches to)
balanced scorecard, 296 – 299
business case, building (See Business case)
calculating costs, 281 – 287 (See also Total cost of
ownership (TCO)) dashboards, 299 – 300, 301 Internet, 304 – 305 investments, monitoring,
296 – 300 investments, valuing,
292 – 295 options pricing, 300 – 304 portfolio management,
290 – 292 Funding IT, approaches to
allocation, 280 – 281 chargeback, 279 – 280 comparison of, 279 – 280,
282 corporate budget, 281
Funo, Yuki, 243 Fusion, 358 – 359 Future orientation, 91
Game theory, 295 Gantt chart, 315 – 316,
318 Gartner Group, 4, 179, 219,
283, 287 Gates, Bill, 127 GE, 33, 200 GeneChip, 42 General Dynamics, 208,
251 – 252 General egalitarianism, 91 General Electric (GE), 33 General Electric (GE) Real
Estate, 200 General manager, 328 – 330
See also Manager General Motors (GM), 67,
73, 107, 210, 299 General public license
(GPL), 340 General support, 229 – 230 Generic project cycle
template, 316, 319 Generic strategies
framework, Porter, 26 – 29 Geopolitical risk, 199, 241 Giles, Maury, 372 Global IT considerations,
238 – 240 Globalization, 354 Global virtual teams, 120,
121, 123 GM, 67, 73, 107, 210, 299 GNU general public license
(GPL), 340 Goltara, Ken, 244, 245 Goodyear, 67 Google, 43 – 45 Governance, 231
See also Information technology governance
GPL, 340 Graphical user interface
(GUI), 326 Green computing,
270 – 272 Groupware, 107 Group work, 224 Grow your business (GYB),
333 GSD&M, 372 GUI, 326 GYB, 333
Index 391
Hammer, Michael, 34, 136n, 144
Handheld computers, 46, 59, 61, 64, 140
Hardee’s, 373 – 374 Hardware, 167 Hardware system security
and control, 260 Harrah’s, 346 – 347 Hasbro, 188 Health Insurance Portability
and Accountability Act (HIPAA) of 1996, 255
Hedging (options pricing), 300 – 304
Help desk, 229 – 230 Hershey Foods, 68 Hewlett-Packard, 39 Hierarchical organization
structure, 79, 80 – 82 Hierarchical view of firm, 12 Hilton hotels, 343 HIPAA, 255 Hiring, 113 – 114 Hoffman, Thomas, 278n Home Depot, 130, 233 – 234 Horizontal e-marketplaces,
92 Horizontal integration, 146 ‘‘Hot-rodding,’’ 121 Hot skills, 229 Humane orientation, 91 Human resource
management, 12, 108, 152, 167
Hypercompetition framework, 30 – 33
IBM, 25, 98, 150, 168, 187 – 188, 190 – 191, 206 – 207, 210, 214 – 215, 226, 251, 303, 341
IBM eServer pSeries, 214 IBM Global Business
Services, 214 ICANN, 304 Identity theft, 257 – 258 IDEO, 363 – 364 IDSs, 263 IETF, 304 IFIP, 260n, 261n Illingworth, Dave, 244 IM, 104
Immediately responsive organizations, 92 – 93
In the Age of the Smart Machine: The Future of Work and Power (Zuboff), 109n
India, 76, 124, 199, 201, 203, 204, 205
Industry competitors, 55 – 57 Informal support, 284, 285,
286 Information
characteristics, 15 control of (See Control of
information) defined, 13 – 14, 349 economics of, 16 – 17 eras of usage, 47 – 48 repository, 49, 50, 64 – 65 using ethically (See Ethics)
Information age organization, 248
Informational system, defined, 15 – 16
Informational system hierarchy. See Information hierarchy
Information asset, 49, 50, 65 Information Ecology
(Davenport), 13, 15n, 350n, 355n
Information gathering, 8 Information hierarchy
data, 13 information, 13 – 14 knowledge, 14 – 15 system hierarchy, 15 – 16 wisdom, 15
Information integration, 152 – 153
Information overload, 355 Information processing,
110 – 111 Information repository, 49,
50, 64 – 65 Information resources,
defined, 48 – 49 Information resources,
strategic use of, 46 – 70 co-creating IT, 69 – 70 co-opetition, 66 – 68 customer relationship
management, 60
evaluation questions to ask, 49 – 52
historical overview, 47 – 48 list of, 50 risks, 68 – 69 strategic alliances, 66 supply chain management,
60 – 62 using resource-based view
to attain/sustain competitive advantage, 62 – 65
value chain, altering, 57 – 60
See also Five competitive forces model
Information security education/training/awareness,
264 infrastructure, 263 – 264 investments, 264 matching information
security decisions and archetypes, 263
policies, 262 – 263 strategy, 262
Information systems (IS) assumptions, 13 – 16 business goals supported
by, 6 challenge of, competitive,
5 controls, 259 decisions, how to
participate in, 7 integrating business with,
4 – 5 organizational systems
supported by, 6 – 7 organization chart, 136,
359 people and technology
working together, 4 sourcing (See Information
systems sourcing) strategy, 37 – 38, 40 strategy matrix, 38 use of, organizational
impacts of (See Organizational impacts of IS use)
See also Information technology (IT)
392 Index
Information systems organization, governance of, 218 – 241 architecture and
standards, 226 business continuity
planning, 227 – 228 centralization vs.
decentralization, 170 data center operations,
195, 207, 210, 229, 230 global IT considerations,
238 – 240 human resource
management, 12, 108, 152, 167
information management and database administration, 108
Internet services, 228 – 229 networking services,
228 – 229 new technology
introduction, 4, 298 organization chart, 136,
359 organization roles (See
Information systems organization roles)
outsourcing (See Outsourcing)
process innovation, 230 security, 263 – 264 strategic direction, 225 supplier management,
208, 230 systems development, 225 systems maintenance, 230 technical support, 109,
238, 284, 285, 286 what organization does not
do, 230 – 231 See also Information
technology governance; User management activities
Information systems organization roles, 222 – 234 chief financial officer, 221 chief information officer
(See Chief information officer (CIO))
chief information security officer, 222, 223
chief knowledge officer, 222, 223
chief network officer, 222, 223
chief privacy officer, 222, 223
chief resource officer, 222, 223
chief technology officer, 222, 223
other, 222 – 234 Information systems
sourcing, 190 – 212 backsourcing, 206 – 207 insourcing, 193 outsourcing (See
Outsourcing; Outsourcing abroad)
sourcing decision cycle framework, 192
Information System Strategy Triangle, 22 – 40 business strategy
framework, 25 – 27, 40 defined, 23 differentiation strategy,
variants on, 29 – 30 generic strategies
framework, 27 – 29 halo effect and other
business delusions, 38 – 39
hypercompetition framework, 30 – 33
IS strategy, 37 – 38, 40 IS strategy matrix, 38 organizational strategies,
34 – 37, 40 strategic advantage
models, 33 – 34 strategy relationships, 40
Information technology (IT) architecture, 162 – 186
(See also Architecture and infrastructure)
asset, 49, 50, 65 business view of, 3 – 4 capability, 49, 50 change in, rapid, 5 dashboards, 299 – 300,
301
decisions (See Information technology decisions)
defined, 16 design of work (See Work
design) governance (See
Information technology governance)
infrastructure (See Information technology infrastructure)
investments (See Funding IT)
job losses, 203 – 204 management skills, 8, 49,
50, 63 – 66 portfolio management,
290 – 292 project maintenance (See
Project management) projects, 319, 321 – 322
(See also Project development methodologies)
scorecard, 299 See also Information
systems (IS) Information technology
decisions lack of participating in, 5 participating in, 2 – 3 skills needed to participate
in, 7 Information technology
governance advantages and
disadvantages of organizational approaches, 233
archetypes, 235 – 236, 262 – 265
categories of, major, 235 centralized vs.
decentralized organizational structures, 170, 231 – 234
components of, major, 234 – 235
decision-making mechanisms, 237 – 238
defined, 234 federal IT, 234
Index 393
global considerations, managing, 238 – 240
top performers, 236 – 237 See also Information
systems organization, governance of
Information technology infrastructure defined, 15, 49, 50, 164 information security,
263 – 264 systems development,
63 – 64, 291 – 292 wireless (mobile), 171 See also Architecture and
infrastructure Information Technology
Infrastructure Library (ITIL), 269
Infrastructure. See Information technology infrastructure
In-group collectivism (collectivism II), 91
Inheritance depth, 329 Inside-out resources,
246 – 247, 335 Insourcing, 193, 211 Instant messaging (IM), 104 Integrated supply chains,
152 – 154 Integrating within
organization, 334 Intel, 117, 300 Intellectual capital,
347 – 348 Intellectual property, 347,
348 Internalization, 364 Internal rate of return
(IRR), 180, 278, 295 International Federation of
Information Processing (IFIP), 261n
Internet blogging, 107 business models, 47 common business service
infrastructure, 146 e-business, 148, 195, 214 e-commerce, generic
framework for, 178 – 179 e-learning, 93
electronic payment, 55, 153
e-mail, 103 – 104 e-marketplace, 67, 92 ethics (See Ethics) funding, 304 – 305 identity theft, 257 – 258 infrastructure, 171 messaging and
information distribution infrastructure, 103 – 106
multimedia content, 107 phishing, 263 protocol, 104 search engine, 254, 262,
271 security, 254 – 255,
259 – 262 service provider, 223 services, governance of,
228 – 229 services, managing,
228 – 229 spam, 259 – 260 technical standards, 189 threats to, 259 – 262 Voice over Internet
Protocol, 104 Web services, 1, 170 World Wide Web, 4
Internet checking account, 258
Internet Corporation for Assigned Names and Number (ICANN), 304
Internet Engineering Task Force (IETF), 304
Internet infrastructure, 171 Internet service provider
(ISP), 223 Internet Society (ISOC),
304 Interpersonal skills, 8 Intranet, 103 – 104, 106 Intrusion detection systems
(IDSs), 263 Intuit Quickbase, 314 Investments
monitoring, 296 – 300 valuing, 292 – 295
IRR, 180, 278, 295 ISOC, 304 ISP, 223
‘‘IT Doesn’t Matter’’ (Carr), 21, 307 – 308
IT duopoly, 264 Iterative approach to
systems development, 325 ITIL, 269 IT induced change, gaining
acceptance for, 125 – 127 IT monarchy, 264
JAD, 327 JetBlue, 22 – 25 J&J, 189 Job losses, 203 – 204 Johnson & Johnson (J&J),
189 Joint applications
development (JAD), 327 JP Morgan, 190 – 191 Justice term, 251
Kaplan, Robert, 296, 297 Ketchum, Thomas B., 190 Kifer, Ron, 196 Kmart, 39, 151 Knowledge
assets, 362, 363, 369 capture (See Knowledge
capture) catalog, 361 codification (See
Knowledge codification) conversion, 364 cultural, 361 defined, 14 – 15, 349 – 350 existing, 354, 360 factual, 361 generation (See
Knowledge generation) knowing why, 350 management (See
Knowledge management)
mapping, 362 – 363 process, 361 redundancy, 359 repositories, 49, 50,
64 – 65 tacit, 363 – 364
vs. explicit, 350 – 351 taxonomy of, 350 transfer (See Knowledge
transfer)
394 Index
Knowledge capture defined, 356, 360 knowledge maps,
designing, 362 – 363 organizing, 361 – 362 scanning, 360
Knowledge codification codifying tactic knowledge
with narratives, 363 – 364 defined, 356, 359 – 360 principles of, 360
Knowledge Creating Company, The (Nonaka/Takeachi), 364
Knowledge Curve, 371 – 372 Knowledge generation
adaptation, 358 buy or rent, 358 communities of practice,
359 defined, 356 research and
development, 357 – 358 shared problem solving,
358 – 359 Knowledge management,
346 – 370 adaptation, 358 appropriate media, 360 business analytics,
competing with, 365 – 366
(See also Business analytics, components of)
business experimentation, 369 – 370
business intelligence system, 351 – 352
buy or rent, 358 categorization scheme,
361 – 363 caveats for, 368 – 369 communities of practice,
359 data, 348 – 349 defined, 347 existing knowledge, 354,
360 information, 349 intellectual capital,
347 – 348 intellectual property, 348
knowledge maps, 362 – 363 narratives (storytelling),
363 – 364 processes (See Knowledge
management processes) R&D, 357 – 358 reasons for (See
Knowledge management, reasons for)
scanning, 360 shared problem solving,
358 – 359 strategic intent, 360 See also Knowledge
Knowledge management, reasons for, 352 – 356 best practices, sharing,
353 – 354 competitive advantage,
sustainable, 356 downsizing, 354 – 355 globalization, 354 information and
communication overload, 355
knowledge embedded in products, 355 – 356
rapid change, 354 Knowledge management
processes, 356 – 365 knowledge capture, 356,
360 – 364 knowledge codification,
356, 359 – 360 knowledge generation,
356, 357 – 359 knowledge transfer, 356,
364 – 365 See also individual
headings Knowledge maps, designing,
362 – 363 Knowledge transfer
defined, 356, 364 modes of, 364 – 365
Kodak, 207 – 208 Kraft Foods, 155
Labeling and rating software, 260
Labor cost/savings, 145, 192, 198, 287
Laptop computer, 113, 127, 164, 284
La Salsa Fresh Mexican Grill, 374
Leading, 9 – 10 Lear Corp., 73 – 74 Leavitt, Harold, 111 Lego, 342 Lenovo, 39 Level of risk, 333 Levi Strauss, 233 Linux, 167, 177, 339, 341 ListServ, 103 Living.com, 253 Loch, K. D., 120, 248 London, England (traffic
jams), 344 – 345 Lotus Development Corp.,
273 Lotus Domino, 107, 187 Lotus Notes, 81, 107 Loveman, Gary, 346 – 347
Mailing list server, 103, 105
Mainframe architecture, 168
Maintainability, 178 Majordomo, 103 Management assumptions,
9 – 10 Management control
systems compensating, 121 data collection, 86 – 87 evaluating, 85, 86, 87 – 88,
114 feedback, 87 – 88, 90 incentives, 88 – 89 monitoring, 121 performance evaluation,
87 – 88 performance
measurement, 87 – 88 planning, 86 process control, 83 rewards, 88 – 89 roles of IS in, 85 – 86
Management information systems (MIS) organization, 198, 219, 281
Management model, classic, 10
Index 395
Management value added, 59 – 60
Manager assumptions about, 9 – 10 as disseminator, 11 as disturbance handler, 11 as entrepreneur, 11 as figurehead, 11 IT decisions, lack of
participating in, 5 IT decisions, participating
in, 2 – 3 IT infrastructure, 15 – 16 levers, 35 – 36 as liaison, 11 as monitor, 11 as negotiator, 11 new challenges for,
113 – 115 as resource allocator, 11 roles of, 8, 11 skills of, 8, 49, 50, 63 – 66 as spokesperson, 11 virtual teams, issues in,
121, 123 See also Information
systems organization, governance of; User management activities
Managerial influences organizational, 330 socioeconomic, 330 technical, 329 – 330
Manager/supervisor. See Manager
Managing knowledge. See Knowledge management
Managing people, 113 – 115 Man-months, 321 Mapping knowledge,
362 – 363 Marriott International,
28 – 29, 343 Martin, Bob, 4 Mary Kay, Inc., 94 Mashups, 14 – 15, 364 – 365 Mason, Richard O.,
253 – 254, 256, 259 Massachusetts Mutual Life
Insurance Company, 53 MasterCard, 252, 257 Matrix organization
structure, 79, 82 – 83
Matrix structure, 82 MAYA Viz, 132 McGregor, J., 76n McNerney, James, 218 Messaging and information
distribution infrastructure, 103 – 106
Messaging software, 124 Meta Group, 151, 176 Metrics of success, 138 Metrics software, 329 Micro-news, 107 Microsoft, 127, 177, 339 Microsoft Exchange, 107 Microsoft Office, 178, 341 Microsoft Office Groove,
81, 107 Microsoft Project, 314 Microsoft SQL server, 373 Microsoft Windows NT, 303 Middle management, 15,
111 Middleware, 149 Midwest Family Mutual
Insurance Co., 276 – 277 Millennium Bug, 293n Mindstorms Robotics
Invention System, 342 Mintzberg, Henry, 10 MIS organization, 198, 219,
281 MIS scorecard, 297 – 298 Mission, 25 – 26 Mobile work and
telecommuting. See Telecommuting and mobile work
Mobile workers, 115 Modeling, predictive, 368 Momenta Corp., 68 Monarchy, IT, 235, 236, 241 Monitoring
IT investments, 278 management control
systems, 121 and surveillance software,
250 Monster Thickburger,
373 – 374 Moore’s law, 117n Mori, Mikihiro, 244 Motive Communications,
109
Mozilla, 341 MP3 files, 55 Murch, Ron, 21n Music industry, 348
Nalebuff, Barry, 66 – 67 Naming standards, 226,
327 Napster, 69 Narratives (storytelling),
363 – 364 National Car Rental, 208 National Science
Foundation (NSF), 304 Nearshoring, 204 – 205 Net present value (NPV),
294 Network, 167 Network and software
security controls, 260 Networked organization
structure, 83 – 84 informal, 84 – 85
Network externalities, 51 Networking services,
228 – 229 Network operating systems
software, 260 New entrants, potential
threat of, 53 – 54, 57 New entrants, threat of,
53 – 54, 57 New 7 Ss, D’Aveni’s,
31 – 32 New technology
introduction, 298 Nike, 68 1974 Privacy Act, 255 Nissan, 67 Nokia, 358 Nonaka, Ikujiro, 364 Normative theories of
business ethics social contract theory,
250 – 253 stakeholder theory,
249 – 250 stockholder theory,
248 – 249 Norton, David, 296, 297,
298 NPV, 294 NSF, 304
396 Index
Object, 328 Object-oriented
development, 328 Offshoring
best practices, 201, 202 defined, 118 destinations, selecting,
199 – 200 government actions to
protect against, 203 – 204 government actions to
support, 201 – 203 virtual work, 118 – 119
Online learning, 93 OpenOffice, 341 Open Source Initiative
(OSI), 339 – 341 Open source software
(OSS), 339 – 341 Open sourcing, 339 – 341 Operating system, 149, 167,
177, 260, 271 Opportunity management,
316, 320 Optimization, 368 Options pricing,
300 – 304 Oracle, 45, 56, 132, 148,
152, 155, 156, 169 Organizational culture, 44,
77, 95, 330 Organizational design
variables, 77 – 85 comparison of, 80 decision rights, 77 – 79 flat organization structure,
79, 82 formal reporting
relationships, 79 – 80 hierarchical organization
structure, 79, 80 – 82 matrix organization
structure, 79, 82 – 83 networked organization
structure, 83 – 84 informal, 84 – 85
summarized, 78 Organizational impacts of IS
use, 76 – 93 cultural dimensions,
89 – 92 immediately responsive
organizations, 92 – 93
information age organization, 248
management control systems (See Management control systems)
organizational design (See Organizational design variables)
virtual organization, 99 – 100
virtual teams (See Virtual teams)
Organizational integration, 316, 320
Organizational skills, 8 Organizational strategy,
34 – 37, 40, 77 Organizational structure
flat, 79, 82 hierarchical, 79, 80 – 82 matrix, 79, 82 – 83 networked, 83 – 85 T-form, 84
Organizational systems, 6 – 7 Organization chart, 136, 359 Organizing, 361 – 362 OSI, 339 – 341 OSS, 339 – 341 Otis Elevator, 58 Outside-in resources,
246 – 247, 335 Outsiders
(consultants/vendors), 97, 210, 259, 334
Outsourcing abroad (See Outsourcing
abroad) challenges, 195 – 197 defined, 193 drivers, 194 – 195 full, 209 models (See Outsourcing
models) pitfalls, avoiding, 197 – 198 selective, 210 strategic networks and,
211 – 212 Outsourcing abroad
captive centers, 205 – 206 cultural differences,
200 – 201 nearshoring, 204 – 205
offshoring (See Offshoring) Outsourcing models
application service provider, 208
classic, 207 – 208 crowdsourcing, 209 full vs. selective, 209 – 210 single vs. multiple vendors,
210 – 211 Overload, information and
communication, 355
Palm Inc., 209 PAPA, 253, 254, 258 – 259 Password, 103, 179, 260, 263 Payback analysis, 180, 184,
294, 295 PayPal, 55 PDA, 60, 68, 78 Peer-to-peer architecture,
171 ‘‘People, Planet, Profit’’
(3BL), 271 PeopleSoft, 148, 152 Percentage complete, 329 Performance orientation, 91 Performing organization,
335 PERL, 341 Perot Systems, 210 Personal digital assistant
(PDA), 60, 68, 78 PERT, 315 – 316 PERT chart, 316, 317 P&G, 61 – 62 Phishing, 263 Physical mapping, 363 PICS, 260 Planning
management control systems, 86
skills, 8 synchronized, 153 See also Enterprise
resource planning (ERP) systems
Platform for Internet Content Selection (PICS), 260
Plaxo, 107 PNG, 341 Political stability, 203, 239 Polyani, Michael, 350
Index 397
Portable computer, 113, 117, 127, 164, 284
Portable phones, 75, 110 Portable terminals, 109 Porter, Michael, 12, 27, 28,
52, 53, 57, 352n Porter’s competitive forces
models. See Five competitive forces model
Porter’s generic strategies framework, 26 – 29
Porter’s value chain model, 57 – 60
Portfolio management, 290 – 292
Post-implementation audit, 337
Post-project feedback, 337 Potential threat of new
entrants, 53 – 54, 57 Power distance, 91 Predictive modeling, 368 Premiere Technologies, 213 PricewaterhouseCoopers,
344 Primary activities, 12,
57 – 58, 61 Privacy, 253 – 255 Privacy, accuracy, property,
and accessibility (PAPA), 253, 254, 258 – 259
Problem solving groups, 358 shared, 358 – 359
Process contextual use of, 135 control, 316, 320 defined, 138 innovation, 230 knowledge, 361 mapping, 363 perspective, 137 – 140 view of business, 12 – 13
Procter & Gamble (P&G), 61 – 62
Procurement process, 138 Productivity paradox, 118 Product scope, 312 Profit, 4, 5, 271 – 272, 295 Profit centers, 281, 283 Progressive Insurance, 28 Project
characteristics, 311
control, 316, 320 cycle plan, 315 – 316 cycle template, 319 defined, 310 – 311 elements (See Project
elements) scope, 312 sponsors, 225 status, 316, 320 triangle, 312 visibility, 316, 320
Project development methodologies comparison of, 327 Crystal, 328 Dynamic System
Development Method, 328
Extreme Programming, 328
Feature-Driven Development, 328
joint application development, 327
object-oriented development, 328
prototyping, 325 – 326 rapid application
development, 326 – 327 Scrum, 328 systems development life
cycle, 322 – 325 Project elements
critical path method, 315 – 316
