Information System management

Defence control

4 Defence controls (decrease likelihood of threats) 1. General and application controls o General controls - independent of specific application § Physical controls · protection of computer facilities and resources § Access controls · management of who is and is not authorised to use company's hardware and software § Biometric controls · automated method of verifying identity based on physical characteristics o e.g. thumbprint, retinal scan, voice scan, signature § Administrative controls · deal with issuing guidelines and monitoring compliance with guidelines § Endpoint security and control · endpoints = unencrypted portable storage devices o business data carried on thumb drives, smartphones and removable memory cards o Application controls - safeguards within specific application § include intelligent agents (softbots/knowbots) · highly adaptive applications · applications have some degree of reactivity, autonomy and adaptability o needed in unpredictable attack situation 2. Network security o 3 layers of defences § First layer: Perimeter security · to control access to network · e.g. antivirus and firewalls § Second layer: Authentication · verify the identity of the person requesting access to the network · e.g. username and password § Third layer: Authorisation · control what authenticated users can do once they have access to the network · e.g. permissions and directories o Questions to authenticate person § Who are you? · employee/customer? · different levels of authentication for different types of people § Where are you? · e.g. more risk employee logging on from remote site · e.g. less risk if employee already use badge to access building and log in to site § What do you want? · accessing sensitive/proprietary/benign data? o Wireless security challenges (vulnerabilities) § Radio frequency bands · easy to scan § Signals · spread over wide range of frequencies § Service Set Identifiers (SSID) · broadcast multiple times and are easily picked up § Rogue access points · can be established on different radio channels and divert signals from authentic points § Wired Equivalent Privacy (WEP) · not effective = relies on user input 3. External Control o legal and regulatory procedures that organisation must comply o control is from industry level and government level o In US: § HIPAA · protects medical and healthcare data § Gramm-Leach-Bliley Act · security and confidentiality of customer data in financial org § Sarbanes-Oxley (SOX) Act · org to safeguard accuracy and integrity of financial information used internally and released externally o In UK: § Data Protection Act o In Japan: § Federal Privacy Act o In Credit Card Industry: § Payment Card Industry Data Security Standard (PCI) o In Singapore § Personal Data Protection Act · data protection on private org when they perform activities involving collection, use and disclosure of personal data 4. Internal control activities o control is within organisational level o process designed to achieve § reliable financial reporting § operational efficiency § compliance with laws, regulations and policies § safeguard assets o 5 primary internal control activities § segregation of duties and dual custody § independent checks § appropriate systems of authorisation § physical safeguards § audit trails o Fraud symptoms detected § missing documents § delayed bank deposits § numerous outstanding checks or bills § employee who do not take vacations § large drop in profits § major increase in business with one particular customer § customers complaining about double billing § repeated duplicate payments § employees with the same address or phone number as a vendor o controls monitored to send out message to employees that org is keeping track of their activity

Why is IS a complex task? IS value Business process Task Process

complex task 1. Expensive to acquire operate, and maintain 2. Computing resources are located throughout the organisation and require collaboration between MIS and functional departments 3. IS have significant strategic value to organisation and even nations IS value - determined by the r/s among ISs, people & business processes - influenced by organisational culture (high profits, low costs) Business process - the logically related tasks & behaviours that organisations develop over time to produce a specific business results & the unique manner these activities are organised & coordinated (an asset, a trade secret) = manage resources of business Task - smallest unit of work & management accountability that is not split into more detailed steps - can be automated, semi-automated, or manually done Process - cut across functional departments - has inputs and outputs that are manageable

Dashboard

software tool that provide easy-to-use access to enterprise data and help senior management track business performance and optimise decision making visual displays of information for monitoring the organisation's performance consolidates and displays organisational information in an easily readable form so that management can monitor performance. It is a single view of the status of a variety of metrics. Capabilities - Drill down o able to go to details at several levels o e.g. series of menus/click on drillable portion of screen - Critical success factors (CSFs) o the factors most critical for the success of business o organisational, industry, departmental or for individual workers - Key performance indicators (KPIs) o specific measures of CSFs) - Status access o latest data available on KPIs or some other metric often in real time - Trend Analysis o short-term, medium-term and long-term trend of KPIs o OR metrics which are projected using forecasting methods - Exception reporting o reports that highlight deviations larger than certain thresholds o reports may include deviations Characteristics of well-designed - use visual components to highlight at a glance, the data and exceptions that require action o e.g. charts, performance, bars, spark lines, gauges, meters, stoplights - transparent to the user, meaning that it requires minimal training and is extremely easy to use - combines data from a variety of systems into a single summarised, unified view of the business - enables drill-down or drill-through to underlying data sources or reports - presents dynamic, real-world view with timely data updates - requires little, if any, customised coding to implement deploy and maintain Performance dashboard - translates organisation's strategy into objectives, metrics, initiatives and tasks customised to each group and individual in the organisation - a performance management system - communicates strategic objectives - enables business people to measure, monitor and manage key activities and processes needed to achieve their goals - 3 main sets of functionalities o Monitor § critical business processes and activities using metrics of business performance that trigger alerts when potential problems arise o Analyse § root cause of problems by exploring relevant and timely information from multiple perspectives and at various levels of detail o Manage § people and processes to improve decisions, optimise performance and steer the organisation in the right direction - Levels of layer o Simplest layer § contains graphical data with colourful icons that warn users when certain metrics exceed thresholds o Middle layer § dimensional data, which users can navigate by subject or hierarchy, performing what-if analyses or applying complex algorithms o Most-detailed layer § stored in data warehouses · e.g. transaction data, invoices § accessed by user when they need to understand what is causing the problem - 3 types o Operational dashboards § enable front-line workers to view up-to-date information to manage and control operational processes · e.g. is there enough inventory to fulfil all outstanding orders of...? o Tactical dashboards § used to monitor and manage the performance of processes of departments or specific projects · e.g. what are the monthly inventory and sales trends for all sizes of...? o Strategic dashboards § helps executives monitor the execution of strategic objectives § help to communicate strategy and review performance · e.g. what other products could be complementary to the existing ... product mix? · e.g. what developments may cause an overall increase or decrease in demand for ...?

Impact of IS in business world

- Globalisation = shrinking of the world due to increased communication - Digital system speed - Digitisation - Fraud - Wars - Markets = moving online

4 kinds of structural changes allowed by IT 4. Paradigm shift

- new technology is introduced and it creates radical change in nature of business and business model - e.g. Spotify, Redmart, apple watch

