The vast majority of the population associates Blockchain with cryptocurrency Bitcoin; however, there are many other uses of blockchain; such as Litecoin, Ether, and other currencies. In this discussion, please describe at least two cryptocurrencies with applicable examples. Discuss some similarities and differences. Lastly, discuss if you have any experience using any cryptocurrencies.
Note:
Need 400 words.
attached material
bgloss.indd 312 11/26/2015 7:40:39 PM
Managing and Using
Information Systems
A STRATEGIC APPROACH
Sixth Edition
Keri E. Pearlson
KP Partners
Carol S. Saunders
W.A. Franke College of Business
Northern Arizona University
Dr. Theo and Friedl Schoeller Research Center for Business and Society
Dennis F. Galletta
Katz Graduate School of Business
University of Pittsburgh, Pittsburgh, PA
ffirs.indd 1 12/1/2015 12:34:39 PM
VICE PRESIDENT & DIRECTOR George Hoffman
EXECUTIVE EDITOR Lise Johnson
DEVELOPMENT EDITOR Jennifer Manias
ASSOCIATE DEVELOPMENT EDITOR Kyla Buckingham
SENIOR PRODUCT DESIGNER Allison Morris
MARKET SOLUTIONS ASSISTANT Amanda Dallas
SENIOR DIRECTOR Don Fowley
PROJECT MANAGER Gladys Soto
PROJECT SPECIALIST Nichole Urban
PROJECT ASSISTANT Anna Melhorn
EXECUTIVE MARKETING MANAGER Christopher DeJohn
ASSISTANT MARKETING MANAGER Puja Katariwala
ASSOCIATE DIRECTOR Kevin Holm
SENIOR CONTENT SPECIALIST Nicole Repasky
PRODUCTION EDITOR Loganathan Kandan
This book was set in 10/12 Times Roman by SPi Global and printed and bound by Courier Kendallville.
This book is printed on acid free paper.
Founded in 1807, John Wiley & Sons, Inc. has been a valued source of knowledge and understanding for more than 200 years, helping people
around the world meet their needs and fulfill their aspirations. Our company is built on a foundation of principles that include responsibility to
the communities we serve and where we live and work. In 2008, we launched a Corporate Citizenship Initiative, a global effort to address the
environmental, social, economic, and ethical challenges we face in our business. Among the issues we are addressing are carbon impact, paper
specifications and procurement, ethical conduct within our business and among our vendors, and community and charitable support. For more
information, please visit our website: www.wiley.com/go/citizenship.
Copyright © 2016, 2013, 2010, 2006, 2004, 2001 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be repro-
duced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission
of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood
Drive, Danvers, MA 01923 (Web site: www.copyright.com). Requests to the Publisher for permission should be addressed to the Permissions
Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030‐5774, (201) 748‐6011, fax (201) 748‐6008, or online at: www.
wiley.com/go/permissions.
Evaluation copies are provided to qualified academics and professionals for review purposes only, for use in their courses during the next
academic year. These copies are licensed and may not be sold or transferred to a third party. Upon completion of the review period, please
return the evaluation copy to Wiley. Return instructions and a free of charge return shipping label are available at: www.wiley.com/go/
returnlabel. If you have chosen to adopt this textbook for use in your course, please accept this book as your complimentary desk copy.
Outside of the United States, please contact your local sales representative.
ISBN: 978-1-119-24428-8 (BRV)
ISBN: 978-1-119-24807-1 (EVALC)
Library of Congress Cataloging-in-Publication Data
Names: Pearlson, Keri E. | Saunders, Carol S. | Galletta, Dennis F.
Title: Managing and using information systems: a strategic approach / Keri
E. Pearlson, Carol S. Saunders, Dennis F. Galletta.
Description: 6th edition. | Hoboken, NJ : John Wiley & Sons, Inc., [2015] |
Includes index.
Identifiers: LCCN 2015041210 (print) | LCCN 2015041579 (ebook) | ISBN 9781119244288 (loose-leaf : alk. paper) |
ISBN 9781119255208 (pdf) | ISBN 9781119255246 (epub)
Subjects: LCSH: Knowledge management. | Information technology—Management. |
Management information systems. | Electronic commerce.
Classification: LCC HD30.2 .P4 2015 (print) | LCC HD30.2 (ebook) | DDC 658.4/038011—dc23
LC record available at http://lccn.loc.gov/2015041210
Printing identification and country of origin will either be included on this page and/or the end of the book. In addition, if the ISBN on this
page and the back cover do not match, the ISBN on the back cover should be considered the correct ISBN.
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
ffirs.indd 2 12/1/2015 12:34:39 PM
http://www.wiley.com/go/citizenship
http://www.copyright.com
http://www.wiley.com/go/permissions
http://www.wiley.com/go/permissions
http://www.wiley.com/go/returnlabel
http://lccn.loc.gov/2015041210
To Yale & Hana
To Rusty, Russell, Janel & Kristin
To Carole, Christy, Lauren, Matt, Gracie, and Jacob
ffirs.indd 3 12/1/2015 12:34:39 PM
iv
Information technology and business are becoming inextricably interwoven. I don ’ t think anybody can talk
meaningfully about one without the talking about the other.
Bill Gates
Microsoft 1
I ’ m not hiring MBA students for the technology you learn while in school, but for your ability to learn about, use
and subsequently manage new technologies when you get out .
IT Executive
Federal Express 2
Give me a ! sh and I eat for a day; teach me to ! sh and I eat for a lifetime .
Proverb
Managers do not have the luxury of abdicating participation in decisions regarding information systems (IS).
Managers who choose to do so risk limiting their future business options. IS are at the heart of virtually every
business interaction, process, and decision, especially when the vast penetration of the Web over the last 20 years
is considered. Mobile and social technologies have brought IS to an entirely new level within ” rms and between
individuals in their personal lives. Managers who let someone else make decisions about their IS are letting
someone else make decisions about the very foundation of their business. This is a textbook about managing and
using information written for current and future managers as a way to introduce the broader implications of the
impact of IS.
The goal of this book is to assist managers in becoming knowledgeable participants in IS decisions. Becoming
a knowledgeable participant means learning the basics and feeling comfortable enough to ask questions. It does
not mean having all the answers or having a deep understanding of all the technologies out in the world today. No
text will provide managers everything they need to know to make important IS decisions. Some texts instruct on
the basic technical background of IS. Others discuss applications and their life cycles. Some take a comprehensive
view of the management information systems (MIS) ” eld and offer readers snapshots of current systems along with
chapters describing how those technologies are designed, used, and integrated into business life.
This book takes a different approach. It is intended to provide the reader a foundation of basic concepts relevant
to using and managing information. This text is not intended to provide a comprehensive treatment on any one
aspect of MIS, for certainly each aspect is itself a topic of many books. This text is not intended to provide readers
enough technological knowledge to make them MIS experts. It is not intended to be a source of discussion of any
particular technology. This text is written to help managers begin to form a point of view of how IS will help or
hinder their organizations and create opportunities for them.
The idea for this text grew out of discussions with colleagues in the MIS area. Many faculties use a series of
case studies, trade and popular press readings, and Web sites to teach their MIS courses. Others simply rely on one
of the classic texts, which include dozens of pages of diagrams, frameworks, and technologies. The initial idea for
this text emerged from a core MIS course taught at the business school at the University of Texas at Austin. That
course was considered an “appetizer” course—a brief introduction into the world of MIS for MBA students. The
course had two main topics: using information and managing information. At the time, there was no text like this
Preface
1 Bill Gates, Business @ the Speed of Thought. New York: Warner Books, Inc. 1999.
2 Source: Private conversation with one of the authors.
fpref.indd 4 11/27/2015 4:21:12 PM
vPreface
one; hence, students had to purchase thick reading packets made up of articles and case studies to provide them the
basic concepts. The course was structured to provide general MBA students enough knowledge of the MIS “eld so
that they could recognize opportunities to use the rapidly changing technologies available to them. The course was
an appetizer to the menu of specialty courses, each of which went much more deeply into the various topics. But
completion of the appetizer course meant that students were able to feel comfortable listening to, contributing to,
and ultimately participating in IS decisions.
Today, many students are digital natives—people who have grown up using information technologies (IT) all
of their lives. That means that students come to their courses with signi”cantly more knowledge about things such
as tablets, apps, personal computers, smartphones, texting, the Web, social networking, “le downloading, online
purchasing, and social media than their counterparts in school just a few years ago. This is a signi”cant trend
that is projected to continue; students will be increasingly knowledgeable the personal use of technologies. That
knowledge has begun to change the corporate environment. Today’s digital natives expect to “nd in corporations
IS that provide at least the functionality they have at home. At the same time, these users expect to be able to work
in ways that take advantage of the technologies they have grown to depend on for social interaction, collaboration,
and innovation. We believe that the basic foundation is still needed for managing and using IS, but we understand
that the assumptions and knowledge base of today’s students is signi”cantly different.
Also different today is the vast amount of information amassed by “rms, sometimes called the “big data” prob-
lem. Organizations have “gured out that there is an enormous amount of data around their processes, their interac-
tions with customers, their products, and their suppliers. These organizations also recognize that with the increase
in communities and social interactions on the Web, there is additional pressure to collect and analyze vast amounts
of unstructured information contained in these conversations to identify trends, needs, and projections. We believe
that today’s managers face an increasing amount of pressure to understand what is being said by those inside and
outside their corporations and to join those conversations reasonably and responsibly. That is signi”cantly different
from just a few years ago.
This book includes an introduction, 13 chapters of text and mini cases, and a set of case studies, supplemental
readings, and teaching support on a community hub at http://pearlsonandsaunders.com. The Hub provides faculty
members who adopt the text additional resources organized by chapter, including recent news items with teaching
suggestions, videos with usage suggestions, blog posts and discussions from the community, class activities, addi-
tional cases, cartoons, and more. Supplemental materials, including longer cases from all over the globe, can be
found on the Web. Please visit http://www.wiley.com/college/pearlson or the Hub for more information.
The introduction to this text defends the argument presented in this preface that managers must be knowledge-
able participants in making IS decisions. The “rst few chapters build a basic framework of relationships among
business strategy, IS strategy, and organizational strategy and explore the links among them. The strategy chapters
are followed by ones on work design and business processes that discuss the use of IS. General managers also need
some foundation on how IT is managed if they are to successfully discuss their next business needs with IT pro-
fessionals who can help them. Therefore, the remaining chapters describe the basics of information architecture
and infrastructure, IT security, the business of IT, the governance of the IS organization, IS sourcing, project
management, business analytics, and relevant ethical issues.
Given the acceleration of security breaches, readers will “nd a new chapter on IS security in this sixth edition of
the text. Also, the material on analytics and “big data” has been extensively updated to re#ect the growing impor-
tance of the topic. Further, the chapter on work design has been reorganized and extensively revised. Each of the
other chapters has been revised with newer concepts added, discussions of more current topics #eshed out, and old,
outdated topics removed or at least their discussion shortened.
Similar to the “fth edition, every chapter begins with a navigation “box” to help the reader understand the #ow
and key topics of the chapter. Further, most chapters continue to have a Social Business Lens or a Geographic Lens
feature. The Social Business Lens feature re#ects on an issue related to the chapter’s main topic but is enabled by or
fundamental to using social technologies in the enterprise. The Geographic Lens feature offers a single idea about
a global issue related to the chapter’s main topic.
No text in the “eld of MIS is completely current. The process of writing the text coupled with the publication
process makes a book somewhat out‐of‐date prior to delivery to its audience. With that in mind, this text is written
fpref.indd 5 11/27/2015 4:21:12 PM
http://pearlsonandsaunders.com
http://www.wiley.com/college/pearlson
vi Preface
to summarize the “timeless” elements of using and managing information. Although this text is complete in and
of itself, learning is enhanced by combining the chapters with the most current readings and cases. Faculty are
encouraged to read the news items on the faculty Hub before each class in case one might be relevant to the topic of
the day. Students are encouraged to search the Web for examples related to topics and current events and bring them
into the discussions of the issues at hand. The format of each chapter begins with a navigational guide, a short case
study, and the basic language for a set of important management issues. These are followed by a set of managerial
concerns related to the topic. The chapter concludes with a summary, key terms, a set of discussion questions, and
case studies.
Who should read this book? General managers interested in participating in IS decisions will “nd this a good
reference resource for the language and concepts of IS. Managers in the IS “eld will “nd the book a good resource
for beginning to understand the general manager’s view of how IS affect business decisions. And IS students will
be able to use the book’s readings and concepts as the beginning in their journey to become informed and success-
ful businesspeople.
The information revolution is here. Where do you “t in?
Keri E. Pearlson, Carol S. Saunders, and Dennis F. Galletta
fpref.indd 6 11/27/2015 4:21:12 PM
vii
Books of this nature are written only with the support of many individuals. We would like to personally thank
several individuals who helped with this text. Although we ’ ve made every attempt to include everyone who helped
make this book a reality, there is always the possibility of unintentionally leaving some out. We apologize in
advance if that is the case here.
Thank you goes to Dr. William Turner of LeftFour , in Austin, Texas, for help with the infrastructure and
architecture concepts and to Alan Shimel, Editor‐in‐Chief at DevOps.com for initial ideas for the new security
chapter.
We also want to acknowledge and thank pbwiki.com. Without its incredible and free wiki, we would have been
relegated to e‐mailing drafts of chapters back and forth, or saving countless ” les in an external drop box without
any opportunity to include explanations or status messages. For this edition, as with earlier editions, we wanted to
use Web 2.0 tools as we wrote about them. We found that having used the wiki for our previous editions, we were
able to get up and running much faster than if we had to start over without the platform.
We have been blessed with the help of our colleagues in this and in previous editions of the book. They
helped us by writing cases and reviewing the text. Our thanks continue to go out to Jonathan Trower, Espen
Andersen, Janis Gogan, Ashok Rho, Yvonne Lederer Antonucci, E. Jose Proenca, Bruce Rollier, Dave Oliver, Celia
Romm, Ed Watson, D. Guiter, S. Vaught, Kala Saravanamuthu, Ron Murch, John Greenwod, Tom Rohleder, Sam
Lubbe, Thomas Kern, Mark Dekker, Anne Rutkowski, Kathy Hurtt, Kay Nelson, Janice Sipior, Craig Tidwell, and
John Butler. Although we cannot thank them by name, we also greatly appreciate the comments of the anonymous
reviewers who have made a mark on this edition.
The book would not have been started were it not for the initial suggestion of a wonderful editor in 1999 at John
Wiley & Sons, Beth Lang Golub. Her persistence and patience helped shepherd this book through many previous
editions. We also appreciate the help of our current editor, Lise Johnson. Special thanks go to Jane Miller, Gladys
Soto, Loganathan Kandan, and the conscientious JaNoel Lowe who very patiently helped us through the revision
process. We also appreciate the help of all the staff at Wiley who have made this edition a reality.
We would be remiss if we did not also thank Lars Linden for the work he has done on the Pearlson and Saunders
Faculty Hub for this book. Our vision included a Web‐based community for discussing teaching ideas and post-
ing current articles that supplement this text. Lars made that vision into a reality starting with the last edition and
continuing through the present. Thank you, Lars!
From Keri: Thank you to my husband, Yale, and my daughter, Hana, a business and computer science student at
Tulane University. Writing a book like this happens in the white space of our lives—the time in between everything
else going on. This edition came due at a particularly frenetic time, but they listened to ideas, made suggestions, and
celebrated the book ’ s completion with us. I know how lucky I am to have this family. I love you guys!
From Carol: I would like to thank the Dr. Theo and Friedl Schoeller Research Center of Business and Society for
their generous support of my research. Rusty, thank you for being my compass and my release valve. I couldn ’ t do
it without you. Paraphrasing the words of an Alan Jackson song (“Work in Progress”): I may not be what you want
me to be, but I ’ m trying really hard. Just be patient because I ’ m a work in progress. I love you, Kristin, Russell,
and Janel very much!
From Dennis: Thanks to my terri” c family: my wife Carole, my daughters Christy and Lauren, and my grand-
daughter Gracie. Also thanks to Matt and Jacob, two lovable guys who take wonderful care of my daughters. Finally,
thanks to our parents and sisters ’ families. We are also blessed with a large number of great, caring neighbors whom
we see quite often. I love you all, and you make it all worthwhile!
Acknowledgments
fack.indd 7 11/27/2015 4:24:53 PM
viii
Dr. Keri E. Pearlson is President of KP Partners , an advisory services ” rm working with business leaders on issues
related to the strategic use of information systems (IS) and organizational design. She is an entrepreneur, teacher,
researcher, consultant, and thought leader. Dr. Pearlson has held various positions in academia and industry. She
has been a member of the faculty at the Graduate School of Business at the University of Texas at Austin where she
taught management IS courses to MBAs and executives and at Babson College where she helped design the popular
IS course for the Fast Track MBA program. Dr. Pearlson has held positions at the Harvard Business School, CSC,
nGenera (formerly the Concours Group), AT&T , and Hughes Aircraft Company . While writing this edition, she was
the Research Director for the Analytics Leadership Consortium at the International Institute of Analytics and was
named the Leader of the Year by the national Society of Information Management (SIM) 2014.
Dr. Pearlson is coauthor of Zero Time: Providing Instant Customer Value—Every Time, All the Time (John
Wiley, 2000). Her work has been published in numerous places including Sloan Management Review, Academy
of Management Executive, and Information Resources Management Journal . Many of her case studies have been
published by Harvard Business Publishing and are used all over the world. She currently writes a blog on issues at
the intersection of IT and business strategy. It ’ s available at www.kppartners.com.
Dr. Pearlson holds a Doctorate in Business Administration (DBA) in Management Information Systems from
the Harvard Business School and both a Master ’ s Degree in Industrial Engineering Management and a Bachelor ’ s
Degree in Applied Mathematics from Stanford University.
Dr. Carol S. Saunders is Research Professor at the W. A. Franke College of Business, Northern Arizona
University in Flagstaff, Arizona, and is a Schoeller Senior Fellow at the Friedrich‐Alexander University of
Erlangen‐Nuremberg, Germany. She served as General Conference Chair of the International Conference on
Information Systems (ICIS) in 1999 and as Program Co‐Chair of the Americas Conference of Information
Systems (AMCIS) in 2015. Dr. Saunders was the Chair of the ICIS Executive Committee in 2000. For three
years, she served as Editor‐in‐Chief of MIS Quarterly . She is currently on the editorial boards of Journal
of Strategic Information Systems and Organization Science and serves on the advisory board of Business &
Information Systems Engineering. Dr. Saunders has been recognized for her lifetime achievements by the
Association of Information Systems (AIS) with a LEO award and by the Organizational Communication and
Information Systems Division of the Academy of Management. She is a Fellow of the AIS.