cycle plan, 315 – 316 Gantt chart, 315 – 316, 318 list of, 316, 320 PERT, 315 – 316, 317 project cycle template, 319 teamwork, 315 vocabulary, 314 – 315
Project evaluation and review technique (PERT), 315 – 316, 317
Project leadership, 316, 320
Project management, 309 – 341 IT projects, 319, 321 – 322 managerial influences,
328 – 330 project, 8, 312 – 314
project development methodologies, 322 – 328
project elements, 314 – 319, 320
project risk, managing, 330 – 338
(See also Project risk, managing)
See also individual headings
Project management office (PMO), 338 – 339
Project manager, 335 See also Manager
Project requirements, identification of, 316, 320
Project risk, managing abandoning the project,
336 – 337 clarity, 332, 334 – 335 commitment, sustaining,
335 – 336 complexity, 331 – 332,
333 – 334 consultants and vendors,
relying on, 334 integrating within
organization, 334 level of risk, 333 size, 332 of stakeholders, 334 – 335 success, gauging, 337 – 338 team skills, leveraging,
333 – 334 Propædia (Encyclopedia
Britannica), 361 – 362 Property, 256 – 257 Protocol, 104 – 106 Prototyping, 325 – 326 Prusak, Laurence, 350,
359n, 360, 363n, 369n
Qualitative mapping, 363
RAD, 326 – 327 Radical redesign
agility and, 145 conceptual flow of, 143 vs. incremental change,
141 – 142 method for, 143 process for, 142 – 144
398 Index
Radical redesign (continued)
risk of, 144 – 145 workflow diagram, 143
Radio frequency identification (RFID) technology, 62
Rapid application development (RAD), 326 – 327
Rapid change, 354 Raymond, Eric, 339 RBV, 62 – 63 R&D, 357 – 358 Really simple syndication
(RSS), 105 Real-time medical
diagnosis, 105 Redundancy, knowledge,
359 Reengineering, 141,
144 – 145, 310 Relationship skills, 49, 50,
63, 65 Renault, 67 Rent or buy, 358 Research and development
(R&D), 357 – 358 Resource-based view
(RBV), 62 – 63 Restructuring, 111, 355 Results-Only Work
Environment (ROWE), 98 – 99
Return on investment (ROI), 294
Reuse, 170 Rewards, 88 – 89 Risk hedging (options
pricing), 300 – 304 Ritz-Carlton, 28 – 29, 60 Robertson, David, 172 Roche Group, 41 – 43 ROI, 294 Role-playing, 295 Ross, Jeanne W., 234 – 237,
262n ROWE, 98 – 99 RPA, 309 – 310 RSS feeds, 360 R/3, 148, 155, 162 Rural Payments Agency
(RPA), 309 – 310
Saab Cars USA, 10 SaaS, 170 Sabre Holdings Corp.,
343 ‘‘Safe harbor’’ framework,
255 SalesForce.com, 49 Santa Cruz Bicycles, 159 SAP, 56, 148, 152, 155, 214
NewWeaver Portal, 162 SAP-R3 CRM, 148, 155,
162, 239 Sarbanes-Oxley Act (SoX) of
2002 enactment of, 265 implementing (See
Sarbanes-Oxley Act (SoX) of 2002, implementing)
Information Technology Infrastructure Library, 269
International Standards Organization, 269
IT control weaknesses uncovered by auditors, 265 – 266
role of, 265 Sarbanes-Oxley Act (SoX) of
2002, implementing CIO tactics for, 269 – 270 COBIT, 267 – 268 compliance, 269 COSO, 266 – 267
Scalable, 177 Scanning, 360 Schedule slip, 329 SCM, 60 – 62 Scope, 312 Scope creep, 312 – 313 Scorecard, 296 – 299 Scrum, 328 SDLC, 322 – 325 Search engine, 254, 262, 271 Sears, 206 Secure servers, 179 Security
architecture and infrastructure, technical issues, 178 – 179
browser software security, 260
control tools, 260
critical decision-archetypes in IT governance, 262 – 265
enterprise, promoting, 226 – 227
hardware system security and control, 260
Internet, 254 – 255 with remote workers,
127 – 129 technological security
controls, 259 – 262 validators, 265 See also Information
security Security information
management, 260 Selective outsourcing, 210 Server, 169 Server software security,
260 Service-oriented
architecture (SOA), 169 – 170
7 Ss, D’Aveni’s new, 31 – 32 Shared problem solving,
358 – 359 Shared services
Business Process Management systems, 146 – 147
horizontal integration, 146 model, 146
Shareholder value model, 29 Sharing best practices,
353 – 354 Sharing information across
firms, 60 – 61 Silicon Valley, 132, 275 Silo, 137 Silo (functional)
perspective, 136 – 137 Simulation, 228, 295 Singapore, 156 Six-sigma, 141 Size, 332 Skilled workforce, 368 SLOC, 329 SOA, 169 – 170 Social contract theory,
250 – 253 Socialization, 364 Social networking, 106
Index 399
Social welfare term, 251 Societal collectivism
(collectivism I), 91 Sodexho Alliance, 213 Sodexho Asia Pacific,
213 – 215 Soft costs, 284, 286 Software, 167
blocking, 260 business analytics tools,
367 – 368 computer-aided-design,
159 development library, 329 filtering/blocking, 260 labeling and rating, 260 messaging, 124 metrics, 329 monitoring and
surveillance software, 250
network operating systems software, 260
open source, 339 – 341 server software security,
260 tools, 367 – 368 Web-based, 49
Software-as-a-service (SaaS), 170
Sony, 69 Source lines of code
(SLOC), 329 Source statement, 329 Sourcing decision cycle
framework, 192 Southland Corporation, 210 SoX. See Sarbanes-Oxley Act
(SoX) of 2002 Spam, 259 – 260 SpectorSoft, 275 Sponsor, 225 Stakeholders
external, 148 key, 335 risks, 334 – 335
Stakeholder theory, 249 – 250
Standards, 178 Standish Group, 309 – 310 Statistical analysis, 368 Status reports, 299 – 300 Steel industry, 54
Steering committee, 237 – 238
Stockholder theory, 248 – 249
Storytelling (narratives), 363 – 364
Strassman, Paul, 191n Strategic alliances, 66 – 68
See also Information resources, strategic use of
Strategic direction, 225 Strategic intent, 360 Strategic systems, 291 – 292 Streamline, 68 – 69 Substitute products, threat
of, 55, 57 Success, gauging, 337 – 338 Sun Microsystems, 98, 341 Supervision, 113 – 114 Supervisor. See Manager Supplier bargaining power,
54 – 55, 57 Supplier management, 208,
230 Supply chain, 60 – 62 Supply chain management
(SCM), 60 – 62 Support activities, 58, 60, 61 Support personnel, 226, 230 Sustainable competitive
advantage, 356 Synchronized planning, 153 System hierarchy, 15 – 16 System reliability, 322 Systems developer, 225, 326 Systems development, 225 Systems development life
cycle (SDLC), 322 – 325 Systems maintenance, 230
Tacit Dimension, The (Polyani), 350
Tacit knowledge, 351, 363 – 364
Takeuchi, Hirotaka, 364 TAM, 125 – 126 Taxonomy of knowledge,
350 TCO. See Total cost of
ownership (TCO) Team management, 316,
320
See also Virtual teams Team skills, leveraging,
333 – 334 Technical skill, 49, 50,
63 – 64 Technical support, 109, 238,
284, 285, 286 Technological leveling, 84 Technological security
controls, 259 – 262 Technology acceptance
model (TAM), 125 – 126 Technology-based
instruction, 93 Telecommuting, defined,
115 Telecommuting and mobile
work disadvantages of, 117 – 119 factors driving, 115 – 117 managerial issues in,
119 – 120 security with remote
workers, 127 – 129 virtual teams (See Virtual
teams) Telemedicine, 105 Tesco, 72 – 73 T-form organization, 84 3BL, 271 360-degree feedback, 88 3M, 218 – 219 Time, 312 Timeline, 43, 315 Time Warner, 69 Timing and know-how
advantage, 29 TJX Co., 246 – 247 TOGAF, 173 Tomozoe, Masanao,
244 Torvalds, Linus, 339 Total cost of ownership
(TCO) component breakdown,
284 – 286 component evaluation,
285 defined, 283 as management tool, 287 soft costs, 284, 286
Total quality management (TQM), 141
400 Index
Toyota Motor Sales, 243 – 245
Toys ‘‘R’’ Us, 1, 6 TQM, 141 Trade-offs, 126, 132, 170,
263, 312, 322 Traffic jams (London),
344 – 345 Transactional systems,
291 – 292 Transparency, 239 Transport for London,
344 – 345 Trojan horse, 259 Troon Golf, 306 – 307
Uncertainty avoidance, 91 Unified communications
(UC), 105 United Parcel Service
(UPS), 242 – 243 Unlimited resources model,
30 UPS, 242 – 243 USAA, 198 Usability, 322, 323, 324 US Airways, 94 – 96 User management activities
architecture platforms and standards, establishing, 226
business continuity, planning for, 227 – 228
current processes, innovating, 225
data, managing, 228 data center operations,
229 developing and
maintaining systems, 225 – 226
enterprise security, promoting, 226 – 227
general support, providing, 229 – 230
human resources, managing, 229
information, managing, 228
Internet and network services, managing, 228 – 229
knowledge, managing, 228
(See also Knowledge management)
new technologies, anticipating, 224
strategic direction, participating in, 225
supplier relationships, managing, 226
UTAUT, 126
Valero Energy, 162 – 163 Valuation methods,
294 – 295 Value chain, 57 – 60 Values, 89 Value system, 59, 66 Valuing IT investments,
292 – 295 Variance detection, 85 VCF system, 96 – 97 VeriFone, 100, 233 VeriSign, 275 Vertical axis measures,
141 – 142 Vertical integration, 193,
211 Videoconference, 104 – 105 Video teleconference,
104 – 105 Viento, Ciro, 131 – 132 Virtual case file (VCF)
management system, 96 – 97
Virtualization, 271 Virtual organization, 99 – 100 Virtual private network
(VPN), 106 Virtual teams
defined, 120 disadvantages of, 120 – 121 driving factors of, 116, 120 global, 120, 121, 123 managerial issues in, 121,
123 offshoring, 118 – 119 telecommuting, 116
Virtual teams, challenges of communication, 121, 123 comparison of, 122 diversity, 124 technology, 123 – 124 vs. traditional teams, 122
Virtual world, 107
Visa, 249 – 250, 252 Vivendi International, 69 Voice over Internet Protocol
(VoIP), 104 VPN, 106
Wal-Mart, 4, 26, 28, 39, 54, 61 – 63, 68, 110
War stories, 363, 364 Web. See Internet Web 2.0, 4, 49, 112 – 113,
145 – 146, 210, 211, 341 Web-based application, 2, 6,
55, 93, 176, 208, 286 Web-based architecture,
169, 178, 186 Web-based e-mail,
103 – 104 Web-based instruction, 93 Web-based software, 49 Web-based technologies,
60, 117 Web browser, 254, 341 Web designer, 6, 194, 228 Weber, Max, 81 Webex, 81 Web logs (blogs), 107, 254,
341 Web masters, 108, 228 Web-oriented architectures
(WOAs), 171 Web server, 177, 341 Web services, 1, 170 Web site, 6 Weighted scoring methods,
295 Weill, Peter, 50n, 172,
234 – 237, 262, 291 – 292 Weill and Ross Framework
for IT governance, 234 – 237
Whisler, Thomas, 111 Wiki, 107 Wikipedia, 112 Winning the 3-Legged Race
(Hogue et al.), 24 Wireless (mobile)
infrastructures, 171 Wisdom, 15 WOAs, 171 Work atmosphere, 87 Work design, 98 – 129
framework, 101 – 102
Index 401
information processing, changing, 110 – 111
IT-induced change, accepting, 125 – 127
managing people, new challenges in, 113 – 115
new types of work, creating, 108
organizational decision-making, changing, 110 – 111
required skill mix, 114 – 115
Results-Only Work Environment, 98
types of work created by, new, 108
virtual organization, 99 – 101
way of doing work, changing nature of, 108 – 109
where work is done (See Telecommuting and mobile work)
who does the work (See Telecommuting and mobile work)
See also Collaboration; Communication
Worker health, 255 Workflow coordination,
153 Workflow diagram, 143 Workforce, skilled, 368 The World is Flat
(Friedman), 106, 110n, 153, 203n
World Wide Web (WWW), 4 See also Internet
Wurster, Thomas, 16 – 17
XP, 328
Year 2000 problem (Y2K), 148, 154, 293
Yellow Pages, 361
Zachman Framework, 173 Zahn, David M., 218n Zara, 46 – 47, 56 – 57, 60 – 61,
64 – 65, 78 – 79, 140, 232 Zero time organization,
92 – 93 Zipcar, 74 – 75 Zuboff, Shoshana, 109
- Cover Page
- Title Page
- Dedication
- Copyright Page
- Contents
- Introduction
- The Case for Participating in Decisions about Information Systems
- A Business View
- People and Technology Work Together
- Integrating Business with Technology
- Rapid Change in Technology
- Competitive Challenges
- What If A Manager Doesn’t Participate?
- Information Systems Must Support Business Goals
- Information Systems Must Support Organizational Systems
- What Skills Are Needed to Participate Effectively in Information Technology Decisions?
- How To Participate in Information Systems Decisions
- Organization of the Book
- Basic Assumptions
- Assumptions about Management
- Assumptions about Business
- Functional View
- Process View
- Assumptions about Information Systems
- Information Hierarchy
- System Hierarchy
- Food for Thought: Economics of Information Versus Economics of Things
- Summary
- Key Terms
- Discussion Questions
- Case Study I-1: Terry Cannon, MBA
- Case Study I-2: Anyglobal Company Inc.
- CHAPTER 1 The Information Systems Strategy Triangle
- Brief Overview of Business Strategy Frameworks
- The Generic Strategies Framework
- Variants on the Differentiation Strategy
- Hypercompetition Framework
- Why Are Strategic Advantage Models Essential to Planning for Information Systems?
- Brief Overview of Organizational Strategies
- Brief Overview of Information Systems Strategy
- Food for Thought: The Halo Effect and Other Business Delusions
- Summary
- Business Strategy
- Organizational Strategy
- IS Strategy
- Strategic Relationships
- Key Terms
- Discussion Questions
- Case Study 1-1: Roche’s New Scientific Method
- Case Study 1-2: Google
- CHAPTER 2 Strategic Use of Information Resources
- Evolution of Information Resources
- Information Resources as Strategic Tools
- How Can Information Resources Be Used Strategically?
- Using Information Resources to Influence Competitive Forces
- Using Information Resources to Alter the Value Chain
- Supply Chain Management
- Using the Resource-Based View to Attain and Sustain Competitive Advantage
- Strategic Allia
- Co-opetition
- Risks
- Food for Thought: Co-creating IT and Business Strategy
- Summary
- Key Terms
- Discussion Questions
- Case Study 2-1: Lear Won’t Take A Backseat
- Case Study 2-2: Zipcar
- CHAPTER 3 Organizational Impacts of Information Systems Use
- Information Technology and Organizational Design
- Decision Rights
- Formal Reporting Relationships and Organization Structures
- Hierarchical Organization Structure
- Flat Organization Structure
- Matrix Organization Structure
- Networked Organization Structure
- Informal Networks
- Information Technology and Management Control Systems
- Planning and Information Technology
- Data Collection and Information Technology
- Performance Measurement, Evaluation, and Information Technology
- Incentives and Rewards and Information Technology
- Information Technology and Culture
- Food for Thought: Immediately Responsive Organizations
- Summary
- Key Terms
- Discussion Questions
- Case Study 3-1: US Air and America West Merger Case
- Case Study 3-2: The FBI
- CHAPTER 4 Information Technology and the Design of Work
- Work Design Framework
- How Information Technology Supports Communication and Collaboration
- IT to Facilitate Communication
- IT to Facilitate Collaboration
- How Information Technology Changes the Nature of Work
- Creating New Types of Work
- New Ways to Do Traditional Work
- New Challenges in Managing People
- How Information Technology Changes Where Work Is Done and Who Does It
- Telecommuting and Mobile Work
- Virtual Teams
- Gaining Acceptance for IT-Induced Change
- Food for Thought: Security With Remote Workers
- Summary
- Key Terms
- Discussion Questions
- Case Study 4-1: Automated Waste Disposal, Inc.
- Case Study 4-2: Virtually There?
- CHAPTER 5 Information Technology and Changing Business Processes
- Silo Perspective Versus Business Process Perspective
- Functional (or Silo) Perspective
- Process Perspective
- Zara’s Cross-Functional Processes
- The Tools for Change
- Incremental Change
- Radical Change
- The Process for Radical Redesign
- The Risk of Radical Redesign
- Agility and Constantly Redesigning Processes
- Shared Services
- Business Process Management (BPM) Systems
- Enterprise Systems
- Characteristics of Enterprise Systems
- Benefits and Disadvantages of Enterprise Systems
- Integrated Supply Chains
- When the System Drives the Change
- Challenges for Integrating ERP between Companies
- Food for Thought: Is ERP a Universal Solution?
- Summary
- Key Terms
- Discussion Questions
- Case Study 5-1: Santa Cruz Bicycles
- Case Study 5-2: Boeing 787 Dreamliner
- CHAPTER 6 Architecture and Infrastructure
- From Vision to Implementation
- The Manager’s Role
- The Leap from Strategy to Architecture to Infrastructure
- From Strategy to Architecture
- From Architecture to Infrastructure
- A Framework for the Translation
- Architectural Principles
- Enterprise Architecture
- Other Managerial Considerations
- Understanding Existing Architecture
- Assessing Strategic Time Frame
- Assessing Technical Issues: Adaptability
- Assessing Technical Issues: Scalability
- Assessing Technical Issues: Standardization
- Assessing Technical Issues: Maintainability
- Assessing Technical Issues: Security
- Assessing Financial Issues
- Differentiating between Architecture and Infrastructure
- From Strategy to Architecture to Infrastructure: An Example
- Step 1: Define the Strategic Goals
- Step 2: Translate Strategic Goals to Business Requirements
- Step 3: Apply Strategy-Architecture-Infrastructure Framework
- Step 4: Translate Architecture to Infrastructure
- Step 5: Evaluate Additional Issues
- Food for Thought: Cloud Computing
- Summary
- Key Terms
- Discussion Questions
- Case Study 6-1: Hasbro
- Case Study 6-2: Johnson & Johnson’s Enterprise Architecture
- CHAPTER 7 Information Systems Sourcing
- Sourcing Decision Cycle Framework
- Insourcing
- Outsourcing
- Outsourcing Drivers
- Outsourcing Challenges
- Avoiding Outsourcing Pitfalls
- Outsourcing Abroad
- Offshoring
- Selecting Offshoring Destinations
- Nearshoring
- Captive Centers
- Backsourcing
- Outsourcing Models
- Application Service Provider Model
- Crowdsourcing
- Full versus Selective Outsourcing Models
- Single versus Multiple Vendors
- Food for Thought: Outsourcing and Strategic Networks
- Summary
- Key Terms
- Discussion Questions
- Case Study 7-1: Sodexho Asia Pacific
- Case Study 7-2: Overseas Outsourcing of Medical Transcribing
- CHAPTER 8 Governance of the Information Systems Organization
- Understanding the IS Organization
- Chief Information Officer
- Chief Technology Officer, Chief Privacy Officer, and Other Similar Roles
- What a Manager Can Expect from the IS Organization
- Anticipating New Technologies
- Participating in Setting Strategic Direction
- Innovating Current Processes
- Developing and Maintaining Systems
- Managing Supplier Relationships
- Establishing Architecture Platforms and Standards
- Promoting Enterprise Security
- Planning for Business Continuity
- Managing Data, Information, and Knowledge
- Managing Internet and Network Services
- Managing Human Resources
- Operating Data Center
- Providing General Support
- What the IS Organization Does Not Do
- IT Governance
- Centralized versus Decentralized Organizational Structures
- Another Perspective on IT Governance
- Managing the Global Considerations
- Food for Thought: CIO Leadership Profiles
- Summary
- Key Terms
- Discussion Questions
- Case Study 8-1: IT Governance at UPS
- Case Study 8-2: The Big Fix at Toyota Motor Sales (TMS)
- CHAPTER 9 Using Information Ethically
- Normative Theories of Business Ethics
- Stockholder Theory
- Stakeholder Theory
- Social Contract Theory
- Control of Information
- Privacy
- Accuracy
- Property
- Accessibility
- PAPA and Managers
- Security and Controls
- IT Governance and Security
- Sarbanes–Oxley Act of 2002
- Frameworks for Implementing SoX
- IT and the Implementation of Sarbanes–Oxley Act Compliance
- Other Control Frameworks
- Food for Thought: Green Computing
- Summary
- Key Terms
- Discussion Questions
- Case Study 9-1: Ethical Decision Making
- Situation 1
- Situation 2
- Situation 3
- Situation 4
- Situation 5
- Situation 6
- Case Study 9-2: Midwest Family Mutual Goes Green
- CHAPTER 10 Funding IT
- Funding IT Resources
- Chargeback
- Allocation
- Corporate Budget
- How Much Does IT Cost?
- Activity-Based Costing
- Total Cost of Ownership
- TCO Component Breakdown
- TCO as a Management Tool
- Building a Business Case
- IT Portfolio Management
- Valuing IT Investments
- Monitoring IT Investments
- The Balanced Scorecard
- IT Dashboards
- Options Pricing
- Food For Thought: Who Pays for the Internet?
- Summary
- Key Terms
- Discussion Questions
- Case Study 10-1: Troon Golf
- Case Study 10-2: Valuing IT
- CHAPTER 11 Project Management
- What Defines a Project?
- What is Project Management?
- Project Elements
- Common Project Vocabulary
- Teamwork
- Project Cycle Plan
- Elements of Project Management
- IT Projects
- IT Project Development Methodologies
- Systems Development Life Cycle
- Prototyping
- Rapid Applications Development and Joint Applications Development
- Other Development Methodologies
- Managerial Influences
- Technical Influences
- Managing Organizational and Socioeconomic Influences
- Managing Project Risk
- Complexity
- Clarity
- Size
- Managing Project Risk Level
- Sustaining Commitment to Projects
- Pulling the Plug
- Gauging Success
- The PMO
- Food for Thought: Open Sourcing
- Summary
- Key Terms
- Discussion Questions
- Case Study 11-1: Sabre Holdings
- Case Study 11-2: Dealing with Traffic Jams in London
- CHAPTER 12 Managing Business Knowledge
- Knowledge Management
- Data, Information, and Knowledge
- Tacit versus Explicit Knowledge
- From Managing Knowledge to Business Intelligence
- Why Manage Knowledge?