4 frameworks for competitive advantage

1. Generic strategies 2. Value chain 3. Five forces of industry competition 4. Strategic resources and capabilities

7 methods for evaluating and justifying IT investments

1. Financial Approaches - Measure value of investing in long-term capital investment projects - Consider only financial impact of the system - Rely on measures firm's o cash outflows § expenses o cash inflows § increased sales and reduced costs Approaches - Return on Investment (ROI) o calculated by dividing net annual income gained by the project cost of assets invested in project o rate of return >= marketplace cost of capital o ROI = - Net present value (NPV) o amount of money investment is worth o accounts cost, benefits and time value of money o NPV > 0 = worth investing in - Internal rate of return (IRR) o discount rate the produces NPV zero - Payback method o calculates time required for net cash outflows equal to net cash inflows o good for high-risk projects where useful life is difficult to know o BUT it ignores § time value of money § cash flow after payback period § disposal value § profitability of the investment Limitations - do not account social and organisational dimensions that affect costs and benefits - do not express risks and uncertainty of own costs and benefits estimates - cost and benefits do not occur in the same time frame - inflation affect costs and benefits differently - intangible benefits difficult to qualify 2. Multi-criteria approaches - Consider both financial impact and non-financial impact - Used to evaluate alternative system projects, especially when many criteria exists - Assigns weights to various features of system and calculate total weight 3. Ratio Approaches - ratio analysis Criteria - compare previous year spending and adjust by percentage - OR - compare company's spending with industry sector spending 4. Portfolio Approaches - apply portfolios to plot several investment proposals against decision making criteria - evaluate alternative system projects Based on inventory of all information systems projects and assets, including infrastructure, outsourcing contracts and licenses Each system profile risk and benefit - high benefit, low risk - high benefit, high risk - low benefit, low risk - low benefit, high risk Improve return on portfolio - balance risk and return from systems investments Business Project Portfolio - create an internet portfolio planning matrix based on o company fit § alignment with core competencies § alignment with other company initiatives § fit with organisational structure § fit with company's culture and values § ease of technical implementation o project's viability § market value potential § time to positive cash flow § personnel requirements § funding requirement Decision making - criteria are scored (1 - 100) and the average is plotted on internet portfolio matrix - if viability and fit both low o don't proceed - if both high o adopt - if fit high but viability low o project re-design - if fit low and viability high o sell project 5. Total cost of ownership - used to identify costs of technology assets over entire project life-cycle - consider costs of o people o technology o processes o acquisition o operation o control 6. Total benefit of ownership - similar to total cost of ownership - BUT considers o benefits § tangible and intangible benefits 7. Business case approach Business case - written document that is used by managers to garner funding for one or more specific applications or projects - emphasises o justification of specific required investments o BUT also provides bridge between initial IT plan and its execution - purpose o get approval and funding o provide the foundation for tactical decision making and decision risk management - conducted in existing organisation that want to embark on new IT projects - helps clarify how organisation will use its resources the best way to accomplish the IT strategy Business case Template - Project description o objectives § new initiative, major enhancement/upgrade, application replacement, ongoing initiative - Business Need/Problem o need/problem driving the proposed project o identification of the customers and anticipated consumers of the project's product - Proposed Solution o describe product that will resolve need/problem o describe how project is consistent with organisation strategic plan - Cost Benefit Analysis o Anticipated Benefits § tangible and intangible benefits o Cost estimate § include any special sources for funding o Cost/Benefit Analysis § costs for identified benefits § include quantitative analysis - Project Risks o identify risks o solutions to risks

How do you know if implementation of IS is successful

1. high level system use 2. user satisfaction with system 3. objectives achieved 4. financial payoff (costs>expense)

Outsourcing - advantages - disadvantages - risks

Advantages - cost saving - focus on core competencies - access to expertise and new IT - reduced staffing levels - strict service level agreements Disadvantages - loss control over IT - loss of knowledge and skills - difficult relationship with 3rd parties - contractual difficulties - hidden costs - loss control over data - *risks* Risks 1. Shirking - vendor deliberately underperforms when receive full payment - e.g. provide excellent staff a t first then replacing them with under qualified ones 2. Poaching - vendor develops strategic application for client and uses it for other clients 3. Opportunistic repricing - long-term contract: vendor changes financial terms/overcharges for unanticipated enhancements and contract extensions 4. Vendor inability to delivery 5. Vendor Lock-in 6. Loss control over data 7. Breach of contract 8. Loss of employee morale

Computer Forensics

Computer forensics - the search discovery and recover of e-evidence - computer fraud o involves computer and money - E-evidence o refers to any document, file, etc. which may be used to prove or disprove a case - e.g. forensic accounting investigation conducted for fraudulent financial reporting

Ethical Analysis Steps

Steps for analysis 1. Identify and describe the facts clearly - who did what to whom, where, when and how 2. Define the conflict and identify the higher-order values involved - dilemma = 2 opposing parties support worthwhile causes - e.g. freedom, privacy, protection of property, and free enterprise system 3. Identify stakeholders - those who have interest on outcome and what they want - useful when designing solution 4. Identify options that you can reasonably take Identify potential consequences of your options

TAM - other variables

Technology acceptance model - acceptance to technology is based on - perceived ease-of-use (PEOU) - and perceived usefulness of technology (PU) PEOU = extent of belief that using IT = free of effort PU = extent of belief that IT will improve job performance other variables - Prior experience (past experience) - organisational support (encouragement and resource support) - Task structure (extent task is non-routing and valid) - Anxiety (uneasiness/apprehension towards tech) - system quality (functionality, performance and interactivity)

Vulnerability of IS - areas Risk

Vulnerability - weakness of an asset that can be exploited by one or more attackers o e.g. team member resigns and forgot to disable their access to external accounts, change logins, remove their name on company credit cards = business open to intentional and unintentional threats - Areas IS vulnerable from o accessibility of networks o Hardware problems § breakdowns § configuration errors § damage from improper use o Software problems § programming errors § installation errors § unauthorised changes o Disasters § power failures § flood § fires o Use of networks/computers outside of firm's control § domestic or offshore vendors o Loss and theft of portable devices Risk - potential for loss or damage when threats exploit a vulnerability o e.g. financial losses due to business disruption o loss of privacy, reputational damage, legal implications, loss of life Risk = Threat x Vulnerability

Supply chain management - definition - 4 goals

defintion - efficient management of supply chain end-to-end processes (start: from design of product/service end: when it is sold, consumed/used by end consumer) - uses SCM software goals - reduce uncertainty and risks along supply chain - improve collaboration - improve business process and customer service - increase profitability and competitiveness

Advances in technology raising ethical trends

(Double Mob RAN) 1. Doubling of computing power - more companies depend on computer systems = higher demand for critical operations o hacking? access & authorisation to these critical operations 2. Rapid decline in data storage costs - organisations can easily maintain detailed databases on individuals o extra information on biometric, computer usage footprint stored = question on privacy 3. Networking advances & the Internet - copying data from one location to another & accessing personal data from remote locations are much easier o hacking? authorisation 4. Advances in data analysis techniques - profiling combining data from multiple sources to create dossiers of detailed information on individuals o Non-obvious relationship awareness (NORA) combining data from multiple sources to find obscure hidden connections that might help identify criminals or terrorists § what about ex-convicts looking for jobs? Do they lose their chance to build a new life with new jobs? 5. Mobile device growth - tracking of individual cell phones without user consent or knowledge

Factors that affect success and failure of implementation

(PUEMS) 1. project size - larger the project, the greater the risk of failure 2. project structure - highly structured = more clear and straightforward = users know what they need 3. experience with technology - higher the experience = lower the risk of failure 4. levels of user involvement - higher = reduce resistance to change 5. management support - sufficient funding and resources = system enforced properly in organisation

Strategy/Approach to manage End users

- Let them sink or swim o don't do anything o let the end-user beware § (-ve) affect organisation performance § e.g. use company issued devices for both personal and business issue · (-ve) security and support problems - Use the stick o establish and try to enforce policies and procedures to control end-user computing o minimises corporate risks § (-ve) affect user work effectiveness/ privacy issues - Use the carrot o create incentives to encourage certain end-user practices o reduce organisational risks - Offer support o develop services to aid end users in their computing activity