Dr. Saunders ’ current research interests include the impact of IS on power and communication, overload,
virtual teams, time, sourcing, and interorganizational linkages. Her research is published in a number of journals
including MIS Quarterly, Information Systems Research, Journal of MIS, Communications of the ACM, Journal
of Strategic Information Systems, Journal of the AIS, Academy of Management Journal, Academy of Management
Review, Communications Research , and Organization Science .
Dr. Dennis F. Galletta is Professor of Business Administration at the Katz Graduate School of Business,
University of Pittsburgh in Pennsylvania. He is also the Director of the Katz School ’ s doctoral program and has
taught IS Management graduate courses in Harvard ’ s summer program each year since 2009. He obtained his
doctorate from the University of Minnesota in 1985 and is a Certi” ed Public Accountant. Dr. Galletta served as
President of the Association of Information Systems (AIS) in 2007. Like Dr. Saunders, he is both a Fellow of
the AIS and has won a LEO lifetime achievement award. He was a member of the AIS Council for ” ve years.
He also served in leadership roles for the International Conference on Information Systems (ICIS): Program
Co‐Chair in 2005 (Las Vegas) and Conference Co‐Chair in 2011 (Shanghai); as Program Co‐Chair for the
About the Authors
fabout.indd 8 11/27/2015 4:25:42 PM
http://www.kppartners.com
ixAbout the Authors
Americas Conference on Information Systems (AMCIS) in 2003 (Tampa, Florida) and Inaugural Conference
Chair in 1995 (Pittsburgh). The Pittsburgh conference had several “”rsts” for an IS conference, including the “rst
on‐line submissions, reviews, conference registration and payment, placement service, and storage of all papers
in advance on a website. Dr. Galletta served as ICIS Treasurer from 1994 to 1998 and Chair of the ICIS Execu-
tive Committee in 2012. He taught IS courses on the Fall 1999 Semester at Sea voyage (Institute for Shipboard
Education) and established the concept of Special Interest Groups in AIS in 2000. In 2014, he won an Emerald
Citation of Excellence for a co‐authored article that reached the top 50 in citations and ratings from the “elds of
management, business, and economics.
Dr. Galletta’s current research addresses online and mobile usability and behavioral security issues such as
phishing, protection motivation, and antecedents of security‐related decision making. He has published his research
in journals such as Management Science; MIS Quarterly; Information Systems Research; Journal of MIS; European
Journal of Information Systems; Journal of the AIS; Communications of the ACM; Accounting, Management, and
Information Technologies; Data Base; and Decision Sciences and in proceedings of conferences such as ICIS,
AMCIS, and the Hawaii International Conference on Systems Sciences. Dr. Galletta’s editorship includes working
as current and founding Coeditor in Chief for AIS Transactions on Human‐Computer Interaction and on editorial
boards at journals such as MIS Quarterly, Information Systems Research, Journal of MIS, and Journal of the AIS.
He is currently on the Pre‐eminent Scholars Board of Data Base. He won a Developmental Associate Editor Award
at the MIS Quarterly in 2006. And during the off‐hours, Dr. Galletta’s fervent hobby and obsession is digital pho-
tography, often squinting through his eyepiece to make portrait, macro, Milky Way, and lightning photos when he
should be writing.
fabout.indd 9 11/27/2015 4:25:42 PM
x
Contents
Preface iv
Acknowledgments vii
About the Authors viii
Introduction 1
The Case for Participating in Decisions about Information Systems 2
What If a Manager Doesn’t Participate? 5
Skills Needed to Participate Effectively in Information Technology Decisions 6
Basic Assumptions 8
Economics of Information versus Economics of Things 12
Social Business Lens 14
Summary 15
Key Terms 16
1 The Information Systems Strategy Triangle 17
Brief Overview of Business Strategy Frameworks 19
Business Models versus Business Strategy 21
Brief Overview of Organizational Strategies 25
Brief Overview of Information Systems Strategy 26
Social Business Lens: Building a Social Business Strategy 27
Summary 28
Key Terms 29
Discussion Questions 29
Case Study 1‐1 Lego 30
Case Study 1‐2 Google 31
2 Strategic Use of Information Resources 33
Evolution of Information Resources 34
Information Resources as Strategic Tools 36
How Can Information Resources Be Used Strategically? 37
Sustaining Competitive Advantage 43
Social Business Lens: Social Capital 47
Strategic Alliances 47
Risks 49
Geographic Box: Mobile‐Only Internet Users Dominate Emerging Countries 50
Co‐Creating IT and Business Strategy 50
ftoc.indd 10 11/27/2015 8:36:37 PM
xiContents
Summary 51
Key Terms 51
Discussion Questions 51
Case Study 2‐1 Groupon 52
Case Study 2‐2 Zipcar 53
3 Organizational Strategy and Information Systems 55
Information Systems and Organizational Design 58
Social Business Lens: Social Networks 63
Information Systems and Management Control Systems 63
Information Systems and Culture 66
Geographic Lens: Does National Culture Affect Firm Investment in IS Training? 70
Summary 71
Key Terms 71
Discussion Questions 71
Case Study 3‐1 The Merger of Airtran by Southwest Airlines: Will the Organizational Cultures Merge? 72
Case Study 3‐2 The FBI 73
4 Digital Systems and the Design of Work 75
Work Design Framework 77
How Information Technology Changes the Nature of Work 78
Social Business Lens: Activity Streams 84
Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements 86
Geographic Lens: How Do People Around the World Feel About Working Remotely? 88
Geographic Lens: Who Telecommutes? A Look at Global Telecommuting Habits 89
Gaining Acceptance for IT‐Induced Change 94
Summary 96
Key Terms 97
Discussion Questions 97
Case Study 4‐1 Trash and Waste Pickup Services, Inc. 97
Case Study 4‐2 Social Networking: How Does IBM Do It? 98
5 Information Systems and Business Transformation 99
Silo Perspective versus Business Process Perspective 100
Building Agile and Dynamic Business Processes 104
Changing Business Processes 105
Workflow and Mapping Processes 107
Integration versus Standardization 109
Enterprise Systems 110
Geographic Lens: Global vs. Local ERPs 113
Social Business Lens: Crowdsourcing Changes Innovation Processes 118
Summary 119
Key Terms 120
ftoc.indd 11 11/27/2015 8:36:37 PM
xii Contents
Discussion Questions 120
Case Study 5‐1 Santa Cruz Bicycles 121
Case Study 5‐2 Boeing 787 Dreamliner 122
6 Architecture and Infrastructure 124
From Vision to Implementation 125
The Leap from Strategy to Architecture to Infrastructure 126
From Strategy to Architecture to Infrastructure: An Example 133
Architectural Principles 135
Enterprise Architecture 136
Virtualization and Cloud Computing 137
Other Managerial Considerations 139
Social Business Lens: Building Social Mobile Applications 143
Summary 144
Key Terms 144
Discussion Questions 145
Case Study 6‐1 Enterprise Architecture at American Express 145
Case Study 6‐2 The Case of Extreme Scientists 146
7 Security 147
IT Security Decision Framework 149
Breaches and How They Occurred 151
The Impossibility of 100% Security 154
What Should Management Do? 155
Summary 162
Key Terms 163
Discussion Questions 163
Case Study 7-1 The Aircraft Communications Addressing and Reporting System (ACARS) 163
Case Study 7-2 Sony Pictures: The Criminals Won 164
8 The Business of Information Technology 165
Organizing to Respond to Business: A Maturity Model 167
Understanding the IT Organization 168
What a Manager Can Expect from the IT Organization 168
What the IT Organization Does Not Do 170
Chief Information Officer 171
Building a Business Case 173
IT Portfolio Management 175
Valuing IT Investments 176
Monitoring IT Investments 177
Funding IT Resources 182
How Much Does IT Cost? 184
Summary 187
ftoc.indd 12 11/30/2015 7:27:16 PM
xiiiContents
Key Terms 188
Discussion Questions 188
Case Study 8‐1 KLM Airlines 189
Case Study 8‐2 Balanced Scorecards at BIOCO 190
9 Governance of the Information Systems Organization 191
IT Governance 192
Decision‐Making Mechanisms 199
Governance Frameworks for Control Decisions 200
Social Business Lens: Governing the Content 204
Summary 205
Key Terms 205
Discussion Questions 205
Case Study 9‐1 IT Governance at University of the Southeast 205
Case Study 9‐2 The “MyJohnDeere” Platform 207
10 Information Systems Sourcing 208
Sourcing Decision Cycle Framework 209
Social Business Lens: Crowdsourcing 214
Geographic Lens: Corporate Social Responsibility 220
Outsourcing in the Broader Context 224
Summary 225
Key Terms 225
Discussion Questions 225
Case Study 10‐1 Crowdsourcing at AOL 225
Case Study 10‐2 Altia Business Park 226
11 Managing IT Projects 228
What Defines a Project? 230
What Is Project Management? 231
Organizing for Project Management 232
Project Elements 233
IT Projects 239
IT Project Development Methodologies and Approaches 240
Social Business Lens: Mashups 247
Managing IT Project Risk 247
Summary 253
Key Terms 254
Discussion Questions 254
Case Study 11‐1 Implementing Enterprise Change Management at Southern Company 254
Case Study 11‐2 Dealing with Traffic Jams in London 255
ftoc.indd 13 11/27/2015 8:36:37 PM
xiv Contents
12 Business Intelligence, Knowledge Management, and Analytics 258
Competing with Business Analytics 259
Knowledge Management, Business Intelligence, and Business Analytics 260
Data, Information, and Knowledge 261
Knowledge Management Processes 264
Business Intelligence 264
Components of Business Analytics 265
Big Data 268
Social Media Analytics 269
Social Business Lens: Personalization and Real‐Time Data Streams 271
Geographic Lens: When Two National Views of Intellectual Property Collide 272
Caveats for Managing Knowledge and Business Intelligence 274
Summary 274
Key Terms 275
Discussion Questions 275
Case Study 12‐1 Stop & Shop’s Scan It! App 275
Case Study 12‐2 Business Intelligence at CKE Restaurants 276
13 Privacy and Ethical Considerations in Information Management 278
Responsible Computing 280
Corporate Social Responsibility 283
PAPA: Privacy, Accuracy, Property, and Accessibility 284
Social Business Lens: Personal Data 289
Geographic Lens: Should Subcultures Be Taken into Account When Trying to Understand National
Attitudes Toward Information Ethics? 292
Green Computing 292
Summary 293
Key Terms 294
Discussion Questions 294
Case Study 13‐1 Ethical Decision Making 295
Case Study 13‐2 Midwest Family Mutual Goes Green 297
Glossary 299
Index 313
ftoc.indd 14 11/27/2015 8:36:37 PM
1
Introduction
Why do managers need to understand and participate in the information systems decisions of their
organizations? After all, most corporations maintain entire departments dedicated to the management
of information systems (IS). These departments are staffed with highly skilled professionals devoted
to the ” eld of technology. Shouldn’t managers rely on experts to analyze all the aspects of IS and
to make the best decisions for the organization? The answer to that question is an emphatic “no.”
Managing information is a critical skill for success in today ’ s business environment. All decisions
made by companies involve, at some level, the management and use of IS and the interpretation of
data from the business and its environment. Managers today need to know about their organization ’ s
capabilities and uses of information as much as they need to understand how to obtain and budget
” nancial resources. The ubiquity of personal devices such as smart phones, laptops, and tablets and
of access to apps within corporations and externally over the Internet, highlights this fact. Today ’ s
technologies form the backbone for virtually all business models. This backbone easily crosses
oceans, adding the need for a global competency to the manager ’ s skill set. Further, the proliferation
of supply chain partnerships and the vast amount of technology available to individuals outside of
the corporation have extended the urgent need for business managers to be involved in information
systems decisions. In addition, the availability of seemingly free (or at least very inexpensive) appli-
cations, collaboration tools, and innovation engines in the consumer arena has put powerful tools in
everyone ’ s hands, increasing the dif” culty of ensuring that corporate systems are robust, secure, and
protected. A manager who doesn ’ t understand the basics of managing and using information can ’ t
be successful in this business environment.
The majority of U.S. adults own a smart phone and access online apps. According to the Pew
Research Center , in 2014, 90% of U.S. adults had a cell phone of some kind, and 87% of American
adults used the Internet. 1 Essentially the use of these types of devices implies that individuals now
manage a “personal IS” and make decisions about usage, data, and applications. Doesn ’ t that give
them insight into managing information systems in corporations? Students often think they are
experts in corporate IS because of their personal experience with technology. Although there is some
truth in that perspective, it ’ s a very dangerous perspective for managers to take. Certainly knowing
about interesting apps, being able to use a variety of technologies for different personal purposes,
and being familiar with the ups and downs of networking for their personal information systems pro-
vide some experience that is useful in the corporate setting. But in a corporate setting, information
systems must be enterprise‐ready. They must be scalable for a large number of employees; they
must be delivered in an appropriate manner for the enterprise; they must be managed with corpo-
rate guidelines and appropriate governmental regulations in mind. Issues like security, privacy, risk,
support, and architecture take on a new meaning within an enterprise, and someone has to manage
them. Enterprise‐level management and use of information systems require a unique perspective and
a different skill set.
1 Internet Use and Cell Phone Demographics, http://www.pewinternet.org/data‐trend/internet‐use/internet‐use‐over‐time (accessed
August 18, 2015).
cintro.indd 1 11/26/2015 7:38:29 PM
http://www.pewinternet.org/data%E2%80%90trend/internet%E2%80%90use/internet%E2%80%90use%E2%80%90over%E2%80%90time
2 Introduction
Consider the now‐historic rise of companies such as Amazon.com, Google, and Zappos. Amazon.com began as
an online bookseller and rapidly outpaced traditional brick‐and‐mortar businesses like Barnes and Noble, Borders,
and Waterstones. Management at the traditional companies responded by having their IS support personnel build
Web sites to compete. But upstart Amazon.com moved ahead, keeping its leadership position on the Web by lever-
aging its business model into other marketplaces, such as music, electronics, health and beauty products, lawn and
garden products, auctions, tools and hardware, and more. It cleared the pro”tability hurdle by achieving a good
mix of IS and business basics: capitalizing on operational ef”ciencies derived from inventory software and smarter
storage, cost cutting, and effectively partnering with such companies as Toys “R” Us Inc. and Target Corporation.2
More recently, Amazon.com changed the basis of competition in another market, but this time it was the Web ser-
vices business. Amazon.com Web services offers clients the extensive technology platform used for Amazon.com
but in an on‐demand fashion for developing and running the client’s own applications. Shoe retailer Zappos.com
challenged Amazon’s business model, in part by coupling a social business strategy with exemplary service and
sales. It was so successful that Amazon.com bought Zappos.
Likewise, Google built a business that is revolutionizing the way information is found. Google began in 1999
as a basic search company but its managers quickly learned that its unique business model could be leveraged
for future success in seemingly unrelated areas. The company changed the way people think about Web content
by making it available in a searchable format with an incredibly fast response time and in a host of languages.
Further, Google’s keyword‐targeted advertising program revolutionized the way companies advertise. Then Google
expanded, offering a suite of Web‐based applications, such as calendaring, of”ce tools, e‐mail, collaboration,
shopping, and maps and then enhanced the applications further by combining them with social tools to increase
collaboration. Google Drive is one of the most popular “le‐sharing tools and Gmail one of the most popular email
apps. In 2015, Google’s mission was to “organize the world’s information and make it universally accessible and
useful.” It is offering its customers very inexpensive “ber connections. In so doing, Google further expanded into
infrastructure and on‐demand services.3
These and other online businesses are able to succeed where traditional companies have not, in part because their
management understood the power of information, IS, and the Web. These exemplary online businesses aren’t suc-
ceeding because their managers could build Web pages or assemble an IS network. Rather, the executives in these
new businesses understand the fundamentals of managing and using information and can marry that knowledge
with a sound, unique business vision to dominate their intended market spaces.
The goal of this book is to provide the foundation to help the general business manager become a knowledge-
able participant in IS decisions because any IS decision in which the manager doesn’t participate can greatly affect
the organization’s ability to succeed in the future. This introduction outlines the fundamental reasons for taking the
initiative to participate in IS decisions. Moreover, because effective participation requires a unique set of manage-
rial skills, this introduction identi”es the most important ones. These skills are helpful for making both IS decisions
and all business decisions. We describe how managers should participate in the decision‐making process. Finally,
this introduction presents relevant models for understanding the nature of business and information systems. These
models provide a framework for the discussions that follow in subsequent chapters.
The Case for Participating in Decisions about Information Systems
In today’s business environment, maintaining a back‐of”ce view of technology is certain to cost market share and
could ultimately lead to the failure of the organization. Managers who claim ignorance of IS can damage their
reputation. Technology has become entwined with all the classic functions of business—operations, marketing,
accounting, “nance—to such an extent that understanding its role is necessary for making intelligent and effec-
tive decisions about any of them. Furthermore, a general understanding of key IS concepts is possible without the
extensive technological knowledge required just a few years ago. Most managers today have personal technology
2 Robert Hof, “How Amazon Cleared the Profitability Hurdle” (February 4, 2002), http://www.bloomberg.com/bw/stories/2002-02-03/how-amazon-
cleared-the-profitability-hurdle (accessed on October 29, 2015).
3 For more information on the latest services by these two companies, see http://aws.amazon.com/ec2 and http://www.google.com/enterprise/cloud/.
cintro.indd 2 11/26/2015 7:38:29 PM
http://www.bloomberg.com/bw/stories/2002-02-03/how-amazon-cleared-the-profitability-hurdle
http://www.bloomberg.com/bw/stories/2002-02-03/how-amazon-cleared-the-profitability-hurdle
http://www.bloomberg.com/bw/stories/2002-02-03/how-amazon-cleared-the-profitability-hurdle
http://aws.amazon.com/ec2
http://www.google.com/enterprise/cloud
3The Case for Participating in Decisions about Information Systems
such as a smart phone or tablet that is more functional than many corporate‐supported personal computers provided
by enterprises just a few years ago. In fact, the proliferation of personal technologies makes everyone a “pseudo‐
expert.” Each individual must manage applications on smart phones, make decisions about applications to purchase,
and procure technical support when the systems fail. Finally, with the robust number of consumer applications
available on the Web, many decisions historically made by the IS group are increasingly being made by individuals
outside that group, sometimes to the detriment of corporate objectives.
Therefore, understanding basic fundamentals about using and managing information is worth the investment of
time. The reasons for this investment are summarized in Figure I-1 and are discussed next.
A Business View of Critical Resources
Information technology (IT) is a critical resource for today’s businesses. It both supports and consumes a signi”cant
amount of an organization’s resources. Just like the other three major types of business resources—people, money,
and machines—it needs to be managed wisely.
IT spending represents a signi”cant portion of corporate budgets. Worldwide IT spending topped $3.7 trillion in
2014. It is projected to continue to increase.4 A Gartner study of where this money goes groups spending into “ve
categories including devices (e.g., PCs, tablets, and mobile phones), data center systems (e.g., network equipment,
servers, and storage equipment), enterprise software and apps (e.g., companywide software applications), IT ser-
vices (e.g., support and consulting services), and telecommunications (e.g., the expenses paid to vendors for voice
and data services).