- Sharing Best Practices
- Globalization
- Rapid Change
- Downsizing
- Managing Information and Communication Overload
- Knowledge Embedded in Products
- Sustainable Competitive Advantage
- Knowledge Management Processes
- Knowledge Generation
- Knowledge Codification
- Knowledge Capture
- Knowledge Transfer
- Competing with Business Analytics
- Components of Business Analytics
- Data Repositories
- Software Tools
- Analytics Environment
- Skilled Workforce
- Caveats for Managing Knowledge
- Food for Thought: Business Experimentation
- Summary
- Key Terms
- Discussion Questions
- Case Study 12-1: GSD&M’s Virtual Crowd Uses Analytics
- Case Study 12-2: The Brain Behind the Big, Bad Burger
- Glossary
- Index
E
6/16/2020 Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance: Information T…
https://www.tandfonline.com/doi/abs/10.1080/02681102.2017.1335281?journalCode=titd20 1/6
Journal
Volume 23, 2017 - Issue 3: Information Technology Enabled Collaboration for Development
Information Technology for Development
858 Views
3 CrossRef citations to date
1 Altmetric
Articles
Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance
,Zhaojun Yang ,Jun Sun ,Yali Zhang &Ying Wang Lisha Cao Pages 486-506 | Published online: 07 Jun 2017
Download citation https://doi.org/10.1080/02681102.2017.1335281
Select Language ▼
Translator disclaimer
Full Article Figures & data References Citations Metrics
Reprints & Permissions Get access
ABSTRACT
Green information system (GIS) innovation plays an important role in corporate
sustainability, especially for the organizations in emerging economies that face both
economic and environmental pressures. To support Sustainable Development,
employees need to work together on tasks using all kinds of GIS functions like online
collaboration and electronic work�ow. Most researchers examine GIS implementation
and usage at either the organizational or individual level, but few have studied the
Log in | Register
6/16/2020 Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance: Information T…
https://www.tandfonline.com/doi/abs/10.1080/02681102.2017.1335281?journalCode=titd20 2/6
a d usage at e t e t e o ga at o a o d dua e e , but e a e stud ed t e
phenomenon from the perspective of technology-enabled collaboration. This study
investigates the motivation, e�ort and performance of collective GIS use at the
operational level. In addition, strategic-level variables including GIS Strategy, Green
Image and Competitive Advantage are included in the research model. Results based
on survey observations collected from China and USA support hypothesized
relationships and reveal interesting cross-country di�erences. GIS Strategy provides
overarching guidance on GIS-enabled collaboration, which yields long-term e�ects on
Green Image and Competitive Advantage. The �ndings provide helpful insights on the
best practices to promote GIS-enabled collaboration for corporate sustainability in
countries and regions at di�erent development stages.
KEYWORDS: Green information systems, collaborative technology use, corporate
sustainability, organizational strategy, Environmental Performance, Green Image
Additional information
Funding
This study was supported by the National Social Science Foundation of China [No. 15BGL040]
and the Fundamental Research Funds for the Central Universities [No. JB160608] awarded to
the �rst author.
Disclosure statement
No potential con�ict of interest was reported by the authors.
Notes on contributors
Zhaojun Yang is an associate professor in The School of Economics and
Management at Xidian University, China. He received a PhD in Management
6/16/2020 Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance: Information T…
https://www.tandfonline.com/doi/abs/10.1080/02681102.2017.1335281?journalCode=titd20 3/6
a age e t at d a U e s ty, C a. e ece ed a a age e t
Information Systems and a Master Degree in Computer science from Northwestern
Polytechnical University, China. His research interests include green IS, SaaS and e-
commerce. He has published more than 30 papers in journals like Information
Systems Frontiers, Journal of Computer Information Systems, Computers in Human
Behavior, International Journal of Mobile Communications. He is also a consultant to
a number of computing SME based in Central China.
Jun Sun is a professor of information systems at the University of Texas Rio Grande
Valley. He received his doctoral degree in Information and Operations Management
from Texas A&M University. Some of his recent publications can be found in
Communications of the ACM, Journal of the Association for Information Science and
Technology, Journal of Computer Information Systems, Industrial Management &
Data Systems, Computers in Human Behavior, Computers & Education,
Communications of the Association for Information Systems, and Health Policy.
Yali Zhang is an associate professor at Northwestern Polytechnical University, China.
She received a PhD in Management. Her research interests include social media,
green IT/IS management, and organization behavior. Her work has appeared in
Computers in Human Behavior, Journal of Computer Information Systems,
International Journal of Services and Standards.
Ying Wang is a lecturer of information systems at the University of Texas Rio Grande
Valley, where she received her PhD. Her work has appeared in Communications of
the AIS, Journal of Computer Information Systems, Computers in Human Behavior,
Industrial Management & Data Systems, Proceedings of International Conferences
on Information Systems and Proceedings of Hawaii International Conference on
System Sciences.
Lisha Cao is a Master’s program student in The School of Economics and
Management at Xidian University, China. Her research interests include Green IS and
e-commerce.
People also read
6/16/2020 Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance: Information T…
https://www.tandfonline.com/doi/abs/10.1080/02681102.2017.1335281?journalCode=titd20 4/6
Article A DEMATEL based approach for investigating barriers in green supply chain management in Canadian manufacturing firms
Jasneet Kaur et al.
International Journal of Production Research Volume 56, 2018 - Issue 1-2
Published online: 31 Oct 2017
Article
The Influence of Green IS Practices on Competitive Advantage: Mediation Role of Green Innovation Performance
Krishnadas Nanath et al.
Information Systems Management Volume 34, 2017 - Issue 1
Published online: 31 Oct 2016
Editorial
Exploring the emerging research topics on information technology- enabled collaboration for development
Xusen Cheng et al.
Information Technology for Development Volume 23, 2017 - Issue 3
Published online: 19 Oct 2017
Article
Organizational Green Motivations for Information Technology: Empirical Study
Alemayehu Molla et al.
Journal of Computer Information Systems Volume 52, 2012 - Issue 3
Published online: 11 Dec 2015
Article
Intended Belief and Actual Behavior in Green Computing in Hong Kong
Article
Increasing collaboration and participation in smart city
6/16/2020 Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance: Information T…
https://www.tandfonline.com/doi/abs/10.1080/02681102.2017.1335281?journalCode=titd20 5/6
Wing S. Chow et al.
Journal of Computer Information Systems Volume 50, 2009 - Issue 2
Published online: 11 Dec 2015
governance: a cross-case analysis of smart city initiatives
Gabriela Viale Pereira et al.
Information Technology for Development Volume 23, 2017 - Issue 3
Published online: 19 Jul 2017
Article
Examining Firms’ Green Information Technology Practices: A Hierarchical View of Key Drivers and Their Effects
Paul Jen-Hwa Hu et al.
Journal of Management Information Systems Volume 33, 2016 - Issue 4
Published online: 10 Feb 2017
Article
Investigating Users' Extrinsic Motivation for Green Personal Computing
Yang Chen et al.
Journal of Computer Information Systems Volume 56, 2016 - Issue 1
Published online: 7 Dec 2015
6/16/2020 Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance: Information T…
https://www.tandfonline.com/doi/abs/10.1080/02681102.2017.1335281?journalCode=titd20 6/6
Information for
Authors
Editors
Librarians
Societies
Open access
Overview
Open journals
Open Select
Cogent OA
Help and info
Help & contact
Newsroom
Commercial services
All journals
Books
Sign me up
Keep up to date
Register to receive personalised research and resources by email
Copyright © 2020 Informa UK Limited Privacy policy Cookies Terms & conditions Accessibility
Registered in England & Wales No. 3099067 5 Howick Place | London | SW1P 1WG
Mutual Understanding in Information Systems Development Changes within and across Projects.pdf
RESEARCH ARTICLE
MUTUAL UNDERSTANDING IN INFORMATION SYSTEMS DEVELOPMENT: CHANGES WITHIN AND ACROSS PROJECTS1
Tracy A. Jenkin and Yolande E. Chan Smith School of Business, Queen’s University,
Kingston, ON CANADA K7L 3N6 {[email protected]} {[email protected]}
Rajiv Sabherwal Sam M. Walton College of Business, University of Arkansas,
Fayetteville, AR 72701 U.S.A. {[email protected]}
Although information systems development (ISD) projects are critical to organizations and improving them has been the focus of considerable research, successful projects remain elusive. Focusing on the cognitive aspects of ISD projects, we investigate how and why mutual understanding (MU) among key stakeholder groups (business and information technology managers, users, and developers) changes within and across projects, and how it affects project success. We examine relationships among project planning and control mechanisms; sensegiving and sensemaking activities by, and MU among, these stakeholder groups; and project success. Combining deductive and inductive approaches for theory building, we develop an initial model based on the literature and then modify it based on the results of a longitudinal embedded mixed-methods study of 13 projects at 2 organizations over a 10-year period. The results provide insights into the development of MU within projects, including (1) how MU changes during projects as a result of cognitive activities (sensegiving and sensemaking); (2) how planning and control mechanisms (and the associated artifacts) affect these cognitive activities; (3) how MU, and achieving it early in the project, affects success; and (4) how stakeholder engagement (in terms of depth, scope, and timing) affects the relationships in (1) and (2). The results also indi- cate that project management mechanisms, stakeholder engagement, and MU may change (either improve or deteriorate) across projects, depending on the disagreements among stakeholders in previous projects, the introduction of new project elements in subsequent projects, and the reflection on previous projects.
Keywords: Information systems development, project planning, project control, cognition, sensegiving, sensemaking, mutual understanding, project stakeholders
Introduction 1
Despite being crucial to organizations (Gemino et al. 2007; Wallace et al. 2004), information systems development (ISD) projects continue to show a propensity to fail, with less than half being successful (Hughes et al. 2017; Standish 2015). This is attributed to reasons such as technical complexity,
dynamic power structures, and uncertain and changing requirements (e.g., Davidson 2002; Hughes et al. 2017). Con- sistent with the need to share knowledge among information technology (IT) and business project stakeholders (managers and staff) to address such issues, the primary causes for ISD problems are seen as sociocognitive (Lyytinen 1987; Newman and Noble 1990), such as stakeholders’ conceptions of reality that are different (Cronin and Weingart 2007; Rai et al. 2009) and evolving (Vlaar et al. 2008). Thus, mutual understanding (MU) among key stakeholders (business and IT managers, users, and developers), or the extent to which they have a shared conception of the ISD project, is important to project
1Arun Rai was the accepting senior editor for this paper.
The appendices for this paper are located in the “Online Supplements” section of MIS Quarterly’s website (https://misq.org).
DOI: 10.25300/MISQ/2019/13980 MIS Quarterly Vol. 43 No. 2, pp. 649-671/June 2019 649
Jenkin et al./Mutual Understanding in IS Development
success. However, MU itself may change, developing or deteriorating, over time (Davidson 2002; Gregory et al. 2013). In this article, we focus on such changes in MU among stakeholders.
The changes in MU among stakeholders can be understood using prior theoretical work on sensegiving and sensemaking (e.g., Vlaar et al. 2008; Weick 1995). Sensegiving involves framing and sharing information, including narratives, explanations, and signals by some individuals to influence how others think and act (Gioia and Chittipeddi 1991; Vlaar et al. 2008), whereas sensemaking involves individuals accessing and interpreting information to develop compre- hension and construct meaning (Stigliani and Ravasi 2012; Vlaar et al. 2008). The need to share knowledge across pro- ject stakeholders is also apparent in the literature on planning and control (e.g., Kirsch 2004; Zmud 1980) in ISD projects. For example, Wallace et al. (2004) discuss how poor planning and control cause knowledge gaps such as unclear schedules and milestones for evaluating progress. Similarly, Tiwana (2009) examines the relationship between project control and knowledge sharing between IT and client departments. The relationship between project control and MU has also been examined (e.g., Gregory et al. 2013; Kirsch 2004), but sense- giving and sensemaking, which have both been argued to enable MU (e.g., Vlaar et al. 2008), have not been studied in conjunction with project planning and control mechanisms.
Thus, the literature recognizes that (1) the use of planning and control mechanisms in ISD projects involves knowledge sharing among stakeholders, (2) such knowledge sharing enables sensegiving and sensemaking, and (3) sensegiving and sensemaking enable MU. But these arguments are inde- pendent of each other, and how project planning and control mechanisms interact with cognitive activities (i.e., sense- giving, sensemaking) to affect cognitive (i.e., MU) and project outcomes is not well understood. Therefore, we seek to provide insights into changes in MU over time when con- sidering project planning and control mechanisms as well as sensegiving and sensemaking. Specifically, we examine how sensegiving and sensemaking by project stakeholders helps explain the effects of planning and control mechanisms on MU, and the changes in MU over time within a project (i.e., within a project stage, or between stages of the same project) and across projects (i.e., from one project to the next, or to one much later). Thus, we address the following research questions:
1. Within a project, how do project management mech- anisms (planning, control) affect cognitive activities (sensegiving, sensemaking) by key stakeholders, cogni- tive outcome (MU among key stakeholders), and project success?
2. How do project management mechanisms, cognitive activities, cognitive outcome, and success of an ISD project affect subsequent projects?
To address these questions, we conduct case studies of 13 ISD projects in 2 organizations, mitigating some of the issues with single-project studies (Elbanna 2010). Combining deductive and inductive approaches (e.g., Shepherd and Sutcliffe 2011), we use the literature to propose an initial model and then use empirical findings, based on a longitudinal embedded mixed- methods design (Creswell and Clark 2007), to reach the emergent model.
The rest of this article is organized as follows. We first develop the initial model by integrating concepts of cognition, stakeholders, and planning and control mechanisms. We then discuss our research methods. Next, we summarize the insights from our analyses and present the emergent model. We conclude with a discussion of the implications and limitations of our study.
Theoretical Development
Project Success
Project success has generally been viewed as including pro- cess efficiency, product effectiveness, user satisfaction, and degree of project completion (e.g., whether the project is smoothly completed, partially abandoned, or totally aban- doned) (Aladwani 2002; Gemino et al. 2007). Process effi- ciency reflects how well the project was executed, and product effectiveness reflects the quality of the system delivered. Past research views evaluations of ISD projects as value laden and social, based on the perceptions and expec- tations of various project stakeholders (e.g., Hughes et al. 2017). Thus, if one stakeholder group is not satisfied, the pro- ject may be viewed as less successful than if all stakeholder groups are satisfied.
Mutual Understanding
Mutual understanding refers to the extent to which stake- holders have a shared conception of the project regarding, for example, its goals and processes, and stakeholder roles (Greg- ory et al. 2013). Other terms used to describe MU include congruent understanding (Vlaar et al. 2008) and shared under- standing (Gregory et al. 2013). The importance of MU is highlighted in the information systems (IS) literature, such as on IS group performance (e.g., Nelson and Cooprider 1996) and technology innovativeness (e.g., Lind and Zmud 1991).
650 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
A shared understanding of goals and methods has been linked to project success (Aladwani 2002; Gregory et al. 2013). Dif- ferent interpretations arise in projects (Cronin and Weingart 2007; Lyytinen 1987) because of differing goals, interests, and conceptions of reality (Sambamurthy and Kirsch 2000). Thus, developing MU is important.
MU among stakeholders changes over time, developing or deteriorating, and at different rates (Gregory et al. 2013; Monin et al. 2013). Prior ISD studies link MU development to project planning (Wallace et al. 2004) and control mech- anisms (Gregory et al. 2013; Kirsch 2004), and sensegiving and sensemaking (Vlaar et al. 2008). However, the relation- ships among project management mechanisms, sensegiving, and sensemaking have not been examined. Thus, under- standing how and why project planning and control mech- anisms affect changes in MU over time through sensegiving and sensemaking provides valuable theoretical and practical insights into the role of these mechanisms beyond their tradi- tional role in project management.
To address this gap, we develop an initial model (Figure 1), focusing on how project management mechanisms and cogni- tive activities (sensegiving, sensemaking) affect MU among project stakeholders, and how MU affects project success. Within a project, and consistent with the literature (Monin et al. 2013; Vlaar et al. 2008), sensegiving and sensemaking activities influence MU among stakeholders. However, instead of viewing project planning and control mechanisms as affecting MU directly, we reason that they affect MU through their sensegiving and sensemaking potential. Consis- tent with the literature, we argue that MU influences the success of the ISD project (Aladwani 2002; Gregory et al. 2013). Given the limited literature on MU change within and across ISD projects, we do not include these aspects in the initial model but use a data-driven inductive approach to develop propositions about them.
Sensegiving and Sensemaking Activities
ISD projects include an ongoing dialogue among IT and busi- ness stakeholders, involving episodes of sensegiving and sensemaking (cognitive activities) (Gioia and Chittipeddi 1991; Stigliani and Ravasi 2012), which affect the MU (the focal cognitive outcome) among these stakeholders (Vlaar et al. 2008). Sensemaking involves constructing and recon- structing meaning, interpreting,2 and updating cognitive frameworks (Gioia and Chittipeddi 1991). Sensemaking in
organizations involves an interplay between individual and group sensemaking, through conversations and artifacts (Weick et al. 2005).
Through sensegiving, individuals influence others’ interpre- tation of a situation, that is, their sensemaking (Gioia and Chittipeddi 1991). ISD projects include several stakeholders (business and IT managers, users, and developers) who may pursue their own agendas (Sambamurthy and Kirsch 2000). Influencing others’ sensemaking is one way to do this. Sense- giving and sensemaking3 affect each other; one or more actors provide sense via artifacts or communication and one or more actors make sense of such stimuli (Gioia and Chittipeddi 1991). Thus, it is important to understand the role of actors as sensemakers and sensegivers.
Project Planning and Project Control Mechanisms
The ISD literature considers planning and control mechanisms as key ways to guide the project team and stakeholders to increase the likelihood of project success (Barki et al. 2001; Gemino et al. 2007). Accordingly, we focus on these mech- anisms.
Project Planning
Project planning involves identifying the scope, structure, and sequence of tasks; allocating resources; and estimating time and costs (Wallace et al. 2004). The literature emphasizes planning to provide information that mitigates uncertainty (Barki et al. 2001). Planning has been viewed as critical to meeting project targets (e.g., lower budget variances), pro- ducing high-quality software (Yetton et al. 2000), and enhancing the project success (Pinto and Slevin 1987).
The literature distinguishes between a comprehensive, formal, and top-down approach to planning and an incremental, or emergent, and bottom-up approach. This distinction is seen in both the IS strategic planning (Chen et al. 2010; Segars and Grover 1999) and broader strategy (Fredrickson 1984; Mintz- berg 1990) literatures, which discuss planning attributes of rationality (i.e., comprehensive, integrated, and formal planning) and adaptability (i.e., frequent planning iterations and a learning orientation). In these literatures, comprehen- sive planning is “top-down” in nature; ideally, senior manage-
2Sensemaking can focus on interpreting past events, that is, retrospective sensemaking (Weick 1995), or envisioning what the future may look like, that is, prospective sensemaking (Gioia and Mehra 1996).
3Past studies identify other cognitive activities (e.g., sense demanding, sense breaking) (Monin et al. 2013; Vlaar et al. 2008) and outcomes (e.g., novel understanding). We focus on sensegiving and sensemaking, which have received the greatest attention and been most directly related to MU.
MIS Quarterly Vol. 43 No. 2/June 2019 651
Jenkin et al./Mutual Understanding in IS Development
Project Management Mechanisms
Mutual Understanding
Project Success
Sensegiving
Sensemaking
Cognitive Activities Cognitive Outcome Project Outcome
Planning Mechanisms
Control Mechanisms
Sensegiving Potential
Sensemaking Potential
Figure 1. Initial Model
ment and project managers communicate a clear vision of the project’s objectives, and how to achieve them, to the project team and stakeholders. Thus, many of the project details are conveyed up-front to the team by project and organizational leaders. However, detailed plans may not exist in projects with a high level of uncertainty. In such cases, planning pro- cesses are more emergent and “bottom-up” (Segars and Grover 1999), focusing on iteratively developing the project objectives and deliverables. Thus, emergent planning in- volves experimentation, developing prototypes and other artifacts, and dialogue.
Project Control
Control is viewed as “any attempt to motivate individuals to behave in a manner consistent with organizational objectives” (Kirsch 2004, p. 374). The literature on control distinguishes between the “controller,” who exercises control, and the “con- trollee,” whose behavior is being controlled (Flamholtz et al. 1985). Early studies of ISD projects discussed formal control mechanisms and their effects on project success (e.g., Zmud 1980). Control mechanisms were seen as ways to enable managers to understand project progress and detect deviations early enough to take corrective actions. The literature exam- ines various types of formal and informal control mechanisms (e.g., Henderson and Lee 1992).
Formal controls include outcome and behavior controls. Outcome controls involve specifying the project’s interim and final outcomes (e.g., requirements, design specifications, and delivery date) and measuring the extent to which they are fulfilled (e.g., quality assurance and testing results) (Choud- hury and Sabherwal 2003; Kirsch 1997). Behavior controls involve the controller providing specifications for the process (e.g., ISD methods) and then assessing the extent to which the controllee behaves according to these specifications (e.g., observation).
Informal controls include clan and self-controls. In groups using clan controls, members share a common goal, depend on one another, and influence each other to behave in accept- able ways based on the group’s norms, values, and beliefs (Kirsch 1996). Although project teams are often diverse and temporary, role- or function-specific groups such as program- mers and testers may operate as clans. Clan controls include socialization to develop shared norms, and mechanisms to reward behavior that is consistent with the norms and to sanc- tion behavior that violates them. Self-control, by contrast, stems from individual objectives and intrinsic motivation (Kirsch 1996) and requires controllee autonomy (Tiwana and Keil 2009).
Project Management Mechanisms and Cognitive Activities and Outcomes
Although prior research discusses the relationships of project planning and control mechanisms with MU (e.g., Gregory et al. 2013; Kirsch 2004), how these mechanisms affect MU is not described. For example, Gregory et al. (2013) find that gaps in MU led to different control approaches being em- ployed, which in turn led to the development or deterioration of MU, but they do not examine how control mechanisms such as status review meetings and socialization activities help develop MU among project stakeholders.
Prior research suggests that artifacts, for example, templates and methods (Vlaar et al. 2008), enable sensegiving or sense- making (Gephart 1993; Stigliani and Ravasi 2012). Thus, we incorporate the notion that project planning and control mech- anisms have the potential to support sensegiving and sense- making. For example, outcome controls, such as a plan, have the potential to support moderate levels of sensegiving and sensemaking, as discussed in detail later. In using a mech- anism, the potential is converted into actual sensegiving and sensemaking; the extent to which this potential is realized depends on how the mechanism (e.g., plan) is used.
652 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
Table 1. Implications of Project Planning and Control Mechanisms for Sensegiving and Sensemaking
Type of Mechanism
Potential for Sensegiving
Potential for Sensemaking References
Planning Comprehensive High Low
Bowman et al. (1983); Levina (2005); Segars and Grover (1999)
Emergent Moderate High Abdel-Hamid et al. (1999); Levina (2005); Segars and Grover (1999)
Control
Self-control Low High Henderson and Lee (1992); Kirsch (1996); Tiwana and Keil (2009)
Clan control High High Kirsch (1997, 2004)
Outcome control Moderate Moderate Choudhury and Sabherwal (2003); Kirsch (1997); Nidumolu and Subramani (2003)
Behavior controls Moderate Moderate Kirsch (1996, 1997); Nidumolu and Subramani (2003); Orlikowski (1991)
We use logic and an extensive literature review to assess the potential for the sensegiver to give sense with each mech- anism (e.g., emergent planning, outcome controls), and the potential for the sensemaker to make sense of what is con- veyed through that mechanism. Table 1 provides the sense- giving and sensemaking potential for each mechanism. Appendices A and B provide further details regarding the underlying logic and illustrative quotes from the literature, respectively, supporting the connection between each mech- anism and its sensegiving or sensemaking potential. Extending existing theory, we propose that the greater the sensegiving or sensemaking potential of the mechanisms used in a project, the greater the actual sensegiving or sense- making, respectively.
Stakeholders in ISD Projects
In ISD projects, stakeholders give and make sense of elements related to the project, such as the development process and the project deliverables. Given the differences in interpretations, goals, and interests across stakeholders (e.g., Gregory et al. 2013; Lyytinen 1987), it is important to consider which stake- holders give sense and which make sense over the course of the project. Boland and Tenkasi (1995) take this into account in their related concepts of perspective making and perspec- tive taking, differentiated by the groups involved. Perspective making focuses on within-group sensegiving-sensemaking episodes to strengthen the group’s knowledge, whereas per- spective taking considers each group’s viewpoint in across- group sensegiving-sensemaking.