Methods of Attack

- Spyware o small program install themselves on computer to monitor Web surfing activity - Viruses o rogue program attaches itself to other programs or data files - Spoofing o redirecting web-link to address different from intended one o site masquerade as intended destination - Denial-of-service attacks (DoS) o flooding server with thousands of false requests to crash the network - Distributed denial-of-service attacks (DDoS) o use of numerous computers to launch a DoS o Botnets § a collection of bots (computers infected by software robots) § infected computers = zombies § can be controlled and organised into a network of zombies on the command of a remote bot master (aka bot herder) § expose infected computers as well as other network computers to other threats: · Spyware o zombies commanded to monitor and steal personal or financial data · Adware o zombies commanded to download, and display advertisements/visit a specific web site o result to DOS/DDOS · Spam o junk email - sent by zombies · Phishing o zombies seek out weak servers to host a phishing website o looks like legitimate website = trick users to input confidential data - Phishing o set up fake web site/send email message that look like legitimate businesses to ask users for confidential personal data - social engineering o tricking user into revealing passwords by pretending to be legitimate members of company in need of information - Internal threats: Employees o security threat originate inside organisation o inside knowledge o social engineering § tricking user into revealing passwords by pretending to be legitimate members of company in need of information o user lack of knowledge = greatest cause of network security breaches o forget passwords o allow co-workers to use them o enter faulty data o not follow instructions o software errors in design and development - Cyberwarfare and Cyber terrorism o use of technological force within computer networks where information is stored, shared or communicated online o aka cyber-crime o violent acts that result in or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation o large-scale disruption of computer networks - Computer crime o any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation or prosecution o computer may be § target of crime · e.g. breaching confidentiality of protected computerised data · e.g. accessing a computer system without authority § instrument of crime · e.g. theft of trade secret · e.g. using email for threats or harassment

IS planning Strategy Difficulties of IT planning

- Top down IS planning - Bottom up IS planning Difficulties of IT planning - time consuming - resource intensive - argument: time plan complete, technology has evolved & plan is obsolete - getting correct personnel involved - difficult to align business & IT goals - changing requirement - lack of clear objectives - costly - difficulty in specifying processes correctly - difficulty in engaging key players with initiative - lack of leadership - lack of cross country/departmental co-operation - lack of knowledge on cultural differences

4 kinds of structural changes allowed by IT 3. Business process redesign/re-engineering - steps - key success factors - problems in re-engineering - Venkatraman Model - Examples

- analyse, simplify & redesign business processes = remove unnecessary non-value added process - describes how organisations achieve radical improvements over a short period of time steps 1. Identify process for change - understand what business process needs improvement identify business vision & process improvement objectives 2. Analyse existing processes - understand & measure performance of existing processes - as baseline - include inputs, outputs, resources & activity sequence select process for improvement 3. Design the new process - improve process by designing a new one - documented & modelled for comparison with old one understand & measure existing processes 4. Implement the new process - translate new process to new procedures & work rules re-design the process 5. Continuous measurements - continually measured o might deteriorate over time as employees fall back to old methods o business experiences other changes manage the implications of the process re-design Key success factors - effective use of teams - commitment of appropriate time & resources - clear understanding of the scope & goals of the initiative - strong communications program to keep people up to speed on the initiative - realistic planning and schedules effective training and education Problems in re-engineering § resistance to change § gaining cross-functional co-operation § inadequate work place skills § sustaining top management support § poor project leadership high staff turnover Venkatraman Model Level 1: Local exploitation - manual tasks are automated, internal efficiency increases - systems not linked in any way - e.g. automation of payrolls, personnel records, accounts Level 2: Internal integration - linking of IT systems in diff parts of the organisation - e.g. accounts + customer records + stock control Level 3: Business process redesign - process innovation - step back from process - consider overall business objective - then introduce creative/radical changes achieve order of magnitude of improvements in the way that objectives are achieved Level 4: Business network redesign - extend boundaries of process redesign to include external entities - e.g. suppliers/customers - radical change in relationships between org induced use of IT - e.g. altered terms & conditions of contracts Level 5: Business scope redefinition - come up with entirely new product rather than using IT to support or enhance an existing product - organisation moves into new markets at this level - e.g. American Airlines & their SABRE system Example 1 Tan Tock Seng Hospital (TTSH) Outpatient Pharmacy Automation System (OPAS) Before BPR § manual task § labour costs § patients wait for 20 minutes § staff pick up and packing, little time to counsel patients § low accuracy After BPR § OPAS automated manual process § OPAS reads prescription & simultaneously picks & packs medication § accuracy 99.9% § staff focused more on counselling and educating patients on medicine Example 2 Ford Ford Accounts Payable Before BPR § 500 man power to match purchase order, receive documents, invoice and issue payment § slow § cumbersome (inefficient) low accuracy in matching After BPR § re-engineer procurement § 75% less labour § eliminate invoice § matching computerised accuracy improved (higher accuracy)

4 kinds of structural changes allowed by IT 2. Rationalisation - procedures

- follows early automation - automation reveals existing bottlenecks that make procedures cumbersome - removal of bottlenecks 2 procedures A. TQM - management strategy to aim awareness on importance of quality throughout organisation 4 sequential categories 1. plan change to process - predict effect of change - plan how effects will be measured 2. Do implement changes - on small scale - measure effects 3. check results - learn effect 4. adopt change - permanent modification or abandon change (go back to 1.) B. Six sigma - structure methodology for quality improvement and control - prevent: impact on customers and cost money 2 methodologies 1. DMAIC - define, measure, analyse, improve, control (use when process need to be improved) 2. DMADV - define, measure, analyse, design, verify (use when process needs to be invented)

3 Back end process in supply chain 3. Inventory management - Bullwhip effect

- major challenge - need to decide size of inventory o too much = expensive o too little = run out of inventory § lose opportunities for manufacture and sale Bullwhip effect - erratic shifts in orders up and down the supply chain - occurs when companies significantly cut or add inventories - caused by (factors) o poor demand forecasting o price fluctuation o order batching o rationing within chain - bullwhip because o slightest demand uncertainties and variability become magnified § if each distinct identity makes ordering and inventory decisions with respect to its own interest o slightest increase in demand can cause big increase in the need for parts and materials further down the supply chain - consequence = distorted information o can lead to § inefficiencies § excessive inventories § poor customer service § lost revenues § ineffective shipments § misused production schedules - solution o sharing information along supply chain via EDI, extranets and technologies § e.g. employing vendor-managed inventory strategy · vendor monitors inventory levels and when it falls below threshold for each product automatically trigger an immediate shipment o collaborative fulfilment network and e-procurement § e.g. Just-in-time technique by Walmart o pricing strategies and policies § eliminate incentives that cause customers to delay orders · e.g. volume transportation discounts § address causes of order cancellations offer fair prices = prevent buying surges triggered by temporary promotional discounts

Business process management - effects if succeed Business process modelling

- provides methodologies and tools necessary to be successful - more focused on continual improvements to business process & using processes as building blocks in IS · if well implemented: (VisCosServGrowRoot) - greater visibility into processes - cut costs - improve service - achieve growth - identify root causes of bottlenecks within process - pinpoint time & conditions when data from a process is transferred to other processes - comply with regulations Business Process Modelling (BPM) - provides a map of the processes within an org and shows how a system will work after it is built - 3 categories of tools: § Documenting & monitoring - identify inefficiencies - identify trouble spots § Automating - automate some parts of business process - enforce business rules § Integrating - integrate existing systems - support process improvements

Business Continuity Planning (Disaster recovery planning)