Resources must return value, or they will be invested elsewhere. The business manager, not the IS specialist,
decides which activities receive funding, estimates the risk associated with the investment, and develops metrics
for evaluating the investment’s performance. Therefore, the business manager needs a basic grounding in managing
and using information. On the #ip side, IS managers need a business view to be able to explain how technology
impacts the business and what its trade‐offs are.
People and Technology Work Together
In addition to “nancial issues, managers must know how to mesh technology and people to create effective work
processes. Collaboration is increasingly common, especially with the rise of social networking. Companies are
reaching out to individual customers using social technologies such as Facebook, Twitter, Reddit, Renren, YouTube,
and numerous other tools. In fact, Web 2.0 describes the use of the World Wide Web applications that incorporate
information sharing, user‐centered design, interoperability, and collaboration among users. Technology facilitates
FIGURE I-1 Reasons why business managers should participate in information systems decisions.
Reasons
IS must be managed as a critical resource since it permeates almost every aspect of business.
IS enable change in the way people work both inside and outside of the enterprise.
IS are at the heart of integrated Internet‐based solutions that are replacing standard business processes.
IS enable or inhibit business opportunities and new strategies.
IS can be used to combat business challenges from competitors.
IS enable customers to have greater pull on businesses and communities by giving them new options for voicing their
concerns and opinions using social media.
IS can support data‐driven decision making.
IS can help ensure the security of key assets.
4 http://www.gartner.com/newsroom/id/2959717/ (accessed March 5, 2015).
cintro.indd 3 11/26/2015 7:38:29 PM
http://www.gartner.com/newsroom/id/2959717
4 Introduction
the work that people do and the way they interact with each other. Appropriately incorporating IS into the design
of a business model enables managers to focus their time and resources on issues that bear directly on customer
satisfaction and other revenue‐ and pro”t‐generating activities.
Adding a new IS to an existing organization, however, requires the ability to manage change. Skilled business
managers must balance the bene”ts of introducing new technology with the costs associated with changing the
existing behaviors of people in the workplace. There are many choices of technology solutions, each with a different
impact. Managers’ decisions must incorporate a clear understanding of the consequences. Making this assessment
doesn’t require detailed technical knowledge. It does require an understanding of short‐term and long‐term con-
sequences risk mitigation, and why adopting new technology may be more appropriate in some instances than in
others. Understanding these issues also helps managers know when it may prove effective to replace people with
technology at certain steps in a process.
Integrating Business with Information Systems
IS are integrated with almost every aspect of business and have been for quite some time. For example, the CTO of
@WalmartLabs, Jeremy King, wrote in a blog,
There used to be a big distinction between tech companies: those that develop enterprise technology for businesses,
and the global companies that depend on those products. But that distinction is now diminishing for this simple reason:
every global company is becoming a tech company. . . . we’re seeing technology as a critical component for business
success.5
Walmart built platforms to support all of its ecommerce and digital shopping experiences around the world.
Walmart’s teams created a new search engine to enable engaging and ef”cient ways for on‐line customers to “nd
items in inventory. IS placed information in the hands of Walmart associates so that decisions could be made closer
to the customer. IS simpli”ed organizational activities and processes such as moving goods, stocking shelves, and
communicating with suppliers. For example, handheld scanners provide #oor associates with immediate and real‐
time access to inventory in their store and the ability to locate items in surrounding stores, if necessary.
Opportunities and New Strategies Derived from Rapid Changes in Technology
The proliferation of new technologies creates a business environment “lled with opportunities. The rate of adop-
tion of these new technologies has increased due in part to the changing demographics of the workforce and the
integration of “digital natives,” individuals whose entire lives have been lived in an era with Internet availability.
Therefore digital natives are completely #uent in the use of personal technologies and the Web. Even today, inno-
vative uses of the Internet produce new types of online businesses that keep every manager and executive on alert.
New business opportunities spring up with little advance warning. The manager’s role is to frame these oppor-
tunities so that others can understand them, evaluate them against existing business needs and choices, and then
pursue those that “t with an articulated business strategy. The quality of the information at hand affects the quality
of both decisions and their implementation. Managers must develop an understanding of what information is cru-
cial to the decisions, how to get it, and how to use it. They must lead the changes driven by IS.
Competitive Challenges
Competitors come from both expected and unexpected places. General managers are in the best position to see the
emerging threats and utilize IS effectively to combat ever‐changing competitive challenges. Further, general man-
agers are often called on to demonstrate a clear understanding of how their own technology programs and products
5 Jeremy King, “Why Every Company Is a Tech Company” (November 21, 2013), http://www.walmartlabs.com/2013/11/21/why‐every‐company‐is‐a‐
tech‐company‐by‐jeremy‐king‐cto‐of‐walmartlabs (accessed August 18, 2015).
cintro.indd 4 11/26/2015 7:38:29 PM
http://www.walmartlabs.com/2013/11/21/why%E2%80%90every%E2%80%90company%E2%80%90is%E2%80%90a%E2%80%90tech%E2%80%90company%E2%80%90by%E2%80%90jeremy%E2%80%90king%E2%80%90cto%E2%80%90of%E2%80%90walmartlabs
http://www.walmartlabs.com/2013/11/21/why%E2%80%90every%E2%80%90company%E2%80%90is%E2%80%90a%E2%80%90tech%E2%80%90company%E2%80%90by%E2%80%90jeremy%E2%80%90king%E2%80%90cto%E2%80%90of%E2%80%90walmartlabs
http://www.walmartlabs.com/2013/11/21/why%E2%80%90every%E2%80%90company%E2%80%90is%E2%80%90a%E2%80%90tech%E2%80%90company%E2%80%90by%E2%80%90jeremy%E2%80%90king%E2%80%90cto%E2%80%90of%E2%80%90walmartlabs
5What If a Manager Doesn’t Participate?
compare with those of their competitors. A deep understanding of the capabilities of the organization coupled with
existing IS can create competitive advantages and change the competitive landscape for the entire industry.
Customer Pull
With the emergence of social networks like Facebook, microblogs like Twitter, and other Web applications like
Yelp, businesses have had to redesign their existing business models to account for the change in power now
wielded by customers and others in their communities. Social media and other web apps have given powerful
voices to customers and communities, and businesses must listen. Redesigning the customer experience when inter-
acting with a company is paramount for many managers and the key driver is IS. Social IT enables new and often
deeper relationships with a large number of customers, and companies are learning how to integrate and leverage
this capability into existing and new business models.
Data‐Driven Decision Making
Managers are increasingly using evidence‐based management to make decisions based on data gathered from
experiments, internal “les, and other relevant sources. Data‐driven decision making, based on new techniques for
analytics, data management, and business intelligence, has taken on increased importance. Social media have cre-
ated a rich stream of real‐time data that gives managers increased insights to the impact of decisions much faster
than traditional systems. Mid‐course corrections are much easier to make. Predictive and prescriptive analytics give
suggestions that are eerily close to what happens. Big data stores can be mined for insights that were unavailable
with traditional IS, creating competitive advantage for companies with the right tools and techniques.
Securing Key Assets
As the use of the Internet grows, so does the opportunity for new and unforeseen threats to company assets. Taking
measures to ensure the security of these assets is increasingly important. But decisions about security measures
also impact the way IS can be used. It’s possible to put so much security around IT assets that they are locked down
in a manner that gets in the way of business. At the same time, too little security opens up the possibility of theft,
hacking, phishing, and other Web‐based mischief that can disrupt business. Managers must be involved in decisions
about risk and security to ensure that business operations are in sync with the resulting security measures.
What If a Manager Doesn’t Participate?
Decisions about IS directly affect the pro”ts of a business. The basic formula Pro”t = Revenue − Expenses can
be used to evaluate the impact of these decisions. Adopting the wrong technologies can cause a company to miss
business opportunities and any revenues those opportunities would generate. For example, inadequate IS can cause
a breakdown in servicing customers, which hurts sales. Poorly deployed social IT resources can badly damage
the reputation of a strong brand. On the expense side, a miscalculated investment in technology can lead to over-
spending and excess capacity or underspending and restricted opportunity. Inef”cient business processes sustained
by ill‐”tting IS also increase expenses. Lags in implementation or poor process adaptation reduces pro”ts and there-
fore growth. IS decisions can dramatically affect the bottom line.
Failure to consider IS strategy when planning business strategy and organizational strategy leads to one of three
business consequences: (1) IS that fail to support business goals, (2) IS that fail to support organizational systems,
and (3) a misalignment between business goals and organizational capabilities. These consequences are discussed
brie#y in the following section and in more detail in later chapters. The driving questions to consider are the poten-
tial effects on an organization’s ability to achieve its business goals. How will the consequences impact the way
people work? Will the organization still be able to implement its business strategy?
cintro.indd 5 11/26/2015 7:38:29 PM
6 Introduction
Information Systems Must Support Business Goals
IS represent a major investment for any “rm in today’s business environment. Yet poorly chosen IS can actually
become an obstacle to achieving business goals. The results can be disastrous if the systems do not allow the orga-
nization to realize its goals. When IS lack the capacity needed to collect, store, and transfer critical information for
the business, decisions can be impacted and options limited. Customers will be dissatis”ed or even lost. Production
costs may be excessive. Worst of all, management may not be able to pursue desired business directions that are
blocked by inappropriate IS. Victoria’s Secret experienced this problem when a Superbowl ad promoting an online
fashion show generated so many inquiries to its Web site that the Web site crashed. Spending large amounts of
money on the advertisement was wasted when potential customers could not access the site. Likewise, Toys “R”
Us experienced a similar calamity when its well‐publicized Web site was unable to process and ful”ll orders fast
enough one holiday season. It not only lost those customers, but it also had a major customer‐relations issue to
manage as a result.
Information Systems Must Support Organizational Systems
Organizational systems represent the fundamental elements of a business—its people, work processes, tasks, struc-
ture, and control systems—and the plan that enables them to work ef”ciently to achieve business goals. If the
company’s IS fail to support its organizational systems, the result is a misalignment of the resources needed to
achieve its goals. For example, it seems odd to think that a manager might add functionality to a corporate Web
site without providing the training the employees need to use the tool effectively. Yet, this mistake—and many
more costly ones—occurs in businesses every day. Managers make major IS decisions without informing all the
staff of resulting changes in their daily work. For example, an enterprise resource planning (ERP) system often
dictates how many business processes are executed and the organizational systems must change to re#ect the new
processes. Deploying technology without thinking through how it actually will be used in the organization—who
will use it, how they will use it, and how to make sure the applications chosen will actually accomplish what is
intended—results in signi”cant expense. In another example, a company may decide to block access to the Internet,
thinking that it is prohibiting employees from accessing offensive or unsecure sites. But that decision also means
that employees can’t access social networking sites that may be useful for collaboration or other Web‐based appli-
cations that may offer functionality to make the business more ef”cient.
The general manager, who, after all, is charged with ensuring that company resources are used effectively,
must guarantee that the company’s IS support its organizational systems and that changes made in one system are
re#ected in the other. For example, a company that plans to allow employees to work remotely needs an information
system strategy compatible with its organizational strategy. Desktop PCs located within the corporate of”ce aren’t
the right solution for a telecommuting organization. Instead, laptop computers or tablets with applications that are
accessible online anywhere and anytime and networks that facilitate information sharing are needed. Employees
may want to use tablets or smart phones remotely, too, and those entail a different set of IS processes. If the orga-
nization allows the purchase of only desktop PCs and builds systems accessible from desks within the of”ce, the
telecommuting program is doomed to failure.
Skills Needed to Participate Effectively in Information
Technology Decisions
Participating in IT decisions means bringing a clear set of skills to the table. All managers are asked to take on
tasks that require different skills at different times. Those tasks can be divided into three types: visionary tasks, or
those that provide leadership and direction for the group; informational/interpersonal tasks, or those that provide
information and knowledge the group needs to be successful; and structural tasks, those that organize the group.
Figure I-2 lists basic skills required of managers who wish to participate successfully in key IT decisions. Not only
does this list emphasize understanding, organizing, planning, and solving the business needs of the organization,
but also it is an excellent checklist for all managers’ professional growth.
cintro.indd 6 11/26/2015 7:38:29 PM
7Skills Needed to Participate Effectively in Information Technology Decisions
These skills may not look much different from those required of any successful manager, which is the main
point of this book: General managers can be successful participants in IS decisions without an extensive technical
background. General managers who understand a basic set of IS concepts and who have outstanding managerial
skills, such as those listed in Figure I-2, are ready for the digital economy.
How to Participate in Information Systems Decisions
Technical wizardry isn’t required to become a knowledgeable participant in the IS decisions of a business. Man-
agers need curiosity, creativity, and the con”dence to ask questions in order to learn and understand. A solid frame-
work that identi”es key management issues and relates them to aspects of IS provides the background needed to
participate in business IS decisions.
The goal of this book is to provide that framework. The way in which managers use and manage information is
directly linked to business goals and the business strategy driving both organizational and IS decisions. Aligning
business and IS decisions is critical. Business, organizational, and information strategies are fundamentally linked
in what is called the Information Systems Strategy Triangle, discussed in the next chapter. Failing to understand this
relationship is detrimental to a business. Failing to plan for the consequences in all three areas can cost a manager
his or her job. This book provides a foundation for understanding business issues related to IS from a managerial
perspective.
Organization of the Book
To be knowledgeable participants, managers must know about both using and managing information. The “rst
“ve chapters offer basic frameworks to make this understanding easier. Chapter 1 uses the Information Systems
Strategy Triangle framework to discuss alignment of IS and the business. This chapter also provides a brief over-
view of relevant frameworks for business strategy and organizational strategy. It is provided as background for
those who have not formally studied organization theory or business strategy. For those who have studied these
areas, this chapter is a brief refresher of major concepts used throughout the remaining chapters of the book.
FIGURE I-2 Skills for successful IT use by managerial role.
Managerial Role Skills
Visionary Creativity
Curiosity
Con#dence
Focus on business solutions
Flexibility
Informational and Interpersonal Communication
Listening
Information gathering
Interpersonal skills
Structural Project management
Analytical
Organizational
Planning
Leading
Controlling
cintro.indd 7 11/26/2015 7:38:30 PM
8 Introduction
Subsequent chapters provide frameworks and sets of examples for understanding the links between IS and business
strategy (Chapter 2), links between IS and organizational strategy (Chapter 3), collaboration and individual work
(Chapter 4), and business processes (Chapter 5).
The rest of the text covers issues related to the business manager’s role in managing IS itself. These chapters
are the building blocks of an IS strategy. Chapter 6 provides a framework for understanding the four components
of IS architecture: hardware, software, networks, and data. Chapter 7 discusses how managers might participate in
decisions about IS security. Chapter 8 focuses on the business of IT with a look at IS organization, funding models,
portfolios, and monitoring options. Chapter 9 describes the governance of IS resources. Chapter 10 explores sourc-
ing and how companies provision IS resources. Chapter 11 focuses on project and change management. Chapter 12
concerns business intelligence, knowledge management, and analytics and provides an overview of how companies
manage knowledge and create a competitive advantage using business analytics. And “nally, Chapter 13 discusses
the ethical use of information and privacy.
Basic Assumptions
Every book is based on certain assumptions, and understanding those assumptions makes a difference in interpret-
ing the text. The “rst assumption made by this text is that managers must be knowledgeable participants in the IS
decisions made within and affecting their organizations. That means that the general manager must develop a basic
understanding of the business and technology issues related to IS. Because technology changes rapidly, this text
also assumes that today’s technology is different from yesterday’s technology. In fact, the technology available
to readers of this text today might even differ signi”cantly from that available when the text was being written.
Therefore, this text focuses on generic concepts that are, to the extent possible, technology independent. It provides
frameworks on which to hang more up‐to‐the‐minute technological evolutions and revolutions, such as new uses of
the Web, new social tools, or new cloud‐based services. We assume that the reader will supplement the discussions
of this text with current case studies and up‐to‐date information about the latest technology.
A second, perhaps controversial, assumption is that the roles of a general manager and of an IS manager require
different skill sets and levels of technical competency. General managers must have a basic understanding of IS in
order to be a knowledgeable participant in business decisions. Without that level of understanding, their decisions
may have serious negative implications for the business. On the other hand, IS managers must have more in‐depth
knowledge of technology so they can partner with general managers who will use the IS. As digital natives take on
increasingly more managerial roles in corporations, this second assumption may change—all managers may need
deeper technical understanding. But for this text, we assume a different, more technical skill set for the IS manager
and we do not attempt to provide that here.
Assumptions about Management
Although many books have been written describing the activities of managers, organizational theorist Henry
Mintzberg offers a view that works especially well with a perspective relevant to IS management. Mintzberg’s
model describes management in behavioral terms by categorizing the three major roles a manager “lls: interper-
sonal, informational, and decisional (see Figure I-3). This model is useful because it considers the chaotic nature of
the environment in which managers actually work. Managers rarely have time to be re#ective in their approaches
to problems. They work at an unrelenting pace, and their activities are brief and often interrupted. Thus, quality
information becomes even more crucial to effective decision making. The classic view is often seen as a tactical
approach to management, whereas some describe Mintzberg’s view as more strategic.
Assumptions about Business
Everyone has an internal understanding of what constitutes a business, which is based on readings and experi-
ences with different “rms. This understanding forms a model that provides the basis for comprehending actions,
interpreting decisions, and communicating ideas. Managers use their internal model to make sense of otherwise
cintro.indd 8 11/26/2015 7:38:30 PM
9Basic Assumptions
FIGURE I-3 Managers’ roles.
Source: Adapted from H. Mintzberg, The Nature of Managerial Work (New York: Harper & Row, 1973).
Type of Roles Manager’s Roles IS Examples
Interpersonal Figurehead CIO greets touring dignitaries.
Leader IS manager puts in long hours to help motivate project team to complete
project on schedule in an environment of heavy budget cuts.
Liaison CIO works with the marketing and human resource vice presidents to
make sure that the reward and compensation system is changed to
encourage use of the new IS supporting sales.
Informational Monitor Division manager compares progress on IS project for the division with
milestones developed during the project’s initiation and feasibility phase.
Disseminator CIO conveys organization’s business strategy to IS department and
demonstrates how IS strategy supports the business strategy.
Spokesperson IS manager represents IS department at organization’s recruiting fair.
Decisional Entrepreneur IS division manager suggests an application of a new technology that
improves the division’s operational ef#ciency.
Disturbance handler IS division manager, as project team leader, helps resolve design
disagreements between division personnel who will be using the system
and systems analysts who are designing it.
Resource allocator CIO allocates additional personnel positions to various departments
based upon the business strategy.
Negotiator IS manager negotiates for additional personnel needed to respond to
recent user requests for enhanced functionality in a system that is being
implemented.
chaotic and random activities. This book uses several conceptual models of business. Some take a functional view
and others take a process view.