Past studies examine the role of IS versus business stake- holders (e.g., Bassellier et al. 2001; Kirsch 2004), that is, the
functional home of the stakeholder. The structural position of stakeholders is also deemed important (e.g., Boland and Ten- kasi 1995; Markus and Mao 2004), for example, whether management (e.g., a project manager) interacts with staff (e.g., programmers) or staff interact with peers (e.g., pro- grammers with users) (e.g., Nidumolu 1996). Thus, we dif- ferentiate stakeholder groups along these functional (IT and business) and structural (staff and management) dimensions, resulting in four groups: IT managers (e.g., IT project mana- ger, test lead), business managers (e.g., business unit mana- ger, project sponsor), developers (e.g., programmer, tester), and users (e.g., external customer, internal end-user).
Figure 2 depicts a sensegiving-sensemaking episode between two stakeholders from these groups, showing the iterative nature of the process and how it is affected by planning and control mechanisms. This is a generic depiction, and addi- tional stakeholders could be involved. Consistent with the sensemaking literature (Monin et al. 2013; Stigliani and Rava- si 2012; Vlaar et al. 2008), these sensegiving-sensemaking episodes positively influence MU among stakeholders, which positively affects project success (Aladwani 2002; Davidson 2002; Gregory et al. 2013). Combined with our previous discussion of the effects of project management mechanisms on sensegiving and sensemaking, we propose the following (as shown in Figure 1):
Within an ISD project, project planning and project control mechanisms (through their sensegiving and sensemaking potential) influence sensegiving and sensemaking activities, which affect each other and enable MU among stakeholders, and this MU leads to greater project success.
MIS Quarterly Vol. 43 No. 2/June 2019 653
Jenkin et al./Mutual Understanding in IS Development
Figure 2. Sensegiving-Sensemaking Episode
Research Design
Our research questions focus on understanding changes in MU among project stakeholders and how these changes depend on planning and control mechanisms and sensegiving and sensemaking activities. To address these research ques- tions, we use a variance approach, a longitudinal embedded mixed-methods design that combines qualitative and quanti- tative methods, and a theory-building approach that combines deduction and induction.
The literature suggests that process-oriented research ques- tions can be examined using a variance approach, a process approach, or a hybrid approach (Burton-Jones et al. 2015; Sabherwal and Robey 1995). According to Van de Ven (2007, p. 148),
two different definitions of “process” are often used in the literature: (1) a category of concepts or vari- ables that pertain to actions and activities; and (2) a narrative describing how things develop and change .… When the first definition is used, process is typi- cally associated with a variance model …. The second meaning of process takes an event-driven approach that is often associated with a process study of the temporal sequence of events.
We adopt a variance approach (Burton-Jones et al. 2015) and examine process in terms of activities and changes in state
(Van de Ven 2007) over time. The initial model (Figure 1) focuses on how the use of project planning and control mech- anisms (states) and sensegiving and sensemaking (activities) affect the level of MU (state) among project stakeholders, and how MU affects success (state) within a project. Qualitative data on the cognitive activities are used to assess these acti- vities in terms of their levels (state). We capture low, moderate, and high levels of sensegiving and sensemaking, and directionality in terms of who gave and made sense: localized (i.e., between members of the same group), unidirectional, or bidirectional.
The literature (Creswell and Clark 2007; Venkatesh et al. 2013) mentions four mixed-methods designs: triangulation, embedded, explanatory, and exploratory. An embedded design uses qualitative or quantitative methods in a study based largely on the other method. We use a longitudinal embedded mixed-methods design, conducting exploratory quantitative analyses in a primarily qualitative study. Speci- fically, we use quantitative analyses to explore the data and qualitative analyses to develop a rich understanding. We study changes over time using temporal bracketing (Langley 1999), that is, dividing each project into early, middle, and late stages.
Moreover, we combine deductive and inductive theory- building approaches (e.g., Shepherd and Sutcliffe 2011). We use the ISD literature to identify the proposed relationships (Figure 1) and develop an episode model (Figure 2) of sense-
654 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
giving and sensemaking between stakeholders, showing the influence of project planning and control mechanisms. We then use a bottom-up inductive approach to generate emergent propositions (Eisenhardt 1989; Mantere and Ketokivi 2013). The 10-year case study data, which include rich insights from 13 projects across two organizations, allow us to identify pat- terns, relationships, and insights beyond those described in the literature. Thus, consistent with Eisenhardt’s (1989) recom- mendations for building theory from case studies, we are guided by pre-identified concepts in the initial model but allow unanticipated concepts and relationships to emerge. This is further discussed in the next section (see Appendix C for a summary).
Data
Data Collection
To select cases for inductive theorizing, Eisenhardt (1989) recommends theoretical sampling. We first identified two organizations with headquarters in North America: “Alpha” and “Beta” (pseudonyms). We then used theoretical sampling to select contrasting projects, asking the key informant at each organization to choose projects ranging in focus, importance, and success. At Alpha, a global software development firm, we studied seven projects involving the development and enhancement of enterprise software. At Beta, a global manu- facturer and seller of high-tech products, we studied six projects involving the development and enhancement of inter- nally facing (i.e., supporting internal processes) and externally facing (i.e., supporting customer or supplier interactions) sys- tems. Thus, the two organizations provide different kinds of ISD projects. Table 2 summarizes the 13 projects (see Appendix D for further details).
We followed Eisenhardt’s (1989) recommendations on using multiple and flexible data collection methods, combining qualitative and quantitative data, involving multiple investi- gators, and overlapping data collection and analysis. We developed an interview guide based on the initial model and refined through inputs from industry experts and researchers (see Appendix E for the final version of the guide, which we provided to the key informant at each organization to review before the interviews). We discussed the kind of data to collect, developed the interview guide, and considered interim findings to plan subsequent interviews. Because of method- ological and scheduling considerations, one of us conducted the interviews.
We conducted three intensive waves of onsite interviews in 2004, 2005, and 2010, including 24 formal interviews with 21 informants at the two organizations, many of whom com-
mented on multiple projects. We conducted 17 interviews at Alpha (informants included a vice president, product man- ager, project managers, department managers, product designers, programmers, team leads, testers, and technical writers) and seven at Beta (informants included project managers and functional managers in both IT and business). Project documents and informal conversations at each organi- zation provided additional insights. At each organization, a key informant whose experience there spanned the 10-year study period was interviewed about changes over time and was asked to review the results and interpretations. Inter- views were recorded and 214 pages of transcripts were produced.
Data Coding
Our coding and analysis approach (see Appendix F for details) involved coding data (text from the raw transcripts), analyzing data from the coded transcripts, and iterating between qualitative and quantitative analyses to enhance the reliability of conclusions (Eisenhardt 1989). One author first read the interview transcripts and created narratives of indiv- idual projects, describing the project’s context, how it unfolded, and the outcomes from participant perspectives. All authors then discussed each narrative and developed a coding scheme for the constructs (based on Figure 1) (Eisenhardt and Graebner 2007; Miles and Huberman 1994). Data collection and analyses were iterative. Before the 2010 interviews, all authors discussed the projects studied until then (A1–A5 and B1–B4), which led to clarification questions (Langley 1999; Weick 1995). After these interviews, summaries of the latest projects were created.
In the first step of coding, we (1) identified each quote as pertaining to the early, middle, or late stage of the project; (2) identified the planning and control mechanisms used in each stage of each project; and (3) rated each project’s suc- cess as low, moderate, or high. For example, we coded outcome, behavior, clan, and self-control mechanisms (similar to Kirsch 1997), considering specification and evaluation aspects, and project success, considering the extent to which stakeholder expectations were met (Hughes et al. 2017).
Next, based on expected sensegiving and sensemaking poten- tial for each project planning and control mechanism4 (see Table 1 and Appendix A), and viewing the use of more mechanisms as adding to the overall sensegiving or sense-
4High, moderate, and low potential ratings were coded as 1, 0.5, and 0, respectively.
MIS Quarterly Vol. 43 No. 2/June 2019 655
Jenkin et al./Mutual Understanding in IS Development
Table 2. Summary of Projects
Project Description Timeline
Informants*: Total
(Primary) Roles of Informants
A1 Implemented technical feature to support installation functionality. (Paired with A3)
Jan.–Dec. 2001
4 (2) Project Manager, Programmer, Vice President, Product Manager
A2 Moved core product to a new technology base and architecture to support future usability enhancements.
June 2002– Feb. 2003
4 (2) Project & Department Manager, Team Lead, Vice President, Product Manager
A3
Addressed many issues that arose from the newly implemented installation functionality (i.e., from project A1) including lack of breadth and integration, and usability issues. (Paired with A1)
Oct. 2002– March 2003
5 (3) Project Manager, Team Lead and Programmer, Product Designer, Vice President, Product Manager
A4 Involved porting desktop functionality of a legacy product to the web. (Paired with A5)
Oct. 2002– May 2003
5 (3) Project Manager, Team Lead, Product Designer, Vice President, Product Manager
A5
Involved enhancing web and desktop functionality. Originally included in project A4, but later removed and made into a separate project. (Paired with A4)
Feb.–Sept. 2003
7 (5) 2 Project Managers, 2 Program- mers, Product Designer, Vice President, Product Manager
A6 Added several specific features to Alpha’s flagship product. (Paired with A7)
Sept. 2008– Aug. 2009
5 (4) 2 Product Designers, Program- mer, 2 Technical Writers
A7 Major overhaul of Alpha’s flagship product, including new features and updates to existing features. (Paired with A6)
Aug. 2009– Aug. 2010
5 (4) 2 Product Designers, Program- mer, 2 Technical Writers
B1 Involved implementing a new product for its customers, as well as new technology and business processes. (Paired with B2)
Aug. 2001– May 2002
2 (2) Business Project Manager, IT Project Manager
B2
Ported legacy application onto new platform implemented in project B1. Originally included in project B1. Removed and made a separate project. (Paired with B1)
Aug. 2002– April 2003
2 (2) Business Project Manager, IT Project Manager
B3 Insourced an existing customer product that was previously outsourced and implemented new business processes.
Feb. 2003– Feb. 2005
2 (1) IT Functional Manager, Business Project Manager
B4 Implemented functionality to enable business units to modify their own (customer facing) applications online.
March–Aug. 2004
2 (1) IT Functional Manager, Business Project Manager
B5
Implemented a third-party order management system, integrated with existing systems, and changed business processes.
March–Dec. 2009
2 (1) IT Functional Manager, Business Project Manager
B6 Implemented new functionality for customer- facing application and new business processes.
July–Dec. 2009
2 (1) Business Project Manager, IT Functional Manager
*The total number of informants with whom each project was discussed is given, with the number in parentheses indicating the number of primary informants focusing on the project. Initial site visits and data collection occurred in 2004 for Alpha and 2005 for Beta. A continued relationship with both organizations and key informants enabled a second data collection in 2010.
656 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
making potential for that stage (Klein and Kozlowski 2000),5
we computed aggregated sensegiving (sensemaking) potential for each stage of each project. To measure overall sense- giving (sensemaking) for each project, we averaged sense- giving (sensemaking) across stages.
We then identified sensegiving-sensemaking episodes, the stages in which they occurred, the stakeholder groups en- gaged in them, and the localized, unidirectional, or bidirec- tional nature of the engagement. Thus, using the interview transcripts, we coded actual (versus potential) sensegiving activities and actual sensemaking activities, and then aggre- gated them to assess the levels (low, moderate, or high) and the directionality of sensegiving and sensemaking at each stage (early, middle, late) of each project.6 The coding of the actual levels of sensegiving and sensemaking was done independently of the coding of project planning and control. In the rest of the article, we refer to “actual sensegiving” and “actual sensemaking” as “sensegiving” and “sensemaking,” respectively. We also used the transcripts to code MU at each stage of each project as low, moderate, or high (see Appen- dices G and H for examples of the coding of each construct and an illustrative project, respectively).
Through this process, we compiled panel data for the 13 projects at three time points and project success at the end of each project. We used these data to (1) identify relationships across constructs based on regressions and (2) develop visual displays across time for all projects at each organization, which helped us identify patterns (see Figures 3 and 4).
Quantitative Analyses and Results
As mentioned previously, we conducted exploratory quanti- tative analyses to obtain initial insights into the relationships among constructs. These analyses include correlations and ordinal regressions (see Appendix I for a discussion and detailed results).
Regressions using project-level data suggest that MU has a direct effect on project success. We do not posit this well- accepted (Aladwani 2002; Gregory et al. 2013) effect because the qualitative analyses provide more nuanced and richer insights, as discussed later. Regressions using stage-level data, with sensegiving, sensemaking, and MU as dependent variables, suggest that the actual sensegiving (sensemaking) during a stage depends on sensegiving (sensemaking) poten- tial and the actual sensemaking (sensegiving) during that stage, and that MU during a stage depends directly on sensemaking but not on sensegiving. These results suggest the following proposition, which also emerges clearly from the qualitative analyses:
P1: Sensemaking directly affects the level of MU, but sensegiving affects the level of MU indirectly, through sensemaking.
Qualitative Analyses and Results
The qualitative analyses included three broad steps. First, we reviewed the project narratives, and the coded text and episodes, to summarize each project in a data display and examine the patterns of change in MU within projects. Second, we identified four “paired projects” (B1–B2, A1–A3, A4–A5, and A6–A7) and examined patterns of change across them. Two projects were considered a “pair” if (1) they involved the same overall system and (2) the second project built on the first, using overlapping resources. Third, to see if these patterns were observed elsewhere, we examined changes across all projects at each organization using data displays and transcripts. We considered the rich insights revealed by the qualitative analyses in light of the initial model, the literature, and the results of the exploratory quantitative analyses. We con- cluded the qualitative analyses once the emergent model and propositions were consistent with the data and the incremental improvement from further analysis or studying other projects seemed minimal.
Changes Within Projects
To identify patterns across projects in terms of MU and project success, we created two 3-by-3 matrices. As recom- mended by Monge (1990),7 we used one matrix (Figure 5) to
5We computed the sensegiving (sensemaking) potential for control (and similarly for planning) for each stage by adding the potential of all control mechanisms used in that stage. For example, if a project used outcome and behavior control, but not clan or self-control, in a stage, the sensegiving potential through control would be 0.5 (moderate potential for outcome control) plus 0.5 (moderate potential for behavior control) divided by four (because of the four control types), that is, 0.25. The sensegiving potential for each stage of each project was computed by summing the sensegiving potential for control and for planning.
6To assess interrater reliability, we employed an independent judge to code two projects. For categorical data (mechanisms), Cohen’s Kappa was 1.00 (100% agreement); for ordinal data (low, moderate, high), intraclass corre- lation was 0.91, indicating excellent agreement (Cicchetti 1994)
7Monge also discusses the positive or negative trend of the change. No project in this study involves a drop in MU. Thus, the trend is positive, but with different magnitudes, in all projects.
MIS Quarterly Vol. 43 No. 2/June 2019 657
Jenkin et al./Mutual Understanding in IS Development
Figure 3. Evolution of Projects at Alpha
658 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
Figure 4. Evolution of Projects at Beta
Figure 5. Changes in Mutual Understanding Within Projects
MIS Quarterly Vol. 43 No. 2/June 2019 659
Jenkin et al./Mutual Understanding in IS Development
Figure 6. Mutual Understanding and Project Success
examine projects based on the initial MU level (low, moder- ate, high) and the magnitude of change (low, moderate, high) in MU during the project. We used a second matrix (Figure 6) to classify projects based on success and average MU. We also used detailed data displays for the projects in Alpha (Figure 3) and Beta (Figure 4). These analyses led to the patterns discussed next.
Pattern 1 included three projects that were highly successful with a high level of average MU: A3 and A4, which started with and maintained a high level of MU (Pattern 1a), and A2, which started with a moderate level of MU that quickly rose to high (Pattern 1b). Sensegiving and sensemaking were con- sistently at moderate to high levels, which are needed to maintain MU at high levels. Throughout each project, the stakeholders in sensegiving-sensemaking episodes tended to be from within the same functional group (Figure 3), with some unidirectional across-group (IT to business, or vice versa) engagement. All three projects were based on existing products and knowledge, reducing uncertainty and the need for bidirectional engagement. For example, A4 replicated existing desktop functionality on the web. The low uncer- tainty enabled comprehensive planning early in the project. Projects A3 and A4 involved emergent learning in later stages based on feedback from testing and demonstrations to customers.
Furthermore, projects in this pattern used mechanisms such as user experience and design documents, prototypes, and demonstrations to enable sensegiving and sensemaking throughout the duration of the project. For example, through user experience documents, product designers in A4 were able to give sense to programmers, who in turn used this document to make sense of what needed to be developed. Creating the prototype during planning helped the lead pro-
grammer make sense of the product design. In later stages, the prototype served as an outcome control mechanism and enabled sensegiving to other programmers. The use of planning and control mechanisms with greater potential for sensegiving and sensemaking improved sensegiving and sensemaking, and the sensemaking helped maintain a high level of MU, as expected (Figure 1) and supporting P1.8 The following comment from A2’s team lead illustrates the support for P1:
We had a good clear design and we knew what we wanted to do and we did it with ease … came into the project with a good design note and then we ran with it … I can show you what it looked like before and what it looks like after and you would just drop your jaw. Wow, that is product A?
Pattern 2 contrasts Pattern 1: it is located in the low-low quadrant of both matrices in Figures 5 and 6. Projects following this pattern (B3, B4) began with low levels of MU and did not show much improvement. Although MU developed in some respects (e.g., objectives and require- ments), it deteriorated in others (e.g., feasibility and status). Figure 4 shows the low levels of sensegiving, sensemaking, and MU throughout (P1), and the impact on project success. At first glance, both B3 and B4 appear to “follow the rules” of project management at Beta, employing comprehensive planning and both behavior and outcome controls. The plan- ning and control mechanisms used in each project implied moderate sensegiving and sensemaking potential. However,
8For simplicity, henceforth we identify the relevant proposition (e.g., P1) in parentheses.
660 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
the potential sensegiving (sensemaking) failed to convert into a correspondingly moderate level of sensegiving (sense- making). Several factors contributed to this failure. In both projects, plans lacked detail, limiting the shared information and initial sensegiving. Also, stakeholders in both projects used gate reviews and testing as rituals and failed to disclose technical issues during gate reviews. This led to minimal sensegiving, or rather sensehiding, in the middle of both projects, and late into B3. Relating this to sensegiving- sensemaking episodes (Figure 2), we conceptualize the extent to which stakeholders share information as the depth of stakeholder engagement and suggest that the conversion of potential sensegiving (sensemaking) to sensegiving (sense- making) within an ISD project improves with the depth of stakeholder engagement, which leads to the following proposition:
P2a: The conversion of sensegiving (sensemaking) potential from planning and control mechanisms to actual sensegiving (sensemaking) in an ISD project increases with an increase in the depth of stake- holder engagement.
As a result of the reduced sensemaking in Pattern 2, MU was not developed sufficiently in these projects (P1). Project objectives were not fulfilled, and both projects were seen as failures.
Projects in Patterns 3–5 had moderate levels of average MU but differed in their degree of improvement and project success. Pattern 3 started with low MU but experienced a considerable increase (A7, B1, B5). In contrast to Pattern 1, all three projects started with uncertainty. For example, B1 involved implementing both new IT and new business pro- cesses, which influenced sensegiving and sensemaking as well as patterns of who was giving sense and who was making sense. Either sensegiving or sensemaking, or both, started at moderate levels and increased to higher levels later in each project. Sensegiving-sensemaking episodes occurred both across groups (usually bidirectional between IT and business) and within groups (a mix of unidirectional, e.g., management to staff, and bidirectional, e.g., between staff and management) (Figures 3 and 4). These patterns reflect project stakeholders’ efforts to reduce uncertainty and develop MU. But these efforts caused turmoil, as illustrated by this remark from A7’s designer:
We had two distinct phases: the introduction of the new process and the churn that followed where there was a lot of strain in relationships between the team—between and within the team. We had the development manager who really didn’t understand
his role in the new process. The team was under the understanding that they no longer needed the devel- opment manager’s guidance or decision-making. That led to a lot of churn.
Projects in Pattern 3 employed comprehensive planning early, followed by emergent planning later. Projects A7 and B5 used numerous outcome control mechanisms (e.g., prototypes and templates) to enable sensegiving and sensemaking. Clan control was employed early or midway through the projects to cope with change, which contributed to the high level of sensemaking. The uncertainty created by the introduction of new technology and processes in B1 resulted in weak outcome controls early in the project. The team had limited ability to fill in the missing details, which impeded sense- making initially. A7 also suffered from a lack of outcome control early on because the project’s start coincided with the introduction of a new organization-wide development methodology, causing turbulence. However, sensegiving and sensemaking were consistently at higher levels later in these projects, related to the use of control mechanisms and emergent planning, as well as the depth of stakeholder engagement (information shared) (P2a).
Pattern 3 highlights the value of bidirectional stakeholder engagement in sensegiving-sensemaking episodes when MU is initially low, in this case, due to project uncertainty. The bidirectional nature of stakeholder engagement across groups enabled iterative sensegiving and sensemaking. This indi- cates that the scope of engagement (i.e., the number of groups giving sense and the number of other groups making sense) is also important in the conversion of potential sensegiving (sensemaking) to actual sensegiving (sensemaking) in ISD projects, which leads to the following proposition:
P2b: The conversion of sensegiving (sensemaking) poten- tial from planning and control mechanisms to actual sensegiving (sensemaking) in an ISD project increases with an increase in the scope of stake- holder engagement.
Thus, in Pattern 3, the greater depth (P2a) and scope (P2b) of engagement led to greater sensegiving and sensemaking and increased MU, overcoming initial uncertainty (P1).
Pattern 4 is similar to Pattern 3: both began with low MU and achieved moderate average MU. However, projects in Pattern 4 (A1, A5, B2, B6) encountered only a moderate level of improvement in MU. Pattern 4 includes two types: 4a (A1, A5) and 4b (B2, B6).
In Pattern 4a, sensegiving and sensemaking were delayed until late in the project, which is related to the lack of plan-
MIS Quarterly Vol. 43 No. 2/June 2019 661
Jenkin et al./Mutual Understanding in IS Development
ning and minimal use of control mechanisms. Compared to Pattern 3, fewer mechanisms to support sensegiving and sensemaking were used, and those that were used were either incomplete, containing few details (i.e., low depth of stake- holder engagement), or developed late in the project. Also, sensegiving-sensemaking episodes began later in the project, initiated in both projects by testers (staff). Thus, staff played a key role in giving sense in Pattern 4a. For example, testers in A5 were trying to figure out what to test based on the existing user experience document, which was incomplete. Aiming to better understand the expected functionality, the testers requested clarification from the product designer, initiating an iterative cycle of sensegiving and sensemaking that included the product designer and the programmer, all staff roles. At this point, the programmer began creating a matrix of functionality options, which enabled sensemaking. Most sensegiving-sensemaking episodes in A1 and A5 occurred within group, either localized (staff to staff) or unidirectionally from staff to managers. Thus, the depth and scope of engagement were low, as were sensegiving and sensemaking (P2a, P2b).
In Pattern 4b (B2, B6), sensegiving-sensemaking episodes tended to occur bidirectionally both within (between staff and management) and across (between IT and business) groups. As shown in Figure 4, planning and control mechanisms were employed throughout. Thus, these projects appeared to follow the rules, similar to Pattern 2. However, both projects failed to include a key stakeholder group at some stage (i.e., they had a low scope of engagement). For example, in B6 a key stakeholder group (senior sales representatives) was not included in the decision to turn off the old system. Despite the planning and control mechanisms employed, both projects achieved only a moderate level of sensemaking, reducing MU (P1).
