Managing and Using Information Systems: A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta

© Copyright 2016 John Wiley & Sons, Inc.

Chapter 9 Governance of the Information Systems Organization

Learning Objectives

Understand how governance structures define how decisions are made

Describe governance based on organization structure, decision rights, and control

Discuss examples and strategies for implementation.


Intel’s Transformation

Huge performance improvements between 2013 and 2014

Was it due to a spending increase?

Intel’s evolution

1992: Centralized IT

2003: Protect Era – lockdown (SOX & virus)

2009: Protect to Enable Era (BYOD pressure)


No, it was due to a spending decrease, not an increase.

They focused on protecting to enable, not just locking down


Intel Reached Level 3:

Developing programs and delivering services

Contributing business value

Transforming the firm

Previously: categorized problems as “business” or “IT”

Now: Integrated solutions are the only way


IT Governance

Governance (in business) is all about making decisions that

Define expectations,

Grant authority, or

Ensure performance.

Empowerment and monitoring will help align behavior with business goals.

Empowerment: granting the right to make decisions.

Monitoring: evaluating performance.


A decision right is an important organizational design variable since it indicates who in the organization has the responsibility to initiate, supply information for, approve, implement, and control various types of decisions.


IT Governance

IT governance focuses on how decision rights can be distributed differently to facilitate three possible modes of decision making:

centralized,

decentralized, or

hybrid

Organizational structure plays a major role.


Four Perspectives

Traditional – Centralized vs decentralized

Accountability and allocation of decision rights

Ecosystem

Control structures from legislation


Centralized vs. Decentralized Organizational Structures

Centralized – bring together all staff, hardware, software, data, and processing into a single location.

Decentralized – the components in the centralized structure are scattered in different locations to address local business needs.

Federalism – a hybrid of centralized and decentralized structures.


Organizational continuum


Federalism

Most companies would like to achieve the advantages of both centralization and decentralization.

Leads to federalism

Distributes power, hardware, software, data and personnel

Between a central IS group and IS in business units

A hybrid approach

Some decisions centralized; some decentralized


Federal IT


Recent Global Survey

Percent of firms reporting that they are:

Centralized: 70.6%

Decentralized: 13.5%

Federated: 12.7%


Figure 9.4 IT Accountability and Decision Rights Mismatches

| Decision Rights | Accountability: Low | Accountability: High |
|---|---|---|
| High | Technocentric Gap: Danger of overspending on IT creating an oversupply; IT assets may not be utilized to meet business demand; Business group frustration with IT group | Strategic Norm (Level 3 balance): IT is viewed as competent; IT is viewed as strategic to business |
| Low | Support Norm (Level 1 balance): Works for organizations where IT is viewed as a support function; Focus is on business efficiency | Business Gap: Cost considerations dominate IT decision; IT assets may not utilize internal competencies to meet business demand; IT group frustration with business group |


Figure 9.5 Five major categories of IT decisions.

| Category | Description | Examples of Affected IS Activities |
|---|---|---|
| IT Principles | How to determine IT assets that are needed | Participating in setting strategic direction |
| IT Architecture | How to structure IT assets | Establishing architecture and standards |
| IT Infrastructure Strategies | How to build IT assets | Managing Internet and network services; data; human resources; mobile computing |
| Business Application Needs | How to acquire, implement and maintain IT (insource or outsource) | Developing and maintaining information systems |
| IT Investment and Prioritization | How much to invest and where to invest in IT assets | Anticipating new technologies |


Political Archetypes (Weill & Ross)

Archetypes label the combinations of people who either provide information or have key IT decision rights

Business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy.

Decisions can be made at several levels in the organization (Figure 9.6).

Enterprise-wide, business unit, and region/group within a business unit.


For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and to assign responsibility for them.


Political Archetypes

Organizations vary widely in the archetypes they select

The duopoly is used by the largest portion (36%) of organizations for IT principles decisions.

IT monarchy is the most popular for IT architecture (73%) and infrastructure decisions (59%).


Figure 9.6 IT governance archetypes


There is no best arrangement for the allocation of decision rights.

The most appropriate arrangement depends on a number of factors, including the type of performance indicator.