Functional View
The classical view of a business is based on the functions that people perform, such as accounting, “nance,
marketing, operations, and human resources. The business organizes around these functions to coordinate them and
to gain economies of scale within specialized sets of tasks. Information “rst #ows vertically up and down between
line positions and management; after analysis, it may be transmitted across other functions for use elsewhere in the
company (see Figure I-4).
Process View
Michael Porter of Harvard Business School describes a business in terms of the primary and support activities that
are performed to create, deliver, and support a product or service. The primary activities are not limited to speci”c
functions, but rather are cross‐functional processes (see Figure I-5). For example, an accounts payable process
O
pe
ra
tio
ns
A
cc
ou
nt
in
g
S
al
es
Executive Management
M
ar
ke
tin
g
S
up
po
rt
In
fo
rm
at
io
n
flo
w
s
FIGURE I-4 Hierarchical view of the “rm.
cintro.indd 9 11/26/2015 7:38:30 PM
10 Introduction
might involve steps taken by other departments that generate obligations, which the accounting department pays.
Likewise, the product creation process might begin with an idea from R&D, which is transferred to an operations
organization that builds the actual product and involves marketing to get the word out, sales to sell and deliver the
product, and support to provide customer assistance as needed. This view takes into account the activities in each
functional area that are needed to complete a process, and any organization can be described by the processes it
performs. Improving coordination among activities increases business pro”t. Organizations that effectively manage
core processes across functional boundaries are often the industry leaders because they have made ef”ciencies that
are not visible from the functional viewpoint. IS are often the key to process improvement and cross‐functional
coordination.
Both the process and functional views are important to understanding IS. The functional view is useful when sim-
ilar activities must be explained, coordinated, executed, or communicated. For example, understanding a marketing
information system means understanding the functional approach to business in general and the marketing function
in particular. The process view, on the other hand, is useful when examining the #ow of information throughout a
business. For example, understanding the information associated with order ful”llment, product development, or
customer service means taking a process view of the business. This text assumes that both views are important for
participating in IS decisions.
Assumptions about Information Systems
Consider the components of an information system from the manager’s viewpoint rather than from the technolo-
gist’s viewpoint. Both the nature of information (hierarchy and economics) and the context of an information
system must be examined to understand the basic assumptions of this text.
Information Hierarchy
The terms data, information, and knowledge are often used interchangeably, but have signi”cant and discrete mean-
ings within the knowledge management domain (and are more fully explored in Chapter 12). Tom Davenport, in his
book Information Ecology, pointed out that getting everyone in any given organization to agree on common de”-
nitions is dif”cult. However, his work (summarized in Figure I-6) provides a nice starting point for understanding
the subtle but important differences.
The information hierarchy begins with data, or simple observations; data are sets of speci”c, objective facts or
observations, such as “inventory contains 45 units.” Standing alone, such facts have no intrinsic meaning but can be
easily captured, transmitted, and stored electronically.
A
cc
ou
nt
in
g
O
pe
ra
tio
ns
M
ar
ke
tin
g
S
al
es
S
up
po
rt
Executive Management
Accounts Payable Process
Product Development Process
Order Fulfillment Process
Information Flows
FIGURE I-5 Process view of the “rm: Cross‐functional processes.
cintro.indd 10 11/26/2015 7:38:30 PM
11Basic Assumptions
Information is data endowed with relevance and purpose.6 People turn data into information by organizing data
into some unit of analysis (e.g., dollars, dates, or customers). For example, a mashup of location data and housing
prices adds something beyond what the data provide individually, and that makes it information. A mashup is the
term used for applications that combine data from different sources to create a new application on the Web.
To be relevant and have a purpose, information must be considered within the context in which it is received
and used. Because of differences in context, information needs vary across functions and hierarchical levels. For
example, when considering functional differences related to a sales transaction, a marketing department manager
may be interested in the demographic characteristics of buyers, such as their age, gender, and home address. A man-
ager in the accounting department probably won’t be interested in any of these details, but instead wants to know
details about the transaction itself, such as method of payment and date of payment.
Similarly, information needs may vary across hierarchical levels. These needs are summarized in Figure I-7
and re#ect the different activities performed at each level. At the supervisory level, activities are narrow in scope
and focused on the production or the execution of the business’s basic transactions. At this level, information is
focused on day‐to‐day activities that are internally oriented and accurately de”ned in a detailed manner. The activ-
ities of senior management are much broader in scope. Senior management performs long‐term planning and needs
FIGURE I-6 Comparison of data, information, and knowledge.
Source: Adapted from Thomas Davenport, Information Ecology (New York: Oxford University Press, 1997).
Data Information Knowledge
De#nition Simple observations of the state
of the world
Data endowed with
relevance and purpose
Information from the human mind
(includes re$ection, synthesis,
context)
Characteristics • Easily structured
• Easily captured on machines
• Often quanti#ed
• Easily transferred
• Mere facts
• Requires unit of analysis
• Data that have been
processed
• Human mediation
necessary
• Hard to structure
• Dif#cult to capture on machines
• Often tacit
• Hard to transfer
Example Daily inventory report of all
inventory items sent to the
CEO of a large manufacturing
company
Daily inventory report
of items that are below
economic order quantity
levels sent to inventory
manager
Inventory manager’s knowledge of
which items need to be reordered
in light of daily inventory report,
anticipated labor strikes, and
a $ood in Brazil that affects the
supply of a major component
6 Peter F. Drucker, “The Coming of the New Organization,” Harvard Business Review (January–February 1988), 45–53.
Top Management Middle Management Supervisory and Lower‐Level
Management
Time Horizon Long: years Medium: weeks, months, years Short: day to day
Level of Detail Highly aggregated
Less accurate
More predictive
Summarized
Integrated
Often #nancial
Very detailed
Very accurate
Often non#nancial
Source Primarily external Primarily internal with limited
external
Internal
Decision Extremely judgmental
Uses creativity and analytical
skills
Relatively judgmental Heavily reliant on rules
FIGURE I-7 Information characteristics across hierarchical levels.
Source: G. Adapted from Anthony Gorry and Michael S. Scott Morton, “A Framework for Management Information Systems,”
Sloan Management Review 13, no. 1, 55–70.
cintro.indd 11 11/26/2015 7:38:30 PM
12 Introduction
information that is aggregated, externally oriented, and more subjective than supervisors require. The information
needs of middle managers in terms of these characteristics fall between the needs of supervisors and of senior
management. Because information needs vary across levels, a daily inventory report of a large manufacturing “rm
may serve as information for a low‐level inventory manager whereas the CEO would consider such a report to be
merely data. The context in which the report is used must be considered in determining whether it is information.
Knowledge is information that is synthesized and contextualized to provide value. It is information with the
most value. Knowledge consists of a mix of contextual information, values, experiences, and rules. For example,
the mashup of locations and housing prices means one thing to a real estate agent, another thing to a potential buyer,
and yet something else to an economist. It is richer and deeper than information and more valuable because someone
thought deeply about that information and added his or her own unique experience and judgment. Knowledge also
involves the synthesis of multiple sources of information over time.7 The amount of human contribution increases
along the continuum from data to information to knowledge. Computers work well for managing data but are less
ef”cient at managing information and knowledge.
Some people think there is a fourth level in the information hierarchy: wisdom. Wisdom is knowledge fused
with intuition and judgment that facilitates the ability to make decisions. Wisdom is that level of the information
hierarchy used by subject matter experts, gurus, and individuals with a high degree of experience who seem to “just
know” what to do and how to apply the knowledge they gain. This is consistent with Aristotle’s view of wisdom as
the ability to balance different and con#icting elements together in ways that are only learned through experience.
Economics of Information versus Economics of Things
In their groundbreaking book, Blown to Bits, Evans and Wurster argued that every business is in the information
business.8 Even those businesses not typically considered information businesses have business strategies in which
information plays a critical role. The physical world of manufacturing is shaped by information that dominates
products as well as processes. For example, an automobile contains as much computing power as a personal com-
puter. Information‐intensive processes in the manufacturing and marketing of the automobile include design,
market research, logistics, advertising, and inventory management. The automobile itself, with its millions of lines
of code, has become a computer on wheels with specialized computers and sensors alerting the driver of its health
and road conditions. When taken in for service, maintenance crews simply plug an electronic monitor into the auto-
mobile to analyze and identify worn parts or other areas in need of upgrades and repair.
As our world is reshaped by information‐intensive industries, it becomes even more important for business strat-
egies to differentiate the timeworn economics of things from the evolving economics of information. Things wear
out; things can be replicated at the expense of the manufacturer; things exist in a tangible location. When sold, the
seller no longer owns the thing. The price of a thing is typically based on production costs. In contrast, information
never wears out, although it can become obsolete or untrue. Information can be replicated at virtually no cost
without limit; information exists in the ether. When sold, the seller still retains the information, but this ownership
provides little value if the ability of others to copy it is not limited. Finally, information is often costly to produce
but cheap to reproduce. Rather than pricing it to recover the sunk cost of its initial production, its price is typically
based on its value to the consumer. Figure I-8 summarizes the major differences between the economics of goods
and the economics of information.
Evans and Wurster suggest that traditionally the economics of information has been bundled with the economics
of things. However, in this Information Age, “rms are vulnerable if they do not separate the two. The Encyclopedia
Britannica story serves as an example. Bundling the economics of things with the economics of information made
it dif”cult for Encyclopedia Britannica to gauge two serious threats. The “rst threat was posed by Encarta, an entire
encyclopedia on a CD‐ROM that was given away to promote the sale of computers and peripherals. The second
was Wikipedia, which is freely available to all and updated on a nearly real‐time basis continuously by thousands of
7 Thomas H. Davenport, Information Ecology (New York: Oxford University Press, 1997), 9–10.
8 Philip Evans and Thomas Wurster, Blown to Bits (Boston: Harvard Business School Press, 2000).
cintro.indd 12 11/26/2015 7:38:30 PM
13Economics of Information versus Economics of Things
volunteers; currently Wikipedia reports that it holds over 4.9 million articles, receives 10 edits per second globally,
and boasts 750 new pages added each day.9 In contrast, Encyclopedia Britannica published volumes every several
years and the price was between $1,500 and $2,200, covering printing and binding ($250) and sales commissions
($500 to $600).10
Britannica focused on its centuries‐old tradition of providing information in richly bound tomes sold to the public
through a well‐trained sales force. Only when it was threatened with its very survival did Encyclopedia Britannica
grasp the need to separate the economics of information from economics of things and sell bits of information
online. Clearly, Encyclopedia Britannica’s business strategy, like that of many other companies, needed to re#ect
the difference between the economics of things from the economics of information.
Internet of Things
More recently, a new concept has emerged to describe the explosive growth in the data generated by sensors
traveling over the Web. The Internet of things (IoT) is the term used to refer to machines and sensors talking to
each other over the network, taking Evans and Wurster’s concepts even further. Although the term IoT was coined
in1999,11 it was not widely discussed until the current decade. The earliest example of its functions was reported
before the Internet even existed—in a Coke machine at Carnegie Mellon University in the mid‐1970s. Staff mem-
bers and students in the Computer Science Department were able to use a network connecting a minicomputer
and sensors in the machine to monitor not only the machine’s inventory but even which button to push for the
coldest bottles.12
A more broadly used early application of IoT was provided by Otis Elevator in the late 1980s and later copied
by most other elevator companies.13 Sensors in elevators send alerts over a network to a service center’s computer
when parts need replacing, and service technicians arrive without the builder owner knowing about the potential
problem. Extending IoT even further, today’s elevator systems alert handheld devices of nearby repair technicians
who then visit the elevator to make the repair. Devices may connect to the Internet over a wireless connection or
through a hard‐wired connection.
Many say that we are on the brink of a new revolution that will be as impactful as the popularization of the
World‐Wide Web. The IoT has already been applied to large number of “things”—extending to home appliances,
automobiles, thermostats, lighting, pets, and even people.14 Many people can already perform futuristic functions
using smartphone apps. They can remotely check the status of their heart monitor, tire pressure, or subway train’s
location. They can locate a lost pet or valuable object. They can reset their thermostat, turn off lights, and record a
program on their DVR even after having left for vacation.
9 Wikipedia Statistics, http://en.wikipedia.org/wiki/Wikipedia:Statistics (accessed August 18, 2015).
10 Evans and Wurster, Blown to Bits.
11 K. Ashton, “That ‘Internet of Things’ Thing,” RFID Journal (June 22, 2009), http://www.rfidjournal.com/articles/view?4986 (accessed May 26, 2015).
12 Attributed to The Carnegie Mellon University Computer Science Department Coke Machine, “The ‘Only’ Coke Machine on the Internet,” https://www.
cs.cmu.edu/~coke/history_long.txt (accessed May 26, 2015).
13 D. Freedman, “The Myth of Strategic IS,” CIO Magazine (July 1991), 42–48.
14 Internet of Things, Whatis.com, http://whatis.techtarget.com/definition/Internet‐of‐Things (accessed May 26, 2015).
FIGURE I-8 Comparison of the economics of things with the economics of information.
Things Information
Wear out Doesn’t wear out but can become obsolete or untrue
Are replicated at the expense of the manufacturer Is replicated at almost zero cost without limit
Exist in a tangible location Does not physically exist
When sold, possession changes hands When sold, seller may still possess and sell again
Price based on production costs Price based on value to consumer
cintro.indd 13 11/26/2015 7:38:30 PM
http://en.wikipedia.org/wiki/Wikipedia:Statistics
http://www.rfidjournal.com/articles/view?4986
https://www.cs.cmu.edu/~coke/history_long.txt
http://whatis.techtarget.com/definition/Internet%E2%80%90of%E2%80%90Things
14 Introduction
Management
Information Systems
People Technology Process
FIGURE I-9 System hierarchy.
Social Business Lens
The explosion of consumer‐based technologies, coupled with applications such as Facebook, Renren, Sina
Weibo, Twitter, LinkedIn, YouTube, Foursquare, Skype, Pinterest, and more have brought into focus the concept of
a social business. Some call this trend the consumerization of technology . Consumerization means that technol-
ogies such as social tools, mobile phones, and Web applications targeted at individual, personal users are cre-
ating pressures for companies in new and unexpected ways. At the same time, technologies initially intended for
the corporation, like cloud computing, are being retooled and “consumerized” to appeal to individuals outside
the corporation.
In this text, we use the term social business to refer to an enterprise using social IT for business applications,
activities and processes. We sometimes say that a social business has infused social capabilities into business
processes.
Social business is permeating every facet of business. There are new business models based on a social IT
platform that offer new ways of connecting with stakeholders in functions such as governing, collaborating, doing
work, and measuring results. In this book, we are particular about the terminology we use. Social IT is the term we
use for all technologies in this space. We de# ne social IT as the technologies used for people to collaborate, net-
work, and interact over the Web. These include social networks and other applications that provide for interaction
between people.
Many use the term social media as an overarching term for this space, but increasingly, social media refers to
the marketing and sales applications of social IT, and we use it that way. Social networks are a speci# c type of tool,
like Facebook, Ning, and similar tools. Social networking is the use of these types of social IT tools in a community.
As of the writing of this text, the social space is still like the Wild West; there are no widely accepted conventions
about the terms and their meanings or the uses and their impacts. But we have enough experience with social
IT that we know it ’ s a major force bursting on to the enterprise scene and it must be addressed in discussions of
managing and using information systems.
Look in chapters for the feature “Social Business Lens” where we explore one topic related to that chapter from
a social business perspective.
The reader might already be using the IoT with one or more of these apps. However, vendors tell us we “ain ’ t
seen nothing yet.” The potential impact of IoT is limited by the number of objects connected and apps available to
monitor and control them. As the number of devices directly connected to the Internet increases, researchers and IT
cintro.indd 14 11/26/2015 7:38:31 PM
15Summary
professionals expect an exponential increase in IoT functionality and usage.15 In the coming years, Internet traf”c
will dramatically increase along with an explosion in the amount of information generated by these devices.
System Hierarchy
Information systems are composed of three main elements: technology, people, and process (see Figure I-9). When
most people use the term information system, they actually refer only to the technology element as de”ned by the
organization’s infrastructure. In this text, the term infrastructure refers to everything that supports the #ow and
processing of information in an organization, including hardware, software, data, and network components whereas
architecture refers to the blueprint that re#ects strategy implicit in combining these components. Information sys-
tems (IS) are de”ned more broadly as the combination of technology (the “what”), people (the “who”), and process
(the “how”) that an organization uses to produce and manage information. In contrast, information technology (IT)
focuses only on the technical devices and tools used in the system. We de”ne information technology as all forms
of technology used to create, store, exchange, and use information. Many people use the terms IS and IT inter-
changeably. In recent years, “IT” has been more fashionable, but that changes as fashions change.
S U M M A R Y
Aligning information systems and business decisions is no longer an option; it’s an imperative for business. Every business oper-
ates as an information‐based enterprise. In addition, the explosive growth of smart phones, tablets, social tools, and Web‐based
businesses provides all managers with some experience in information systems and some idea of the complexity involved in
providing enterprise‐level systems. This highlights the need for all managers to be skilled in managing and using IS.
It is no longer acceptable to delegate IS decisions to the management information systems (MIS) department alone. The
general manager must be involved to both execute business plans and protect options for future business vision. IS and business
maturity must be aligned to provide the right level of information resources to the business.
This chapter makes the case for general managers’ full participation in strategic business decisions concerning IS. It out-
lines the skills required for such participation, and it makes explicit certain key assumptions about the nature of business,
management, and IS that will underlie the remaining discussions. Subsequent chapters are designed to build on these concepts
by addressing the following questions.