Pattern 5 is similar to Pattern 1: both had low improvement in MU. But unlike the high level of initial MU in Pattern 1, the project in this pattern (A6) had moderate initial MU and, like Patterns 3 and 4, moderate average MU. Similar to Patterns 2 and 4b, A6 appeared to follow the rules, employing planning and control mechanisms throughout. It included sensegiving-sensemaking episodes that were unidirectional within and across groups, from the business or IT manager to IT staff. Thus, the voice of the staff was not included (limited scope of engagement), hindering the conversion of potential sensegiving (sensemaking) to actual sensegiving (sense- making) (P2b), which was at low to moderate levels through- out. Improvement in MU was limited because of the low sensemaking (P1). The following remark by the A6 designer is illustrative:
No clear understanding by the team as to why cer- tain things were being done with the priority they
were being done. And in the way they were being done.
Further Analysis of Patterns
All the projects in Patterns 3, 4, and 5 had moderate average MU, but the relationship between MU and success varied across projects as shown in Figure 6. For example, B5 (Pattern 3) was similar to B2 (Pattern 4b) as both had moderate average MU and a high level of success, whereas the other projects in these patterns experienced only moderate success. The similarities between B5 and B2 provide insights into what led to project success despite moderate average MU. Both projects had low initial MU due to uncertainty but had bidirectional stakeholder engagement (high scope) within and across groups, and the planning and control mechanisms used in sensegiving-sensemaking episodes shared detailed information (high depth of engagement). Moreover, similar to Pattern 1, both projects had high sensegiving early in the project because of the planning and control mechanisms employed at that time. This highlights the importance of early engagement, as shown in the following proposition:
P2c: The conversion of sensegiving (sensemaking) potential from planning and control mechanisms to actual sensegiving (sensemaking) in an ISD project increases with earlier timing of stakeholder engagement.
Furthermore, the timing, depth, and scope of stakeholder engagement allowed B2 and B5 to overcome uncertainty and succeed despite low initial MU. In contrast, the only two projects (A3, A4) that started with high MU were highly successful, suggesting that project success may be related to the timing of MU development, specifically, the earlier, the better. A2, the remaining successful project, started with moderate initial MU that quickly rose to a high level. The relationships among the timing of MU, stakeholder engage- ment, and project success leads to the following emergent proposition:
P3: Projects with higher initial MU have a greater likelihood of success. However, if initial MU is low, better stakeholder engagement (in terms of depth, scope, and timing) enables an increase in MU and subsequently greater project success.
As the central quadrant in Figure 6 shows, five projects (across Patterns 3 (A7, B1), 4a (A5), 4b (B6), and 5 (A6)) were moderately successful and had moderate average MU. A6 started with moderate MU, whereas the other projects had low initial MU but experienced at least moderate improve- ment to increase MU later in the project.
662 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
The moderate success of B6 can be understood by comparing it to B2 and B5. In B2 and B5, all key stakeholders were involved in comprehensive planning. Both projects were considered highly successful, despite the exclusion of some stakeholders in the middle of B2. However, in B6, senior sales reps were excluded from the start until they voiced their concerns late in the project. This led to the reversal of the earlier decision to turn off the old system, requiring extensive post-implementation workarounds. Thus, a low initial scope of engagement reduced early sensegiving in contrast to the high levels early in B2 and B5. This further highlights the importance of early stakeholder engagement when MU is initially low (P3).
Despite low to moderate sensegiving and sensemaking and only localized within-group stakeholder engagement, A5 achieved moderate success. MU was developed later in the project once staff members engaged in within-group sense- giving and sensemaking. This MU was translated into the product, enabling moderate project success. However, in A1, sensemaking was low until the late stages and by the time MU increased, it was too late to benefit the project, resulting in a low level of success. A1 was considered a failure, as reflected in the comments of its project manager:
We knew there were shortcomings with the tech- nology. Some of it came out of testing. Some reports opened our eyes to other shortcomings we hadn’t considered … it wasn’t successful from a customer satisfaction point of view.
This comparison between A5 and A1 further demonstrates the importance of timing (P2c, P3). A5 initiated iterative sensegiving-sensemaking episodes in time to increase and act upon MU to achieve moderate success. A1 was too late. Although earlier is better, being late, but not too late, may allow project stakeholders to salvage some degree of project success.
Changes Across Projects
We examined the changes across projects by analyzing pro- ject pairs with participants and systems in common (A1–A3, B1–B2, A4–A5, and A6–A7). Our findings indicate that project management mechanisms (planning and control), stakeholder engagement (timing, depth, and scope), and MU all changed across projects as influenced by the factors identified in our analysis (see Table 3). These changes ranged from deterioration to improvement, with some project pairs showing little change. Learning occurs when project team members reflect on their experiences in one project and hence do things differently in the next project. Moreover, learning
from previous projects can lead to either improvement or deterioration in subsequent projects, whereas a lack of learning always leads to deterioration.
We found evidence of experiential learning that resulted in improvements in the second project for three of the pairs (A1–A3, A6–A7, B1–B2). As depicted in Figure 4 and Table 3, pair B1-B2 experienced improvements in the use of planning and control mechanisms. For example, business and IT project stakeholders learned the importance of project controls from problems experienced in B1 and used them to a greater extent in B2 (e.g., gate reviews, testing controls for financial transactions, detailed requirements, and documenta- tion). The result was a greater depth of stakeholder engage- ment, which contributed to B2’s success.
Pair A6–A7 experienced improvements in planning and control mechanism use and stakeholder engagement. For example, unlike A5, which lacked planning, and A6, which relied only on comprehensive planning, A7 started with com- prehensive planning and then shifted to emergent planning. Again, unlike A5 and A6, which had localized or unidirec- tional within-group stakeholder engagement and low levels of sensegiving and sensemaking, A7 involved bidirectional engagement within and across groups (i.e., greater scope of engagement) and thereby greater sensegiving and sense- making. Using their knowledge of the issues with the prior approach, the A7 team adapted the new methodology and improved the mechanisms for planning (emergent) and con- trol (daily stand-up meetings), seeking better information (reflecting greater depth of engagement). A7 ended up as moderately successful, similar to A6, but with high MU.
Pair A1–A3 showed improvement in planning and control mechanism use, stakeholder engagement, and MU. For example, more stakeholders (e.g., customer, quality assurance (QA) personnel, and product designer) were engaged in sensegiving-sensemaking episodes in A3, and these episodes occurred throughout the project, not just at the end. In using the same technology and requirements, the MU developed in A1 was carried over to A3, resulting in a higher level of MU at the start of the project. Unlike A1, A3 was considered highly successful.
In the preceding examples, participants in the second project learned from problems encountered in the first and experi- enced improvements in at least one of the following: project management mechanism use, stakeholder engagement, and MU among stakeholders. However, we also found a case of deterioration. Although it appears from Table 3 and Figure 4 that stakeholder engagement improved from B1 to B2, it instead deteriorated. There was greater emphasis on across- group stakeholder engagement in B1; however, business-side
MIS Quarterly Vol. 43 No. 2/June 2019 663
Jenkin et al./Mutual Understanding in IS Development
Table 3. Changes Across Projects in Project Pairs*
stakeholders perceived IT’s attempts to control changes in scope as political. This resulted in a shift to more within- group stakeholder engagement for both groups in B2 as each attempted to protect its position. Based on the problems in B1, business and IT stakeholders learned how to maneuver politically in B2, which led to cautious sharing of information across groups, resistance by the business to sign off on deliverables, and more within-group engagement to plan negotiations and escalations. Business and IT stakeholders sought safety within their groups in B2, limiting exposure to across-group interactions. Disagreements between business and IT stakeholders adversely affected stakeholder engage- ment in the subsequent project. Therefore, we propose:
P4a: The extent of across-project learning (in terms of project management mechanisms, stakeholder engagement, and MU) increases with a decrease in
disagreements across stakeholder groups in the first project.
The learning that occurred among stakeholder groups from B1 to B2 may have extended beyond these projects to the broader business and IT groups, affecting stakeholder engagement in B3 and B4. This may explain the ritualized use of control mechanisms and sensehiding in B3 and B4. Thus, learning by stakeholders may have dysfunctional effects on subsequent projects.
We also found that the introduction of new project elements, such as business processes, requirements, technology, or methodology, in the second project influences whether project management mechanisms, stakeholder engagement, and MU improves or deteriorates. In contrast to A1–A3, where MU improved, the other three project pairs (A4–A5, A6–A7,
664 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
B1–B2) experienced a deterioration in MU. A1–A3 did not include new project elements, but the other project pairs did. For example, a new organization-wide system development methodology was introduced at the start of A7, creating the need to understand these new processes. The result was lower initial MU than at the end of A6. Therefore, we propose:
P4b: The extent of across-project learning (in terms of project management mechanisms, stakeholder engagement, and MU) increases with a decrease in the extent to which new project elements are introduced in the second project.
Project pair A4–A5’s deterioration in stakeholder engagement and use of planning and control mechanisms was dramatic compared to the other observed instances of deterioration. A4 was a notable success and, having been the first project to implement a new, more formal agile methodology at Alpha, was viewed as an exemplar. Project A5 directly followed A4; it was spun off of A4 because of A5’s extensive scope. However, A5 failed to apply what should have been learned from the positive experiences in A4. The project was under- scoped and misunderstood, with an unclear, uncertain set of requirements. Rather than applying the new structured and well-organized approach used in A4, A5 appeared to revert to how projects were run before A4. A5 had no planning, mini- mal controls, and localized within-group stakeholder engage- ment late in the project, reflecting later timing and lower scope and depth of stakeholder engagement; the project was described as chaotic and a failure.
Comparing A4–A5 to the other project pairs (see Table 3), we found that this pair was the only one in which the first project was highly successful. Participants in the other three project pairs openly discussed the problems in the first project and the corresponding improvements in the second project. In con- trast, for A4–A5, participants spoke about how well A4 went and how poorly A5 went. Having challenges in a project may trigger project team members to reflect and make sense of what went wrong and how to improve in the next project. However, A4 was very successful and well executed, but no reflection on why it was successful occurred. As a result, the improvements made in A4 were not internalized by project team members and replicated in A5, a learning failure. Another reason for this lack of reflection appears to be related to stress from time pressure and resource constraints. A project manager from A5 commented:
The whole development process seemed to be pushed aside because of the time constraint and the resource constraint.
The new project elements introduced on A5 contributed further to this stress and lower initial MU. Stakeholder groups focused sensemaking on the new project elements, not on how to adopt A4’s successful approach. This suggests the following emergent proposition:
P4c: The extent of across-project learning (in terms of project management mechanisms, stakeholder engagement, and MU) increases with an increase in the extent to which project participants in the second project reflect on the first project.
Discussion
In this article, we seek to provide insights into how the MU among project stakeholders changes over time within a project, and how MU changes across projects. We integrate the previously disconnected argument about the effects of project planning and control mechanisms (e.g., Tiwana and Keil 2009; Wallace et al. 2004) and cognitive activities (sensegiving, sensemaking) (e.g., Davidson 2002; Gregory et al. 2013) on MU. The implications of the emergent model, summarized in Figure 7, for theory and practice are elaborated next.
Implications for Theory
This article contributes to knowledge about ISD project management in five ways. First, it provides insight into how MU among stakeholders changes during a project through cognitive activities. Specifically, improvisational learning, which occurs in response to an emergent problem (e.g., Miner et al. 2001), can lead to changes in MU during a project. For example, when significant issues were identified midway through project A5, the product designer and programmer used a nonstandard artifact (matrix of functionality) to make sense of the requirements and flesh out the details. By recog- nizing the emergent issues and collaboratively using artifacts to give and make sense, these staff also made sense of recently introduced planning and control mechanisms, rather than mindlessly following an apparent standard. Another example of improvisational learning was the way the A5 team split up the timing of the product release, which included providing an early beta to some customers to meet their time- sensitive need for access to new product features. The A7 project team also displayed improvisational learning in their response to a methodology change. Although it was a chal- lenging experience, the resultant learning improved the outcomes for A7.
MIS Quarterly Vol. 43 No. 2/June 2019 665
Jenkin et al./Mutual Understanding in IS Development
Figure 7. Emergent Model
Second, this article extends prior work on the relationship between project planning and control mechanisms and MU (e.g., Kirsch 2004) and on the importance of MU for project success (e.g., Gregory et al. 2013) by proposing a causal logic for these relationships. Specifically, we argue that project planning and control mechanisms possess different levels of sensegiving and sensemaking potential and that the use of mechanisms with greater potential enables the cognitive activities of sensegiving and sensemaking. Qualitative and quantitative results support these arguments. However, the conversion of sensegiving (sensemaking) potential to actual sensegiving (sensemaking) depends on stakeholder engage- ment. Also, the exploratory quantitative analysis suggests that the level of MU affects project success, and the qualita- tive analysis provides richer insights into this relationship, highlighting the importance of (1) achieving MU early in the project and (2) attaining stakeholder engagement.
Third, this article offers a rich conceptualization of stake- holder engagement—in terms of depth, scope, and timing—as reflecting the nature of stakeholders and their interactions as they give and make sense within projects. Together, these three dimensions of stakeholder engagement help explain why the conversion of the sensegiving (sensemaking) potential of
planning and control mechanisms to actual sensegiving (sensemaking) is not necessarily frictionless (P2) and how success can be achieved despite low initial MU (P3).
The depth of stakeholder engagement refers to the amount of information shared via planning and control mechanisms. Low depth of engagement is related to the concepts of rituals and deception from the ISD literature. The literature (Robey and Markus 1984; Wastell 1999) has discussed how the use of rituals by developers as a defense mechanism leads to negative outcomes. Ritually creating an artifact to adhere to the ISD methodology and avoid blame for issues that may arise leads to fewer details being shared, limiting the depth of engagement and inhibiting sensegiving or sensemaking. Moreover, deception as a kind of political action has been studied in ISD projects (Sabherwal and Grover 2010). Our results suggest that deception, or sensehiding, may be a defense mechanism to buy time to fix issues or to avoid blame if the project fails. In sensehiding, certain viewpoints are silenced or marginalized, or information is withheld to manage individuals’ interpretations (Vaara and Monin 2010).
Previous work recognizes the importance of “who” is engaged in an activity (e.g., Boland and Tenkasi 1995; Markus and
666 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
Mao 2004). For example, Markus and Mao (2004) recom- mend that participation research examine the relative propor- tion and structural positions of stakeholder groups. The current article extends research that focuses on the breadth of engagement (i.e., the number of engaged individuals; Liz- arondo et al. 2016), by examining the scope of engagement. Scope incorporates both (1) the number of engaged groups (functional and structural positions of stakeholders), that is, who is giving and making sense, and (2) the directionality of information flow, that is, whether it is localized within a group, or unidirectional or bidirectional within or across groups. Our findings indicate that both these aspects of scope matter. If sensegiving and sensemaking are localized within a group (e.g., only between staff) or unidirectional within or across groups (e.g., from business to IT), the development of MU across stakeholders would be inhibited by some perspec- tives being ignored. Bidirectional engagement across groups seems to be especially important when initial MU is low (e.g., P3). However, if sensegiving and sensemaking occur exclu- sively across groups (e.g., between business and IT), this would inhibit the deepening of each group’s understanding before (Boland and Tenkasi 1995) and exploration during (Nidumolu 1996) this interaction. Bidirectionality both with- in and across groups is important, allowing stakeholders to consider each other’s interpretations. Directionality can also help shed light on other aspects of ISD projects, such as user involvement (Newman and Noble 1990).
The timing of stakeholder engagement, specifically, earlier engagement, helps develop initially low MU and leverage the sensegiving (sensemaking) potential of planning and control mechanisms. Thus, the timing of engagement matters: the sooner, the better. Examining the timing of events is impor- tant in process research (Van de Ven 2007). For example, prior research has explored how the choice of control mech- anisms changes during a project based on factors such as uncertainty, project performance, and stakeholder interactions (Choudhury and Sabherwal 2003). This article contributes to the ISD literature by indicating that the timing of stakeholder engagement plays an important role in addition to depth and scope.
Overall, engagement may be useful in examining not only cognition and user involvement in ISD projects but also gamification (Liu et al. 2017) and other IT contexts involving interactions over time. Moreover, this article shows that integrating engagement (and its three dimensions) with cogni- tive activities (sensegiving and sensemaking) enables a richer conceptualization of ISD projects than using either construct alone.
Fourth, this article explores artifacts, which may be used in project planning and control, and their effects on cognition.
The qualitative analyses suggest that artifacts used in planning and control, such as demos, prototypes, user experience docu- ments, and macro stories, play an important role in sense- giving and sensemaking. For example, user experience documents served as outcome controls and were used by product designers to give sense to programmers.9 Prior studies have examined how stakeholders use artifacts (e.g., wireframes) to arrive at the final ISD design (Levina 2005) and how material practices involving artifacts (e.g., idea boards) support the collective sensemaking for new product design (Stigliani and Ravasi 2012). The Project Management Office (PMO) literature also highlights the value of em- bedding knowledge in artifacts such as templates and method- ologies (Julian 2008; Liu and Yetton 2007). We extend this work by studying how artifacts, as planning and control mechanisms, differ in their sensegiving (sensemaking) poten- tial and thereby support cognitive activities in ISD projects.
Fifth, this article focuses on changes across projects. Our findings suggest that aspects of an ISD project may differ from those of prior project(s) because of experiential or vicarious learning,10 as discussed in the ISD context (Boh et al. 2007; Peng et al. 2013) and in organizations in general (Argote and Miron-Spektor 2011). However, a failure to learn from experience, as observed in project pair A4–A5, has also been identified in both the ISD (e.g., Lyytinen and Robey 1999) and broader management (e.g., Edmondson 2002) literatures. The PMO literature highlights the difficulty in learning across projects (Julian 2008; Müller et al. 2013) and the PMO’s role in facilitating such learning (Julian 2008; Liu and Yetton 2007). In this article, changes across projects often led to improvements, but a deterioration was observed in some cases, influenced by (1) disagreements between stakeholders in the first project, (2) incorporation of new project elements in the second project, and (3) lack of reflection in the second project.
This article suggests that disagreements between stakeholders may lead to learning at the stakeholder level but dysfunctional effects at the project level. Groups may learn from experience in a way that fulfills their goals, but not those of the project. For example, sensehiding across groups and ritual use of control mechanisms in both B3 and B4 may have been the result of knowledge being transferred from the stakeholder
9Moreover, demos were used in A4, A6, and A7 to give sense and enable sensemaking. Prototypes enabled sensemaking by the lead programmers in A2 and A4. User experience documents and macro stories helped sense- giving and sensemaking in A3, A4, A6, and A7.
10For example, learning from A1 resulted in improved use of planning and control mechanisms in A3.
MIS Quarterly Vol. 43 No. 2/June 2019 667
Jenkin et al./Mutual Understanding in IS Development
groups in B1 and B2 to the broader IT and business groups. Thus, project stakeholders vicariously “learned” from stake- holders in prior projects that withholding knowledge may help their groups but to the detriment of their projects.
Understanding how the incorporation of new project elements affects across-project learning is related to IS research on how experience with similar tasks and systems affects learning (e.g., Boh et al. 2007). Although similar tasks and systems may enable learning, introducing new elements may be equally important to a project’s success. We find that new project elements, for example, new requirements or method- ologies, may trigger the need to make sense of them. Sensegiving-sensemaking episodes supported by high-quality stakeholder engagement can result in improvements. This is consistent with prior findings (Liu and Yetton 2007) that a PMO has a greater impact on across-project learning in situations that involve greater change. Thus, greater support for learning, including high-quality stakeholder engagement, is needed when new project elements are introduced.
Lack of reflection on experience has been noted as a reason for learning failure (Edmondson and Nembhard 2009). Rea- sons for lack of reflection include time constraints and lack of psychological safety (Edmondson 2002). Related to this lack of reflection is organizational forgetting, that is, the inability to retain created knowledge (de Holan and Phillips 2004). According to the PMO literature, projects often focus on “red light” learning or learning from problems, which may inhibit learning from successes (Julian 2008). Our results suggest that reflection on the earlier project may be less likely when that project was a success, resulting in forgetting.
Implications for Practice
Our results have several potential implications for practice. First, the emergent model provides insights that can help develop MU among project stakeholders and enhance ISD success. It suggests that managers should focus on cognitive activities that lead to MU. Specifically, it indicates the impor- tance of emphasizing both sensegiving and sensemaking activities; pursuing one of these activities at the expense of the other is counterproductive because sensemaking depends on sensegiving and directly enables MU.
Second, this article suggests that planning and control mech- anisms are two important levers that project managers can deploy to promote sensegiving and sensemaking. Specifi- cally, using artifacts, such as prototypes and user experience documents early and demonstrations later, can help promote higher levels of sensegiving and, in turn, sensemaking.
Third, this article indicates that project managers should plan for stakeholder engagement, using the broader view of engagement. That is, managers should pay attention not only to the depth of engagement but also to its timing, and recog- nize the importance of bidirectional stakeholder engagement both within and across groups. They should also monitor stakeholder engagement and use mechanisms to avoid or quickly address (e.g., through an anonymous mechanism for whistle-blowing) dysfunctions such as rituals and deception.
Fourth, insights into the patterns of MU change and their links to project success can be of value to managers. Periodic assessment of MU among key stakeholders can serve as a valuable tool in diagnosing potential issues and identifying mechanisms to increase MU. This will allow project man- agers to target specific mechanisms and engage appropriate stakeholders. Although our findings suggest that earlier is better, they indicate that late recoveries are also possible and illustrate potential ways (e.g., the functionality matrix in A5) to achieve them.
Finally, although organizations may employ project planning and control mechanisms, these mechanisms should be updated to prevent deterioration in MU due to issues such as organiza- tional forgetting and dysfunctional consequences from disagreements. Assessing such risks can enable managers to take mitigating actions. The results suggest that managers should recognize when improvisational learning is beneficial and encourage its use, especially as improvisation may be seen as antithetical to project management.
Limitations
The study’s findings should be viewed in light of its limita- tions. First, the core business of both focal organizations (Alpha and Beta) involved IT products and/or services. Further research is needed to examine whether the findings apply to projects from non-IT organizations. Second, the informants provided retrospective accounts during each data collection period. We partly addressed this by developing ongoing relationships with key informants, whom we con- tacted for updates between visits, and by focusing on recently completed projects. Third, we did not use objective measures of the focal constructs. Instead, ratings were based on the informants’ perceptions. Measuring cognitive constructs raises additional challenges, which we tried to address by using multiple informants for each project in each period. Fourth, this study focused on planning and control mech- anisms, but other mechanisms, such as roles, dialogue, and other boundary objects (e.g., Majchrzak et al. 2012), may enable sensegiving and sensemaking. Further research is
668 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
needed to examine the effects of these other ways to give and make sense. Finally, the sample sizes for the regression analyses were small, although the quantitative analysis was only a part of the primarily qualitative study.
