Thursday, December 17, 2009

MIS2 - Assignment 4

You were invited by the university president to prepare an IS plan for the university, discuss what are the steps in order to expedite the implementation of the IS Plan.

Strategic information systems planning (SISP) is the process of identifying a portfolio of computer-based applications that will assist an organization in executing its business plans and realizing its business. Because information technology is playing an increasingly strategic role in today's highly competitive business world, the need for effective strategic information systems planning (SISP) has become more and more critical. SISP can contribute substantially to an organization. It can bring IS users and IS professionals together and establish a mutual understanding of the value of information systems and the problems associated with them. It also can help the organization develop priorities for information systems development by ranking such systems in terms of their efficiency, effectiveness, and strategic value. In that manner, it helps the organization identify its portfolio of planned computer-based applications, which both align well with corporate strategy and can create an advantage over competitors. Although much SISP research has been conducted over the past few years, the same types of problems repeatedly appear, thus suggesting that SISP has not improved much in practice. A gap continues to separate the plans and expectations of the developers of an IS strategy from the actual outcome of the strategy. Often, only a few of the systems in the strategy are implemented and some of them take substantially longer than anticipated. A survey of four Norwegian organizations found that only 42% of the projects in the formal IT strategy had been implemented after five years. This lack of implementation not only leaves firms dissatisfied with their current SISP, but also creates problems establishing and maintaining priorities in future SISP.

The failure to execute SISP effectively can cause an organization to lose competitive advantage. Hence it is no surprise that both corporate general managers and IS executives have viewed improved SISP as a key issue facing them. Observers have suggested many practices to make SISP more successful. Categorizations of practices, case studies, and surveys have offered a broad look at SISP practices across large sets of organizations in different countries. The objective of the study described here was to apply the findings from such research to the problem of the failure to implement the recommendations of a SISP study and thus to identify a comprehensive and parsimonious set of factors of practices that predict implementation. The importance of SISP to both general and IS management and its challenging nature make this research issue significant. SISP has been defined as "the process of identifying a portfolio of computer-based applications that will assist an organization in executing its business plans and realizing its business goals". It also includes the specification of databases and systems to support those applications. It embraces the selection of rather prosaic applications which would best fill the organization's current and future needs, but it also entails the discovery of new applications with the potential to create an advantage over competitors. It has been viewed as comprised of six broad process dimensions drawn from strategic management - comprehensiveness, formalization, focus, flow, participation, and consistency and also as comprised of content aspects of business domain analysis and technology domain analysis, and process aspects of top management involvement, user involvement, quality of support mechanisms, and use of a steering committee.

To perform SISP, an organization typically conducts a multi-phase study. One observer summarized such a SISP study in terms of five phases. The first phase, strategic awareness, included the identification of strategic goals, identification of business and IT systems, and the definition of planning process objectives. The second, situation analysis, comprised the analysis of business systems, organizational systems, IT systems, and the external business and IT environments. The third, strategy conception, included the scanning of the future, the identification of alternative scenarios, and scenario elaboration. Strategy formulation, the fourth, contained the formulation of the business architecture, the formulation of the IT architecture, the formulation of organizational solutions, and synthesis and prioritization. Finally, strategy implementation planning comprised the definition of action plan elements for developing the applications in the plan, the elaboration of the action plan, the evaluation of the action plan, and the definition of follow-up and control procedures. SISP has also been described as a system comprised of inputs, processing, and outputs. Objectives, resources, and information serve as inputs and they influence a specific, predetermined planning process. Elements both within the organization's internal environment and beyond its control (i.e., in its external environment) also influence the process. The process itself consists
of a set of practices that result in an IT strategy whose major component is recommendations for the portfolio of new information systems. However, organizations often fail to develop the systems in the strategy. Such failure to implement can be seen as a function of the planning process, and more specifically, its practices.

