IS 483 Information Systems Management James Nowotarski 15 May 2003


Today’s Objectives

• Recap training and help desk
• Understand risk management
• Understand procurement process (RFP)

Today’s agenda

| Topic | Duration |
|---|---|
| Recap last week | 20 minutes |
| Assignment 2 reports | 20 minutes |
| Quiz - Training & Help Desk | 30 minutes |
| Break | 15 minutes |
| Risk management | 60 minutes |
| Procurement process | 50 minutes |


User training and total cost of ownership

[Figure: call volume and call complexity plotted against time]

User training and total cost of ownership

[Figure labels: Increases user productivity/effectiveness; Increases total cost of ownership; Decreases total cost of ownership; Decreases user productivity/effectiveness]

• Process-related, rather than application-specific training
• Additional software functionality (new or existing software)
• Providing FAQs from the help desk
• Training new users
• Retraining existing users on functionality they have forgotten
• Not providing any training
• Providing training at the wrong time
• Providing ineffective training
• Replacing software with same level of functionality
• Providing functionality not required by user

Source: Gartner

Help Desk

Responsibilities

Planning
• Collect trend information and evaluate trends
• Gather planning information to avert problems and promote the use and further development of network capabilities

Development
• Provide development assistance to end users on business controls, recovery management techniques, etc.
• Evaluate new applications for inclusion on distributed network

Deployment
• Provide/coordinate user training on hardware, software, procedures

Support
• Provide first tier of support for problem resolution
• Compile and maintain online knowledge base

Tiers of Support

| Tier | Role |
|---|---|
| Tier 1 | Help Desk |
| Tier 2 | Product Specialists |
| Tier 3 | Product Developers |

Help Desk

Strategies used by successful Help Desks to obtain user satisfaction

• Competent help desk representatives
– technically competent, current
– attitude (calm, patient, thick skin, empathetic, respectful)
• Variety of help vehicles, e.g.,
– FAQ/knowledge base
– online chat/discussion groups
– super users
• Regular communication during problem resolution
– report status
– be available
– practice effective listening skills
• Follow-up afterward
– survey/feedback
– ensure customer satisfaction
• Measure and assess (SLA)
• Train users to eliminate need for support in the first place

Help Desk

Help Desk Service Level Agreements (SLAs)

• Performance goals are set for
– all help desk agents
– all support resources (e.g., vendors, tier 2, etc.)
• Sample list of performance goals:
– % of calls resolved on the first call
– % of calls where user hung up before talking to agent
– % of calls resolved at each tier
– Mean Time to Repair (MTTR) for all trouble tickets
– Number of tickets for each severity level
– MTTR for each severity level
– Number of tickets for each tier
– MTTR for each tier
– MTTR for specific hardware or applications
– Number of problems resolved proactively before a telephone call made
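The sample performance goals above can be computed directly from ticket and call data. The following is an added example, not part of the original slides; the ticket fields, the sample tickets, the call counts and the MTTR targets are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample trouble tickets (field names are assumptions).
# resolved_tier: tier that closed the ticket; contacts: calls needed to resolve it.
TICKETS = [
    {"id": 1, "severity": 1, "resolved_tier": 2, "contacts": 2,
     "opened": "2003-05-12 09:00", "closed": "2003-05-12 13:00"},
    {"id": 2, "severity": 3, "resolved_tier": 1, "contacts": 1,
     "opened": "2003-05-12 09:30", "closed": "2003-05-12 10:00"},
    {"id": 3, "severity": 2, "resolved_tier": 1, "contacts": 1,
     "opened": "2003-05-12 11:00", "closed": "2003-05-12 12:30"},
    {"id": 4, "severity": 1, "resolved_tier": 3, "contacts": 3,
     "opened": "2003-05-13 08:00", "closed": "2003-05-13 16:00"},
    {"id": 5, "severity": 3, "resolved_tier": 1, "contacts": 1,
     "opened": "2003-05-13 14:00", "closed": "2003-05-13 14:30"},
]
# Constructed call counts: calls offered and calls abandoned before reaching an agent.
CALLS_OFFERED, CALLS_ABANDONED = 40, 3
# Constructed SLA targets: maximum MTTR in hours per severity level.
TARGET_MTTR_HOURS = {1: 4, 2: 8, 3: 24}

FMT = "%Y-%m-%d %H:%M"

def repair_hours(ticket):
    """Elapsed hours between ticket open and close."""
    opened = datetime.strptime(ticket["opened"], FMT)
    closed = datetime.strptime(ticket["closed"], FMT)
    return (closed - opened).total_seconds() / 3600

def mttr_by(tickets, key):
    """Ticket count and Mean Time to Repair (hours), grouped by a ticket field."""
    groups = defaultdict(list)
    for t in tickets:
        groups[t[key]].append(repair_hours(t))
    return {k: {"tickets": len(v), "mttr_hours": sum(v) / len(v)}
            for k, v in sorted(groups.items())}

def sla_report(tickets, offered, abandoned):
    """Compute the slide's sample performance goals from raw data."""
    total = len(tickets)
    # Assumption: "resolved on the first call" = closed by tier 1 after one contact.
    first_call = sum(1 for t in tickets
                     if t["contacts"] == 1 and t["resolved_tier"] == 1)
    by_tier = mttr_by(tickets, "resolved_tier")
    return {
        "pct_first_call_resolution": 100 * first_call / total,
        "pct_abandoned_calls": 100 * abandoned / offered,
        "pct_resolved_per_tier": {tier: 100 * g["tickets"] / total
                                  for tier, g in by_tier.items()},
        "mttr_overall_hours": sum(repair_hours(t) for t in tickets) / total,
        "by_severity": mttr_by(tickets, "severity"),
        "by_tier": by_tier,
    }

def sla_breaches(report, targets):
    """Severity levels whose measured MTTR exceeds the agreed target."""
    return [sev for sev, g in report["by_severity"].items()
            if g["mttr_hours"] > targets[sev]]

if __name__ == "__main__":
    report = sla_report(TICKETS, CALLS_OFFERED, CALLS_ABANDONED)
    print(report)
    print("Severities over target:", sla_breaches(report, TARGET_MTTR_HOURS))
```

Grouping MTTR by severity as well as by tier shows where a breach originates: here the overall average looks acceptable while severity 1 tickets miss their target.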

Help Desk

Product standards enable higher quality help desk service

• Limits the amount of knowledge needed by help desk agent
• Ensures users have same level/version of products, reduces complexity of multiple version support
• Limits number of vendors and suppliers to be dealt with, enables more standardized interactions with these firms

Help Desk

Consolidated Service Desk (CSD) Scope of Functions

1. Coordination of support across tiers utilizing single point of contact and ownership transfer concepts
2. Ability to integrate and automate service, problem, change and asset management processes
3. Provision of quality and easy-to-use knowledge-based authoring tools
4. Capacity to offer tight integration of these elements:
• legacy tools
• telephony
• Web chat
• VoIP (voice over Internet protocol)
• self-support
• software distribution
• remote control
• network and system management (NSM)

Help Desk

Benefits of Consolidated Service Desk (CSD)

Provider Perspective
• Lowers people costs associated with service
• Offers complete picture of all application and system costs
• Reins in support “chaos” that resulted from multiple help desks

User Perspective
• Higher quality support and service
• More seamless interaction with help desk/IT
• Anywhere, anytime support
• Users can be more self-reliant


IT Objectives

• IT is aligned with the business, enables the business, and maximizes benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
– economic
– technical
– organizational
– legal
– terrorism

Source: Control Objectives for IT (CobiT)

IT Risk Management

Major Categories of Risk

• Economic: risks that can potentially affect the business
– business environment changes
– financial performance
• Technical: risks that can affect the development, implementation, and operation of a system
– integrating technology with legacy
– applying unproven technology
– conversion may uncover “dirty” data
– management inexperienced with projects of this size
• Organizational: risks that can potentially result from lack of acceptance of a system
– low morale
– decline in effectiveness/efficiency
• Legal: risks arising from potential lawsuits and liabilities associated with implementation of a project
– shareholder lawsuits
– data privacy
– Foreign Corrupt Practices Act (FCPA)
• Terrorism: risks arising from intentional destruction or malevolent modification of:
– physical equipment
– data
– software
– network

IT Risk Management

Risk Management

The process in which potential risks to a business are identified, analyzed and mitigated, along with the process of balancing the cost of protecting the company against a risk vs. the cost of exposure to that risk.


Importance of risk management

• Dependence on electronic information and IT systems is essential to support critical business processes. Successful businesses need to better manage the complex technology that is pervasive throughout their organizations in order to respond quickly and safely to business needs. . .

. . . In addition, the regulatory environment is mandating stricter control over information. This, in turn, is driven by increasing disclosures of information system disasters and increasing electronic fraud. The management of IT-related risks is now being understood as a key part of enterprise governance.

Source: IT Governance Institute


Importance of risk management

• One in three senior executives does not have any IT risk management process in place; only half of those who do are confident the processes are strong enough.

• Two out of three executives say their companies do not understand IT-related risks well enough.

Importance of risk management

Need for a risk management framework

• Management needs it to benchmark the existing and planned IT environment
• Users need it so they can be assured that adequate security and control exists
• Auditors are increasingly being called on by management to proactively consult and advise on IT security and control-related matters; without a framework, this is exceedingly difficult

Risk Frameworks

[Figure: Risk Management Model. Steps: Identify, Analyze, Mitigate, Measure. Balance: cost of protection ($$) vs. cost of exposure ($$)]

Risk Frameworks

[Figure: Fidelity’s Risk Cube]

Risk Frameworks

[Figure: the steps Identify, Analyze, Mitigate, Measure shown against the Fidelity Risk Cube labels Risk Awareness, Risk Management, Risk Measurement]

Risk Frameworks

RISK Cube - Key Questions

• R is for Return
– Are we achieving an appropriate return for the risks we take?
• I is for Immunization
– Do we have controls and limits in place to limit downside risk?
• S is for Systems
– Do we have systems in place to measure and report risk?
• K is for Knowledge
– Do we have the right people, skills, culture, and incentives for effective risk management?

Risk Management Approaches

• Interdisciplinary Approach
• Portfolio Approach
• Options Thinking
• Chaos Theory

Risk Management Approaches

• Interdisciplinary Approach
– Applies an integrated assessment of the risks from various groups in a company to determine and assess all dimensions of risks
– This approach is critically important when analyzing cross-functional risks because of the number of different stakeholders involved (e.g., when implementing an ERP system)
• Portfolio Approach
– Treat IT resources such as hardware, software, services and personnel as collection of investments
– Creates mix of low-risk, low-payoff initiatives along with high-risk, high-payoff ones

Risk Management Approaches

• Options Thinking
– Similar to Portfolio Approach
– Uses a financial options approach to create a guide for managing IT investments
  o Allows the business unit to change deals to avoid losses in bad outcomes and enhance gains in good outcomes
– Create risk profile using decision “tree” extending 5 years into future
– Group ends up with many possible outcomes along with probability of each outcome
– At end of each project stage, stakeholders re-evaluate the risks and benefits of continuing or ending the project
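Options thinking as described above can be worked through on a small decision tree. The following is an added example, not part of the original slides: a two-stage project (shorter than the five-year tree the slide mentions) whose stages, costs, payoffs and probabilities are constructed, with the assumption that stopping at a stage gate yields no further cost or payoff.

```python
# Node types (all names and figures are constructed for illustration):
#   ("payoff", value)                      end of project, value realized
#   ("chance", [(prob, label, node), ...]) uncertain outcome of a stage
#   ("gate", stage, cost, node)            stakeholders decide: pay cost and continue, or stop
PROJECT = ("gate", "pilot", 100, ("chance", [
    (0.6, "pilot good", ("gate", "rollout", 300, ("chance", [
        (0.7, "high adoption", ("payoff", 900)),
        (0.3, "low adoption", ("payoff", 200)),
    ]))),
    (0.4, "pilot bad", ("gate", "rollout", 300, ("chance", [
        (0.2, "high adoption", ("payoff", 500)),
        (0.8, "low adoption", ("payoff", 100)),
    ]))),
]))

def evaluate(node, can_stop=True):
    """Expected net value by backward induction over the tree."""
    kind = node[0]
    if kind == "payoff":
        return node[1]
    if kind == "chance":
        return sum(p * evaluate(child, can_stop) for p, _, child in node[1])
    _, _, cost, child = node
    go = evaluate(child, can_stop) - cost
    # With the option, stakeholders stop when continuing has negative expected value.
    return max(go, 0.0) if can_stop else go

def outcomes(node, can_stop=True, prob=1.0, net=0.0, path=()):
    """List (path, probability, net value) for every way the project can end."""
    kind = node[0]
    if kind == "payoff":
        return [(path, prob, net + node[1])]
    if kind == "chance":
        result = []
        for p, label, child in node[1]:
            result += outcomes(child, can_stop, prob * p, net, path + (label,))
        return result
    _, stage, cost, child = node
    if can_stop and evaluate(child, can_stop) - cost < 0:
        # Costs already spent stay in the net value; nothing further is paid or earned.
        return [(path + ("stop before " + stage,), prob, net)]
    return outcomes(child, can_stop, prob, net - cost, path + (stage,))

def option_value(node):
    """What the right to stop at each stage gate is worth in expectation."""
    return evaluate(node, can_stop=True) - evaluate(node, can_stop=False)

if __name__ == "__main__":
    for path, prob, net in outcomes(PROJECT):
        print(f"{prob:.2f}  {net:+.0f}  {' > '.join(path)}")
    print("Committed up front:", evaluate(PROJECT, can_stop=False))
    print("Re-evaluated at each gate:", evaluate(PROJECT))
```

The gap between the two expected values is the value of re-evaluating at the end of each stage: the bad-pilot branch is cut off instead of being funded through rollout.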

Risk Management Approaches

• Chaos Theory
– Utilizes the approach of assuming that over time very small, almost unnoticeable differences can start a chain reaction that will eventually generate big changes
– Projects planned with cutting edge technology should focus on near-term big returns on the investment
– Focus less on ROI (return on investment) and more on what business impact the project will have

Risk vs. Technology Maturity

Impact of Technology Maturity

| Risk | Early Adopter | Mid Adopter | Late Adopter |
|---|---|---|---|
| hands-on implementation experience | little experience / high risk | more experience / mid risk | much experience / low risk |
| vendor survival for project after shake-out | high risk | mid risk | low risk |
| sudden changes in direction of technology | high risk | mid risk | low risk |
| integrating technology with existing portfolio | high risk | mid risk | low risk |

| Benefits | Early Adopter | Mid Adopter | Late Adopter |
|---|---|---|---|
| Period for start of payoff | Short term | Mid term | Long term |
| Size of returns per period | Biggest | Bigger | Big |


Risk Management at Project Level

Steps Taken by Prudent Managers

• List the risks that could occur and when they could occur

• Determine what detection method can alert IS that risk occurred

• Establish detection method

• Estimate each risk’s probability of occurring

• Formulate plans that can mitigate each risk

• Establish teams that will monitor and mitigate the risk

Risk Assessment Example

| Risk category | Description | Probability | Impact | Impact description | Contingency plan |
|---|---|---|---|---|---|
| Schedule | May not hit scheduled conversion date | M | H | Unless everything falls into place, may not hit 7/1 conversion go-live date | Cut scope to increase likelihood of hitting date; if date not hit, continue running old system |


Group Problem

Describe two types of risks giving an example of each that an IS manager should consider when evaluating the options on replacing a legacy system that will no longer correctly process transactions when a new law goes into effect in six months.


Procurement - Process

RFP Process

Objective: Identify best solution to meet stated business need while minimizing cost and risk

1. Pre-RFP
2. RFP
3. Proposal Submissions
4. Proposal Evaluations
5. Vendor Selection
6. Procurement Method
7. ROI Analysis
8. Negotiate Contract


1. Pre-RFP

• Also known as Requirements Definition

• Preliminary analysis for management (not given to vendor)

• Serves as basis for Request for Proposal (RFP) and evaluation criteria

• May be a simple presentation (small firm) or a formal report

• Most important step in the system procurement process


1. Pre-RFP

Steps in the Pre-RFP

• Problem is noticed

• High-level requirements are identified

• Preliminary alternatives proposed

• Request for Information (RFI) issued

– Vendors are called/consultants consulted/research conducted

– Breadth of alternatives is identified

– Vendors identified to participate in future stages

• Ideally, 3-6 vendors found for each alternative

• Collect information from each vendor for the Pre-RFP report to management


1. Pre-RFP

Sections of the Pre-RFP Report

• Problem statement

– Current state

– Gaps

– Risks

• Alternative solutions

• Ratings (of each alternative)

• Range of costs and benefits

• Recommended alternative and rationale


2. RFP

• Blueprint for system functionality

• Confirms in detail the exact requirements stated in both business and technical terms

• Limited distribution (e.g., 3-5 vendors)

– Protect confidentiality

– Keep selection process manageable

2. RFP

Contents of an RFP (see also Assign. 3)

• Business need/Functional requirements
• Statement of Work to be done
– Software characteristics
– Implementation plan
– Training strategy
– Maintenance and support
– Cost budget
• Procedural details
– Form and structure of proposal
– Schedule (meetings, demos, selection)
– Key contacts
• Selection criteria

2. RFP

When should an RFP be used?

• Multiple solutions available that will fit the need
• Multiple vendors can provide the same solution
• Products for the project cannot be clearly specified
• Project requires vendors to combine and subcontract products and services
• Lowest price is not the determining criterion for award
• Final pricing is negotiated with the vendor
• Corporate policy requires it

2. RFP

Advantages of Using an RFP

• RFP team develops better understanding of the project from both a technical and business perspective
• Compels vendors to create competitive solutions
• Does not favor one vendor over another (in theory)
• “Everybody singing from same hymn book”
– vendors working from same set of rules and requirements
• Facilitates evaluation of competitive solutions
– provides a foundation on which to base a more rigorous evaluation of a vendor

2. RFP

Additional points from Assignment 2 papers, past quarters

• Should the purchaser include info on budget? On number of RFPs issued?
• It is recommended that the purchaser provide indicative figures in both instances
• Maximum of five qualified vendors should be invited to submit a proposal
• Presentations/demos only for those making the short list
• Give vendors $$$ to encourage higher-quality submissions


3. Proposal Submissions

• Forums to answer vendor questions (written, oral)

– Vendor conferences before proposal submission

• Response content and format

• Sometimes requires "proof" statements, such as "This feature was implemented 12 months ago and is currently installed at 10 sites. Names and addresses are provided in the reference section."


4. Proposal Evaluations

• Business and Technical Solutions

– Rating scale: (0=unresponsive, . . ., 5=exceptional)

• Vendor qualifications (site visits, reference checks)

• Preliminary cost, value, and risk analysis

• Cost proposal may be a separate document from technical proposal

• Vendor demo

• Personnel assignment

• May be a two-stage process, with only a “short list” of 2-3 vendors doing demos and making “best and final” offers

• Question: Who are the key stakeholders in this process?

4. Proposal Evaluations

In selecting a vendor, there are major management and technical considerations

Management considerations

• Ability and track record of vendor to meet schedule and budget commitments?
• Satisfaction levels of vendor’s current customers, particularly long-term customers?
• Vendor’s project management capabilities, including estimation, project planning, project tracking, and project control?
• Vendor’s ability to protect your confidential information?
• Vendor’s track record for providing support?
• Any litigation pending against vendor?
• Is the vendor financially stable?

4. Proposal Evaluations

In selecting a vendor, there are major management and technical considerations (cont.)

Technical considerations

• Ability and track record of vendor to meet technical challenges of project?
• Evaluation of vendor’s development capability (both work products and development processes)?
• Level of vendor’s expertise in your industry (e.g., Financial Services)? In this application area (e.g., CRM)?
• Level of vendor’s expertise with the development and execution environments for the system?
• Quality of vendor’s past work? Are metrics available?


End of slides