Conclusion
This article offers insights into the patterns of MU change, both development and deterioration, and within and across projects. The emergent model describes relationships among project management mechanisms, cognitive activities (sense- giving, sensemaking), stakeholder groups, and MU within and across projects, and how MU affects project success. Thus, this article provides insights into how project planning and control mechanisms affect MU through their influence on sensegiving and sensemaking. Although project planning and control mechanisms differ in their potential to support sense- giving and sensemaking, our results show that successfully converting this potential into actual sensegiving and sense- making is not frictionless. Stakeholder engagement and its dimensions of depth, scope, and timing help explain this relationship, as well as that between MU and project success. We also identify potential causes of deterioration in MU, patterns of stakeholder engagement, and the use of planning and control mechanisms across projects: disagreements be- tween stakeholders in the first project, new project elements in the second project, and lack of reflection in the second project. Recognizing and understanding the cognitive chal- lenges in projects, as well as identifying ways to develop MU among project stakeholders, are important steps forward in enabling organizations and managers to achieve higher levels of project success.
References
Abdel-Hamid, T. K., Sengupta, K., and Swett, C. 1999. “The Impact of Goals on Software Project Management: An Experi- mental Investigation,” MIS Quarterly (23:4), pp. 531-555.
Aladwani, A. M. 2002. “An Integrated Performance Model of Information Systems Projects,” Journal of Management Infor- mation Systems (19:1), pp. 185-210.
Argote, L., and Miron-Spektor, E. 2011. “Organizational Learning: From Experience to Knowledge,” Organization Science (22:5), pp. 1123-1137.
Barki, H., Rivard, S., and Talbot, J. 2001. “An Integrative Contin- gency Model of Software Project Risk Management,” Journal of Management Information Systems (17:4), pp. 37-69.
Bassellier, G., Reich, B. H., and Benbasat, I. 2001. “Information Technology Competence of Business Managers: A Definition and Research Model,” Journal of Management Information Systems (17:4), pp. 159-182.
Boh, W. F., Slaughter, S. A., and Espinosa, J. A. 2007. “Learning from Experience in Software Development: A Multilevel Analy- sis,” Management Science (53:8), pp. 1315-1331.
Boland, R. J., and Tenkasi, R. V. 1995. “Perspective Making and Perspective Taking in Communities of Knowing,” Organization Science (6:4), pp. 350-372.
Bowman, B., Davis, G., and Wetherbe, J. 1983. “Three Stage Model of MIS Planning,” Information & Management (6:1), pp. 11-25.
Burton-Jones, A., McLean, E. R., and Monod, E. 2015. “Theore- tical Perspectives in IS Research: From Variance and Process to Conceptual Latitude and Conceptual Fit,” European Journal of Information Systems (24:6), pp. 664-679.
Chen, D. Q., Mocker, M., Preston, D. S., and Teubner, A. 2010. “Information Systems Strategy: Reconceptualization, Measure- ment, and Implications,” MIS Quarterly (34:2), pp. 233-259.
Choudhury, V., and Sabherwal, R. 2003. “Portfolios of Control in Outsourced Software Development Projects,” Information Systems Research (14:3), pp. 291-314.
Cicchetti, D. V. 1994. “Guidelines, Criteria, and Rules of Thumb for Evaluating Normed and Standardized Assessment Instruments in Psychology,” Psychological Assessment (6:4), pp. 284-290.
Creswell, J. W., and Clark, V. L. P. 2007. Designing and Con- ducting Mixed Methods Research, Thousand Oaks, CA: SAGE Publications.
Cronin, M. A., and Weingart, L. R. 2007. “Representational Gaps, Information Processing, and Conflict in Functionally Diverse Teams,” Academy of Management Review (32:3), pp. 761-773.
Davidson, E. J. 2002. “Technology Frames and Framing: A Socio- Cognitive Investigation of Requirements Determination,” MIS Quarterly (26:4), pp. 329-358.
de Holan, P. M., and Phillips, N. 2004. “Remembrance of Things Past? The Dynamics of Organizational Forgetting,” Management Science (50:11), pp. 1603-1613.
Edmondson, A. C. 2002. “The Local and Variegated Nature of Learning in Organizations: A Group-Level Perspective,” Organization Science (13:2), pp. 128-146.
Edmondson, A. C., and Nembhard, I. M. 2009. “Product Develop- ment and Learning in Project Teams: The Challenges Are the Benefits,” Journal of Product Innovation Management (26:2), pp. 123-138.
Eisenhardt, K. M. 1989. “Building Theories from Case Study Research,” Academy of Management Review (14:4), pp. 532-550.
Eisenhardt, K. M., and Graebner, M. E. 2007. “Theory Building from Cases: Opportunities and Challenges,” Academy of Management Journal (50:1), pp. 25-32.
Elbanna, A. 2010. “Rethinking IS Project Boundaries in Practice: A Multiple-Projects Perspective,” Journal of Strategic Informa- tion Systems (19:1), pp. 39-51.
Flamholtz, E. G., Das, T. K., and Tsui, A. S. 1985. “Toward an Integrative Framework of Organizational Control,” Accounting, Organizations and Society (10:1), pp. 35-50.
Fredrickson, J. W. 1984. “The Comprehensiveness of Strategic Decision Processes: Extension, Observations, and Future Direc- tions,” Academy of Management Journal (27:3), pp. 445-466.
MIS Quarterly Vol. 43 No. 2/June 2019 669
Jenkin et al./Mutual Understanding in IS Development
Gemino, A., Reich, B. H., and Sauer, C. 2007. “A Temporal Model of Information Technology Project Performance,” Journal of Management Information Systems (24:3), pp. 9-44.
Gephart, R. P. 1993. “The Textual Approach: Risk and Blame in Disaster Sensemaking,” Academy of Management Journal (36:6), pp. 1465-1514.
Gioia, D. A., and Chittipeddi, K. 1991. “Sensemaking and Sense- giving in Strategic Change Initiation,” Strategic Management Journal (12:6), pp. 433-448.
Gioia, D. A., and Mehra, A. 1996. “Sensemaking in Organiza- tions,” Academy of Management Review (21:4), pp. 1226-1230.
Gregory, W. G., Beck, R., and Keil, M. 2013. “Control Balancing in Information Systems Development Offshoring Projects,” MIS Quarterly (37:4), pp. 1211-1232.
Henderson, J. C., and Lee, S. 1992. “Managing I/S Design Teams: A Control Theories Perspective,” Management Science (38:6), pp. 757-777.
Hughes, D. L., Rana, N. P., and Simintiras, A. C. 2017. “The Changing Landscape of IS Project Failure: An Examination of the Key Factors,” Journal of Enterprise Information Management (30:1), pp. 142-165.
Julian, J. 2008. “How Project Management Office Leaders Facilitate Cross-Project Learning and Continuous Improvement,” Project Management Journal (39:3), pp. 43-58.
Kirsch, L. J. 1996. “The Management of Complex Tasks in Organi- zations: Controlling the Systems Development Process,” Organization Science (7:1), pp. 1-21.
Kirsch, L. J. 1997. “Portfolios of Control Modes and IS Project Management,” Information Systems Research (8:3), pp. 215-239.
Kirsch, L. J. 2004. “Deploying Common Systems Globally: The Dynamics of Control,” Information Systems Research (15:4), pp. 374-395.
Klein, K. J., and Kozlowski, S. W. J. 2000. “From Micro to Meso: Critical Steps in Conceptualizing and Conducting Multilevel Research,” Organizational Research Methods (3:3), pp. 211-236.
Langley, A. 1999. “Strategies for Theorizing from Process Data,” Academy of Management Review (24:4), pp. 691-710.
Levina, N. 2005. “Collaborating on Multiparty Information Sys- tems Development Projects: A Collective Reflection-in-Action View,” Information Systems Research (16:2), pp. 109-130.
Lind, M. R., and Zmud, R. W. 1991. “The Influence of a Conver- gence in Understanding between Technology Providers and Users on Information Technology Innovativeness,” Organization Science (2:2), pp. 195-217.
Liu, D., Santhanam, R., and Webster, J. 2017. “Towards Meaning- ful Engagement: A Framework for Design and Research of Gamified Information Systems,” MIS Quarterly (41:4), pp. 1011-1034.
Liu, L. L., and Yetton, P. Y. 2007. “The Contingent Effects on Pro- ject Performance of Conducting Project Reviews and Deploying Project Management Offices,” IEEE Transactions on Engi- neering Management (54:4), pp. 789-799.
Lizarondo, L., Kennedy, K., and Kay, D. 2016. “Development of a Consumer Engagement Framework,” Asia Pacific Journal of Health Management (11:1), pp. 44-49.
Lyytinen, K. 1987. “Different Perspectives on Information Sys- tems: Problems and Solutions,” ACM Computing Surveys (19:1), pp. 5-46.
Lyytinen, K., and Robey, D. 1999. “Learning Failure in Informa- tion Systems Development,” Information Systems Journal (9), pp. 85-101.
Majchrzak, A., More, P. H. B., and Faraj, S. 2012. “Transcending Knowledge Differences in Cross-Functional Teams,” Organi- zation Science (23:4), pp. 951-970.
Mantere, S., and Ketokivi, M. 2013. “Reasoning in Organization Science,” Academy of Management Review (38:1), pp. 70-89.
Markus, M. L., and Mao, J.-Y. 2004. “Participation in Develop- ment and Implementation—Updating an Old, Tired Concept for Today’s IS Contexts,” Journal of the Association for Information Systems (5:11-12), pp. 514-544.
Miles, M. B., and Huberman, M. A. 1994. Qualitative Data Analysis: An Expanded Sourcebook, Thousand Oaks, CA: SAGE Publications.
Miner, A. S., Bassoff, P., and Moorman, C. 2001. “Organizational Improvisation and Learning: A Field Study,” Administrative Science Quarterly (46:2), pp. 304-337.
Mintzberg, H. 1990. “Strategy Formation: Schools of Thought,” in Perspectives on Strategic Management, J. Fredrickson (ed.), New York: Harper Business, pp. 148-163.
Monge, P. 1990. “Theoretical and Analytical Issues in Studying Organizational Processes,” Organization Science (1:4), pp. 406-430.
Monin, P., Noorderhaven, N., Vaara, E., and Kroon, D. 2013. “Giving Sense to and Making Sense of Justice in Postmerger Integration,” Academy of Management Journal (56:1), pp. 256-284.
Müller, R., Glückler, J., Aubry, M., and Shao, J. 2013. “Project Management Knowledge Flows in Networks of Project Managers and Project Management Offices: A Case Study in the Pharma- ceutical Industry,” Project Management Journal (44:2), pp. 4-19.
Nelson, K. M., and Cooprider, J. G. 1996. “The Contribution of Shared Knowledge to IS Group Performance,” MIS Quarterly (20:4), pp. 409-432.
Newman, M., and Noble, F. 1990. “User Involvement as an Inter- action Process: A Case Study,” Information Systems Research (1:1), pp. 89-113.
Nidumolu, S. 1996. “A Comparison of the Structural Contingency and Risk-Based Perspectives on Coordination in Software- Development Projects,” Journal of Management Information Systems (13:2), pp. 77-113.
Nidumolu, S. R., and Subramani, M. R. 2003. “The Matrix of Control: Combining Process and Structure Approaches to Managing Software Development,” Journal of Management Information Systems (20:3), pp. 159-196.
Orlikowski, W. J. 1991. “Integrated Information Environment or Matrix of Control: The Contradictory Implications of Informa- tion Technologies,” Accounting, Management and Information Technologies (1:1), pp. 9-42.
Peng, G., Mu, J., and Di Benedetto, C. A. 2013. “Learning and Open Source Software License Choice,” Decision Sciences (44:4), pp. 619-643.
Pinto, J. K., and Slevin, D. P. 1987. “Critical Factors in Successful Project Implementation,” IEEE Transactions on Engineering Management (34:1), pp. 22-27.
Rai, A., Maruping, L. M., and Venkatesh, V. 2009. “Offshore Information Systems Project Success: The Role of Social
670 MIS Quarterly Vol. 43 No. 2/June 2019
Jenkin et al./Mutual Understanding in IS Development
Embeddedness and Cultural Characteristics,” MIS Quarterly (33:3), pp. 617-641.
Robey, D., and Markus, M. L. 1984. “Rituals in Information System Design,” MIS Quarterly (8:1), pp. 5-15.
Sabherwal, R., and Grover, V. 2010. “A Taxonomy of Political Processes in Systems Development,” Information Systems Journal (20), pp. 419-447.
Sabherwal, R., and Robey, D. 1995. “Reconciling Variance and Process Strategies for Studying Information System Develop- ment,” Information Systems Research (6:4), pp. 303-327.
Sambamurthy, V., and Kirsch, L. 2000. “An Integrative Frame- work of the Information Systems Development Process,” Decision Sciences (31:2), pp. 391-411.
Segars, A. H., and Grover, V. 1999. “Profiles of Strategic Informa- tion Systems Planning,” Information Systems Research (10:3), pp. 199-232.
Shepherd, D. A., and Sutcliffe, K. M. 2011. “Inductive Top-Down Theorizing: A Source of New Theories of Organization,” Academy of Management Review (36:2), pp. 361-380.
Standish Group. 2015. Chaos Report, Boston, MA: The Standish Group.
Stigliani, I., and Ravasi, D. 2012. “Organizing Thoughts and Connecting Brains: Material Practices and the Transition from Individual to Group-Level Prospective Sensemaking,” Academy of Management Journal (55:5), pp. 1232-1259.
Tiwana, A. 2009. “Governance-Knowledge Fit in Systems Devel- opment Projects,” Information Systems Research (20:2), pp. 180-197.
Tiwana, A., and Keil, M. 2009. “Control in Internal and Out- sourced Software Projects,” Journal of Management Information Systems (26:3), pp. 9-44.
Vaara, E., and Monin, P. 2010. “A Recursive Perspective on Discursive Legitimation and Organizational Action in Mergers and Acquisitions,” Organization Science (21:1), pp. 3-22.
Van de Ven, A. H. 2007. Engaged Scholarship: A Guide for Organizational and Social Research, New York: Oxford University Press.
Venkatesh, V., Brown, S. A., and Bala, H. 2013. “Bridging the Qualitative-Quantitative Divide: Guidelines for Conducting Mixed Methods Research in Information Systems,” MIS Quarterly (37:1), pp. 21-54.
Vlaar, P. W. L., van Fenema, P. C., and Tiwari, V. 2008. “Co- creating Understanding and Value in Distributed Work: How Members of Onsite and Offshore Vendor Teams Give, Make, Demand, and Break Sense,” MIS Quarterly (32:2 ), pp. 227-255.
Wallace, L., Keil, M., and Rai, A. 2003. “How Software Project Risk Affects Project Performance: An Investigation of the Dimensions of Risk and an Exploratory Model,” Decision Sciences (35:2), pp. 289-321.
Wastell, D. G. 1999. “Learning Dysfunctions in Information Systems Development: Overcoming the Social Defenses with Transitional Objects,” MIS Quarterly (23:4), pp. 581-600.
Weick, K. E. 1995. Sensemaking in Organizations, Thousand Oaks, CA: SAGE Publications.
Weick, K. E., Sutcliffe, K. M., and Obstfeld, D. 2005. “Organizing and the Process of Sensemaking,” Organization Science (16:4), pp. 409-421.
Yetton, P., Martin, A., Sharma, R., and Johnson, K. 2000. “A Model of Information Systems Development Project Perfor- mance,” Information Systems Journal (10:4), pp. 263-289.
Zmud, R. W. 1980. “Management of Large Software Development Efforts,” MIS Quarterly (4), pp. 45-55.
About the Authors
Tracy A. Jenkin is Associate Professor and Distinguished Faculty Fellow of Management Information Systems at the Smith School of Business, Queen’s University. She has published on IT projects, knowledge discovery and data analytics, and environmental sustain- ability in journals such as Business and Society, Decision Sciences, Information and Organization, Journal of Business Ethics, and Journal of Information Technology. She has a Ph.D. from Queen’s University.
Yolande E. Chan is Associate Dean (Research and PhD-MSc Programs) and E. Marie Shantz Professor of MIS at Queen’s Univer- sity. She holds a Ph.D. from Western University, an M.Phil. in Management Studies from Oxford University, and S.M. and S.B. degrees in Electrical Engineering and Computer Science from MIT. She is a Rhodes Scholar. Yolande studies IT strategic alignment and innovation, and publishes in leading journals such as MIS Quarterly and Information Systems Research. Yolande has served as an asso- ciate editor for several journals and as senior editor for Journal of Strategic Information Systems and MIS Quarterly Executive. She is a Fellow of the AIS.
Rajiv Sabherwal is Edwin & Karlee Bradberry Chair and Depart- ment Chair of Information Systems in the Walton College of Busi- ness at the University of Arkansas. He has published on the management, utilization, and impacts of IT and knowledge in jour- nals including Information Systems Research, MIS Quarterly, Management Science, Organization Science, and the Journal of MIS. He has served as editor-in-chief for IEEE Transactions on Engi- neering Management and senior editor or guest editor for MIS Quarterly, Journal of AIS, and Information Systems Research. He is a Fellow of both the IEEE and the Association of Information Systems, with a Ph.D. from the University of Pittsburgh.
MIS Quarterly Vol. 43 No. 2/June 2019 671
RESEARCH ARTICLE
MUTUAL UNDERSTANDING IN INFORMATION SYSTEMS DEVELOPMENT: CHANGES WITHIN AND ACROSS PROJECTS
Tracy A. Jenkin and Yolande E. Chan Smith School of Business, Queen’s University,
Kingston, ON CANADA K7L 3N6 {[email protected]} {[email protected]}
Rajiv Sabherwal Sam M. Walton College of Business, University of Arkansas,
Fayetteville, AR 72701 U.S.A. {[email protected]}
Appendix A
Proposed Sensegiving and Sensemaking Potential of Project Planning and Control Mechanisms
Mechanisms Sensegiving (Actor: Sensegiver) Sensemaking (Actor: Sensemaker)
P la
n n
in g
M e c h
a n
is m
s
C o
m p
re h
e n
s iv
e
High In comprehensive planning processes, there tends to be a clear project vision developed, with the high-level details known up front: what, how, and why. The sensegiver provides these details to the sensemakers, typically as directives. Thus, the potential to give sense with this mechanism is high.
Low The sensemakers are given the vision and project details by the sensegiver(s). With these details in hand there is little uncertainty, so the sensemakers have little additional analysis and interpretation to do to gain an understanding. With the interpretation given, the potential for sensemaking is low. That is, not much sensemaking needs to be done.
E m
e rg
e n
t
Moderate Although few details (i.e., what, how, and why) are known up front and uncertainty is high, the planning process is iterative and techniques are very interactive between project stakeholders. Artifacts such as prototypes and storyboards are created and used to ultimately give sense. Uncertainty is reduced by such artifacts. Thus, the potential to give sense with this mechanism is moderate.
High There are few details known up front, with a high level of uncertainty. There is a high degree of interaction between sensegivers and sensemakers to analyze, discuss, and anticipate the project details. This is often a very iterative process. Therefore, the sensemakers must actively engage in dialogue and with artifacts to make sense and flesh out the details. Thus, the potential for sensemaking is high.
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A1
Jenkin et al./Mutual Understanding in IS Development
Mechanisms Sensegiving (Actor: Sensegiver) Sensemaking (Actor: Sensemaker)
C o
n tr
o l
M e c h
a n
is m
s
S e
lf -
C o
n tr
o l
Low With self-control, there is only one individual involved. Thus, no one else is trying to influence that individual’s behaviors and interpretation. Therefore, the potential for sensegiving is low.
High With self-control, there is only one individual involved. That individual is responsible for analyzing and inter- preting the pertinent project details. Since no sense is being given, the individual has to flesh out all details and resolve any uncertainty. Thus, the potential for sensemaking is high.
C la
n C
o n
tr o
l
High The clan strongly influences the behaviors of its members through interactive socialization mech- anisms. Thus, each member of the clan has the opportunity to act as the sensegiver of the clan’s norms and goals. What (goal), how (behavioral norms), and why are often known and provided by the sensegiver(s). Sensegiving is also seen when clans reward appropriate behavior and sanction inappropriate behavior. Thus, the potential for sensegiving is high.
High The taken-for-granted nature of clan norms and goals results in little sensemaking. However, when clan norms and goals conflict with the project’s norms and goals, sensemaking is required to resolve the resulting conflict. Clans have the ability to interact frequently, through multiple channels, so that this conflict can be resolved. Thus, the potential for sensemaking is high.
O u
tc o
m e
C o
n tr
o l
Moderate Specifying outcomes: Many details are speci- fied by the sensegiver, typically the what (e.g., requirement) and why associated with the out- comes. The how, or process, may be left up to the sensemaker. There is some uncertainty and details to be determined by the sensemaker. Specification is typically accomplished using impersonal formats (i.e., artifacts). Measuring outcomes: The results being mea- sured provide some details regarding the degree to which the performance metrics have been achieved. These are often high level and may require some analysis and interpretation (in this case, the sensegiver is the controllee who generates the results to be measured by the controller, the sensemaker). Thus, the sense- giving potential is moderate.
Moderate Specifying outcomes: The what and the why are typically provided (e.g., requirements document); however, the how is often left up to the discretion of the sensemaker. Thus, there is some uncertainty to resolve in terms of the process. The specification is typically provided as an artifact (e.g., document). Measuring outcomes: The sensemaker of the results (i.e., the controller) completes some analysis and reflection to determine the degree to which the results are meeting performance expectations. These results are high level and may require some analysis on the part of the controller (sensemaker). Thus, the potential for sensemaking is moderate.
B e h
a v io
r C
o n
tr o
l
Moderate Specifying behaviors: With behavior controls, sensemakers are told how to do their work (develop software), and often why it is important to do it that way. What to develop is not speci- fied. It is up to the sensemaker to determine this. Specification of behaviors tends to be via imper- sonal formats (i.e., artifacts such as standards and methodologies). Measuring behaviors: Observation, status reports, and gate reviews provide some informa- tion indicating whether the process is being followed and if not, why. The controllee is the sensegiver of this high-level information. Thus, the sensegiving potential is moderate.
Moderate Specifying behaviors: Although “how” to do the work and often “why” it is important to do it that way are given to the sensemaker, (s)he is not told specifically what to develop. The sensemaker is left to determine this aspect. Also, adaptation of the specified behaviors is often acceptable and requires inter- pretation on the part of the sensemakers to determine. Measuring behaviors: The sensemaker of the given reports, verbal status, or observations has to assess the extent to which the behavior is as specified. The sensemaker is the controller. Not all details are pro- vided in reports, nor can all behaviors be observed. Therefore, there is some level of uncertainty requiring analysis and interpretation by the sensemaker. Thus, the potential for sensemaking is moderate.
A2 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Appendix B
Linkage between ISD Project Planning and Control Mechanisms and Sensemaking and Sensegiving
Mechanisms Sensegiving Sensemaking
P la
n n
in g
C o
m p
re h
e n
s iv
e
“Information analysts then construct alternative structures for the overall MIS architecture subject to the MIS objec- tives, strategies, and constraints enu- merated as the MIS strategy set. The general alternatives are then presented to management” (Bowman et al. 1983, p. 17).
“When the new members officially joined the team, they were given copies of deliverables from the planning phase. In a ‘knowledge dump’ meeting, the planning phase strategists walked the newcomers through the planning phase deliver- ables presentation” (Levina 2005, p. 121).
E m
e rg
e n
t
“Structured problem solving and experi- mentation through the use of cross- functional teams tend to produce high levels of understanding regarding organizational processes ... a noted drawback of the philosophy is its ten- dency to promote strategic drift as many actors continually bounce back and forth between competing strategic perspec- tives” (Segars and Grover 1999, p. 222).
“As the third week of the planning phase approached—a time when, according to the Eserve service delivery model, consul- tants should be up to speed on their client’s business—Eserve conducted a brainstorming workshop with the intention of generating ideas as to what kind of functionality the website should support” (Levina 2005, p. 119).