Frameworks and Foundations
• How should information strategy be aligned with business and organizational strategies? (Chapter 1)
• How can a business achieve competitive advantages using its IS? (Chapter 2)
• How do organizational decisions impact IS decisions? (Chapter 3)
• How is the work of the individual in an organization affected by decisions concerning IS? (Chapter 4)
• How are information systems integrated with business processes? (Chapter 5)
IS Management Issues
• What are the components of an IS architecture? (Chapter 6)
• How are IS kept secure? (Chapter 7)
• How is the IT organization managed and funded? (Chapter 8)
• How are IS decisions made? (Chapter 9)
• What source should provide IS services and how and where should they be provided? (Chapter 10)
15 Jared Newman, “Right Now, the Internet of Things Is Like the Internet of the 1990s,” Fast Company (March 27, 2015I, http://www.fastcompany.
com/3044375/sector‐forecasting/the‐future‐of‐the‐internet‐of‐things‐is‐like‐the‐internet‐of‐the‐1990s (last accessed May 26, 2015).
cintro.indd 15 11/26/2015 7:38:31 PM
http://www.fastcompany.com/3044375/sector%E2%80%90forecasting/the%E2%80%90future%E2%80%90of%E2%80%90the%E2%80%90internet%E2%80%90of%E2%80%90things%E2%80%90is%E2%80%90like%E2%80%90the%E2%80%90internet%E2%80%90of%E2%80%90the%E2%80%901990s
16 Introduction
• How are IS projects managed and risks from change management mitigated? (Chapter 11)
• How is business intelligence managed within an organization? (Chapter 12)
• What ethical and moral considerations bind the uses of information in business? (Chapter 13)
K E Y T E R M S
architecture (p. 14)
data (p. 10)
digital natives (p. 4)
information (p. 11)
information system (p. 14)
information technology (p. 14)
infrastructure (p. 14)
internet of things (p. 13)
knowledge (p. 12)
mashup (p. 11)
social business (p. 15)
social IT (p. 15)
social media (p. 15)
social networking (p. 15)
Web 2.0 (p. 3)
wisdom (p. 12)
cintro.indd 16 11/26/2015 7:38:31 PM
17
1
chapter The Information Systems
Strategy Triangle
In February 2015, 1 health care giant Kaiser Permanente named Dick Daniels to the CIO position and
the leadership team for the next stage of the company ’ s business strategy: to provide better health care
at lower costs. To achieve those goals, Kaiser Permanente, one of the nation ’ s largest not‐for‐pro” t
health care systems with over 9.5 million members and 2014 operating revenue of $56.4 billion,
invested in numerous information systems projects aimed at streamlining operations, offering new
services, and meeting government obligations. For example, in 2014, 13% of all the medical appoint-
ments were ful” lled digitally—through e‐mail—to the delight of patients who did not have to make
a trip to the doctor ’ s of” ce and to the delight of doctors who were able to check in on their patients,
particularly those with chronic conditions, more frequently. Doctors particularly liked this because
their annual bonuses were based, in part, on improvements in patient health metrics such as lower
blood pressure, reduced blood sugar levels if at risk for diabetes, and improvement in cholesterol
scores rather than on the number of tests they ordered or the total billing they brought in. The organi-
zation invested heavily in video conferencing technology, mobile apps, and analytics as they ” nished
implementing a $4 billion electronic health records system, KP HealthConnect.
KP HealthConnect began in 2003, but by 2008, all members had online access to their health
records; by 2010, all system services were available at all medical of” ces and hospitals in the system;
and by 2012, all members had access to their health records on mobile devices. Kaiser Permanente
has been a regular innovator in the use of technologies, being one of the ” rst health care organiza-
tions to experiment with chat rooms, secure messaging, and private e‐mail correspondence between
patients, physicians, and care providers. The new system connects each member to all caregivers and
services available at Kaiser Permanente. Further, it enabled patients to participate in the health care
they received at a new level and access information directly from the system.
The organizational design supported the business strategy of better health care at lower costs. 2
At the core of this strategy was a shift from a “” x‐me system” with which patients seek health care
when something is broken and needs repair to a system that was truly proactive and focused on pro-
moting health. Under the “” x‐me system,” health care was expensive and often sought too late to
The Information Systems Strategy Triangle highlights the alignment necessary between
decisions regarding business strategy, information systems, and organizational design.
This chapter reviews models of business strategy, organizational strategy and design, and
information systems strategy. It concludes with a simple framework for creating a social
business strategy.
1 http://blogs.wsj.com/cio/2015/02/09/kaiser‐permanente‐names‐richard‐dick‐daniels‐cio/; http://fortune.com/2015/04/29/kaiser‐
ceo‐on‐healthcare/; http://fortune.com/2014/07/24/a‐health‐care‐model‐thats‐working/; Paul Gray , Omar Sawy , Guillermo Asper ,
and Magnus Thordarson , “ Realizing Strategic Value Through Center‐Edge Digital Transformation in Consumer‐Centric Industries ,”
MIS Quarterly Executive 12 , no. 1 ( March 2013 ) .
2 Note that the organizational design puts the organizational strategy into practice. For instance, rewarding billings, sharing little
information, and late involvement with patients are organizational design elements of a “fix‐me” organizational strategy.
c01.indd 17 11/26/2015 6:19:39 PM
http://blogs.wsj.com/cio/2015/02/09/kaiser%E2%80%90permanente%E2%80%90names%E2%80%90richard%E2%80%90dick%E2%80%90daniels%E2%80%90cio%00%00
http://fortune.com/2015/04/29/kaiser%E2%80%90ceo%E2%80%90on%E2%80%90healthcare%00a
http://fortune.com/2015/04/29/kaiser%E2%80%90ceo%E2%80%90on%E2%80%90healthcare%00a
http://fortune.com/2015/04/29/kaiser%E2%80%90ceo%E2%80%90on%E2%80%90healthcare%00a
http://fortune.com/2014/07/24/a%E2%80%90health%E2%80%90care%E2%80%90model%E2%80%90thats%E2%80%90working%00a
18 The Information Systems Strategy Triangle
“x the problem. Instead, the Kaiser Permanente strategy focused on promoting health, enabling identi”cation of
problems before they became serious issues. For example, those in need of more exercise may receive a prescription
to take a walk and an e‐mail reminder from health care providers to reinforce the new behavior. Staff incentive
systems were aligned with this behavior, too. Physicians were all paid a #at salary and end‐of‐year bonuses if their
patients achieved better health. All caregivers were rewarded for guiding people into making behavioral choices
that were likely to keep them well.
The success at Kaiser Permanente was achieved in part because of the alignment between its business strategy, its
information systems strategy, and its organization design. Physicians were part of the decision‐making processes.
Managers were involved in the design and implementation of the information systems. The decision to move from
a “”x‐me system” to a “proactive health system” was not made in isolation from the organization or the information
systems.
The information systems (IS) department is not an island within a “rm. Rather, IS manages an infrastructure
that is essential to the “rm’s functioning. Further, the Kaiser Permanente case illustrates that a “rm’s IS must be
aligned with the way it manages its employees and processes. For Kaiser Permanente, it was clear that not only did
the physicians need a fast, inexpensive, and useful way to communicate with patients outside of regular in‐person
appointments but also incentive systems and patient service processes had to be updated. Information systems
provided a solution in conjunction with new operational and control processes.
This chapter introduces a simple framework for describing the alignment necessary with business systems and
for understanding the impact of IS on organizations. This framework is called the Information Systems Strategy
Triangle because it relates business strategy with IS strategy and organizational strategy. This chapter also presents
key frameworks from organization theory that describe the context in which IS operates as well as the business
imperatives that IS support. The Information Systems Strategy Triangle presented in Figure 1.1 suggests three key
points about strategy.
1. Successful “rms have an overriding business strategy that drives both organizational strategy and IS strat-
egy. The decisions made regarding the structure, hiring practices, vendor policies, and other components of
the organizational design, as well as decisions regarding applications, hardware, and other IS components,
are all driven by the “rm’s business objectives, strategies, and tactics. Successful “rms carefully balance
these three strategies—they purposely design their organization and their IS strategies to complement their
business strategy.
2. IS strategy can itself affect and is affected by changes in a “rm’s business and organizational design. To
perpetuate the balance needed for successful operation, changes in the IS strategy must be accompanied by
changes in the organizational strategy and must accommodate the overall business strategy. If a “rm designs
its business strategy to use IS to gain strategic advantage, the leadership position in IS can be sustained only
by constant innovation. The business, IS, and organizational strategies must constantly be adjusted.
3. IS strategy always involves consequences—intended or not—within business and organizational strategies.
Avoiding harmful unintended consequences means remembering to consider business and organizational
strategies when designing IS implementation. For example, deploying tablets to employees without an
accompanying set of changes to job expectations, process design, compensation plans, and business tac-
tics will fail to achieve expected productivity improvements. Success can be achieved only by speci”cally
designing all three components of the strategy triangle so they properly complement each other.
Business Strategy
Organizational Strategy Information Strategy
FIGURE 1.1 The Information Systems Strategy Triangle.
c01.indd 18 11/26/2015 6:19:39 PM
19Brief Overview of Business Strategy Frameworks
Before the changes at Kaiser Permanente, incentives for doctors were misaligned with the goals of better health
care. Its IS Strategy Triangle was out of alignment at that time. Its organizational strategy (e.g., a “”x‐me” system)
was not supported by the IS strategy (e.g., tracking and reporting billable procedures). Neither the organizational
strategy nor the IS strategy adequately supported their purported business strategy (helping patients at lower cost).
For Kaiser Permanente, success could be achieved only by speci”cally designing all three components of the
strategy triangle to work together.
Of course, once a “rm is out of alignment, it does not mean that it has to stay that way. To correct the misalign-
ment described earlier, Kaiser Permanente used on‐line services to enable quick communications between patients,
physicians, and care providers. Further, it changed its bonus structure to focus on health rather than billing amounts.
The new systems realign people, process, and technology to provide better service, save time, and save money.
What does alignment mean? The book Winning the 3‐Legged Race de”nes alignment as the situation in which a
company’s current and emerging business strategy is enabled and supported yet unconstrained by technology. The
authors suggest that although alignment is good, there are higher states, namely synchronization and convergence,
toward which companies should strive. With synchronization, technology not only enables current business strategy
but also anticipates and shapes future business strategy. Convergence goes one step further by exhibiting a state in
which business strategy and technology strategy are intertwined and the leadership team members operate almost
interchangeably. Although we appreciate the distinction and agree that “rms should strive for synchronization and
convergence, alignment in this text means any of these states, and it pertains to the balance between organizational
strategy, IS strategy, and business strategy.3
A word of explanation is needed here. Studying IS alone does not provide general managers with the appropriate
perspective. This chapter and subsequent chapters address questions of IS strategy squarely within the context of
business strategy. Although this is not a textbook of business strategy, a foundation for IS discussions is built on
some basic business strategy frameworks and organizational theories presented in this and the next chapter. To be
effective, managers need a solid sense of how IS are used and managed within the organization. Studying details
of technologies is also outside the scope of this text. Details of the technologies are relevant, of course, and it is
important that any organization maintain a suf”cient knowledge base to plan for and adequately align with business
priorities. However, because technologies change so rapidly, keeping a textbook current is impossible. Instead, this
text takes the perspective that understanding what questions to ask and having a framework for interpreting the
answers are skills more fundamental to the general manager than understanding any particular technology. That
understanding must be constantly refreshed using the most current articles and information from experts. This text
provides readers with an appreciation of the need to ask questions, a framework from which to derive the ques-
tions to ask, and a foundation suf”cient to understand the answers received. The remaining chapters build on the
foundation provided in the Information Systems Strategy Triangle.
Brief Overview of Business Strategy Frameworks
A strategy is a coordinated set of actions to ful”ll objectives, purposes, and goals. The essence of a strategy is
setting limits on what the business will seek to accomplish. Strategy starts with a mission. A mission is a clear and
compelling statement that uni”es an organization’s effort and describes what the “rm is all about (i.e., its purpose).
Mark Zuckerberg’s re#ection on the mission of Facebook provides an interesting example. Originally conceived as
a product rather than a service, the CEO of Facebook commented, “after we started hiring more people and building
out the team, I began to get an appreciation that a company is a great way to get a lot of people involved in a mission
you’re trying to push forward. Our mission is getting people to connect.”4
In a few words, the mission statement sums up what is unique about the “rm. The information in Figure 1.2 indi-
cates that even though Zappos, Amazon, and L.L. Bean are all in the retail industry, they view their missions quite
differently. For example, Zappos’ focus is on customer service, Amazon is about customer sets, and L.L. Bean is
3 F. Hogue, V. Sambamurthy, R. Zmud, T. Trainer, and C. Wilson, Winning the 3‐Legged Race (Upper Saddle River, NJ: Prentice Hall, 2005).
4 Shayndi Raice, “Is Facebook Ready for the Big Time?” The Wall Street Journal (January 14–15, 2012), B1.
c01.indd 19 11/26/2015 6:19:39 PM
20 The Information Systems Strategy Triangle
about the merchandise and treating people the right way. It’s interesting to note that although Amazon purchased
Zappos in 2009, the acquisition agreement speci”ed that Zappos would continue to run independently of its new
parent. Today, Zappos continues to remain both culturally and physically separate from Amazon. Zappos is located
near Las Vegas, Nevada, and Amazon is in Seattle, Washington.
A business strategy is a plan articulating where a business seeks to go and how it expects to get there. It is
the means by which a business communicates its goals. Management constructs this plan in response to market
forces, customer demands, and organizational capabilities. Market forces create the competitive context for the
business. Some markets, such as those faced by package delivery “rms, laptop computer manufacturers, and credit
card issuers, face many competitors and a high level of competition, such that product differentiation becomes
increasingly dif”cult. Other markets, such as those for airlines and automobiles, are similarly characterized by
high competition, but product differentiation is better established. Customer demands comprise the wants and
needs of the individuals and companies who purchase the products and services available in the marketplace.
Organizational capabilities include the skills and experience that give the corporation a currency that can add value
in the marketplace.
Consider Dell, originally a personal computer company. Initially Dell’s business strategy was to sell personal
computers directly to the customer without going through an intermediary. Reaching customers in this way was
less expensive and more responsive than selling the computers in retail stores. The Internet, combined with Dell’s
well‐designed IS infrastructure, allowed customers to electronically contact Dell, which then designed a PC for a
customer’s speci”c needs. Dell’s ordering system was integrated with its production system and shared information
automatically with each supplier of PC components. This IS enabled the assembly of the most current computers
without the expense of storing large inventories, and inventory uncertainties were pushed back to the vendors. Cost
savings were passed on to the customer, and the direct‐to‐customer model allowed Dell to focus its production
capacity on building only the most current products. With small pro”t margins and new products quickly able to
replace existing products, IS aligned with Dell’s business strategy to provide low‐cost PCs. The cost savings from
the IS was re#ected in the price of systems. In addition, Dell executives achieved a strategic advantage in reducing
response time, building custom computers that had one of the industry’s lowest costs, and eliminating inventories
that could become obsolete before they are sold. Thus, this business strategy was consistent with Dell’s mission of
delivering the best customer experience in the markets it serves.
But things aren’t always as they seem. If the direct‐to‐customer strategy was so effective, why is Dell now
also selling its computers at major retail outlets such as Walmart, Staples, and Best Buy? It is likely that the sales
“gures and pro”t margins were not measuring up to Dell’s stated objectives and performance targets. And Dell
has branched out to other hardware, such as printers and servers, and more recently, providing IT services. Con-
sequently, Dell adjusted its business strategy, and we can expect to see changes in its organizational design and
information systems to re#ect its altered direction.
Now consider your favorite dot‐com company. Every dot‐com company has a business strategy of delivering
its products or services over the Internet. To do so, the dot‐coms need organizations “lled with individuals and
processes that support this business strategy. Their employees must be Internet savvy; that is, they must have
FIGURE 1.2 Mission statements of three retail businesses.
Company Mission Statement
Zappos To provide the best customer service possible. Internally we call this our WOW philosophy.a
Amazon We seek to be Earth’s most customer‐centric company for three primary customer sets: consumer
customers, seller customers and developer customers.b
L.L. Bean Sell good merchandise at a reasonable pro#t, treat your customers like human beings and they will
always come back for more.c
a http://about.zappos.com (accessed March 19, 2015).
b http://www.amazon.com Mission Statement on Amazon Investor Relations page (accessed March 19, 2015).
c http://www.llbean.com/customerService/aboutLLBean/company_values.html (accessed March 19, 2015).
c01.indd 20 11/26/2015 6:19:40 PM
http://about.zappos.com
http://www.amazon.com
http://www.llbean.com/customerService/aboutLLBean/company_values.html
21Brief Overview of Business Strategy Frameworks
Business Models versus Business Strategy
Some new managers confuse the concept of a business model with the concept of a business strategy. The
business strategy , as discussed in this chapter, is the coordinated set of actions used to meet the business goals
and objectives. It ’ s the path a company takes to achieve its goals. One of the components of the business strategy
is the business model, the design of how the business will make money and how customers will get value from its
products and services. Some might argue that a business model is the outcome of strategy. *
Some examples of business models commonly seen in the digital world include † :
• Subscription: Customers pay a recurring fee for the product or service.
• Advertising: Customers access the product or service for “free,” and sponsors or vendors pay fees for
advertising that goes with the product or service.
• Cost plus: Somewhat like a traditional retailer, customers purchase the product or service for a specific price
that is usually the cost plus some markup for profit.
• Renting/Licensing: Customers pay a fee to use the product or service for a specified period of time.
• All‐you‐can‐Eat: Customers pay one fee for access to as much of the product or service as they want to
consume, usually over a specific period of time.
• Freemium: Customers get something for “free,” and the company makes money from selling customers
something after they get the giveaway. This is similar to a business model used in brick‐and‐mortar busi-
nesses that give away something or sell something for a very low price, but the customer has to pay for
refills or upgrades such as giving razors away but making money from selling razor blades.
* For a more detailed treatment of the concepts of business models, strategy, and tactics, see Ramon Casadesus‐Masanell and Joan
Ricart, “From Strategy to Business Models and to Tactics,” Harvard Business School working paper 10‐036, http://www.hbs.edu/
faculty/Publication%20Files/10‐036 (accessed August 21, 2015).
† For a list of 15 different business models, see http://www.digitalbusinessmodelguru.com/2012/12/15‐business‐models‐complete‐
list.html (accessed August 21, 2015).
skills and knowledge that are relevant to the dot‐com business. Their processes must support the dot‐com strategy.
Imagine what would happen if the order process for their services was not Internet based. It seems silly to even
consider a dot‐com that would insist that orders be placed in person or even by telephone. The dot‐com processes
are aligned with companies ’ on‐line‐based business strategy. Further, their IS strategy must also be aligned with
their processes. It would be equally silly to expect information to be based on paper ” les rather than electronic ” les.
A classic, widely used model developed by Michael Porter still frames most discussions of business strategy. In
the next section, we review Porter ’ s generic strategies framework as well as dynamic environment strategies. 5 We
then share questions that a general manager must answer to understand the business ’ strategy.
The Generic Strategies Framework
Companies sell their products and services in a marketplace populated with competitors. Michael Porter ’ s frame-
work helps managers understand the strategies they may choose to build a competitive advantage. In his book
Competitive Advantage , Porter claims that the “fundamental basis of above‐average performance in the long run is
sustainable competitive advantage.” 6 Porter identi” ed three primary strategies for achieving competitive advantage:
(1) cost leadership, (2) differentiation, and (3) focus. These advantages derive from the company ’ s relative position
5 Another popular model by Michael Porter, the value chain, provides a useful model for discussing internal operations of an organization. Some find it a
useful model for understanding how to link two firms. This framework is used in Chapter 5 to examine business process design. For further information,
see M. Porter , Competitive Advantage , 1st ed. ( New York : The Free Press , 1985 ) .