SISP has evolved over time. It initially was conducted as a fairly formal and comprehensive activity, although nowadays such an administrative approach is generally not very successful. Competitive analysis and advantage later became a major objective. As organizations began to understand that IT could improve internal efficiencies, SISP began to emphasize business process reengineering. More recently, observers have recognized the importance of SISP for organizational learning. SISP generates an enormous amount of information about an organization, and its internal and external environment, and this information must be organized, managed, and understood. For example, by emphasizing measurable criteria for judging the merits and risks of proposed projects, and by creating concrete procedures for measuring the effectiveness of the plan, organizations learn from their SISP. Thus, SISP can be viewed as having evolved into a knowledge management activity. The purpose of SISP is to create a plan of recommendations that fulfill management objectives and thus benefit the organization. SISP lays the groundwork for implementation of the plan. Implementation is essential because it enables the organization to achieve SISP benefits.

Although the extent of plan implementation is positively associated to the extent of SISP, implementation of the plan is not assured and the failure to implement is common. In fact, a majority of senior IS executives have classified failure to translate goals and strategies into action plans as a major IS planning problem. Going from strategies to action plans is, however, a necessity for implementing IT strategies. Over 55% of senior IS executives have classified the "difficulty to secure top management commitment to implement the IS plan" and over 50% have classified "ignoring the IS plan once it has been developed" as major IS planning problems. Ignoring implementation issues or lack of support for information technology architecture and duration of SISP has also been suggested as the causes of the low rate of SISP implementation. In one study of SISP, less than a quarter of the recommended projects had been initiated after over half the planning horizon had passed. This suggests that organizations were not implementing their plan very vigorously. During the same horizon, 38% of all initiated projects had not been identified in the SISP plan. This also suggests that organizations were not following their plan. Finally, the same study found that satisfaction with plan implementation was significantly lower than satisfaction with the input, process, and resources used during the process.

Several reasons may explain the failure to implement the SISP plan. The duration of IS development is so long that it provides time for the business strategy to change in response to external and internal environmental change, and thus forces IS priorities to change. Users politic to raise the priorities of their projects and bypass the prioritization scheme established in the plan. The organization underestimates the cost of projects and runs out of resources. Long and short-term plans are poorly integrated. Government legislation forces changes in priorities. Groups within the IS department set their own priorities. Management raises the priority of new proposals with higher return on investment. Insufficiently high-level managers participate in SISP. In summary, management does not focus its SISP efforts on implementation issues. A Norwegian study derived ten predictor constructs of implementation from 35 SISP practices. The predictors were intended to reflect the content of the IT strategy rather than practices independent of the final plan. A full multiple regression with all ten showed a significant overall relationship between the predictors and the IT strategy implementation, but no individual one was significant. Stepwise multiple regression, however, showed that two had significant coefficients. "Responsibility for the implementation" had the highest explanatory power, and "user involvement during the implementation" had the second highest (p<.05). Perhaps surprisingly, the other eight plan characteristics - resources needed for implementation, analysis of the organization, anticipated changes in the external environment, solutions to potential resistance during implementation, information technology to be implemented, projects' relevance to the business plan, management support for the implementation, and clear presentation of implementation issues - were not significant implementation predictors. Regardless of the two predictors, the lack of implementation still often leaves firms dissatisfied with their SISP efforts.

The current research used a list of recommended planning practices presumed to produce a more accurate, convincing, and stable plan, a plan less vulnerable to the political and environmental changes that can alter the priorities of its recommendations. However, research has not yet examined the relationship of these practices to implementation. The implications of the research for managers, who want to improve the likelihood of SISP implementation based on the study's findings, are simple and succinct: Deliberately plan for implementation by identifying specific actions to accomplish it and incorporate them in the plan itself. More specifically, identify the resources and actions needed to implement new applications development and maintenance tools. Identify the MIS department's actions necessary to expedite adoption of the plan. Prepare a plan for migrating to new applications including key projects and their order of implementation. Specify actions needed to implement the proposed architecture. Evaluate the costs, benefits and risks of each proposed project to determine its priority. Complete the study in a reasonable period of time. The current research suggests that these practices, grouped together, are the strongest predictors of implementation. Also, control the progress of the SISP study and the implementation of the plan with feedback and guidance. Resolve conflict and bring about agreement on priorities quickly.