C on
tr ol
S e
lf -
C o
n tr
o l “Self-control therefore requires that the
controller grant autonomy to the con- trollee without imposing any other forms of control” (Tiwana and Keil 2009, p. 21).
“He monitors how well he is progressing over time; and intrinsically rewards himself for completing the job” (Kirsch 1996, p. 3).
C la
n
C o
n tr
o l
“Team-building sessions and meetings served to incent stakeholders to embrace common values. The System Development Manager explained various approaches for generating this level of commitment and shared goals” (Kirsch 2004, p. 383).
“During this phase, control can be characterized as ‘collective sensemaking’ in which informal mechanisms of control are used jointly by IS and business stakeholders to clarify ambiguous project goals, reach consensus on a common business process, and negotiate a set of global system requirements” (Kirsch 2004, p. 388-389).
O u
tc o
m e
C o
n tr
o l
“In outcome control, the controller focuses on the outputs (both final and interim) of the project without regard to the process by which these outputs are achieved” (Choudhury and Sabherwal 2003, p. 293).
“that define outcome metrics for software in great detail (high standardization of performance criteria). However, the contracts allow project teams to have discretion in adopting the standards to suit the context of specific projects” (Nidumolu and Subramani 2003, p. 168).
B e h
a v io
r
C o
n tr
o l
“A detailed systems development methodology may be viewed as a mechanism of behavior control if it articulates the precise steps to follow to successfully develop a system” (Kirsch 1997, p. 217).
“While younger consultants … tended to interpret the method- ology literally, and follow its procedures ‘to the letter,’ … experienced employees seemed less constrained, relying on their initiative to direct production work, and using the method- ology primarily as a coordination device to manage impres- sions through appropriate behavior packaging. Thus, while the methodology is prescriptive in documentation, in practice, its tenets were often modified, overridden, or ignored” (Orlikowski 1991, p. 16).
Legend: Low Moderate High
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A3
Jenkin et al./Mutual Understanding in IS Development
Appendix C
Research Method Summary: Building Theory from Cases (Eisenhardt 1989)
Recommendation This Study
P la
n n
in g
t h
e S
tu d
y Getting started: Define the research question and identify a priori research constructs.
Used a combination of top-down inductive and deductive theorizing to start the study as recommended by Shepherd and Sutcliffe (2011), followed by bottom-up inductive theorizing described below in this appendix.
Selecting cases: Identify the population of interest and use theoretical sampling.
Defined population as projects focused on the development and enhancement of systems at global IT firms with headquarters in North America. Sample included projects completed over a 10-year time span (2000 to 2010) at two organizations (Alpha and Beta). Examined 13 projects (7 at Alpha, 6 at Beta).
C o
ll e
c ti
n g
D a
ta
Crafting instruments and protocols: Use multiple data collection methods, combine qualitative and quantitative data, and involve multiple investigators.
Developed and refined interview guide before the interviews. Most data were quali- tative, although some quantitative data were also captured (e.g., team members per project, years of experience for each team member). The authors jointly developed the interview guide. One author conducted the interviews and immersed herself in the case details and project context, enabling the other authors to bring a “very dif- ferent and possibly more objective eye to the evidence” (Eisenhardt 1989, p. 538).
Entering the field: Overlap data collection and analysis, and use flexible methods to collect data.
Data collected in 2004, 2005, and 2010, through 24 interviews with 21 informants at the two organizations. Data collection and analysis overlapped over this time period. For instance, the authors jointly considered the interview findings (in the form of narrative summaries) to plan subsequent interviews and data collection. At least one respondent at each organization was interviewed in multiple time periods. Interviews were recorded, producing 214 pages of transcripts.
D e
v e
lo p
in g
P ro
p o
s it
io n
s
Analyzing data: Analyze within-case data and search for cross-case patterns.
Qualitatively coded quotes from transcripts based on the constructs in the initial model (Figure 1) and the project stage. Used iterative process with multiple cycles with all authors involved. Next, used coded transcripts to rate each project’s stages in terms of the focal constructs in the initial model as high, moderate, or low. Also identified planning and control mechanisms that were used in each project stage to code and calculate sensegiving (sensemaking) potential. In the final phase, identi- fied sensegiving-sensemaking episodes, coding when it occurred, the stakeholder groups who gave and made sense, and directionality. Result was panel data for 13 projects at three points in time. Created multiple data displays for within and cross- case analysis. Regressions using the quantitative data supplemented the qualitative results.
Shaping hypotheses: Itera- tively compare theory and data so that emergent theory fits the data.
Employed a longitudinal embedded mixed-methods design approach (Creswell and Clark 2007). Used regressions to develop an initial understanding of the potential relationships. Used the extensive qualitative data to develop more nuanced insights into various relationships. Triangulation through the use of quantitative data (regressions), qualitative data (the coded text from the raw transcripts), and overall perceptions (narrative summary, data displays in Figures 3, 4, 5, and 6).
Enfolding literature: Com- pare theory and hypotheses with the literature.
Compared the patterns and relationships uncovered through the qualitative analy- ses with the initial model, the prior literature, and the quantitative analyses. Devel- oped an emergent model and propositions based on these new relationships and patterns.
Reaching closure: Achieve saturation (i.e., minimal improvement).
Reached closure in data analyses once the emergent model and propositions were consistent with the data (including the transcripts, key informants’ remarks, and quantitative results), and the incremental improvement from continuing the analysis or examining other projects seemed minimal.
A4 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Appendix D
Supplementary Project Details123
Proj. Background Size2 Novelty Key Events3 Key Outcomes
A1 New feature requested by customers, referred to as a “customer escalation.”
3 to 5 • New technology for Alpha
• New product feature
• Quality assurance (QA) finding issues during testing was the initial stimulus for the team thinking there were issues.
• Customer reports of significant issues with the software confirmed that there were major issues with the new feature and technology.
• Post-implementation discovery that other users of this IT had similar issues.
• Late delivery with a number of defects, resulting in customer complaints. Followed up with patches to provide short-term fixes.
A2 Architecture project to introduce new IT and struc- ture to an old legacy prod- uct. This would enable future user interface en- hancements. Proposed by team lead.
6 to 8 • Existing product functionality implemented on new technology platform
• Prototyping to assess technical feasibility and whether to proceed with the project.
• Decision to proceed based on successful prototype.
• Successfully imple- mented architecture changes and fixed a number of long- standing defects in the product.
A3 Initiated to resolve the issues associated with the new feature implemented on A1.
4 to 7 • Technology introduced on A1
• Product feature introduced on A1
• Decision to consult and work with another office (in Alpha) and reuse one of their code components.
• Issue with Windows disrupted development for four weeks.
• Cut scope back due to time constraints.
• Successful delivery that resolved problems in A1 and met customer needs.
A4 Existing functionality from a 15-year-old product was being incrementally ported to a web-based platform in multiple projects, including A4. Identified as important by sales and marketing.
6 to 9 • Existing product functionality implemented on new web-based platform
• New methodology introduced
• Usability testing of prototype at a user conference found usability issues before development began.
• Decision to split off functionality to create project A5.
• Successful delivery of product to customers, with minimal defects. Held up as the ideal way to run a project, but delivered later than target date due to problems with A5.
A5 Originally part of the requirements of A4, but spun off as a separate project given the scope of the required functionality. A4 was dependent on the functionality being implemented in A5.
6 to 9 • New product features for existing platform and new web- based platform
• New methodology recently introduced, but not applied here
• Decision to split off functionality to create project A5.
• Realization that scope was larger than initially estimated.
• Tester posed questions seeking clarifications regarding user experience document, which initiated sensegiving- sensemaking episodes to further define requirements.
• Decision to split release of the product to provide select customers with an early version of the product (with defects).
• Delivered required product functionality late and with defects. Split release allowed some customers to receive functionality earlier than others, based on urgency of needs.
• Failed to implement methodology and lessons from A4. Significant problems with the process led to lessons learned at the end of the project.
1For timeline information, see Table 2.
2Size is in terms of the number of individuals working on the project, which changed over time. In addition to the IT project team members, it includes the business sponsor, the business project manager, any business-side team members, and the vendor project manager as applicable.
3These are the significant events in the project that impacted the project or subsequent projects.
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A5
Jenkin et al./Mutual Understanding in IS Development
Proj. Background Size Novelty Key Events Key Outcomes
A6 Involved implementing several “specific” features to Alpha’s flagship product. The goal was for customers to switch to it from legacy product. Considered a point release. Not all features were relevant to all customers.
14 to 16 • Minor feature updates to existing product and platform
• Change in product manager midway through the project.
• Decision to drop large, more complex feature to meet deadline.
• Decision to release patches to fix issues post-release after customers called to complain.
• Product was imple- mented on time, but with some quality issues. Specifically, customers were not entirely satisfied with the product because some older problems still existed.
• Patches were released to fix these issues.
A7 A major overhaul of Alpha’s flagship product (same as A6), including new features and improvements to existing features. Also added integration with Alpha’s suite of products. Considered a full release.
14 to 16 • New features and feature updates to existing product and platform
• New methodology introduced
• Organization-wide introduction of new methodology, creating turmoil on project.
• Identified and agreed upon adjustments to new methodology.
• Decision to drop large feature (same feature dropped in A6).
• Dropped feature and turmoil at project start hurt perceptions of success.
• Otherwise, product was successfully launched.
• Process improve- ments and adaptation of the new method- ology.
B1 Implemented a new product and new technology platform and business processes to support it. Considered strategic, with product launch seen as key to the company’s survival.
20 to 30 • New technology platform, con- sisting of multiple new and existing systems
• New business processes
• Period of high intensity of change requests, resulting in significant turmoil on the project.
• Decision to implement the project according to scheduled release date.
• Delivered project on time but with numerous defects. Turmoil and defects negatively impacted perceptions of success.
• Did achieve the objective of launching new product.
B2 Originally part of project B1, involved porting legacy application to the new technology platform implemented in B1.
20 to 30 • Existing legacy system features implemented on IT platform intro- duced in B1
• Late change request from critical business partner.
• Decision to postpone project by one month to accommodate request.
• Delivered project one month later than original plan, due to postponement.
B3 Considered a strategic project that involved insourcing an existing customer product that was previously outsourced.
15 to 22 • New features on existing IT platform
• New business processes linked to the new product
• Programmers hid technical issues. • Decision to reduce scope late in the
project due to technical issues, which had not been disclosed earlier.
• Significantly over budget, late and defect-ridden. Technical issues resulted in reduced scope and manual workarounds.
B4 Added functionality to enable business units to modify own (customer facing) applications and accelerate implementation of business initiatives.
20 to 25 • New features and processes on existing technology platform
• Programmers hid technical issues, just like in B3.
• Decision to drop a large portion of project’s scope at the last minute due to technical deficiencies, which had not been disclosed earlier. Just like in B4.
• Due to scope reduc- tion, project objec- tives not met. Busi- ness stakeholders were not satisfied.
• A new project was initiated.
B5 Focused on improving global procurement and order management systems, information, and processes.
15 to 20 • New third-party technology platform
• New business processes
• Changes to methodology
• Implemented request by programmers to change process for managing issues.
• Process changed back when it did not have the intended effect.
• Change in methodology declared by senior management.
• Project successfully delivered the desired functionality for the business. Business and IT stakeholders perceived project as successful.
A6 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Proj. Background Size Novelty Key Events Key Outcomes
B6 Involved implementing functionality and processes that would allow a business unit to expand its marketing capabilities. Similar capabilities, systems, and processes were implemented in another unit.
17 to 27 • New features in an existing IT platform
• New business processes
• Similar to pro- cesses and features in a related system
• As requested by the project manager, business management agreed to turn off old system so that the new features did not have to be implemented on it.
• Reversal of this decision at project end when senior sales reps became aware of the impending system retirement.
• Post-implementation workarounds.
• The issue with the senior sales reps resulted in significant workarounds after go- live. All other aspects of the project were considered success- ful. Not all stake- holders perceived the project as a success.
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A7
Jenkin et al./Mutual Understanding in IS Development
Appendix E
Interview Guide
The following questions were used as a guide during the interview. Each interview was emergent: the interviewer adapted questions and asked additional probing questions as needed.
Please recall a recently completed project that was considered strategic (important to the business). We will discuss this project throughout the interview.
1. What is the name of the project? 2. What was your role on the project? 3. How long have you been with the company? In this role? 4. When did the project start and end? 5. Was there a business sponsor? (Probe: Ask about steering committee and other senior management support mechanisms.) 6. Can you describe the project organization chart? Is this typical for the organization? 7. Why was this project considered strategic (important to the business)? 8. Do you know what priority level was assigned to this project? 9. Did this project need to be justified formally before it was approved? If so, what justifications were provided?
10. What were the purpose, goals, and objectives of the project? (Probe: Discuss linkages or dependencies on other systems or projects.) 11. What changes occurred during the project? 12. At any time, was this project’s priority changed? 13. At any time were there resource changes on the project? If so, why were those changes made? 14. Were there any changes to requirements during the project? How were changes in requirements handled? 15. Were you given adequate ownership and decision-making ability in running this project? (for Project Manager) 16. What do you think makes a great project manager? 17. How did you handle roadblocks (problems, unexpected issues, surprises)? Did you have predetermined escalation paths? (Probe: Discuss
risks and risk management approach; also discuss any major issues and why they arose.) 18. What, if any, methodology was followed? Describe. How closely did you follow it? (Probe: Describe the phases and what was done in
those phases. Specifically, initiation, planning, design, development, testing and implementation phases.) 19. At a high-level, explain your testing methodology. (Probe: Describe any problems detected during testing, such as defects.) 20. Were periodic reviews of the project conducted? (Including testing, gate reviews, deliverable reviews, status reviews, etc.) 21. Was a final evaluation of the project conducted? What were the criteria used for the evaluation? What was done with the results? (For
example, formal post-mortem review with the business? Surveys?) 22. Was a formal process followed for the implementation (deployment to “production” or “generally available”) of this project? If yes, what
was it? If no, what was involved in coordinating the implementation of this system? 23. Most important best practice? Biggest mistake? 24. How did the business (for example, product managers, marketing, sales) communicate with the project team? How did the project team
communicate with the business? (Probe: Were there any problems with communication and coordination? How were users involved?) 25. How would you describe the relationship you had with the business? (for development team members) How would you describe the
relationship you had with the development project team members? (for business team members) (Probe to see if there were there any problems with the relationship.)
26. In your opinion, how well do the development project team members understand the business? Conversely, how well do the business team members understand development?
27. Was the project implemented on time? Did this project have an accelerated timeline to meet market-timing constraints? Or was timing based on estimated effort?
28. Was the project implemented on budget? 29. Was this project considered successful? Why or why not? 30. How does your company measure the success/performance of a project? 31. Did the initial objectives and goals for the project change during the project? Were all of the objectives and goals of the project met? 32. Were some objectives for this project not met? Was this a conscious decision (for example, ran out of time or money)? If some objectives
were not met, what was done as a result? 33. Was the business (and users) satisfied with the results of the project? 34. Was the development team satisfied with the results of the project?
A8 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Appendix F
Coding and Analysis Approach
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A9
Jenkin et al./Mutual Understanding in IS Development
Appendix G
Quotes Illustrating the Coding of Constructs
Construct Type Illustrative Quote Project (Stage)
P la
n n
in g
Compre- hensive
“Because of the high risk of this project, I had put together an MS Project plan with the team lead. We mapped out the whole process and defined the details” (Project Manager).
A2 (E)
Emergent “We cut back a little on what we were going to deliver.” When asked if this was done because of timing, he responded, “Yes. Because of scope. So we decided to do it in a phased delivery of functionality” (Project Manager).
A3 (L)
C o
n tr
o l
Self-control “[The initial document] was a high-level vision. This is how we see it happening. The developer thought that it was exactly what should be happening and then started developing and there wasn’t time to go to a more detailed design of here is how the screens will actually look” (Product Designer).
A5 (E)
Clan control
“No training, no rollout, no explanation. Half of the documents are gone, or the documents we had been using have no meat in them anymore. I went out to look at the test spec and it was ‘huh?’ And people came to me asking me if I had an old copy of the template. And I say ‘yes we have it on our Sharepoint site’” (QA Manager).
B5 (M)
Outcome control
“Reviews were being done, but primarily between the development manager and the product manager in terms of ‘have you delivered this yet.’ Very centralized” (Product Designer).
A6 (M)
Behavior control
“We had weekly reviews of the actual specifics of the project in the Exec Sponsor’s project review meeting. So any large efforts that are being worked in his group are talked about in this forum—a weekly Friday meeting with all of his direct reports and stakeholders throughout the business that own pieces of his business (e.g., risk manager). That was his forum for Q and A, if he had ques- tions about what we were doing or we needed answers for something, we would bring those up in that meeting” (Business Project Manager).
B6 (M)
S e n
s e m
a k in
g
Low “I did find there was a lot of coming and saying ‘this is what I am getting’ and then me saying ‘well that is what you are supposed to get. It is by design. If you had read the document you would know that’” (Programmer 2).
A5 (M)
High “Having a dedicated product designer, a usability person/product designer, to help define the stories and then having review sessions with the team where people can ask questions and change the stories if issues are brought up … took a lot of time, but was a really helpful process. And great for us (documentation). Also good for the product” (Technical Writer).
A7 (M)
S e n
s e g
iv in
g High “The business area originally felt they could wait until after implementation to address their needs … resulted in a last-minute escalation to the project steering committee and the CEO .... Very political move” (IT Project Manager).
B2 (L)
Low “We were compliant … in form, but not in function. There was a lot of spin going on. IT couldn’t speak to the business truthfully” (QA Manager).
B3 (M)
A10 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Construct Type Illustrative Quote Project (Stage)
M u
tu a
l U
n d
e rs
ta n
d in
g
High “Everybody knew what everybody else was going to do and how it is going to work in the system” (Team Lead).
A4 (E)
Low “At the beginning, there was an organization-wide decision … that generated a lot of confusion and lack of clarity within the team.… this team, as well as other teams within the organization, were led to question some fundamental things about the way they were working” (Product Designer).
A7 (E)
P ro
je c t
S u
c c e s s Low “In the end, it didn’t really accomplish what it was intended to do. The users
weren’t that satisfied” (Project Manager). A1 (L)
High “That one went quite nicely. It was one of those classic ‘yeah that’s the way you do it’” (Product Designer).
A4 (L)
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A11
Jenkin et al./Mutual Understanding in IS Development
Appendix H
Quotes Illustrating the Coding of a Project: Project A7
Stage Early Middle Late
Planning (overview)
The requirements for the project were determined by the product manager at the start. Planning was not as inclusive as it could be given that customers were not consulted. However, planning was disrupted in the early stages of the project because of the methodology change. Once this change was resolved and planning resumed, planning was conducted collaboratively and emerged incrementally during each iteration.
Coding Comprehensive Emergent Emergent
Illustrative Quotes
“They had a very ambitious set of objectives initially.… But very quickly that was taken off the list of goals because it was just too ambi- tious. I'm not sure how serious that goal ever was, but it was there. That was unfortunate but then they had a more realistic set of goals to replace that and I think it’s been really successful, the process” (Technical Writer 1).
“A lot of collaboration between the new product manager, the dev manager and myself to set a common direction for the team, to really agree on the priorities for the release and to react very flexibly to changes in priority. So that has been very effective” (Product Designer).
“But lately it is more visible because every two weeks we get together to discuss what’s new” (Programmer).
Explanation Product manager set the list of ambitious objectives upfront on the project. These objectives were updated to become more realistic. Demonstrates comprehensive planning upfront. Other comments also show that all the requirements were determined upfront, but things were added and taken away during the agile iterations.
Collaboration between the product designer, development manager, and product manager show that these three stake- holders helped to set priorities and update those priorities as needed when changes arose. This began after things settled down following the methodology change. Other comments demonstrate that this collabora- tion enabled the team to adapt to changes flexibly across iterations, reflecting an emergent learning approach to planning.
Applies to both middle and late stages of the project. At the beginning of each iteration, the new things to be implemented in that iteration were discussed and planned in more detail. This demonstrates emergent planning in both the middle and late stages of the project.
Control (overview)
At the start of the project, there was little control. Clan control helped team members focus on overcoming the challenges associated with the methodology change. The new methodology was a form of behavior control, but it was not yet understood and was being compared to the old ways. Midway in the project, outcome controls were added: macro stories (requirements) served as outcome specifications and frequent testing and reviews served as outcome measurement. Behavior control was stronger now, as the methodology was more clearly understood. Daily reviews also helped measure behavioral compliance.
Coding Behavior, Clan Behavior, Outcome Behavior, Outcome
Illustrative Quotes
“Conflicts between product designer and developers early on over the new process because there was a new role for the designers and I think it was just a matter of sorting out what the roles would be. But there were some pretty significant conflicts” (Technical Writer 1).
“It helps things from getting too far off track. Because if someone has done something but maybe they haven't emailed you or let you know. But then they mention it and you know right away. Before when a developer changed something without telling
“Reviews were done at the end of each iteration. There would be a demo to interested parties as to what was achieved” (Programmer).
A12 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Stage Early Middle Late
you for whatever reason, it could be weeks or months before you found out about it. Whereas now, you could know the same day” (Technical Writer 1).
Explanation Conflicts were resolved using clan control, leveraging past history of norms and beliefs for the group, who had just completed project A6. Other quotes show that sanctions were imposed on members who did not accept new norms and roles.
Daily stand up meetings, which were conducted in both middle and late stages, served as an outcome control because they enabled outcome measurement. As noted above, this also enabled behavioral compliance to the adapted methodology. Other comments demonstrate the value of macro stories as outcome specifications.
Refers to the reviews and demos that occurred at the end of each iteration, in both the middle and later stages. These reviews served as a mechanism to measure outcomes. This demonstrates outcome control.
Cognitive Activities: Sensegiving (overview)
At the start of the project, there was moderate sensegiving from the espoused new methodology. This adapted methodology was a helpful sensegiving device throughout the rest of the project. Midway and later in the project, macro stories, interim builds (prototypes), daily stand-ups and frequent reviews gave the team sense, which in turn supported sensemaking.
Coding Moderate High High
Illustrative Quotes
“I think the introduction of the new process was a good stimulus for looking at some of the practices and improving the way the team does its work. And I think we have become more agile, not necessarily because of the introduction of the new process, but perhaps even in spite of it, by realizing that there were certain things that were important that we could be doing. It turned out to be a positive development definitely” (Product Designer).
“The other thing that was a best practice that emerged out of this release was early review of requirements and design with the dev team and with QA and docu- mentation staff and even with support. So we have formalized a process, well not formalized, but we have a consistent process for doing these reviews and engaging the rest of the team in providing early and often feedback to priorities, well maybe not so much to priorities but definitely to design decisions. And that has been really key to effectively deliver the more complicated features we have in this release” (Product Designer).
Paraphrased: The amount of information and detail made writing up the documentation in parallel to development a lot easier. It allowed you to know what the functionality was going to look and act like when it was done. Things were completely itemized in detail and planned out (Technical Writer 2 Paraphrase: participant asked not to be directly quoted).
Explanation Moderate sensegiving early in the project via the new methodology announcement. Other comments suggest that training and the project objectives provided sensegiving. However, sensegiving was only moderate, not high, because the methodology and training were too high level and not directly applicable to the Alpha and project A7 context. See sensemaking comments for how the team made sense of this.