6 M. Porter , Competitive Advantage: Creating and Sustaining Superior Performance , 2nd ed. ( New York : The Free Press , 1998 ) .
c01.indd 21 11/26/2015 6:19:40 PM
http://www.hbs.edu/faculty/Publication%20Files/10%E2%80%90036
http://www.digitalbusinessmodelguru.com/2012/12/15%E2%80%90business%E2%80%90models%E2%80%90complete%E2%80%90list.html
http://www.digitalbusinessmodelguru.com/2012/12/15%E2%80%90business%E2%80%90models%E2%80%90complete%E2%80%90list.html
http://www.digitalbusinessmodelguru.com/2012/12/15%E2%80%90business%E2%80%90models%E2%80%90complete%E2%80%90list.html
22 The Information Systems Strategy Triangle
in the marketplace, and they depend on the strategies and tactics used by competitors. See Figure 1.3 for a summary
of these three strategies for achieving competitive advantage.
Cost leadership results when the organization aims to be the lowest‐cost producer in the marketplace. The
organization enjoys above‐average performance by minimizing costs. The product or service offered must be
comparable in quality to those offered by others in the industry so that customers perceive its relative value. Typ-
ically, only one cost leader exists within an industry. If more than one organization seeks an advantage with this
strategy, a price war ensues, which eventually may drive the organization with the higher cost structure out of the
marketplace. Through mass distribution, economies of scale, and IS to generate operating ef”ciencies, Walmart
epitomizes the cost‐leadership strategy.
Through differentiation, the organization offers its product or service in a way that appears unique in the mar-
ketplace. The organization identi”es which qualitative dimensions are most important to its customers and then
“nds ways to add value along one or more of those dimensions. For this strategy to work, the price charged cus-
tomers for the differentiator must seem fair relative to the price charged by competitors. Typically, multiple “rms
in any given market employ this strategy. Progressive Insurance is able to differentiate itself from other automobile
insurance companies.
In its earlier days, Progressive Insurance’s service was unique. Representatives responded to accident claims
24‐7, arriving at the scene of the accident with powerful laptops and software that enabled them to settle claims and
cut a check on the spot. More recently, Progressive was the “rst to offer a usage‐based insurance product, called
Snapshot, that bases insurance rates on the miles driven by customers. These innovations enabled a strategy that
spurred Progressive’s growth and widened its pro”t margins. Apple Inc. is another example of a company that com-
petes in its markets on its ability to differentiate its products. Apple’s various innovations in its operating system,
laptop design, iPads, iPhones, iPods, iTunes and iWatches have created a strategy based on the uniqueness of its
products and services.
Focus allows an organization to limit its scope to a narrower segment of the market and tailor its offerings
to that group of customers. This strategy has two variants: (1) cost focus, in which the organization seeks a cost
advantage within its segment and (2) differentiation focus, in which it seeks to distinguish its products or services
within the segment. This strategy allows the organization to achieve a local competitive advantage even if it does
not achieve competitive advantage in the marketplace overall. Porter explains how the focuser can achieve compet-
itive advantage by focusing exclusively on certain market segments:
Breadth of target is clearly a matter of degree, but the essence of focus is the exploitation of a narrow target’s differ-
ences from the balance of the industry. Narrow focus in and of itself is not suf#cient for above‐average performance.7
Marriott International demonstrates both types of focus with two of its hotel chains: Marriott has a cost focus,
and Ritz‐Carlton has a differentiation focus. To better serve its business travelers and cut operational expenses,
Marriott properties have check‐in kiosks that interface with their Marriott Rewards loyalty program. A guest can
swipe a credit card or Marriott Rewards card at the kiosk in the lobby and receive a room assignment and keycard
Strategic Advantage
St
ra
te
g
ic
T
ar
g
et Uniqueness perceived by customer Low-cost position
Industrywide Differentiation Cost leadership
Particular segment only Focus
Source: Adapted from M. Porter, Competitive Advantage, 1st ed. (New York: The Free Press, 1985) and Competitive Advantage:
Creating and Sustaining Superior Performance, 2nd ed. (New York: The Free Press, 1998).
FIGURE 1.3 Three strategies for achieving competitive advantage.
7 Porter, Competitive Advantage: Creating and Sustaining.
c01.indd 22 11/26/2015 6:19:40 PM
23Brief Overview of Business Strategy Frameworks
from the machine. She can also print airline boarding passes at the kiosks. Further, the kiosks help the Marriott
chain implement its cost focus by cutting down on the personnel needed in at the front desk. The kiosk system is
integrated with other systems such as billing and customer relationship management (CRM) to generate operating
ef”ciencies and enhanced corporate standardization.
In contrast, stand‐alone kiosks in the lobby would destroy the feeling that the Ritz‐Carlton chain, acquired by
Marriott in 1995, creates. To the Ritz‐Carlton chain, CRM means capturing and using information about guests,
such as their preference for wines, a hometown newspaper, or a sunny room. Each Ritz‐Carlton employee is
expected to promote personalized service by identifying and recording individual guest preferences. To demon-
strate how this rule could be implemented, a waiter, after hearing a guest exclaim that she loves tulips, could log the
guest’s comments into the Ritz‐Carlton CRM system called “Class.” On her next visit to a Ritz‐Carlton hotel, tulips
could be placed in the guest’s room after querying Class to learn more about her as her visit approaches. The CRM
is instrumental in implementing the differentiation‐focus strategy of the Ritz‐Carlton chain.8 Its strategy allows the
Ritz‐Carlton chain to live up to its unique motto which emphasizes that its staff members are distinguished people
with distinguished customers.
Airline JetBlue adopted a differentiation strategy based on low costs coupled with unique customer experience.
It might be called a “value‐based strategy.” It is not the lowest cost carrier in the airline industry; at 12.3 cents per
passenger seat mile, JetBlue has one of the lowest costs, but Virgin America, Spirit, and Allegiant had even lower
per seat mile costs in 2013. But JetBlue manages its operational costs carefully, making decisions that keep its per
passenger costs among the lowest in the business, such as a limited number of airplane models in its #eet, gates at
less congested airports, paperless cockpit and many other operations, and snacks instead of meals on #ights. Jet-
Blue has one of the longest stage length averages (the length of the average #ight) in the industry, and the longer
the #ight, the lower the unit costs. Competing network carriers, who are more well known and established, may
have different pay scales because they’ve been in the business longer and have a different composition of staff.
These carriers also have higher maintenance costs for their older, more diverse #eets. If it could realize its plans for
growth while maintaining its low cost structure, JetBlue could move from its cost focus based on serving a limited,
but growing, number of market segments to a cost leadership strategy.9
While sustaining a cost focus, JetBlue’s chairman believes that JetBlue can compete on more than price, which
is part of its unique differentiation strategy. It is why the airline continually strives to keep customers satis”ed with
frills such as extra leg room, leather seats, prompt baggage delivery, DirectTV, and movies. It has been recognized
with many awards for customer satisfaction in the North American airline industry.
Dynamic Environment Strategies
Porter’s generic strategies model is useful for diagnostics, for understanding how a business seeks to pro”t in
its chosen marketplace, and for prescriptions, or building new opportunities for advantage. It re#ects a careful
balancing of countervailing competitive forces posed by buyers, suppliers, competitors, new entrants, and substitute
products and services within an industry. As is the case with many models, dynamic environment strategies offer
managers useful tools for thinking about strategy.
However, the Porter model was developed at a time when competitive advantage was sustainable because the
rate of change in any given industry was relatively slow and manageable. Since the late 1980s, when this frame-
work was at the height of its popularity, newer models have been developed to take into account the increasing
turbulence and velocity of the marketplace. Organizations need to be able to respond instantly and change rapidly,
which requires dynamic structures and processes. One example of this type of approach is the hypercompetition
framework. Discussions of hypercompetition take a perspective different from that of the previous framework. Por-
ter’s framework focuses on creating competitive advantage in relatively stable markets, whereas hypercompetition
frameworks suggest that the speed and aggressiveness of the moves and countermoves in a highly competitive and
8 Scott Berinato, “Room for Two,” CIO.com (May 15, 2002), http://www.cio.com/archive/051502/two_content.html.
9 http://www.oliverwyman.com/content/dam/oliver‐wyman/global/en/2014/nov/Airline_Economic_Analysis_Screen_OW_Nov_2014 (accessed
March 23, 2015).
c01.indd 23 11/26/2015 6:19:40 PM
http://www.cio.com/archive/051502/two_content.html
http://www.oliverwyman.com/content/dam/oliver%E2%80%90wyman/global/en/2014/nov/Airline_Economic_Analysis_Screen_OW_Nov_2014
24 The Information Systems Strategy Triangle
turbulent market create an environment in which advantages are rapidly created and eroded. In a hypercompetitive
market, trying to sustain a speci”c competitive advantage can be a deadly distraction because the environment and
the marketplace change rapidly. To manage the rapid speed of change, “rms value agility and focus on quickly
adjusting their organizational resources to gain competitive advantage. Successful concepts in hypercompetitive
markets include dynamic capabilities, creative destruction, and blue ocean strategy.10
Dynamic capabilities are means of orchestrating a “rm’s resources in the face of turbulent environments. In
particular, the dynamic capabilities framework focuses on the ways a “rm can integrate, build, and recon”gure
internal and external capabilities, or abilities, to address rapidly changing environments. These capabilities are
built rather than bought. They are embedded in “rm‐speci”c routines, processes, and asset positions. Thus,
they are dif”cult for rivals to imitate. In sum, they help determine the speed and degree to which the “rm can
marshal and align its resources and competences to match the opportunities and requirements of the business
environment.11
Since the 1990s, a competitive practice, called creative destruction, has emerged. First predicted over 60 years
ago by the economist Joseph Schumpeter, it was made popular more recently by Harvard Professor Clay Christensen.
Coincidentally (or maybe not), the accelerated competition has occurred concomitantly with sharp increases in the
quality and quantity of information technology (IT) investment. The changes in competitive dynamics are particu-
larly striking in sectors that spend the most on IT.12
One example of using dynamic models was implemented by leadership guru Jack Welch at General Electric
(GE). Often nicknamed “Neutron Jack” because of the way businesses were radically changed, Welch’s approach
to creative destruction was termed destroy your business (DYB). Welch recognized that GE could sustain its com-
petitive advantage only for a limited time as competitors attempted to outmaneuver the company. He knew that
if GE did not identify its weaknesses, its competitors would relish doing so. DYB is an approach that places GE
employees in the shoes of their competitors.13 Through the DYB lenses, GE employees develop strategies to destroy
the company’s competitive advantage. Then, in light of their revelations, they apply the grow your business (GYB)
strategy to “nd fresh ways to reach new customers and better serve existing ones. This allows GE to protect its
business from its competitors and sustain its position in the marketplace over the long run.
A similar strategy of cannibalizing its own products was used by Apple. Steve Jobs, Apple’s founder and former
CEO, felt strongly that if a company was not willing to cannibalize its own products, someone else would come
along and do it for them. That was evident in the way Apple introduced the iPhone while iPod sales were brisk and
the iPad while its Macintosh sales were strong.14 Apple continues to exhibit this strategy with subsequent releases
of new models of all of its products.
Most discussions of strategy focus on gaining competitive advantage in currently existing industries and mar-
ketplaces, which are referred to by Kim and Mauborgne as red ocean strategy. Using a red ocean strategy, “rms
“ercely compete to earn a larger share of existing demand. Kim and Mauborgne recommend a better approach:
Firms adopt a blue ocean strategy in which they create new demand in untapped marketspaces where they have the
“water” to themselves. When applying the blue ocean strategy, the goal is not to beat the competition but to make
it irrelevant. This is what Dell did when it challenged current industry logic by changing the computer purchasing
and delivery experiences of its customers. “With its direct sales to customers, Dell was able to sell its PCs for
40 percent less than IBM dealers while still making money.”15 Dell also introduced into unchartered seas an unprec-
edented delivery process that allowed buyers to receive their new computers within four days of ordering them as
compared to the red ocean process, which typically required 10 weeks.
10 For more information, please see Don Goeltz, “Hypercompetition,” vol. 1 of The Encyclopedia of Management Theory, ed. Eric Kessler (Los Angeles:
Sage, 2013), 359–60.
11 D. J. Teece, G. Pisano, and A. Shuen, “Dynamic Capabilities and Strategic Management,” Strategic Management Journal 18 (1997), 509–33; David
Teece, “Dynamic Capabilities,” vol. 1 of The Encyclopedia of Management Theory, ed. Eric Kessler (Los Angeles: Sage, 2013), 221–24.
12 Andrew McAfee and Erik Brynjolfsson, “Investing in the IT That Makes a Competitive Difference,” Harvard Business Review (July–August 2008),
98–107.
13 M. Levinson, “GE Uses the Internet to Grow Business,” CIO (October 15, 2001), http://www.cio.com/article/30624/HOT_TOPIC_E_BUSINESS_
GE_Uses_the_Internet_to_Grow_Business_ (accessed May 5, 2012).
14 Walter Isaacson, Steve Jobs (New York: Simon and Shuster, 2011).
15 W. Chan Kim and Renee Mauborgne, Blue Ocean Strategy (Cambridge, MA: Harvard Business School, 2005), 202.
c01.indd 24 11/26/2015 6:19:40 PM
http://www.cio.com/article/30624/HOT_TOPIC_E_BUSINESS_GE_Uses_the_Internet_to_Grow_Business
25Brief Overview of Organizational Strategies
Why Are Strategic Advantage Models Essential to Planning
for Information Systems?
A general manager who relies solely on IS personnel to make IS decisions may not only give up any authority over
IS strategy but also hamper crucial future business decisions. In fact, business strategy should drive IS decision
making, and changes in business strategy should entail reassessments of IS. Moreover, changes in IS potential
should trigger reassessments of business strategy—as in the case of the Internet when companies that understood
or even considered its implications for the marketplace quickly outpaced their competitors who failed to do so.
For the purposes of our model, the Information Systems Strategy Triangle, understanding business strategy means
answering the following questions:
1. What is the business goal or objective?
2. What is the plan for achieving it? What is the role of IS in this plan?
3. Who are the crucial competitors and partners, and what is required of a successful player in this
marketplace?
4. What are the industry forces in this marketplace?
Porter’s generic strategies framework and the dynamic frameworks (summarized in Figure 1.4) are revisited in
the next few chapters. They are especially helpful in discussing the role of IS in building and sustaining competitive
advantages (Chapter 2) and for incorporating IS into business strategy. The next section of this chapter establishes
a foundation for understanding organizational strategies.
Brief Overview of Organizational Strategies
Organizational strategy includes the organization’s design as well as the choices it makes to de”ne, set up, coor-
dinate, and control its work processes. How a manager designs the organization impacts every aspect of opera-
tions from dealing with innovation to relationships with customers, suppliers, and employees. The organizational
strategy is a plan that answers the question: “How will the company organize to achieve its goals and implement
its business strategy?”
A useful framework for organizational design can be found in the book Building the Information Age Orga-
nization by Cash, Eccles, Nohria, and Nolan.16 This framework (Figure 1.5) suggests that the successful execu-
tion of a company’s organizational strategy comprises the best combination of organizational, control, and cultural
variables. Organizational variables include decision rights, business processes, formal reporting relationships, and
informal networks. Control variables include the availability of data, nature and quality of planning, effectiveness
of performance measurement and evaluation systems, and incentives to do good work. Cultural variables comprise
the values of the organization. These organizational, control, and cultural variables are managerial levers used by
decision makers to effect changes in their organizations. These managerial levers are discussed in detail in Chapter 3.
FIGURE 1.4 Summary of strategic approaches and IT applications.
Strategic Approach Key Idea Application to Information Systems
Porter’s generic strategies Firms achieve competitive advantage
through cost leadership, differentiation,
or focus.
Understanding which strategy is chosen
by a #rm is critical to choosing IS to
complement the strategy.
Dynamic environment strategies Speed, agility, and aggressive moves
and countermoves by a #rm create
competitive advantage.
The speed of change is too fast for
manual response, making IS critical to
achieving business goals.
16 James I. Cash, Robert G. Eccles, Nitin Nohria, and Richard L. Nolan, Building the Information Age Organization (Homewood, IL: Richard D. Irwin, 1994).
c01.indd 25 11/26/2015 6:19:40 PM
26 The Information Systems Strategy Triangle
Our objective is to give the manager a framework to use in evaluating various aspects of organizational design.
In this way, the manager can review the current organization and assess which components may be missing and
what future options are available. Understanding organizational design means answering the following questions:
1. What are the important structures and reporting relationships within the organization?
2. Who holds the decision rights to critical decisions?
3. What are the important people‐based networks (social and informational), and how can we use them to get
work done better?
4. What are the characteristics, experiences, and skill levels of the people within the organization?
5. What are the key business processes?
6. What control systems (management and measurement systems) are in place?
7. What are the culture, values, and beliefs of the organization?
The answers to these questions inform the assessment of the organization’s use of IS. Chapters 3, 4, and 5 use
the Managerial Levers model to assess the impact of information systems (IS) on the “rm. Chapters 8 and 9 use this
same list to understand the business and governance of the IS organization.
Brief Overview of Information Systems Strategy
IS strategy is the plan an organization uses to provide information services. IS allow a company to implement its
business strategy. JetBlue’s former Vice President for People explains it nicely: “We de”ne what the business needs
and then go “nd the technology to support that.”17
Business strategy is a function of competition (What does the customer want and what does the competition
do?), positioning (In what way does the “rm want to compete?), and capabilities (What can the “rm do?). IS help
Organizational
effectivenessStrategy
Organization Control
Culture
Performance
measurement
and
evaluation
Incentives
and rewardsValues
Formal
reporting
relationships
Planning
Business
processes
Decision
rights
Data
Informal
networks
People,
Information, and
Technology
Execution
FIGURE 1.5 Managerial Levers model.
Source: J. Cash, R. G. Eccles, N. Nohria, and R. L. Nolan, Building the Information Age Organization (Homewood, IL: Richard D.
Irwin, 1994).
17 Hogue et al., Winning the 3‐Legged Race, 111.
c01.indd 26 11/26/2015 6:19:40 PM
27Brief Overview of Information Systems Strategy
determine the company ’ s capabilities. An entire chapter is devoted to understanding key issues facing general man-
agers concerning IT architecture, but for now a more basic framework is used to understand the decisions related
to IS that an organization must make.
The purpose of the matrix in Figure 1.6 is to give the manager a high‐level view of the relation between the
four IS infrastructure components and the other resource considerations that are keys to IS strategy. Infrastructure
FIGURE 1.6 IS strategy matrix.
What Who Where
Hardware The physical devices of the system System users and managers Physical location of devices
(cloud, data center, etc.)
Software The programs, applications, and
utilities
System users and managers The hardware it resides on and
physical location of that hardware
Networking The way hardware is connected to
other hardware, to the Internet, and
to other outside networks
System users and managers;
company that provides the
service
Where the nodes, the wires, and
other transport media are located
Data Bits of information stored in the
system
Owners of data; data
administrators
Where the information resides
Social Business Lens: Building a Social Business Strategy
Some companies use social IT as point solutions for business opportunities, but others build a social business
strategy that considers the application of social IT tools and capabilities to solve business opportunities holisti-
cally. A social business strategy is a plan of how the # rm will use social IT that is aligned with its organizational strat-
egy and IS strategy. Social business strategy includes a vision of how the business would operate if it seamlessly
and thoroughly incorporated social and collaborative capabilities throughout the business model. It answers the
same type of questions of what, how, and who, as do many other business strategies.