- purpose o keep the business running after a disaster o each function in the business should have a valid recovery capability plan - part of asset protection o identify and protect assets within sphere of functional control - planning focus first on recovery from a total loss of all capabilities - proof of capability involves what-if (scenario) analysis that shows that the recovery plan is current - all critical applications must be identified, and their recovery procedures addressed in the plan - plan should be written = effective, not only to satisfy auditors - kept in safe place = copies given to all key managers/ available in intranet - audited periodically - structure o introduction and index o definition of computer disaster o assumptions o disaster exclusions o inventories o emergency budgets o invocation o logistics o maintenance and testing appendices

4 kinds of structural changes allowed by IT 1. Automation

- replace manual tasks - efficient & effective use of IT to assist employees to do tasks

Collaborative supply chain - advantage - formats

- solution to solve supply chain problems - improve demand forecast by sharing information along supply chain - enable goods to move smoothly and on time from supplier to manufacturer to distributors to customers - keeps inventories low and cost low Formats 1. Collaborative planning § synchronise production, distribution plans and product flows § optimise resource utilisation over expanded capacity base § increase customer responsiveness § reduce inventories 2. Vendor-managed inventory (VMI) § vendor (distributor) manages the inventories for the manufacturer or buyer § reduces warehousing cost for suppliers § requires extensive information sharing · vendor = maintain high visibility of goods at customer's location = can replenish and restock · vendor = lock-in customer = steady income flow = reduce customer to switching suppliers · customer = no need to reorder at last minute and operations not interrupted

Strategies for outsourcing

- to balance costs saved from outsourcing, loss of control, expertise and knowledge in organisation 3 decisions 1. determine what to outsource - what is truly strategic and should be kept in-house - aim of the project - outsource only a part of the function 2. negotiate contract based on - SLA - time-scales - copyright issues - staffing issues - termination of contract arrangements - short term contracts to "get out" from rapidly changing tech 3. manage the relationship with vendor - vendor = partner? or primarily contractual? - increase number of contractors

Business Intelligence - statistical methods

- transformation of large amount of raw data into meaningful and useful information to improve decision making 4 Statistical methods - Decisive Analytics o supports human decisions with visual analytics - Descriptive Analytics o insight form historical data with reporting, scorecards, etc. - Predictive Analytics o machine learning techniques and data mining - Prescriptive Analytics make predictions and suggest decision options

4 kinds of structural changes allowed by IT

1. Automation 2. Rationalisation 3. Business process redesign/ Business process re-engineering (BPR) 4. Paradigm shift

4 frameworks for competitive advantage 1. Generic strategies

1. Cost leadership - Lower cost in producing goods/services than competition o e.g. Walmart's customer response system Walmart · Low pricing strategy = build and maintain customer trust · Low labour cost via effective employee partnership and work flexibility · Support small business owners = sell general merchandise in bulks · Purchase all the goods right from suppliers = no 3rd party · Minimise inventory level via JIT activities · Use private truck to distribution centres · IS involvement § E-marketing tools to reach customers on promotions § Crowd sourcing to gather info of lower cost than traditional methods § Extensive RFID in SCM o Identify & track products from arrival at warehouse till sold o Reader @ checkout = read purchase & send info to Retail Link System o Info passed to suppliers, accounting info system, CRM, etc. 2. Differentiation - Product/service distinct from competition by giving it some special feature/enhancement o e.g. google, Nike, Apple 3. Niche - Identification of a niche in the market and the tailoring of existing/ development of new products that fit that niche o e.g. Hilton Hotel's OnQ system 4. Further generic strategies (I-CAGE) - Growth o Increase market share o Attract more customers/sell more products e.g. electronic auctions - Alliance o Collaboration with business partners via joint ventures. Alliances, partnership, et.c. o Able to focus on core competencies o Involve organisations' suppliers/ number of organisations in the allieance o E.g. Star alliance - Innovation o Similar to differentiation = introduction of new products/services but impact more dramatic o New/different = changes the nature of the industry o E.g. Citibank's ATMs, Apple Watch - Entry Barriers o Difficult for other organisations to enter own market space by introducing innovative products'/services o E.g. Cisco's dynamic configuration tool, Google search tool - Customer relations o Focus on customer needs, satisfaction = for successful business o Strong linkages with customers = create switching costs (if customer goes elsewhere for their product/service) = encourage customer loyalty o E.g. Amazon

4 frameworks for competitive advantage 4. Strategic resources and capabilities

1. Cost leadership - product/service lowest in industry 2. Differentiation - offer different products, services/product features 3. Niche - narrow scope segment (market niche) & be the best in quality, speed/ cost in that segment 4. Growth - increase market share, acquire more customers/sell more types of products 5. Alliance - work with business partners in partnerships, alliances, joint ventures/virtual companies 6. Innovation - new products/services introduced; new features on existing products/services; develop new ways to produce products/services 7. Operation effectiveness - improve manner in which internal business processes are executed so that the firm performs similar activities better than rivals 8. Customer orientation - concentrate on customer satisfaction 9. Time - teat time as a resource, then manage it & use it to firm's advantage 10. Entry barriers - create barriers to entry. By introducing innovative products/ using IT to provide exceptional service, companies can create entry barriers to discourage new entrants 11. Customer/ supplier lock in - encourage customers/ suppliers to stay with you rather than going to competitors. Reduce customers' bargaining power by locking them in 12. Increase switching costs - discourage customers/suppliers from going to competitors for economic reason

Policies and procedures for security - steps - CSO

1. Ensure senior management support § senior managers' influence · need to implement, maintain security, ethical standards, privacy practices and internal control 2. Define security policies and provide training § provide training · ensure everyone is aware and understands the security policies = more secured 3. Introduce and enforce security procedures § security polices = useless if user's activities not monitored for compliance § perfect security costly = incorporate risk management = calculate proper level of protection 4. Put the appropriate hardware and software in place § implement software and hardware = support and enforce security policies Chief security Officer - help to ensure firm maximises the protection of information resources - tools o Security policy § principle document that determines security goals and how they will be achieved o Acceptable use policy (AUP) § outlines acceptable and unacceptable uses of hardware and telecommunications equipment; specifies consequences for non-compliance o Authorisation policy § Determines what access users may have to information resources o Identity management system § manages access to each part of the information system

3 Outsourcing decisions

1. Full vs Selective model 2. Single vs Multiple vendors A. Single --> simpler but higher risks = all eggs in one basket B. Multiple --> distribute work to "best in breed" --> more coordination --> tend to point fingers when problems occur 3. Outsourcing vs Offshore Outsourcing A. Outsourcing - contracting work to be done by 3rd party vendor B. Offshore outsourcing - outsource with vendor in another country - 6 considerations 1. data/security protection 2. loss of business knowledge 3. government oversight/regulation 4. difference in culture 5. turnover of key personnel 6. knowledge transfer - do not offshore when 1. work is not routine work 2. client company will lose too much control over critical operations 3. high risk on data security, data privacy/intellectual property and proprietary information 4. business activities rely on uncommon combination of specific application domain knowledge and IT knowledge in order to work properly

Business drivers that influence investment on IS

1. Market pressures i. Global economy and strong competition a. Telecomm/n and Internet shape global economy = open new market opportunities & outsourcing of operation from areas with cheaper labour ii. Need for real time operations a. Require to be an agile organisation = quick response & decision making needed to keep pace with fast changing business landscape iii. Changing nature of the workforce a. Increased diversity of workforce, increased worker knowledge, increased teleworkers iv. Powerful customers a. With increasing choice and competition = customers are now better informed and more demanding 2. Technological pressures i. Technological innovation & obsolescence a. Replace existing technologies = new/improved tech give opportunities for differentiated products and services ii. Information overload a. Invest in tech to handle Increasing amt of info 3. Social pressures i. Social responsibility a. Responsible roles in wider environment issues e.g. control pollution & care for environment ii. Compliance with government regulation a. e.g. laws on privacy and data protection iii. Security a. Terrorist attacks and protection · IS allow - identification of potential sources of attacks & provide protection b. Homeland Security · Governments share info = allow identify potential cross-border threats and protection of country