A high level of sensegiving in the middle and later stages as the result of the reviews between the product designer and the devel- opment team, QA and technical writers and updating these stake- holders on design decisions and the rationale behind those deci- sions. Other comments also sug- gest that the macro stories (user experience stories) developed by the product designer to describe and explain the design to this same set of stakeholders provided a high level of sensegiving.
Demonstrates the sensegiving provided through the macro stories provided in each iteration in both middle and late stages of the project. This brought further sensegiving to the reviews, keeping a high level of sense- giving in both the middle and later stages. Other comments suggest that the daily stand up meetings, interim builds and demos enabled a high level of sensegiving.
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A13
Jenkin et al./Mutual Understanding in IS Development
Stage Early Middle Late
Cognitive Activities: Sensemaking (overview)
At the start of the project, the level of sensemaking was high due to the team interpreting and adapting the methodology to suit their needs and resolving the uncertainty that came from the change. Midway and later in the project, macro stories, interim builds (prototypes), daily stand-ups and frequent reviews gave the team sense, which in turn supported sensemaking.
Coding High High High
Illustrative Quotes
“The way the process was rolled out was not done very well. As a result, this team, as well as other teams within the organization, were led to question some fundamental things about the way they were working. And there was quite a bit of churn and discussion that had to result before the team could settle back down and be effective in imple- menting the things they needed to implement” (Product Designer).
“I wouldn't say that was so much a feature of the formal process, but more of a feature of constant collaboration between what I like to call the customer team—so the product manager, the dev mana- ger, and myself. As soon as time-sensitive things came up we immediately discussed them, we talked to the development team to understand the repercussions, got rough effort estimates and based on that quickly responded whether or not it was something that we could incorporate into the release or push off to a future release” (Product Designer).
“For A7, we have had the regular demos of the completed func- tionality for the whole team. And especially this was helpful in involving QA and documentation and support in understanding what had been delivered in each of the iterations preceding the demo” (Product Designer).
Explanation A high level of sensemaking occurred early in the project as all team members tried to understand and work out how the new method- ology could be applied to the project context of A7 and Alpha more broadly. Part of this sensemaking included reflecting on problems with the current process and how to adapt the new methodology to improve this process. Other comments demonstrate that the end result was an improved process.
Describes the sensemaking pro- cess engaged in by the “customer team” (product designer, develop- ment manager, and product manager) to understand impacts, develop estimates and make decisions. Along with the other comments that demonstrate the sensemaking that occurred via regular reviews, demos, and macro stories, this reflects a high level of sensemaking on a daily and weekly basis during the iterations.
A high level of sensemaking continued in the middle and later stages of the project. This comment demonstrates the sensemaking that the demos enabled for QA, technical writers, and the support team. Other comments demonstrate the benefit of regular reviews and macro stories in helping programmers, QA and technical writers make sense of the requirements as well as the functionality that had been implemented by programmers.
Cognitive Outcome: Mutual Under- standing (overview)
At the beginning of the project, there was a low mutual understanding of the process and roles due to the change in methodology. Midway through the project, there was some uncertainty regarding why the large feature was dropped. However, the mutual understanding of the project process and the requirements progressively developed over the course of the project due to the high levels of sensegiving and sensemaking midway and later in the project.
Coding Low Moderate High
Illustrative Quotes
“At the beginning of [project A7], there was an organization-wide decision and a series of training sessions rolled out to support that decision to move to a more industry standard agile process. Not entirely industry standard but closer to those standards. That generated a lot of confusion and lack of clarity within the team” (Product Designer).
“And for IDP, you are supposed to have a post-mortem at the end of each iteration. So every three weeks or two weeks. I think those eventually died because no one said anything. Initially, it was good because I think when the process was still being nailed down it was helpful to be able to vent. But as people got accus- tomed to it, there was less need for that” (Technical Writer 1).
Paraphrased: in the new pro- cess, there are macro stories and micro stories provided and we have daily stand-up meetings. As a result, everyone on the team has a good sense of what is going on in terms of who is working on what, what is not working, and what is working well (Technical Writer 2 Paraphrase).
A14 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Stage Early Middle Late
Explanation The methodology change resulted in confusion regarding the impact of the change on roles and the process. Thus, there was low mutual understanding at the start of the project. Other comments further support the uncertainty and confusion that ensued in the early stage of the project while the team was working this out.
Post-mortems at the end of each two-week iteration were con- ducted initially when mutual understanding of the project and the product needed to be further developed. This mutual under- standing grew to a moderate level during the middle of the project. Other comments note that a feature was dropped because of uncertainty regarding the required functionality. By dropping the feature, the team could focus on the better understood features.
Artifacts of the new process resulted in a high level of mutual understanding of the product being developed and the status of the project via the sensegiving and sensemaking enabled by these artifacts. In addition to the macro stories and daily stand up meetings, other comments demonstrate that regular demos and reviews with the entire team also helped in this regard.
Project Success
Moderate Success (success is evaluated at the end of each project).
Coding Moderate
Illustrative Quotes
“I think A7 has done a much better job of addressing the strategic roadmap goals of the product. Again, one of the strategic roadmap goals was that one large feature that got dropped. At the same time, arguably, by not taking on that very complicated and risky feature, we have delivered a better and more stable product in a lot of other ways” (Product Designer).
Explanation Project stakeholders perceived the project to be moderately successful and not highly successful because of the important feature that was dropped from the project due to timing constraints. Other comments indicate that there was a gap created by the missing functionality, which impacted perceptions of success. Further, other comments demonstrate that the initial chaos caused by the methodology change had a negative impact on perceptions of project success.
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A15
Jenkin et al./Mutual Understanding in IS Development
Appendix I
Quantitative Analyses and Results
We coded variables into low, medium, and high. Since we cannot assume equal gaps between low and medium and between medium and high, the data is ordinal in nature. Therefore, we used Kendall’s Tau to measure correlation (Conover 1999) and conducted ordinal logistic regressions. Tables I1 and I2 present the descriptive statistics, correlations and the results for four regression models. All four regressions included two control variables: project duration (months) and number of primary informants for the project.
The first three regression models used stage-level data, with sensegiving, sensemaking, and MU as dependent variables. The planning and control mechanisms used in each stage were included at an aggregate level as sensegiving potential and sensemaking potential. Model 1 suggests that sensegiving during a stage depends on sensegiving potential and sensemaking during that stage. Similarly, Model 2 suggests that sensemaking in a stage depends on sensemaking potential and sensegiving in that stage. Thus, sensegiving and sensemaking affect each other, as expected. Moreover, sensegiving and sensemaking seem to depend on sensegiving potential and sensemaking potential, respectively, of the planning and control mechanisms used, as was also expected.
We expected both sensegiving and sensemaking to affect MU. The results for Model 3 differ somewhat from these expectations, suggesting that MU during a stage depends directly on sensemaking but not on sensegiving. Combined with the results for Model 2, this leads to the emergent proposition P1.
Model 4 used project-level data as project success, the dependent variable, was assessed at the end of the project. Although the sample size of 13 is a limitation and implied a low statistical power (0.36 with medium effect size), the effect of MU on project success was significant. Also, when sensemaking and sensegiving were added as independent variables, and a stepwise ordinal regression was conducted (due to the small sample size), only MU was found to have a significant direct effect on project success.4
Table I1. Descriptives and Correlations
Correlations1
Mean S.D. Min Max SG_P SM_P SG SM MU
Sensegiving Potential (SG_P) 0.46 0.25 0.00 0.88
Sensemaking Potential (SM_P) 0.37 0.25 0.13 1.00 0.18
Sensegiving (SG) 2.18 0.72 1.00 3.00 0.28** 0.22*
Sensemaking (SM) 2.00 0.79 1.00 3.00 0.09 0.28** 0.39***
Mutual Understanding (MU) 1.97 0.78 1.00 3.00 -0.05 0.20* 0.26* 0.40***
Project Success (SUCC) 2.15 0.80 1.00 3.00 0.27 0.31 0.49* 0.50* 0.53**
1Kendall’s Tau statistics are reported for correlations. N = 13 for Project Success and correlations involving it. N = 39 for other constructs and
correlations. *p < 0.05; **p < 0.01; ***p < 0.001. As expected (Conover 1999), the results are consistent in significance when using Spearman’s Rho.
4The results for this additional regression are not reported in Table I2 due to space constraints. Moreover, sample size limitations precluded quantitative tests of the mediating effects.
A16 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019
Jenkin et al./Mutual Understanding in IS Development
Table I2. Regression Results1
Model 12 Model 2 Model 3 Model 43
Dependent Variables Sensegiving Sensemaking Mutual
Understanding Project
Success
Control Variables
Project duration (months) 0.00 (0.82) -0.12 (0.10) -0.34 (0.22) -0.01 (0.11)
Number of primary informants for the project -0.47 (0.17) 0.40 (0.33) 0.61 (0.39) -0.27 (0.37)
Independent Variables
Sensegiving 2.16** (0.67) 0.59 (0.78)
Sensegiving Potential 5.72* (2.56)
Sensemaking 2.62** (0.85) 1.88* (0.93)
Sensemaking Potential 4.02* (1.97)
Mutual Understanding 6.56** (2.69)
N 39 39 39 13
Wald’s4 χ² 10.49* 11.64* 25.97*** 12.75** McFadden R² 0.417 0.359 0.325 0.457
Highest Variance Inflation Factor 1.08 1.21 1.72 1.42
1Instandardized regression coefficients are given with robust standard errors in parentheses. All significance levels are indicated as follows: *p < 0.05; **p < 0.01; ***p < 0.001. 2 For Models 1–3, we first conducted panel-data ordinal regressions (using xtologit in Stata 15), with panels based on projects. Results of estimated variance components and likelihood-ratio tests indicate that xtologit does not improve over a standard ordered logistic regression. So, results of ordinal regressions (the ologit command) are reported in this table. We used the “vce(cluster)” option with clustering based on the project. The results are substantively the same when using either panel-data ordinal regressions (xtologit) or multiple regressions with the data clustered by project, and with a dummy for organization. Results for the other models are excluded due to space considerations. 3 Model 4 is tested using ordinal regression (the ologit command) with the “vce(robust)” option to obtain robust standard errors (for consistency with Models 1–3). The results for a model including a dummy for organization are substantively the same, and are excluded due to space constraints. 4 Using G*Power (http://www.gpower.hhu.de), medium effect size, and four (Models 1-3) or three (Model 4) predictors (excluding controls), statistical power is 0.77 for Models 1–3 and 0.36 for Model 4.
References
Bowman, B., Davis, G., and Wetherbe, J. 1983. “Three Stage Model of MIS Planning,” Information & Management (6:1), pp. 11-25. Choudhury, V., and Sabherwal, R. 2003. “Portfolios of Control in Outsourced Software Development Projects,” Information Systems Research
(14:3), pp. 291-314. Conover, W. J. 1999. Practical Nonparametric Statistics, Hoboken, NJ: Wiley. Creswell, J. W., and Clark, V. L. P. 2007. Designing and Conducting Mixed Methods Research, Thousand Oaks, CA: SAGE Publications. Eisenhardt, K. M. 1989. “Building Theories from Case Study Research,” Academy of Management Review (14:4), pp. 532-550. Kirsch, L. J. 1996. “The Management of Complex Tasks in Organizations: Controlling the Systems Development Process,” Organization
Science (7:1), pp. 1-21. Kirsch, L. J. 1997. “Portfolios of Control Modes and IS Project Management,” Information Systems Research (8:3), pp. 215-239. Kirsch, L. J. 2004. “Deploying Common Systems Globally: The Dynamics of Control,” Information Systems Research (15:4), pp. 374-395. Levina, N. 2005. “Collaborating on Multiparty Information Systems Development Projects: A Collective Reflection-in-Action View,”
Information Systems Research (16:2), pp. 109-130. Nidumolu, S. R., and Subramani, M. R. 2003. “The Matrix of Control: Combining Process and Structure Approaches to Managing Software
Development,” Journal of Management Information Systems (20:3), pp. 159-196. Orlikowski, W. J. 1991. “Integrated Information Environment or Matrix of Control: The Contradictory Implications of Information
Technologies,” Accounting, Management and Information Technologies (1:1), pp. 9-42. Segars, A. H., and Grover, V. 1999. “Profiles of Strategic Information Systems Planning,” Information Systems Research (10:3), pp. 199-232. Shepherd, D. A., and Sutcliffe, K. M. 2011. “Inductive Top-Down Theorizing: A Source of New Theories of Organization,” Academy of
Management Review (36:2), pp. 361-380. Tiwana, A., and Keil, M. 2009. “Control in Internal and Outsourced Software Projects,” Journal of Management Information Systems (26:3),
pp. 9-44.
MIS Quarterly Vol. 43 No. 2, Appendices/June 2019 A17
Copyright of MIS Quarterly is the property of MIS Quarterly and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
prev-prof-grading/APA Template for Final Paper.pdf
Running head: THE COSO FRAMEWORK OF INTERNAL CONTROLS 1
The COSO Framework of Internal Controls
Krishna C Sanagavarapu
Department of IT, University of the Cumberlands
ITS 831: InfoTech Import in Strat Plan
Dr.Hollis
June 14th, 2020
THE COSO FRAMEWORK OF INTERNAL CONTROLS 2
The COSO Framework of Internal Controls
Introduction
The success of most organizations lies squarely on its internal control processes. Internal control
policies help with five main things. They help with the protection of assets thereby reducing the
possibility of fraud. Secondly, they help through improving efficiency in organizations. Thirdly,
they ensure compliance with statutory regulations and the law. Fourthly, they establish m
monitoring procedures. Lastly, they increase financial integrity and reliability. There is one main
framework that helps in the evaluation and testing of internal controls and processes and that is
the COSO framework. An analysis of the COSO framework and its five components will help
reveal information on how organizations can ensure that their internal controls and procedures
are good and reliable.
1. Control Environment
For organizations to succeed in having effective internal controls they must create an
environment that emphasizes the need and the value of internal controls. The control
environment is divided into two main areas and it is centered on the leadership of an
organization. The first area is the management and the management consists of the executive and
the board of directors. According to Sari et al (2018), management must prioritize and emphasize
the need for internal controls and they can do so by having in-house policies that dictate how
employees work and their relationship with other people.
The second area is the mission, desired outcomes, and the goals of an organization. The
mission of an organization dictates the policies and the actions an organization takes part in.
Organizations that have their missions matching integrity will most of the time emphasize the
implementation of internal controls and policies. The reasons for the existence of an organization
THE COSO FRAMEWORK OF INTERNAL CONTROLS 3
will dictate how an organization carries out its operations. Internal control policies that are
supported by a good control environment ensure that organizations harvest all the benefits of
having reliable internal controls.
2. Risk Assessment and Management
The COSO framework emphasizes the need for organizations to understand the risks they
face. The second component of the framework targets the weaknesses and threats of an
organization. The framework emphasizes that risk assessment, management, and evaluation
should be done. Risk assessments help organizations to identify the areas that are most likely to
expose them to losses, destruction as well as the areas likely to hamper their operations.
Through risk basement findings, management can come up with policies and procedures
geared at ensuring that organizations counter the identified risks. In addition, through risk
assessments, management can prepare organizations in the eventuality that the risks become a
reality. The second component of the COSO framework exists for the analysis of risks,
formulation of solutions against risks, and the implementation of changes and actions that
mitigate and prevent losses.
3. Control Activities
The third component of the COSO framework focuses on the control activities to limit
risk occurrence and the impact of risk in case they become a reality. The component emphasizes
the control policies and procedures in place. Special emphasis is placed on how security
measures are implemented and measures in place to ensure business continuity in case of an
incident. According to Pearlson, Saunders & Galletta (2019), the effectiveness of internal
controls is correlated to the expectations and rules of an organization. It is for that reason that the
THE COSO FRAMEWORK OF INTERNAL CONTROLS 4
third component recommends that organizations should have a proactive approach to security
activities that are aligned to organizations’ missions and goals
4. Information and Communication
How information is shared within an organization and the type of communication that an
organization has with its external relations influences an organization’s internal controls. The
COSO framework emphasizes the need for organizations to have a proper communication
channel for internal and external purposes. Having such measures will limit the risks associated
with organizational communication; information will only be shared with those it is intended for
and organizations will reduce the likelihood of trade secrets being leaked.
5. Monitoring and Review
The monitoring and reviewing component emphasizes the need for auditing to happen.
All control policies and procedures need to be checked if they are effective or not. Through
monitoring and reviewing it is possible for organizations to change, upgrade, or even do away
with some measures depending on their effectiveness (Rae, Sands & Subramaniam, 2017). The
framework emphasizes on regular monitoring and reviews to reduce the likelihood of lapses in
internal security and related controls. All five components need to be monitored and reviewed
for organizations to have efficient and reliable internal controls.
Areas of concern during an IT audit
There are five main areas that an auditor would be most concerned about during an IT audit.
First, an auditor would be concerned with the control environment and this would involve
reviewing and the department’s management and operation policies (Otero, 2018). The second
area of concern is control procedures where the emphasis will be placed on the type of control
activities and measures that are in place. The third area is detection risk assessment which
THE COSO FRAMEWORK OF INTERNAL CONTROLS 5
focuses on the detection of risks in the department. The fourth area of concern is the control risk
assessment which involves reviewing IT standards and processes. The last area of concern for an
IT audit is Personnel attitude and actions. It involves interviewing and observing employees
assess their adoption and implementation of internal controls.
Integrating the COSO framework at Citi Bank
Integrating the COSO framework for any banking institution is encouraged since
financial institutions are primary targets of fraud and related incidences. Citi bank is an example
of a financial institution that needs to integrate the COSO framework in its operations. All five
components of the framework can be easily integrated. Citi bank needs to create a controlled
environment by having its management and leadership in general call for the implementation of
internal control measures.
Secondly, the bank can have a risk assessment that details all its weak points and through
that, the management can institute measures risk occurrence. Thirdly, the bank can have in place
measures that protect it from insider trading, data leaks, and other risks that compromise on their
operations. Fourthly, the bank can limit the sharing of information to a need to know basis to
protect its trade secrets and data. Lastly, the bank can continuously monitor and review its
internal control measures and practices.
Conclusion
The COSO framework provides a guide in which organizations can secure their
operations as well as their data. The framework offers ways of securing internal controls of the
organization. The five components of the framework focus on the environment in which internal
controls operate, risk assessment, internal control activities, and monitoring of security and
THE COSO FRAMEWORK OF INTERNAL CONTROLS 6
control measures. The framework is ideal as it offers an easy guideline that can be implemented
by any organization regardless of size and nature of operation.
THE COSO FRAMEWORK OF INTERNAL CONTROLS 7
References
Otero, A. R. (2018). Information Technology Control and Audit. CRC Press.
Pearlson, K. E., Saunders, C. S., & Galletta, D. F. (2019). Managing and using information
systems: A strategic approach. John Wiley & Sons.
Rae, K., Sands, J., & Subramaniam, N. (2017). Associations among the five components within
the COSO internal control integrated framework as the underpinning of quality corporate
governance. Australasian Accounting, Business and Finance Journal, 11(1), 28-54.
Retrieved from https://ro.uow.edu.au/aabfj/vol11/iss1/3/
Sari, R., Kosala, R., Ranti, B., & Supangkat, S. H. (2018, October). COSO Framework for
Warehouse Management Internal Control Evaluation: Enabling Smart Warehouse
Systems. In 2018 International Conference on ICT for Smart Society (ICISS) (pp. 1-5).
IEEE.
prof-class-reccordings.txt
https://s3.amazonaws.com/blackboard.learn.xythos.prod/5a31b16bb2c48/7027716?response-cache-control=private%2C%20max-age%3D21600&response-content-disposition=inline%3B%20filename%2A%3DUTF-8%27%27ITS83105week7bi.mp4&response-content-type=video%2Fmp4&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20200617T000000Z&X-Amz-SignedHeaders=host&X-Amz-Expires=21600&X-Amz-Credential=AKIAIL7WQYDOOHAZJGWQ%2F20200617%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=d5a6570a950f960e31af09527b994880033d6f2d73842ecc9afaf60dcb069da1 https://s3.amazonaws.com/blackboard.learn.xythos.prod/5a31b16bb2c48/7027715?response-cache-control=private%2C%20max-age%3D21600&response-content-disposition=inline%3B%20filename%2A%3DUTF-8%27%27ITS83105chap12BI.mp4&response-content-type=video%2Fmp4&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20200617T000000Z&X-Amz-SignedHeaders=host&X-Amz-Expires=21600&X-Amz-Credential=AKIAIL7WQYDOOHAZJGWQ%2F20200617%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=c08528fb18089e12db107841e33f11611b6482f92837233561193561e46e7406 https://s3.amazonaws.com/blackboard.learn.xythos.prod/5a31b16bb2c48/6999414?response-cache-control=private%2C%20max-age%3D21600&response-content-disposition=inline%3B%20filename%2A%3DUTF-8%27%27week7both.mp4&response-content-type=video%2Fmp4&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20200617T000000Z&X-Amz-SignedHeaders=host&X-Amz-Expires=21600&X-Amz-Credential=AKIAIL7WQYDOOHAZJGWQ%2F20200617%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=0bbdd9f7143fe9b45c14190ba632808cec72688d5dfb82972044b82f47a48298
prof-reading.txt
Attached Files: File Mutual Understanding in Information Systems Development Changes within and across Projects.pdf (3.916 MB) File Employees’ collaborative use of green information systems for corporate sustainability motivation, effort and performance.pdf (1.29 MB) Chapter 11, “Managing IT Projects” pp. 246-259 Jenkin, T. A., Chan, Y. E., & Sabherwal, R. (2019). Mutual Understanding in Information Systems Development: Changes within and across Projects. MIS Quarterly, 43(2), 649–671. Retrieved from https://doi.org/10.25300/MISQ/2019/13980 Yang, Z., Sun, J., Zhang, Y., Wang, Y., & Cao, L. (2017). Employees’ collaborative use of green information systems for corporate sustainability: motivation, effort and performance. Information Technology for Development, 23(3), 486-506. Retrieved from https://doi.org/10.1080/02681102.2017.1335281
question.docx
This week's written activity is a three- part activity. You will respond to three separate prompts but prepare your paper as one research paper. Be sure to include at least one UC library source per prompt, in addition to your textbook (which means you'll have at least 4 sources cited).
Start your paper with an Abstract paragraph.
Prompt 1 "Data Warehouse Architecture" (2-3 pages): Explain the major components of a data warehouse architecture, including the various forms of data transformations needed to prepare data for a data warehouse. Also, describe in your own words current key trends in data warehousing.
Prompt 2 "Big Data" (2-3 pages): Describe your understanding of big data and give an example of how you’ve seen big data used either personally or professionally. In your view, what demands is big data placing on organizations and data management technology?
Prompt 3 “Green Computing” (2-3 pages): One of our topics in Chapter 13 surrounds IT Green Computing. The need for green computing is becoming more obvious considering the amount of power needed to drive our computers, servers, routers, switches, and data centers. Discuss ways in which organizations can make their data centers “green”. In your discussion, find an example of an organization that has already implemented IT green computing strategies successfully. Discuss that organization and share your link. You can find examples in the UC Library.
Conclude your paper with a detailed conclusion section.
Your paper should meet the following requirements:
• Be approximately seven in length, not including the required cover page and reference page.
• Follow APA6 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.
• Support your answers with the readings from the course, the course textbook, and at least three scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. The UC Library is a great place to find supplemental resources.
• Be clearly and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.
Regards,