Social businesses infuse social capabilities into their business processes. Most of the social business opportu-
nities fall into one of three categories:
Collaboration —using social IT to extend the reach of stakeholders, both employees and those outside the
enterprise walls. Social IT such as social networks enable individuals to find and connect with each other to
share ideas, information, and expertise.
Engagement —using social IT to involve stakeholders in the traditional business of the enterprise. Social IT such as
communities and blogs provide a platform for individuals to join in conversations, create new conversations,
and offer support to each other and other activities that create a deeper feeling of connection to the company,
brand, or enterprise.
Innovation —using social IT to identify, describe, prioritize, and create new ideas for the enterprise. Social IT offers
community members a “super idea box” where individuals suggest new ideas, comment on other ideas, and
vote for their favorite idea, giving managers a new way to generate and decide on products and services.
National Instruments (ni.com) is an example of a company that has embraced social IT and created a social
business strategy. Managers developed a branded community consisting of a number of social IT tools like Face-
book, Twitter, blogs, forums, and more. By thinking holistically about all the ways that customers and employees
might interact with one another, the branded community has become the hub of collaboration, engagement, and
idea generation.
Source: Adapted from Keri Pearlson , “ Killer Apps for a Social Business ” (February 17, 2011 ) , http://instantlyresponsive.wordpress.
com/2011/02/27/killer‐apps‐for‐a‐social‐business/ (accessed March 19, 2015). For more information on National Instruments,
see Harvard Business school case study 813001, “National Instruments” by Lynda Applegate, Keri Pearlson, and Natalie Kindred.
c01.indd 27 11/26/2015 6:19:40 PM
http://instantlyresponsive.wordpress.com/2011/02/27/killer%E2%80%90apps%E2%80%90for%E2%80%90a%E2%80%90social%E2%80%90business/
28 The Information Systems Strategy Triangle
includes hardware, such as desktop units and servers. It also includes software, such as the programs used to do
business, to manage the computer itself and to communicate between systems. The third component of IS infra-
structure is the network, which is the physical means by which information is exchanged among hardware com-
ponents. Examples include “ber networks such as Google Fiber, cable networks such as those provided by Time
Warner, AT&T, and Comcast, WiFi provided by many local services, and 3G/4G/WiMax technologies (which are
actually Internet communication standards, but some phone companies adopt those terms as the name of networks
they offer). Some communications are conducted through a private digital network, managed by an internal unit).
Finally, the fourth part of the infrastructure is the data. The data include the bits and bytes stored in the system.
In current systems, data are not necessarily stored alongside the programs that use them; hence, it is important to
understand what data are in the system and where they are stored. Many more detailed models of IS infrastructure
exist, and interested readers may refer to any of the dozens of books that describe them. For the purposes of this
text, the IS strategy matrix provides suf”cient information to allow the general manager to assess the critical issues
in information management.
Because of the advanced state of technology, many managers are more familiar with the use of platforms and
applications, or apps. Platforms are technically any set of technologies upon which other technologies or appli-
cations run. Often they are a combination of hardware and operating system software. Microsoft Windows and
Apple’s Macintosh with its latest operating system are two examples of platforms. Also common are mobile plat-
forms such as the iPhone and Samsung/Android phone. Applications or apps, on the other hand, are self‐contained
software programs that ful”ll a speci”c purpose and run on a platform. The term “apps” became popular from the
smart phone industry, beginning when Apple offered an online marketplace for customers to download small pro-
grams to run on their devices. But more recently, because all platforms have applications that run on them, the term
apps has taken on a broader meaning.
S U M M A R Y
The Information Systems Strategy Triangle represents a simple framework for understanding the impact of IS on businesses. It
relates business strategy with IS strategy and organizational strategy and implies the balance that must be maintained in business
planning. The Information Systems Strategy Triangle suggests the following management principles.
Business Strategy
Business strategy drives organizational strategy and IS strategy. The organization and its IS should clearly support de”ned
business goals and objectives.
• De”nition: A well‐articulated vision of where a business seeks to go and how it expects to get there
• Example Models: Porter’s generic strategies model; dynamic environment models
Organizational Strategy
Organizational strategy must complement business strategy. The way a business is organized either supports the implementation
of its business strategy or it gets in the way.
• De”nition: The organization’s design, as well as the choices it makes to de”ne, set up, coordinate, and control its work
processes
• Example Model: managerial levers
IS Strategy
IS strategy must complement business strategy. When IS support business goals, the business appears to be working well. IS
strategy can itself affect and is affected by changes in a “rm’s business and organizational strategies. Moreover, IS strategy
always has consequences—intended or not—on business and organizational strategies.
c01.indd 28 11/26/2015 6:19:40 PM
29Discussion Questions
• De”nition: The plan the organization uses in providing information systems and services
• Models: A basic framework for understanding IS decisions for platform, applications, network and data‐relating
architecture (the “what”), and the other resource considerations (“who” and “where”) that represent important planning
constraints
Strategic Relationships
Organizational strategy and information strategy must complement each other. They must be designed so that they support,
rather than hinder, each other. If a decision is made to change one corner of the triangle, it is necessary to evaluate the other two
corners to ensure that balance is preserved. Changing business strategy without thinking through the effects on the organization
and IS strategies will cause the business to struggle until balance is restored. Likewise, changing IS or the organization alone
will cause an imbalance.
D I S C U S S I O N Q U E S T I O N S
1. Why is it important for business strategy to drive organizational strategy and IS strategy? What might happen if the business
strategy was not the driver?
2. In 2015, the NFL decided to hand out Microsoft Surface tablets to all coaches for use during games, and there are reports
that in the future, they will add HoloLens devices to provide augmented reality.18 A HoloLens device is a high‐definition,
head‐mounted display that allows coaches to see the plays with text and animation superimposed right on the live images. If
the NFL simply handed them out without making any other formal changes in organizational strategy or business strategy,
what might be the outcome? What unintended consequences might occur?
3. Consider a traditional manufacturing company that wants to build a social business strategy. What might be a reasonable
business strategy, and how would organization and IS strategy need to change? How would this differ for a restaurant chain?
A consumer products company? A nonprofit?
4. This chapter describes key components of an IS strategy. Describe the IS strategy of a consulting firm using the matrix
framework.
5. What does this tip from Fast Company mean: “The job of the CIO is to provide organizational and strategic flexibility”?19
K E Y T E R M S
apps (p. 27)
blue ocean strategy (p. 24)
business model (p. 20)
business strategy (p. 21)
collaboration (p. 28)
cost leadership (p. 22)
creative destruction (p. 24)
differentiation (p. 22)
dynamic capabilities (p. 24)
engagement (p. 28)
focus (p. 22)
hypercompetition (p. 23)
Information Systems Strategy
Triangle (p. 18)
innovation (p. 28)
IS strategy (p. 26)
managerial levers (p. 25)
mission (p. 19)
organizational strategy (p. 25)
red ocean strategy (p. 24)
social business strategy (p. 27)
strategy (p. 19)
18 Sean Michael, “NFL Teams Will Use Surface Pro 3s in 2015 and May Use HoloLens in the Future,” WinBeta (August 7, 2015), http://www.winbeta.
org/news/nfl‐teams‐will‐use‐surface‐pro‐3s‐2015‐and‐may‐use‐hololens‐future (accessed August 21, 2015).
19 “Technology: How much? How fast? How revolutionary? How expensive?” Fast Company (March 2002), http://www.fastcompany.com/44651/
technology‐how‐much‐how‐fast‐how‐revolutionary‐how‐expensive (accessed August 21, 2015).
c01.indd 29 11/26/2015 6:19:40 PM
http://www.winbeta.org/news/nfl%E2%80%90teams%E2%80%90will%E2%80%90use%E2%80%90surface%E2%80%90pro%E2%80%903s%E2%80%902015%E2%80%90and%E2%80%90may%E2%80%90use%E2%80%90hololens%E2%80%90future%20
http://www.fastcompany.com/44651/technology%E2%80%90how%E2%80%90much%E2%80%90how%E2%80%90fast%E2%80%90how%E2%80%90revolutionary%E2%80%90how%E2%80%90expensive
30 The Information Systems Strategy Triangle
Lego has long been an industry leader in children ’ s toys with its simple yet unique building block‐style products. A Danish
carpenter whose family still owns Lego today founded the privately held company in 1932. But by 2004, the company found
itself close to extinction, losing $1 million a day. A new CEO was brought in, and within ” ve years sales were strong, pro” ts
were up, and naysayers who felt the new strategy was going to fail were proved wrong. In fact, sales, revenues and pro” ts
continued to be strong. Revenues grew from 16 billion Danish krone (DKK) in 2010 to over 28 billion DKK in 2014, and in
the same period, pro” t almost doubled from 3.7 billion DKK to 7 billion DKK.
With the advent of high‐tech forms of entertainment, such as the iPod and PlayStation, Lego found itself more antique
than cutting edge in the toy world. When new CEO Jorgen Vig Knudstorp, a father and former McKinsey consultant, took
over, the company was struggling with poor performance, missed deadlines, long development times, and a poor delivery
record. The most popular toys frequently would be out of stock, and the company was unable to ship enough products or
manage the production of its more complicated sets. Retail stores were frustrated, and that translated into reduced shelf
space and ultimately to business losses.
Knudstorp changed all of that. He reached out to top retailers, cut costs, and added missing links to the supply chain. For
example, prior to the new strategy, 90% of the components were used in just one design. Designers were encouraged to reuse
components in their new products, which resulted in a reduction from about 13,000 different Lego components to 7,000.
Because each component ’ s mold could cost up to 50,000 euros on average to create, this reduction saved signi” cant expense.
Lego was known for its traditional blocks and components that would allow children to build just about anything their
imagination could create. The new strategy broadened the products, targeting new customer segments. Lego managers cre-
ated products based on themes of popular movies, such as Star Wars and the Indiana Jones series. The company moved
into video games, which featured animated Lego characters sometimes based on movies. The company created a product
strategy for adults and engaged the communities who had already set up thousands of Web sites and blogs featuring Lego
creations. It embraced the community who thought of Lego as a way to create art rather than simply as a building toy. And
the company designed a line of Legos aimed at girls because the majority of its products had primarily targeted boys.
The culture of Lego changed to one that refused to accept nonperformance. The company ’ s past showed a tendency to
focus on innovation and creativity, often at the expense of pro” ts. But that changed. “Knudstorp . . . made it clear that results,
not simply feeling good about making the best toys, would be essential if Lego was to succeed. . . . Its business may still be
fun and games, but working here isn ’ t,” 20 describes the current culture at Lego .
Some of the most drastic changes came from within the Lego organization structure. After its massive losses in 2004,
Lego switched its employee pay structure, offering incentives for appropriate product innovation and sales. Key performance
indicators encourage product innovation that catalyzes sales while decreasing costs. Development time dropped by 50%, and
some manufacturing and distribution functions were moved to less expensive locations, but the focus on quality remained.
The creation of reusable parts alleviated some of the strain on Lego ’ s supply chain, which in turn helped its bottom line.
Lego also expanded into the virtual world, extending into video gaming and virtual‐interaction games on the Internet.
Thinking outside the company ’ s previous product concepts cut costs while encouraging real‐time feedback from customers
across a global market. Additionally, Lego created brand ambassadors who organized conventions across the world to dis-
cuss product innovation and to build communities of fellow customers. With increased revenue, Lego managers considered
entering the movie‐making business—a risky proposition for a toy company. However, Lego ’ s success with Hollywood‐type
action ” gures fueled its interest in a movie‐making endeavor.
The growth put strains on the IS supporting the business. Order management and ful” llment were particularly affected,
resulting in the inability to meet customer demand. Employee management systems were stretched as new employees were
added to support the growth and additional locations. Product design and development, especially the virtual and video
games, required new technology, too.
To solve some of these problems, Lego managers used the same approach they used for their blocks. They created a
modularized and standardized architecture for their IS, making it possible to expand more quickly and add capacity and
functionality as it was needed. They implemented an integrated enterprise system that gave them new applications for
human capital management, operations support, product life cycle management, and data management. The new systems
and services, purchased from vendors such as SAP and IBM , simpli” ed the IT architecture and the management processes
needed to oversee the IS.
■ CASE STUDY 1‐1 Lego
20 Nelson D. Schwartz , “ Turning to Tie‐Ins, Lego Thinks Beyond the Brick ,” The New York Times , September 5, 2009 , http://www.nytimes.
com/2009/09/06/business/global/06lego.html?pagewanted=all&_r=0 (accessed August 21, 2015) .
c01.indd 30 11/26/2015 6:19:41 PM
http://www.nytimes.com/2009/09/06/business/global/06lego.html?pagewanted=all&_r=0
31Case Study
One manager at Lego summed it up nicely, “The toy world moves onwards constantly, and Lego needs to re‐invent itself
continuously. Signi” cant corporate re‐shaping introduced new energy to the company.” 21 He went on to say that simplifying
Lego ’ s IT systems and implementing an ef” cient product development process that was able to maintain quality and cost
favorably positioned Lego to respond to the fast changing pace of the toy industry.
Discussion Questions
1. How did the information systems and the organization design changes implemented by Knudstorp align with the changes
in business strategy?
2. Which of the generic strategies does Lego appear to be using based on this case? Provide support for your choice.
3. Are the changes implemented by Knudstorp an indication of hypercompetition? Defend your position.
4. What advice would you give Knudstorp to keep Lego competitive, growing, and relevant?
Sources: Adapted from http://www.nytimes.com/2009/09/06/business/global/06lego.html (accessed August 21, 2015) ; Brad Wieners ,
“ Lego Is for Girls ” (December 19, 2011 ), 68 – 73 ; information from Lego ’ s 2012 annual report, http://www.lego.com/en‐us/aboutus/news‐
room/2013/february/annual‐result‐2012 (accessed March 29, 2015); and “Lego Case Study,” http://thelegocasestudy.com (accessed
March 29, 2015).
Started in the late 1990s, Google grew rapidly to become one of the leading companies in the world. Its mission is “to
organize the world ’ s information and make it universally accessible and useful.” It is operating on a simple but innovative
business model of attracting Internet users to its free search services and earning revenue from targeted advertising. In the
winner‐takes‐all business of Internet search, Google has captured considerably more market share than its next highest rival,
Yahoo . This has turned Google ’ s Web pages into the Web ’ s most valuable real (virtual) estate. Through its two # agship pro-
grams, AdWords and AdSense, Google has capitalized on this leadership position in searching to capture the lion ’ s share in
advertisement spending. AdWords enables businesses to place ads on Google and its network of publishing partners using
an auction‐engine algorithm to decide which ad will appear on a given page. On the other hand, Google uses AdSense to
push advertisements on publishing partners ’ Web sites targeting a speci” c audience and share ad revenue with the publishing
partner. This creates a win–win situation for both advertisers and publishers; Google makes more than 90% of its revenue
from ads.
Even as a large company, Google continues to take risks and expand into new markets. Innovation is at the core of their
enterprise. Sergey Brin and Larry Page, the founders, declared in Google ’ s IPO prospectus, “We would fund projects that
have a 10% chance of earning a billion dollars over the long term. . . We place smaller bets in areas that seem very specula-
tive or even strange. As the ratio of reward to risk increases, we will accept projects further outside our normal areas.” They
add that they are especially likely to fund new types of projects when the initial investment is small.
Google promotes a culture of creativity and innovation in a number of ways. It encourages innovation in all employees
by allowing them to spend 20% of their time on a project of their own choosing. In addition, the company offers bene” ts
such as free meals, on‐site gym, on‐site dentist, and even washing machines at the company for busy employees.
Despite an open and free work culture, a rigid and procedure‐” lled structure is imposed for making timely decisions and
executing plans. For example, when designing new features, the team and senior managers meet in a large conference room.
They use the right side of the conference room walls to digitally project new features and the left side to project any tran-
scribed critique with a timer clock giving everyone 10 minutes to lay out ideas and ” nalize features. Thus, Google utilizes
rigorous, data‐driven procedures for evaluating new ideas in the midst of a chaotic innovation process.
Nine notions of innovations are embedded in the organizational culture, processes, and structure of Google: 22
1. “Innovation Comes from Anywhere”: All Google employees can innovate.
2. “Focus on the User”: When focus is on the user, the money and all else will follow.
■ CASE STUDY 1‐2 Google
21 https://www.vmware.com/files/pdf/partners/sap/sap‐vmware‐lego‐cs‐en (accessed September 11, 2015).
22 Kathy Chin Long , “ Google Reveals its Nine Principles of Innovations ,” Fast Company , http://www.fastcompany.com/3021956/how‐to‐be‐a‐success‐
at‐everything/googles‐nine‐principles‐of‐innovation (accessed March 30, 2015 ) .
c01.indd 31 11/26/2015 6:19:41 PM
http://www.nytimes.com/2009/09/06/business/global/06lego.html
http://www.lego.com/en%E2%80%90us/aboutus/news%E2%80%90room/2013/february/annual%E2%80%90result%E2%80%902012
http://www.lego.com/en%E2%80%90us/aboutus/news%E2%80%90room/2013/february/annual%E2%80%90result%E2%80%902012
http://www.lego.com/en%E2%80%90us/aboutus/news%E2%80%90room/2013/february/annual%E2%80%90result%E2%80%902012
http://thelegocasestudy.com
https://www.vmware.com/files/pdf/partners/sap/sap%E2%80%90vmware%E2%80%90lego%E2%80%90cs%E2%80%90en
http://www.fastcompany.com/3021956/how%E2%80%90to%E2%80%90be%E2%80%90a%E2%80%90success%E2%80%90at%E2%80%90everything/googles%E2%80%90nine%E2%80%90principles%E2%80%90of%E2%80%90innovation
http://www.fastcompany.com/3021956/how%E2%80%90to%E2%80%90be%E2%80%90a%E2%80%90success%E2%80%90at%E2%80%90everything/googles%E2%80%90nine%E2%80%90principles%E2%80%90of%E2%80%90innovation
http://www.fastcompany.com/3021956/how%E2%80%90to%E2%80%90be%E2%80%90a%E2%80%90success%E2%80%90at%E2%80%90everything/googles%E2%80%90nine%E2%80%90principles%E2%80%90of%E2%80%90innovation
32 The Information Systems Strategy Triangle
3. “Aim to be Ten Times Better”: To get radical and revolutionary innovation, think 10 times improvement to force
out‐of‐the‐box thinking.
4. “Bet on Technical Insights”: Trust your organization ’ s unique insights and bet on them for major innovation.
5. “Ship and Iterate”: Do not wait for perfection; let users help you to “iterate.”