3 Back end process in supply chain

1. Order Fulfilment 2. Logistics 3. Inventory Management

Key components to take note when developing IS

1. Purpose of the plan - current business organisation & future organisation, key business processes, management strategy 2. Strategic Business Plan Rationale - current situation, current business organisation, changing environment, major goals of the business plan, firm's strategic plan 3. Current Systems - major systems supporting business functions & processes, current IT infrastructure capabilities, difficulties meeting business requirements, anticipated future demands 4. New Developments - new IS projects, new infrastructure, capabilities required 5. Management Strategy - acquisition plans, milestones & timing, organisation realignment, internal reorganisation, management controls, major training initiatives, personnel strategy 6. Implementation Plan - anticipated difficulties in implementation, progress reports 7. Budget Requirements - resource requirements, potential savings, financing, acquisition cycle

4 frameworks for competitive advantage 3. Five forces of industry competition - apply generic strategies

1. Threat of entry of new competitors - Can easily jump into your markets & lure customers away with cheaper/ better products & services 2. Bargaining power of suppliers - Number of suppliers determine ease/difficulty of business in controlling your supply chain (little number of suppliers = little control) 3. Bargaining power of customers - Customers more informed = able to jump to competitors, new market entrants/substitute products 4. Threat of substitute products/services - Customers willing to try cheaper & higher quality substitute products & services 5. Rivalry among existing firms - Rival always create new products & services to try to steal your customers Apply generic strategies ------------------ Cost leadership ------------------ Entry Barriers (prevent threat of entry of new competitors) - Able to decrease price in retaliation to deter Buyer power (to keep customers = realise their power) - Able to decrease price to powerful buyers Supplier power (to keep control) - Insulated from powerful suppliers Threat of substitutes - Use low price to defend against substitutes Rivalry - Able to compete on price ------------------ Differentiation ------------------ Entry Barriers - Customer loyalty discourage Buyer power - Buyers has less power to negotiate due to few close alternatives Supplier power - Able to pass on supplier price increases to customers Threats of subs - Customers attached to differentiating attributes, reduce threat of subs Rivalry - Brand loyalty to keep customers from rivals ------------------ Focus ------------------ Entry Barriers - Focusing develops core competencies Buyer power - Buyers has less power to negotiate due to few alternatives Supplier power - Supplier has power because of low volumes, but a differentiation-focused firm is able to pass on supplier price increases to customers Threats of subs - Specialised products and core competency protect against subs Rivalry - Rivals cannot meet differentiation-focused customer needs

Types of threats

3 types of threats 1. Natural threats o e.g. floods, tornado 2. Unintentional threats (Sources of Attacks) o Human error (most prevalent) § occur in the design of hardware of IS § can also occur in programming, testing or data entry § untrained or unaware responding to phishing/ignore security procedures · e.g. not changing default passwords on firewalls · e.g. fail to manage patches = create security holes o patches § small pieces of repair flaws § exploits created faster than patches released and implemented · e.g. employee accidentally accessed wrong information o Computer system failures § result of poor manufacturing § defective materials § poorly maintained networks § lack of experience to inadequate testing § ALSO · Commercial software contain flaws = open networks to intruders o Environment hazard § volcanoes, earthquakes, blizzards, floods, fires (most common), explosions § result is that computer resources can be damaged § disrupt normal computer operations = long waiting periods and exorbitant costs while programs and data files are recreated 3. Intentional threats o theft of data, hacking, cybercrimes, crackers, social engineering, deliberate manipulation handling (manipulate inputs), processing, transferring o e.g. spyware, malware, worms, viruses o Types of attack § Attack on computer facilities · e.g. data tampering, programming attacks, viruses, worms, botnets § Fraud · involves 3 elements o deception o confidence o trickery § Computer crimes · identity fraud · hardware theft

Defence Strategy

6 Defence strategy 1. Prevention and deterrence o properly designed control § may prevent errors from occurring § deter criminals from attacking system § deny access to unauthorised people 2. Detection o the earlier the attack is detected = the easier to combat it = the less damage done o use diagnostic software = minimal cost 3. Containment (contain the damage)/Damage control (limitation of damage) o minimise or limit losses once malfunction has occurred § e.g. fault-tolerant system permitting operation in degraded mode until full recovery made = cheaper recovery 4. Recovery o recovery plan explains how to fix a damaged information system as quickly as possible o Replace NOT repair = fast recovery 5. Correction o correcting causes of damaged system = prevent problem from occurring again 6. Awareness and compliance o all organisation members must be educated about the hazards and must comply with security rules and regulations

Role of IS in digital economy - areas affected by IS - digital economy Advantages of Digital economy

Areas that are affected by IS: 1. International level · nations use IS to compete in the international arena 2. Industry level · industries restructured due to IS capabilities 3. Organisational level · support operational, management and strategic levels decision making 4. Inter-organisational level · evolution of organisation interaction with one another 5. Personal level · evolution in day-to-day and professional lives due to IT 6. Interpersonal level · evolution of interpersonal interaction and communication Digital Economy · economy based on digital technologies and because of IT, its members are better informed and able to communicate · Emphasizes convergence of computing and telecommunication via Internet and resulting flow of information stimulates e-commerce, online transactions, and organisational changes Advantages of digital economy (FEADS) · Significant r/s with customers, suppliers, and employees are digitally enabled and mediated · Accomplish core business via digital networks all over the entire organisation or linking multiple organisation · Digital management of Key corporate assets - intellectual property, core competencies, & financial and human assets · Faster sense & response to their environments than traditional firms · Offer global organisation more flexibility and management, via time-shifting and space shifting

Auditing - importance - types - example Auditor - types

Auditing --------------------- importance § ensures that the systems perform to their specification § ensures procedures are conformed with 2 types § operational audit · determines where IS department working properly § compliance unit · determines whether controls have been implemented properly and are adequate Examples § e.g. MIS audit · examines firm's overall security environment as well as controls governing individual information systems · examine data quality · auditor trace the flow of sample transactions through the system and perform tests, using automated audit software § e.g. security audit · simulate attack or disaster to test response of technology, information staff and business employees · ranks control weaknesses · estimate probability of their occurrence · assess financial and organisational impact of each threat --------------------- Auditor --------------------- § ensure that correct processing takes place on an on-going basis § ensure that problems are dealt with correctly § ensure that controls in system are · sufficient · effective § ensure that responsibilities are clearly identified and documented § ensure audit is continuous and cover automated and manual processes 2 Types of auditor § internal auditor · corporate employee · not a member of ISD § external auditor · corporate outsider · reviews finding of internal audit

BPM vs BI

BPM - much broader scope that is focused on the entire enterprise - includes business process that leverages BI - timely data that provides support for operational decision making in addition to strategic and tactical decision making - solutions more proactive in helping organisations improve their ongoing business operations and processes - an outgrowth of BI and incorporates many of its technologies, application and techniques BPM = BI + Planning ( unified solution) - relies on analysis reporting, queries, dashboards and scorecards BI - provides IT infrastructure and applications required to implement BPM - support strategic and tactical decision making - solutions are more reactive as it facilitates decision making based on archived data - BI crucial element of BPM - evolved from reporting and predicting