To improve the overall value of the SISP study, focus on trends, competitors, the impact of information technology, and focus on tying these issues to strategic business planning. Also, it is important to ensure the reputation of the planning team. However, do not expect these practices necessarily to lead to implementation. Analyze organization needs. However, do so quickly and not to the extent that the analysis impedes plan implementation, as this research suggested it can. Finally, managers should assess each practice regardless of whether it predicts implementation or not. Each practice might play a key role in the implementation of a particular plan. Hence each one merits careful consideration in the context of each individual organization. Different circumstances could render some - even those that do not predict implementation in a large sample - both essential and effective for individual organizations. The research examined the planning practices expected to predict the implementation of SISP plans. It found that the Migration factor predicted greater implementation using two different dependent variables, whereas Management Control predicted it with only one dependent variable, Study Focus and Team Member Selection Criteria did not predict it with either, and Needs predicted less implementation with one variable. The lack of consistent prediction of implementation may suggest practices do not play as great a role as anticipated in implementation. However, such findings are consistent with previous research that showed that only two practices, "responsibility for the implementation" and "user involvement during the implementation" out of ten predicted it using a similar, multi-item, scaled dependent variable. Combined, the two studies suggest that although many practices may be valuable, their direct impact on implementation itself is limited. This research speculated why such practices might not predict implementation, but future research should look more closely to assess the reasons.

While diligent efforts were made to ensure that this research considered all possible planning practices, more practices may exist and hence further research with a larger number of practices might be desirable. However, a larger sample of subjects would also be necessary. With a larger sample, the more powerful analytic technique of structural equation modeling would be possible; the current sample had insufficient subjects for such analysis. Some of the prescriptions correlated negatively with the implementation
measure. Future research might reword them. For example, "The SISP study used experienced external consultants" might be changed to "The SISP study avoided the use of experienced external consultants," or perhaps simply "The SISP study avoided the use of external consultants." The research assessed implementation success by regressing practices on two measures of implementation. One measure was perceptual and the other was more objective. The results were not completely consistent. The differences suggest the importance of multiple measures of variables and imply that they should be used more frequently in future research. One of those measures was the ratio of the number of implemented projects to the total recommended. Previous research has used that ratio. However, the ratio does not take into account project size. A firm that implements many minor projects would be deemed more successful than one that implements a few major projects, although in fact, it might or might not actually be more successful. In a sense the ratio is consistent with popular advice to break large projects into smaller ones to facilitate their implementation. Nevertheless, future research should consider project size in the evaluation process. Researchers could also ask about implementation success in different ways. One alternative approach would be to ask planners directly to assess how much each practice contributed to implementation.

Planners' perceptions played a major role in this study. Information systems department professionals are probably not the only parties knowledgeable about SISP. Hence, future researchers should also seek the views of business managers and other participants from outside the MIS function. Correlation and regression also played an important role in this study. Correlation and regression are not causation. Perhaps more in-depth studies of SISP would facilitate a better assessment of causality. Finally, the research predicted that the analysis of organization needs would presage the implementation of plans. Instead, it found that such analysis might impede implementation. Naturally some level of such analysis is necessary. Hence, future research should seek to determine this level. In reference to such an appropriate level of analysis, information systems managers speak informally of "analysis paralysis" - the excessive study of a problem and resultant delay in beginning to solve it. Perhaps the greatest need for research is thus to determine when enough analysis is complete so as to begin implementing and to avoid analysis paralysis. In other words, future research should ask, how much analysis is necessary to facilitate SISP implementation and how much more analysis will begin to impede it? Strategic information systems planning has evolved over time from a fairly formal and comprehensive to a knowledge management activity. It continues to challenge information systems managers and other executives. Planning is expensive and the failure to implement a SISP plan wastes valuable resources. By focusing on the actions necessary for implementation, the chances of
successfully doing so can likely be increased.