Emergent Governance: Digital Ecosystems

Challenge a “top down” approach

Self-interested, self-organizing, autonomous sets of technologies from different sources

Firms find opportunities to exploit new technologies that were not anticipated

Good examples:

Google Maps

YouTube


Another Interesting Example

Electronic Health Record

Can connect to perhaps planned sources:

Pharmacy

Lab

Insurance Company

And can connect to unplanned sources:

Banks – for payment

Tax authority – for matching deductions

Smartphone apps – for many purposes


How to Govern in this case?

Might be difficult to impossible!

The systems might simply emerge and evolve over time

No one entity can plan these systems in their entirety


Mechanisms for Making Decisions

Policies and Standards (60% of firms)

Review board or committee

Steering committee (or governance council)

Key stakeholders

Can be at different levels:

Higher level (focus on CIO effectiveness)

Lower level (focus on details of various projects)


Summary of Three Governance Frameworks

| Governance Framework | Main Concept | Possible Best Practice |
|---|---|---|
| Centralization-Decentralization | Decisions can be made by a central authority or by autonomous individuals or groups in an organization. | A hybrid, Federal approach |
| Decision Archetypes | Specifying patterns based upon allocating decision rights and accountability. | Tailor the archetype to the situation |
| Digital Ecosystems | Members of the ecosystem contribute their strengths, giving the whole ecosystem a complete set of capabilities. | Build flexibility and adaptability into governance. |


A Fourth – Out of a Firm’s Control:

Legislation


Sarbanes-Oxley Act (SoX) (2002)

To increase regulatory visibility and accountability of public companies and their financial health

All companies subject to the SEC are subject to SoX.

CEOs and CFOs must personally certify and be accountable for their firm’s financial records and accounting.

Firms must provide real-time disclosures of any events that may affect a firm’s stock price or financial performance.

A 20-year jail term is the alternative.

IT departments play a major role in ensuring the accuracy of financial data.


IT Control and Sarbanes-Oxley

In 2004 and 2005, IT departments began to

Identify controls,

Determine design effectiveness, and

Test to validate operation of controls


IT Control and Sarbanes-Oxley

Five IT control weaknesses are repeatedly uncovered by auditors:

Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner

Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it

Inadequate review of audit logs, both to ensure that systems were running smoothly and to confirm that there was an audit log of the audit log

Failure to identify abnormal transactions in a timely manner

Lack of understanding of key system configurations


Frameworks for Implementing SoX

COSO – Committee of Sponsoring Organizations of the Treadway Commission.

Created three control objectives for management and auditors that focused on dealing with risks to internal control

Operations – maintain and improve operating effectiveness; protect the firm’s assets

Compliance – with relevant laws and regulations.

Financial reporting – in accordance with GAAP


Control Components

Five essential control components were created to make sure a company is meeting its objectives:

Control environment (culture of the firm)

Assessment of most critical risks to internal controls

Control processes that outline important processes and guidelines

Communication of those procedures

Monitoring of internal controls by management


Frameworks (continued)

COBIT (Control Objectives for Information and Related Technology)

IT governance framework that is consistent with COSO controls.

Issued in 1996 by Information Systems Audit & Control Association (ISACA)

A company must

Determine the processes/risks to be managed.

Set up control objectives and KPIs (key performance indicators)

Develop activities to reach the KPIs

Advantages – well-suited to organizations focused on risk management and mitigation, and very detailed.

Disadvantages – costly and time consuming


IS and the Implementation of SoX Compliance

The IS department and CIO are involved with the implementation of SoX.

Section 404 deals with management’s assessment of internal controls.

Six tactics that CIOs can use in working with auditors, CFOs, and CEOs (Fig. 9.9):

Knowledge building (Build a knowledge base)

Knowledge deployment (Disseminate knowledge to management.)

Innovation directive (Organize for implementing SoX)

Mobilization (Persuade players and subsidiaries to cooperate)

Standardization (Negotiate agreements, build rules)

Subsidy (Fund the costs)

A CIO’s ability to employ these various tactics depends upon his/her power (relating to the SoX implementation).


The CIO needs to acquire and manage the considerable IT resources to make SoX compliance a reality.