Business performance management - define - advantage - examples - process

BPM - refers to business processes, methodologies, metrics and technologies used by enterprises to measure, monitor and manage business performance +ve - alerts managers to potential opportunities, impending problems and threats and them empowers them to react through models and collaboration - examples: Balanced Scorecard and Dashboard Process 1. Formulate business strategy > Strategize and Plan - define what needs to be measured, when and how - devise metrics for measuring performance Strategize - where do we want to go? - strategy include: o strategic objective § statement of general course of action of targeted directions for an organisation o strategic goal § quantified objective with a designated time period o strategic vision § image of what the organisation should look like in future o critical success factors (CSF) § factors that organisation need to do to be successful - strategy importance o evaluate alternative courses to action o determine how to allocate resources o to guide actions o to determine which opportunities are succeeding or failing Plan - How do we get there? - operation plan o translate strategic objectives and goals to defined tactics, initiatives, resources requirements and expected results for some future time period (usually a year) - Financial planning and budgeting o resource allocations aligned with organisation's strategic objectives and tactics to achieve strategic success 2. Modify and execute business strategy > Monitor and Analyse - devise a system for monitoring performance - define a system for analysing performance and comparing actual achievements against standards > Act and Adjust - take appropriate action Monitor and Analyse - How are we doing? - diagnostic control system o has inputs, process for transforming inputs to outputs o a standard or benchmark against which to compare the outputs - a feedback channel to allow information on variances between outputs and standard to be communicated and acted upon Act and Adjust - What do we need to do differently? - success depends on o new projects o creating new products o entering new markets o acquiring new customers streamlining some processes

BSC vs Dashboard

Balanced score card - performance management - measurement: KPI (Metric and target) - measure linked to business objectives - measures progress (current and target) - updates periodically (monthly) - strategic long term goals - purpose: plan and execute strategy, identify why something is happening and what can be done about it - helps to align objectives and see connections between them - in automobile: the GPS (when and how to arrive) Dashboard - performance measurement and monitoring - measurement tool: metric - not linked to objectives - updates in real time - operational short term gaols - purpose: high-level idea with what is happening in company - helps to visualise the performance to understand current state - in automobile: dashboard (show how car is operating)

CIO - job scope - characteristics - advantages - disadvantages

Chief information officer (CIO) - head of the IS department - member of the senior team in the organisation - job scope o ensure that information systems meet business needs o foster close relationship between IS department and end users o fulfil service level agreements that define the relationship between IS and the rest of the organisation - characteristics o analytic, creative, intuitive and able to solve problems o Political savvy § effectively understand other workers § use that understanding to influence others to meet organisational needs § comfortable with interpersonal relationship o Influence leadership and power § inspire and promote a vision § good communicator § has both technical and managerial skills o Relationship management § build and maintain working relationships with co-workers and those external to organisation o Resourceful § think strategically § make good decisions under pressure o Strategic planner § capable in developing long-term objective and strategies § can translate vision into realistic business strategies o Does what it takes § persevere and focus in the face of obstacles o Leads employees effectively § delegate to employees effectively - advantages CIO brings to business o business and technical perspective o helps senior executive make a decision with IS o decisions made for the needs of the business § not on based on other factors · costs too much to implement · technically infeasible - disadvantage of having CIO o salary = expensive o other managers may over-rely on the CIO on the IS side of the things § every manager needs to be knowledgeable on IS and its impacts

Ethical decisions vs legal decisions

Ethical decision · based on the morale principles of right & wrong that govern a person's behaviours · Not based on mandatory choices (laws & regulations) used because Legal Decisions can't keep up with rapid advances of IS Legal decision · Governed by laws & regulations incapable of keeping up with rapid advances of IS - require ethical principles required to make decisions

Ethical Principles

GIDURN 1. Golden Rule - do unto others as you would have them done unto you 2. Immanuel Kant's Categorical Imperative - if an action is not right for everyone to take, it is not right for anyone 3. Descartes' rule of change - if an action not right to be taken repeatedly, it is not right to take at all 4. Utilitarian Principle - take the action that achieves the higher or greater value 5. Risk Aversion Principle - take the action that produces the least harm or the least potential cost 6. No free lunch rule assume all tangible and intangible objects are owned by someone else unless there is a specific declaration otherwise

IT vs IS vs ISM Advantage of IS Disadvantage of ISM - avoid disadvantages

IT - The h/w, s/w, communications & other electronic devices which enable these processes to take place IS - the people & procedures that collect, transform, utilise and disseminate information through use of IT (collect, process and disseminate) ISM - the planning, implementation and control of the IS to enable an informed response to the opportunities of modern IT Advantage of IS Capabilities: 1. high-speed & high-volume in numerical computation performance 2. Accurate and fast communication & collaboration unrestricted by time and location 3. Large amount of information stored and accessible via private networks and the internet 4. Automate semi-automatic business processes and manually done tasks Enable automation of routine decision making and facilitate complex decision making Disadvantage of ISM Importance = role of IS + drivers of IS If ISM not correctly implemented (-ve) 1. Strategic importance gone 2. Data storage, data processing, data transport = Costs not advantages 3. Commoditised use not advantageous use 4. IT (replicable) = replication is cheaper To avoid disadvantages 1. Spend less a. allow cost advantage (since hard to gain competitive advantage) 2. Follow, don't lead a. technology cheaper as you wait longer = cost advantage b. Waiting prevents buying flawed tech / tech that is doomed to rapid obsolescence 3. Focus on vulnerabilities not opportunities Allow continue to cede control over IT applications and network vendors and other third parties, threats will proliferate

4 frameworks for competitive advantage 2. Value chain - advantages

Primary Activities - direct generation of the organisation's output to its customers a) Inbound logistics - Acquire raw materials & resources & distributes b) Operations - Raw materials transformed/inputs into goods and services c) Outbound logistics - Distributes goods & services to customers d) Sales & marketing - Promotes, prices, & sells products to customers e) Service & support - Provide customer support Support Activities - operation of the primary a) Firm infrastructure - Company format/departmental structures, environment, and systems b) HR management - Employee training, hiring, & compensation c) Technology development - Apply IT to processes to add value d) Procurement - Purchases inputs such as raw materials, resources, equipment & supplies advantages - low supply chain cost - give value to customers - automation - optimised and co-ordinated activities

Productivity paradox - reasons

Productivity paradox - decrease in productivity growth despite rapid investment and development on IT - hard to measure o affect firm level only o important to measure 3 levels organisation, industries and national economies 4 Reasons 1. Measurement Error - outputs and inputs not properly measured by conventional approaches Example - ATMS lead to fewer cheques being written o lead to decrease in productivity statistics - improved timeliness of delivery and personalised customer service o poorly represented in productivity statistics 2. Lags - time lags in the pay-offs to IT make analysis of current costs vs current benefits misleading Example - benefits form IT can take several years to show up on the bottom line 3. Redistribution - IT is used in redistributive activities among firms, making it privately beneficial without adding to total output Example - IT used disproportionately for market research and marketing o activities that can be very beneficial to the firm while adding nothing to total output 4. Mismanagement - lack of explicit measure of the value of information make it particularly vulnerable to misallocation and overconsumption by managers Example - no gains because of the unusual difficulties in managing IT or information itself