Strategic information system planning (SlSP) is the process of deciding the objectives for organizational computing and identifying potential computer applications which the organization should implement. Most information systems today are affected by one or more
regulations, and some would argue that industries as a whole are over-regulated. That is particularly true in industries such as banking and insurance. There are many valid reasons for regulations, especially when it comes to information systems. A significant portion of business processes and activities in most organizations depends completely on information systems, and could not function without them. The vast amount of information generated by information systems is used by publicly-traded companies to report to authorities and regulatory agents. Additionally, decision-makers and stakeholders use financial reports published by organizations to make business decisions about investments, mergers, and acquisitions. Internal and IT auditors are in a unique professional position. Their traditional and primary duty is to inspect and verify that business processes and practices are carried out as required by various regulatory bodies. Additionally, the main output of an audit activity is an audit report that describes risks, control deficiencies, and breach of existing controls. Auditors also can assume the role of trusted advisor and suggest ways to improve existing processes and add new processes, tools, and best practices that improve performance and reduce operating costs. This article presents some ways in which internal and IT auditors can bring tremendous value to organizations in the course of conducting an audit.

In spite of the overwhelming number of existing regulations, there is strong evidence that a tidal wave of new regulations will emerge in the next 12 to 18 months. The new regulations will ensure that better controls are applied as an oversight on activities performed by particular groups within an organization. One thing IT departments can do now is use this grace period to prepare for complying with new regulations. A paradigm shift and thinking outside of the box regarding current practices will help in accepting a different approach to complying with regulation requirements. For example, the notion that regulation is not the chief information officer’s or IT department’s responsibility and the view that regulation requirements are not part of system requirements no longer apply. Instead, IT departments should accept the involvement of stakeholders and subject matter experts (SMEs) within the organization as critical and necessary for successful implementation of regulation requirements in information systems. The following represents the primary key players and SMEs who should be directly involved in complying with regulations requirements throughout the life cycle of the information system: Chief compliance officer, Chief risk officer, Information system manager, IT project manager, Information security manager, and Quality assurance manager. Internal and IT auditors cannot and should not take an active part in the design or implementation of regulation requirements in order to prevent potential conflicts of interest in future audits.

A key point of this new approach is that regulation requirements are an integral part of the set of requirements that are defined for an information system (functional, technical, performance, security) and therefore: Regulation requirements must be documented and managed along with all other requirements. (The use of a requirements management tool is recommended.); Regulation requirements must be translated into tasks and activities to be performed throughout the life cycle of the information system and clearly defined in all project work plans; and the test plan for information systems must include specific tests to ensure effective and accurate implementation of regulation requirements. Internal and IT auditors can bring an important added value to organizations by raising the level of awareness among managers and stakeholders of the benefits to be gained by adopting a new approach to meeting regulation requirements. Auditors can express such opinions in audit reports and during audit closing meetings as general comments and recommendations. “Information System Life Cycle Phases” represents a typical life cycle model for information system development, implementation, and sustainability. The model includes some key activities that are related to regulation requirements in each phase of the life cycle. The activities relating to regulation requirements development, testing, and implementation can be easily incorporated into other life cycle models. There is no need to invent a new methodology for information systems development or to alter existing methodologies drastically. Instead, organizations should change and upgrade concepts that are currently used by IT departments. The involvement and active participation of SMEs is essential to successful implementation of this approach.

The adoption and implementation of the proposed approach to complying with regulation requirements consist of four steps. Activities in these four steps can be easily incorporated into the Software Development Life Cycle (SDLC) currently in use by the organization. “Information System Life Cycle Phases” is a model that demonstrates integrating regulation requirements into a popular SDLC:

1. Discovery and Identification. Specific regulation requirements relevant to information systems should be documented. A current risk survey report may be used if available. Identification and classification of binding enterprise regulations, standards, and frameworks should be included in a dictionary of terms and definitions. This dictionary should be the basis for a common language among all the organizational units in
the enterprise that are involved in implementing and sustaining regulatory compliance measures. Existing and planned information systems and the identification of gaps between regulation requirements and their implementation should also be surveyed. It is possible to have regulation requirements from multiple regulatory agents. Conversely, IT controls that were developed in response to a particular regulation requirement may be applicable to several information systems. One byproduct of this exercise is the identification of duplicate controls that were implemented to remedy regulatory requirements. A list of information systems, their risk classification, and associated controls presents an excellent opportunity to streamline and consolidate the number of IT controls in the organization. Once IT controls are documented, a logical next step would be to expand the knowledge base by linking relevant policies, procedures, work instructions, forms, process owner information, and system managers. A repository of such information could help reduce the burden and high demand on IT professionals and make the audit process more efficient.

2. Classification Information systems should be classified to facilitate prioritization according to criteria such as: The importance of a system to a business process. An existing risk survey report can be used as a source for information system classification and serve as a starting point. Control self-assessment is a popular tool that can be used for establishing information systems classification; the impact of the information system on one or more business processes and the risk factors associated with information systems; the interdependency with other internal and external information systems. Once prioritized, a viable work plan for implementing regulation requirements can be developed for the information systems managed by the IT department.

3. Mapping To establish ownership and direct responsibility for each information system in the organization, it is necessary to map information systems. Mapping should identify the following relationships: Information system to business process; Regulation requirements to organizational unit(s); Information system ownership; Identification or discovery of “orphan” information systems; Identification of multi-owner information systems. Any identified gaps must be investigated and resolved. Additionally, the mapping information collected in this effort should be well-documented and maintained as an ongoing regulation compliance activity.

4. Development, Testing, Implementation, and Maintenance The development, testing, implementation, and maintenance of regulation requirements include: Development of code necessary to satisfy regulation requirements; Testing and validation of regulation compliance of information systems developed in-house; Validation that all vendor-supplied information systems comply with regulation requirements; Testing, validation, and approval of external information systems services compliance with regulation requirements (including software as a service-based (SaaS) systems). Certification demonstrating regulatory compliance of information systems by all stakeholders is required to authorize systems for production use. During tough economic times and budget cuts, improving business processes is a good way to prepare for the up-turn cycle and for the inevitable wave of new regulations that are sure to hit our shores. The prevailing best practice of doing more with less applies to internal and IT auditors just as it does to other stakeholders in business enterprises. Internal and IT auditors can add value to their audited parties, in particular, and to business organizations in general, by playing the role of trusted advisor. The primary role of an auditor is to verify compliance; identify risks, control deficiencies, and the effectiveness of existing controls; and produce an audit report for management.

An experienced auditor can suggest and recommend improvements to existing processes and recommend new tools and methods for consideration. Furthermore, over time this approach can improve work relationships between the auditor and audited parties in the organization. For a long time relationship between information system functions and corporate strategy was not of much interest to Top Management of firms. Information Systems were thought to be synonymous with corporate data processing and treated as some back-room operation in support of day-to-day mundane tasks . In the 80’s and 90’s, however, there has been a growing realization of the need to make information systems of strategic importance to an organization. Consequently, strategic information systems planning (SISP) is a critical issue. In many industry surveys, improved SISP is often mentioned as the most serious challenge facing IS managers. Planning for information systems, as for any other system, begins with the identification of needs. In order to be effective, development of any type of computer-based system should be a response to need--whether at the transaction processing level or at the more complex information and support systems levels. Such planning for information systems is much like strategic planning in management. Objectives, priorities, and authorization for information systems projects need to be formalized. The systems development plan should identify specific projects slated for the future, priorities for each project and for resources, general procedures, and constraints for each application area. The plan must be specific enough to enable understanding of each application and to know where it stands in the order of development. Also the plan should be flexible so that priorities can be adjusted if necessary. King in his recent article has argued that strategic capability architecture - a flexible and continuously improving infrastructure of organizational capabilities – is the primary basis for a company's sustainable competitive advantage. He has emphasized the need for continuously updating and improving the strategic capabilities architecture.