Five moral dimensions of the information Age

SAP IQ 1. Information Rights & Obligations - right of individual to be left alone from surveillance/interference from organisation/other individuals/state - tracking - cookies, web beacons (tiny graphics embedded in e-mails & web pages) & spyware - some websites o no strong privacy protection policies o no informed consent regarding use of personal information 2. Accountability & control - measures in place to ensure that somebody is identified who is held responsible for any damage caused by an IS 3. Quality of life - computers can bring us benefits but also can create destruction of valuable elements of our culture and society Work-life-balance compromised - Ubiquitous. telecommuting, mobile computing o "do anything anywhere" Health problems - repetitive stress injury (RSI), carpal tunnel syndrome (CTS), computer vision syndrome (CTS) and technostress Opportunities to commit crime - new valuable items to steal - new ways to steal them - new ways to harm others 4. System Quality - standards of systems and data quality which are necessary to ensure protection of data and information Individuals and organisations - may be held responsible for avoidable and foreseeable consequences that they have a duty to perceive correct - grey area: o some system errors are foreseeable and correctable only at a very great expense 5. Property Rights & Obligations - systems have severely challenged existing law and social practices that protect intellectual property Intellectual property - tangible and intangible products of the mind created by individuals or corporations - protected by: o trade secrets § any intellectual work product used for business purpose § not based on information on public domain o copyright § statutory grant that protect creators of intellectual property from having their work copied by others for any purpose during the life of the author plus additional 70 years after author's death o Patents grants the owner an exclusive monopoly on the ideas behind an invention for 20 years

SLA - advantages - contain

Service Level Agreements (SLA) - formal agreements between end-user's requirements and IS department's commitment to meet them o responsibilities for each side o agreed targets o measurement of performance - (+ve) o provide conceptual focus for both the end users and IS department o formalise relationships o provide focal point for discussions o improve understanding of user concerns o objective measure and record of services required o individual IS failures can be put into context of overall record o IS resources can be directed into activities which give most benefit to the user - contain o simple definition of service to be provided § e.g. help desk support o names and contact information of IS personnel = allow contact for their service o services list and their cost § e.g. how quickly different types of problems will be responded to, and associated cost with providing this type of service level? o escalation procedures § e.g. who to contact if agreed service response is not being provided? o sign-off page for the appropriate business client and IS liaison preparing the SLA document

Resistance to change - types - reason - overcome

Types 1. positive resistance = system is flawed 2. negative resistance = system come in surprise 3. early resistance = testing the waters (on system features) Reason 1. Parochial self-interest > fear of computers > changes to areas of an individual's working life > alterations to interpersonal relationships > change to job content > change to decision-making & power structures 2. Misunderstanding > to why the system has been introduced and lack of trust in mgt 3. Different assessments > between what management & the user believes system will achieve 4. Low tolerance for change Overcome change 1. force by threat of negative consequences if do not comply (Persuasion) 2. Remove uncertainty & threat (Persuasion) - tell truth as much as possible § why? · absence of information = people assume the worst 3. give them something in exchange for compliance (Incentives) 4. they do it because they believe in you &/ the proposed course of action (Negotiation & Agreement) 5. effective communication - clear reasoning for the change & anticipated outcomes - passionate & inspirational 6. Involve people in the change process (User partition & involvement) - active listening - prepared to incorporate their ideas & suggestions 7. Remove excuses - purge unnecessary activities to provide time & energy 8. Utilise peer pressure - seek out role models & ambassadors - use them to influence the masses 9. Train People in new skills & behaviours (Education) - be patient, give encouragement, forgive mistakes 10. Provide emotional support (Facilitation & support) - be empathetic, offer shoulder to cry on, give time to come to terms with change

Economic Aspects of web-based systems - web based systems - decisions to invest on web based systems - economic categories

Web-based systems - IT as a product in itself rather than in a supporting role Decisions to invest on web-based systems - based on assumption that the investments are needed for strategic reasons - expected returns cannot be measured in monetary values 3 Economic Categories 1. Reach vs Richness o Reach § number of customers a company can reach o Richness § amount of interaction and information services it can provide to them o Trade-off between reach and richness § more customers want to reach = fewer services can be provided to them 2. Cost Reduction and productivity increase o Regular products curve § average cost per unit decline to certain quantity § necessary increased overhead = costs start to increase · adding manager and marketing costs o Digital products curve § costs will continue to decline with increased quantity § little variable costs § once fixed cost covered = increase in quantity = continuous decrease in average cost 3. Measuring IT payoffs

Bottom-up planning

definition - Used to determine what IS will be needed in the future, by auditing current position Also, helps the org to understand where it is now in terms of its current information systems questions to ask · What is the coverage of existing systems? > identify current systems that are better exploited for business purposes > identify current systems that require to be built upon to yield significant added value · What is the business value of our existing systems? > business users asked on their view on the value of the IS to the business · What is the technical value of our existing systems? > technical staff asked to know how good the system is technically (e.g. how reliable it is, how user-friendly it is?) ----------- 1 methodologies ----------- Systems audit grid/ Evaluation grid - represents appraisal framework for current systems - Horizontal axis ® represents technical conditions of a system - Vertical axis ® represents business value of the system

Outsourcing - definition - reasons - arrangement types - types of outsourcing

definition - delegation of some or all of the IT functions, products and/or services to a third party reasons (advantages) - focus more on core competency - cheaper and faster to enhance IT capabilities - cut operational costs Arrangement types - Application Service provider (ASP) --> agent/vendor who assembles the software needed by enterprises and packages them with outsourced development, operations, maintenance and other services - Software-as-a-service (SaaS) --> delivery of software where vendor hosts the applications and provides them as a service to customers over a network Types of outsourcing - Total outsourcing --> all IT functions outsources - selective outsourcing --> one or more IT functions are outsourced but other functions are retained in house - transitional outsourcing --> outsource ageing IT to concentrate efforts and resources on new IT projects - transformational outsourcing --> vendor hired to bring in new IT technologies and build the requisite skills and capabilities

Risk Management - stages

definition - process of identifying assessing and reducing risk to an acceptable level - needed because not economical to prepare protection against every possible threat 4 major stages 1. Risk identification o identify potential source of risks § Technological risk · result of accidental/deliberate damage and may be either physical or logical § Business risk · project fails to meet the business needs § Project implementation · degree of risk to an IS project depend on project size · degree of structure and complexity of technology deployed in project 2. Risk Analysis o qualitative or quantitative techniques o expected loss = (probability of attack) x (probability of successful attack) x (loss when attack is successful) o (loss) x (frequency of attack) - (annual loss exposure) 3. Risk control o control or lessen the effect of risk elements o include § avoidance · way that risk can be avoided? · e.g. supply uninterrupted power supply = prevent power cuts § reduction/mitigation · way risk can be minimised? · e.g. comprehensive security policy = adequate security and backup procedures in place § risk transfer · way risk can be transferred to 3rd party? · e.g. insurance company? can project be outsourced? 4. Disaster recovery (Business continuity planning) o plan to mitigate impact o purpose of recovery plan § keep the organisation running after the disaster o asset protection o what-if scenarios should be conducted § each risk should have person responsible for its management

3 Back end process in supply chain 2. Logistics - techniques

definition - process of planning, implementing and controlling the efficient and effective flow and storage of goods, services and related information from point of origin to point of consumption for purpose of conforming customer requirements 2 Techniques 1. Drop Shipping - used where manufacturer/supplier ships the product directly to customer - retailer o does not keep goods in stock o transfers customer orders and shipment details to manufacturer or wholesaler o profit § on difference between the wholesale and retail price OR earn an agreed percentage of sales in commission (paid by manufacturer/wholesaler to the retailer) 2. Channel assembly - distributors become manufacturers or aggregators of product - parts of product gathered and assembled as the product moves through distribution channel - accomplished by third-party logistics (3PL) firms - involve physical assembly of product at a 3PL facility or the collection of finished components for delivery to customer - e.g. computer company would have items (monitor) shipped directly from vendor to 3PL facility (Fedex) order would come together when all items placed in vehicle for delivery low to zero inventories