SISP is the analysis of a corporation’s information and processes using business information models together with the evaluation of risk, current needs and requirements. The result is an action plan showing the desired course of events necessary to align information use and needs with the strategic direction of the company. The same article emphasizes the need to note that SISP is a management function and not a technical one. This is consistent with the earlier distinction between the older data processing views and the modern strategic importance view of Information Systems. SISP thus is used to identify the best targets for purchasing and installing new management information systems and help an organization maximize the return on its information technology investment. A portfolio of computer-based applications is identified that will assist an organization in executing its business plans and realize its business goals. There is a growing realization that the application of information technology (IT) to a firm’s strategic activities has been one of the most common and effective ways to improve business performance. The paper reviews the existing methodologies for SISP in an attempt to answer the critical question: how to move ahead and further improve the effectiveness of strategic planning for information-based enterprises? In particular, we examine their capacity for driving the development of corporate information systems ensuing the planning, and their potential to support economic evaluations of information systems investments. Strategic Information Systems Planning in the present SIS era is not an easy task because such a process is deeply embedded in business processes. These systems need to cater to the strategic demands of organizations, i.e., serving the business goals and creating competitive advantage as well as meeting their data processing and MIS needs. The key point here is that organizations have to plan for information systems not merely as tools for cutting costs but as means to adding value. The magnitude of this change in perspective of IS/IT’s role in organizations is highlighted in a Business Week article, ‘The Technology Payoff’.

According to this article, throughout the 1980s US businesses invested a staggering $1 trillion in the information technology. This huge investment did not result in a commensurate productivity gain - overall national productivity rose at a 1% annual rate compared with nearly 5% in Japan. Using the information technology merely to automate routine tasks without altering the business processes is identified as the cause of the above productivity paradox. As IT is used to support breakthrough ideas in business processes, essentially supporting direct value adding activities instead of merely cost saving, it has resulted in major productivity gains. In 1992, productivity rose nearly 3% and the corporate profits went up sharply. According to an MIT study quoted in the above article,
the return on investment in information systems averaged 54% for manufacturing and 68% for all businesses surveyed. This impact of information technology on re-defining, re-engineering businesses is likely to continue and it is expected that information technology will play increasingly important roles in future. For example, Pant point out that the emerging vision of virtual corporations will become a reality only if it is rooted in new visionary information technology. It is information technology alone which will carve multiple ‘virtual
corporations’ simultaneously out of the same physical resources and adapt them without having to change the actual organizations. Thus, it is obvious that information technology has indeed come a long way in the SIS era, offering unprecedented possibilities, which, if not cashed on, would turn into unprecedented risks. As Keen has morbidly but realistically pointed out that organizations not planning for strategic information systems may fail to spot the business implications of competitors’ use of information technology until it is too late for them to react. In situations like this, when information technology changes the basics of competition in an industry, 50% of the companies in that industry disappear within ten years. The task of strategic information systems planning is difficult and often time organizations do not know how to do it. Strategic information systems planning is a major change for organizations, from planning for information systems based on users’ demands to those based on business strategy.

Also strategic information systems planning changes the planning characteristics in major ways. For example, the time horizon for planning changes from 1 year to 3 years or more and development plans are driven by current and future business needs rather than incremental user needs. Increase in the time horizon is a factor which results in poor response from the top management to the strategic information systems planning process as it is difficult to hold their attention for such a long period. Other questions associated with strategic information systems planning are related to the scope of the planning study, the focus of the planning exercise – corporate organization vs. strategic business unit, number of studies and their sequence, choosing a strategic information
systems planning methodology or developing one if none is suitable, targets of planning process and deliverables. Because of the complexity of the strategic information systems planning process and uniqueness of each organization, there is no one best way to tackle it.


References:

http://www.allbusiness.com/technology/3502724-1.html
http://viu.eng.rpi.edu/publications/strpaper.pdf
http://www.theiia.org/intAuditor/itaudit/2009-articles/the-impact-of-regulation-on-information-system-planning/

0 Comments:

Post a Comment



Template by:
Free Blog Templates