3 Back end process in supply chain 1. Order Fulfilment - steps

definition - set of complex processes involved in providing customers with what they have ordered on time (right place and right cost) and all related customer services - back office and front-office activities 9 steps 1. Assurance of customer payment 2. Check of in-stock availability 3. Shipment arrangement · if product is available, it can be shipped to the customers 4. Insurance · sometimes the contents of a shipment need to be insured 5. Replenishment · customised orders will always trigger a need for some manufacturing or assembly operation 6. In-house production · in-house production needs to be planned 7. Contractor use · manufacturer may opt to buy products from contractors 8. Contacts with customers · sales representatives need to keep in contact with customers 9. Returns · in some cases, customers want to exchange or return items

SCM software - definition - example of e-business system - Advantages - RFID, e-procurement

definition - supports steps in the supply chain o manufacturing o inventory control o scheduling o transportation - concentrates on improving decision making, forecasting, optimising and analysis 3 example of e-business system 1. Collaborative fulfilment networks (CFNs) o enable coordination among multiple participating firms at different stages of the supply chain § e.g. organisations use a coordinated inventory approach § with replenishment policy that does order smoothing to reduce order size variability and hence overall systems costs 2. Electronic marketplaces (B2B) o allow organisations in supply chain to identify upstream suppliers 3. Electronic data interchange (EDI) o a communication standard that enables the electronic transfer of routine documents, such as purchase orders, between business partners Advantages o allow movement of information throughout the supply chain faster and more reliable o better cost performance from improved productivity and lower costs o enhanced customer service from improved quality of service o Improved process capabilities from online business quality consistency o higher productivity and dependability from increased control of material flows along the supply chain o shortened cycle times due to fewer delays and higher speed o greater flexibility in planning and re-planning o smoother related production processes Radio Frequency Identification - radio waves to read and capture information stored on a tag attached to an object o tag can be read from several feet away and does not need to be in direct line-of-sight of the reader to be tracked reduces costs and increase operating efficiencies E-procurement - use of internet technologies to purchase or provide goods and services - reduces purchase prices through greater transparency of market pricing and lower search costs - allows purchasing of similar products o get significant lower pricing through volume discounts - used to standardise purchasing processes within the organisation o improve internal purchase processes and employee satisfaction

Top-down planning

definition - used to determine where the organisation wants to be in terms of its future information systems questions to answer: · What are the aims, objectives & goals of business? · What IS systems are needed to support these aims, objectives & goals? ----------- 3 methodologies ----------- 1. Business Systems Planning (BSP) -> Old strategy o Considers the business process o Derives the data classes to support these processes, which become the building blocks of the information architecture o Define an Information Architecture for the firm Basic building blocks of Information Architecture: o Business Process § Logically related decisions and activities required to manage the resources of the business o Data classes § Categories of logically related data that are necessary to support the business 2. Critical Success Factors (CSF) -> More practical o Areas of activity that should receive constant & careful attention from mgt o Strongly related to mission & strategic goals of business/project o IT manager determines IS needed to support the business to achieve CSF o Idea: (definition) § Limited number of areas = result satisfactory = successful competitive performance § Else = result = less desired § Limited Areas refer to key areas where things must go right for the business to flourish IT planners identify CSF by interviewing managers qns: o what objectives are central to org? o the critical factors essential to meeting these objectives? o key decisions/actions to the critical factors? o what variables underlie these decisions & how are they measured? o what IS can supply these measures? CSF to develop systems 1. Identify - relies on interviews with key managers to identify their CSF - @After interview ® determine org objectives for which the manager is responsible ® determine critical factors to attaining objectives 2. Combine - individual CSF are aggregated to develop CSF for the entire firm ® select a small number of CSFs ® determine the info requirements for those CSFs ® measure if CSFs are met > if not met, MUST build appropriate applications 3. Build - build systems to deliver information on these CSF 3. Scenario Planning -> Looks into future for IT app to be ready in future use o a structured way to think of the future o First: executives create several scenarios on how future unfold & how it affect issue confronting them e.g. Supermarket invest in security/expand retail? o Second: a team compiles as many future events as possible that may influence the outcome of each scenario o used in planning situations that involve much uncertainty e.g. e-commerce o why use this planning: (+ve) 1. ensure that you are not focusing on catastrophe to the exclusion of opportunity 2. help you allocate resources more prudently 3. preserve your options 4. ensure that not still "fighting the last war" 5. opportunity to rehearse testing and training of people to go through the process

Supply chain - definition - involves flow of... Reverse supply chain

defintion - set of relationship among suppliers, manufacturers, distributors and retailers that facilitate transformation of raw materials into final products involves 1. Material or product flow - e.g. chipmaker Intel supply chips to Dell, Dell supply computer to end-user products - reverse supply chain --> products returned --> activities required to retrieve used product from customer to dispose it or reuse it 2. Information flow - detailed data movement among members of supply chain - e.g. order info, customer info, delivery status 3. Financial flow - transfer of payments and financial arrangements - e.g. billing payment schedules, credit terms, payment via electronic funds transfer

Balanced scorecard

framework for defining, implementing and managing an enterprise's business strategy by linking objectives with factual measures part of BI system checks if operational activities conducted in the organisation are aligned with the overall business strategy - balance o refer to balance in combined set of measures used in balanced scorecard o balance between indicators § financial and non-financial § leading and lagging § quantitative and qualitative § short term and long term o eliminate some of the defects of traditional management measuring methods such as tendency to concentrate on § internal § financial § quantitative lagging indicators - Measures perspective performance on o financial (traditional perspective) -how organisation look to shareholders? § (-ve) Measure performance based only on financial metrics. Financial measures are... · reported by organisational structures (e.g. research and dev expenses) not by processes that produced them · lagging indicators o what happened NOT why it happened or what is likely to happen in future · e.g. administrative overhead o product not related to underlying process that generated them · focused on short term and provide little information on the long term o customer - how customer view org? o internal business process - (which) to excel in to impress its shareholders and customers o learning and growth - how dynamic the organisation is? Can org continue to improve and create value? o each perspective contains 4 subparts § Objectives · what the strategy is to achieve in that perspective § Measures · how progress for that particular objective will be measured § Targets · refer to the target value that the company seeks to obtain for each measure § Initiatives · what will be done to facilitate the reaching of the target - steps to achieve objectives on BSC 1. identify objectives for each perspective 2. define measures for each objective 3. assign targets to the measures 4. define the strategic measures to meet each objective 5. identify and assign each initiative and its responsibilities 6. provide a strategic map to link the objectives § strategy map · graphic description of the relationships among the key organisational objectives of 4 BSC perspectives · begins at the top with financial objectives down to customer, internal and learning objectives - (+ve) of BSC o clarifies vision/strategy o provides a means of communications o turns strategy into action o cause and effect o provides a means of measurement and therefore management based on fact o provides feedback on ... in order to continuously improve strategic performance and result § internal business processes § external outcomes - Balanced Scorecard and Six Sigma o can be integrated § use BSC on the front-end · to identify performance weaknesses and uncover opportunities for improvement § Six Sigma then deals with performance shortfall complements BSC = no conflict