6. “Give Employees 20 Percent Time”: Employees will delight you with their creative thinking. Give them 20 percent
of their work time to pursue projects they are passionate about.
7. “Default to Open Processes”: Make processes open to all to tap into the collective energy of the user base to find
great ideas.
8. “Fail Well”: Do not attach stigma to failure. If you do not fail often, you are not trying hard enough. Let people and
projects fail with pride.
9. “Have a Mission That Matters”: Google believes that its work has a positive impact on millions of people and that
this is motivating its people every day.
Keeping up with the organizational strategy of Google , its IT department provides free and open access to IT for all
employees. Rather than keeping tight control, Google allows employees to choose from several options for computer and
operating systems, download software themselves, and maintain of” cial and unof” cial blog sites. Google ’ s intranet provides
employees information about every piece of work at any part of the company. In this way, employees can ” nd and join hands
with others working on similar technologies or features.
In building the necessary IT infrastructure, Google ’ s IT department balances buying and making its own software depend-
ing on its needs and off‐the‐shelf availability. Google thinks of every IT decision “at Web Scale” to make sure its technology
works well for its customers. Given the nature of business, security of information resources is critical for Google . For
instance, its master search algorithm is considered a more valuable secret formula than Coca‐Cola ’ s. However, rather than
improving IT security by sti# ing freedom through preventive policy controls, Google puts security in the infrastructure and
focuses more on detective and corrective controls. Its network management software tools combined with a team of security
engineers constantly look for viruses and spyware as well as strange network traf” c patterns associated with intrusion.
Discussion Questions
1. How is Google ’ s mission statement related to its business strategy?
2. How does Google ’ s information systems strategy support its business strategy?
3. How does Google ’ s organizational strategy support its business strategy?
4. Which of Porter ’ s three generic strategies does Google appear to be using based on this case? Provide a rationale for
your response.
5. Analyze Google ’ s strategy and the type of market disruption it has created using a dynamic environment perspective.
Sources: Adapted from Michelle Colin , “ Champions of Innovation ,” Businessweek 3989 (June 1 8 , 2006 ), 18–26 , http://www.bloomberg.
com/bw/stories/2006‐06‐18/champions‐of‐innovation; Vauhini Vara , “ Pleasing Google ’ s Tech‐Savvy Staff ” (March 18, 2008 ) , B6; Jason
Bloomberg , “ Google ’ s Three‐Pronged Enterprise Strategy ,” Forbes Online (December 12, 2014 ) ; and Connor Forrest , “ Four Ways
Google Makes Money ,” TechRepublic (January 16, 2015 ) , http://www.techrepublic.com/article/four‐ways‐google‐makes‐money‐
outside‐of‐advertising/ (accessed August 21, 2015 ).
c01.indd 32 11/26/2015 6:19:41 PM
http://www.bloomberg.com/bw/stories/2006%E2%80%9006%E2%80%9018/champions%E2%80%90of%E2%80%90innovation
http://www.techrepublic.com/article/four%E2%80%90ways%E2%80%90google%E2%80%90makes%E2%80%90money%E2%80%90outside%E2%80%90of%E2%80%90advertising
http://www.techrepublic.com/article/four%E2%80%90ways%E2%80%90google%E2%80%90makes%E2%80%90money%E2%80%90outside%E2%80%90of%E2%80%90advertising
http://www.techrepublic.com/article/four%E2%80%90ways%E2%80%90google%E2%80%90makes%E2%80%90money%E2%80%90outside%E2%80%90of%E2%80%90advertising
33
2
chapter
This chapter introduces the concept of building competitive advantage using information
systems‐based applications. It begins with a discussion of a set of eras that describe the use
of information resources historically. It then presents information resources as strategic tools,
discussing information technology ( IT ) assets and IT capabilities. Michael Porter ’ s Five Com-
petitive Forces model then provides a framework for discussing strategic advantage, and
his Value Chain model addresses tactical ways organizations link their business processes
to create strategic partnerships. We then introduce the Piccoli and Ive ’ s model to show how
strategic advantage may be sustained in light of competitive barriers while the Resource‐
Based View focuses on gaining and maintaining strategic advantage through information
and other resources of the # rm. The chapter concludes with a brief discussion of strategic
alliances, co‐opetition, risks of strategic use of IT, and cocreating IT and business strategy.
Just as a note: this chapter uses the terms competitive advantage and strategic advantage
interchangeably.
1 Inditex Web site, http://www.inditex.com/en/who_we_are/concepts/zara (accessed February 20, 2012); http://www.marinabaysands.
com/shopping/zara.html (accessed May 2, 2015).
Strategic Use of
Information Resources
Zara , a global retail and apparel manufacturer based in Arteixo, Spain, needed a dynamic business
model to keep up with the ever‐changing demands of its customers and industry. At the heart of its
model was a set of business processes and an information system that linked demand to manufactur-
ing and manufacturing to distribution. The strategy at Zara stores was simply to have a continuous
# ow of new products that were typically in limited supply. As a result, regular customers visited
their stores often—an average of 17 times a year whereas many retail stores averaged only four
times a year. When customers saw something they liked, they bought it on the spot because they
knew it would probably be gone the next time they visited the store. The result was a very loyal and
satis” ed customer base and a wildly pro” table business model.
How did Zara do it? It was possible in part because the company aligned its information system
strategy with its business strategy. Its corporate Web site gave some insight:
Zara ’ s approach to design is closely linked to our customers. A non‐stop $ ow of information from
stores conveys shoppers ’ desires and demands, inspiring our 200‐person strong creative team. 1
The entire process from factory to shop # oor is coordinated from Zara ’ s headquarters by using
information systems. The point‐of‐sale (POS) system on the shop # oor records the information from
each sale, and the information is transmitted to headquarters at the end of each business day. Using
a handheld device, the Zara shop managers also report daily to the designers at headquarters to let
them know what has sold and what the customers wanted but couldn ’ t ” nd. The information is used
to determine which product lines and colors should be kept and which should be altered or dropped.
c02.indd 33 11/26/2015 6:20:48 PM
http://www.inditex.com/en/who_we_are/concepts/zara
http://www.marinabaysands.com/shopping/zara.html
34 Strategic Use of Information Resources
The designers communicate directly with the production staff to plan for the incredible number of designs—more
than 30,000—that will be manufactured every year.2
The shop managers have the option to order new designs twice a week using handheld computers. Before order-
ing, they can use these devices to check out the new designs. Once an order is received at the manufacturing plant at
headquarters, a large computer‐controlled piece of equipment calculates how to position patterns to minimize scrap
and cut up to 100 layers of fabric at a time. The cut fabric is then sent from Zara factories to external workshops for
sewing. The completed products are sent to distribution centers where miles of automated conveyor belts are used
to sort the garments and recombine them into shipments for each store. Zara’s Information Systems (IS) department
wrote the applications controlling the conveyors, often in collaboration with vendors of the conveyor equipment.
As the Zara example illustrates, innovative use of a “rm’s information resources can provide it substantial
and sustainable advantages over competitors. Every business depends on IS, making its use a necessary resource
every manager must consider. IS also can create a strategic advantage for “rms who bring creativity, vision, and
innovation to their IS use. The Zara case is an example. This chapter uses the business strategy foundation from
Chapter 1 to help general managers visualize how to use information resources for competitive advantage. This
chapter highlights the difference between simply using IS and using IS strategically. It also explores the use of
information resources to support the strategic goals of an organization.
The material in this chapter can enable a general manager to understand the linkages between business strategy
and information strategy on the Information Systems Strategy Triangle. General managers want to “nd answers to
questions such as: Does using information resources provide a sustainable and defendable competitive advantage?
What tools are available to help shape strategic use of information? What are the risks of using information resources
to gain strategic advantage?
Evolution of Information Resources
The Eras model (Figure 2.1) summarizes the evolution of information resources over the past six decades. To think
strategically about how to use information resources now and in the future within the “rm, a manager must under-
stand how the company arrived at where it is today. This model provides a good overview of trends and uses that
have gotten the company from simple automation of tasks to extending relationships and managing their business
ecosystems to where it is today.
IS strategy from the 1960s to the 1990s was driven by internal organizational needs. First came the need to
lower existing transaction costs. Next was the need to provide support for managers by collecting and distributing
information followed by the need to redesign business processes. As competitors built similar systems, organi-
zations lost any advantages they had derived from their IS, and competition within a given industry once again
was driven by forces that existed prior to the new technology. Most recently, enterprises have found that social IT
platforms and capabilities drive a new evolution of applications, processes, and strategic opportunities that often
involve an ecosystems of partners rather than a list of suppliers. Business ecosystems are collections of interacting
participants, including vendors, customers, and other related parties, acting in concert to do business.3
In Eras I through III, the value of information was tied to physical delivery mechanisms. In these eras, value was
derived from scarcity re#ected in the cost to produce the information. Information, like diamonds, gold, and MBA
degrees, was more valuable because it was found in limited quantities. However, the networked economy beginning
in Era IV drove a new model of value—value from plenitude. Network effects offered a reason for value derived
from plenitude; the value of a network node to a person or organization in the network increased when others joined
the network. For example, an e‐mail account has no value without at least one other e‐mail account with which to
communicate. As e‐mail accounts become relatively ubiquitous, the value of having an e‐mail account increases
as its potential for use increases. Further, copying additional people on an e‐mail is done at a very low cost (virtu-
ally zero), and the information does not wear out (although it can become obsolete). As the cost of producing an
2 Shenay Kentish, Zara (October 18, 2011), http://unilifemagazine.com.au/special‐interest/zara/ (accessed April 10, 2012).
3 For further discussion of business ecosystems, please refer to Nicholas Vitalari and Hayden Shaughnessy, The Elastic Enterprise (Longboat Key, FL:
Telemachus Press, 2012).
c02.indd 34 11/26/2015 6:20:48 PM
http://unilifemagazine.com.au/special%E2%80%90interest/zara
35Evolution of Information Resources
additional copy of an information product within a network becomes trivial, the value of that network increases.
Therefore, rather than using production costs to guide the determination of price, information products might be
priced to re#ect their value to the buyer.4
As each era begins, organizations adopt a strategic role for IS to address not only the “rm’s internal circum-
stances but also its external circumstances. Thus, in the value‐creation era (Era V), companies seek those appli-
cations that again provide them an advantage over their competition and keep them from being outgunned by
start‐ups with innovative business models or traditional companies entering new markets. For example, companies
like Microsoft, Google, Apple, and Facebook have created and maintained a competitive advantage by building
technical platforms and organizational competencies that allow them to bring in partners as necessary to create
new products and services for their customers. Their business ecosystems give them agility as well as access to
talent and knowledge, extending the capabilities of their internal staff. Other “rms simply try to solve all customer
requests themselves.
Era VI has brought another paradigm shift in the use of information with an era of hyperplenitude: seem-
ingly unlimited availability of information resources such as the Internet and processing and storage through
FIGURE 2.1 Eras of information usage in organizations.
Era I 1960s Era II 1970s Era III 1980s Era IV 1990s Era V 2000s Era VI 2010+
Primary Role
of IT
Ef#ciency Effectiveness Strategy Strategy Value
creation
Value extension
Automate
existing
paper‐based
processes
Solve
problems
and create
opportunities
Increase
individual and
group
effectiveness
Transform
industry/
organization
Create
collaborative
partnerships
Create
community
and social
business
Connecting
intelligent
devices
Justify IT
Expenditures
Return on
investment
Increase in
productivity
and better
decision
quality
Competitive
position
Competitive
position
Added value Creation of
relationships
Automated
information
exchange
Target of
Systems
Organization Organization/
Group
Individual
manager/
Group
Business
processes
Customer/
Supplier
relationships
Customer/
Employee/
supplier
ecosystem
Intelligent
devices
Information
Models
Application
speci#c
Data driven User driven Business
driven
Knowledge
driven
People
driven (or
relationship
driven)
Data
exchange
driven
Dominant
Technology
Mainframe,
“centralized
intelligence”
Minicomputer,
mostly
“centralized
intelligence”
Microcomputer,
“decentralized
intelligence”
Client server,
“distributed
intelligence”
Internet,
global
“ubiquitous
intelligence”
Social
platforms,
social
networks,
mobile, cloud
Intelligent
devices,
sensors,
electronics
Basis of
Value
Scarcity Scarcity Scarcity Plenitude Plenitude Hyperplenitude
Underlying
Economics
Economics of
information
bundled with
economics of
things
Economics of
information
bundled with
economics of
things
Economics of
information
bundled with
economics of
things
Economics of
information
separated
from
economics
of things
Economics of
information
separated
from
economics
of things
Economics of
relationships
bundled with
economics of
information
Economics of
informa tion
bundled with
economics of
things
4 Adapted from M. Broadbent, P. Weill, and D. Clair. “The Implications of Information Technology Infrastructure for Business Process Redesign,” MIS
Quarterly 23, no. 2 (1999), 163.
c02.indd 35 11/26/2015 6:20:48 PM
36 Strategic Use of Information Resources
cloud computing sparked new value sources such as community and social business and the Internet of Things
(connecting intelligent devices, sensors, and other electronics).
The Information System Strategy Triangle introduced in Chapter 1 re#ects the linkages between a “rm’s IS strat-
egy, organizational strategy, and business strategy. A link between IS strategy and business strategy focuses on the
“rm’s external requirements whereas a link between IS strategy and organizational strategy ful”lls and enhances
internal requirements of the “rm. Maximizing the effectiveness of the “rm’s business strategy requires that the
general manager be able both to identify and use information resources. This chapter describes how information
resources can be used strategically by general managers.
Information Resources as Strategic Tools
Crafting a strategic advantage requires the general manager to cleverly combine all the “rm’s resources, includ-
ing “nancial, production, human, and information, and to consider external resources such as the Internet and
opportunities in the global arena. Information resources are more than just the infrastructure. This generic term,
information resources, is de”ned as the available data, technology, people, and processes within an organization
to be used by the manager to perform business processes and tasks. Information resources can either be assets or
capabilities. An IT asset is any thing, tangible or intangible, that can be used by a “rm to create, produce, and/or
offer its products (goods or services). Examples of IT assets include a “rm’s Web site, data “les, or computer equip-
ment. An IT capability is something that is learned or developed over time for the “rm to create, produce, or offer
its products. An IT capability makes it possible for a “rm to use its IT assets effectively.5 The ability and knowledge
to create a Web site, work with data “les, and take advantage of IT equipment are examples of capabilities.
An IS infrastructure (a concept that is discussed in detail in Chapter 6) is an IT asset. It includes each of an
information resource’s constituent components (i.e., data, technology, people, and processes). The infrastructure
provides the foundation for the delivery of a “rm’s products or services. Another IT asset is an information repos-
itory, which is logically related data captured, organized, and retrieved by the “rm. Some information repositories
are “lled with internally oriented information designed to improve the “rm’s ef”ciency. Other repositories tap the
external environment and contain signi”cant knowledge about the industry, the competitors, and the customers.
Although most “rms have these types of information repositories, not all “rms use them effectively.
In the continually expanding Web space, the view of IT assets is broadening to include potential resources that
are available to the “rm but that are not necessarily owned by it. These additional information resources are often
available as a service rather than as a system to be procured and implemented internally. For example, Internet‐
based software (also called software as a service, or SAAS), such as SalesForce.com, offers managers the opportu-
nity to “nd new ways to manage their customer information with an externally based IT resource. Social networking
systems such as Facebook and LinkedIn offer managers the opportunity to “nd expertise or an entire network of
individuals ready to participate in the corporate innovation processes using relatively little capital or expense.
The three major categories of IT capabilities are technical skills, IT management skills, and relationship skills.
Technical skills are applied to designing, developing, and implementing information systems. IT management skills
are critical for managing the IS department and IS projects. They include an understanding of business processes,
the ability to oversee the development and maintenance of systems to support these processes effectively, and the
ability to plan and work with the business units in undertaking change. Relationship skills can be focused either
externally or internally. An externally focused relationship skill includes the ability to respond to the “rm’s market
and to work with customers and suppliers. The internal relationship between a “rm’s IS managers and its business
managers is a spanning relationship skill and includes the ability of IS to manage partnerships with the business
units. Even though it focuses on relationships in the “rm, it requires spanning beyond the IS department. Rela-
tionship skills develop over time and require mutual respect and trust. They, like the other information resources,
can create a unique advantage for a “rm. Figure 2.2 summarizes the different types of information resources and
provides examples of each.
5 G. Piccoli and B. Ives, “IT‐Dependent Strategic Initiatives and Sustained Competitive Advantage: A Review and Synthesis of the Literature,” MIS
Quarterly 29, no. 4 (2003), 747–76.
c02.indd 36 11/26/2015 6:20:48 PM
37How Can Information Resources Be Used Strategically?
Information resources exist in a company alongside other resources. The general manager is responsible for
organizing all resources so that business goals are met. Understanding the nature of the resources at hand is a pre-
requisite to using them effectively. By aligning IS strategy with business strategy, the general manager maximizes
the company’s pro”t potential. To ensure that information resources being deployed for strategic advantage are used
wisely, the general manager must identify what makes the information resource valuable (and the Eras model may
provide some direction) and sustainable. Meanwhile, the “rm’s competitors are working to do the same. In this
competitive environment, how should the information resources be organized and applied to enable the organiza-
tion to compete most effectively?
How Can Information Resources Be Used Strategically?
The general manager confronts many elements that in#uence the competitive environment of his or her enterprise.
Overlooking a single element can bring about disastrous results for the “rm. This slim tolerance for error requires
the manager to take multiple views of the strategic landscape. Three such views can help a general manager align
IS strategy with business strategy. The “rst view uses the !ve competitive forces model by Michael Porter to look
at the major in#uences on a “rm’s competitive environment. Information resources should be directed strategically
to alter the competitive forces to bene”t the “rm’s position in the industry. The second view uses Porter’s value
chain model to assess the internal operations of the organization and partners in its supply chain. Information
resources should be directed at altering the value‐creating or value‐supporting activities of the “rm. We extend this
view further to consider the value chain of an entire industry to identify opportunities for the organization to gain
competitive advantage. The third view speci”cally focuses on the types of IS resources needed to gain and sustain
competitive advantage. These three views provide a general manager with varied perspectives from which to iden-
tify strategic opportunities to apply the “rm’s information resources.
Using Information Resources to In#uence Competitive Forces
Porter provides the general manager a classic view of the major forces that shape the competitive environment of an
industry, which affects “rms within the industry. These “ve competitive forces are shown in Figure 2.3 along with
some examples of how information resources can be applied to in#uence each force. This view reminds the general
FIGURE 2.2 Information resources.
Source: Adapted from G. Piccoli and B. Ives, “IT‐Dependent Strategic Initiatives and Sustained Competitive Advantage: A Review
and Synthesis of the Literature,” MIS Quarterly 29, no. 4 (2005), 755.
IT Assets IT Capabilities
IT Infrastructure
• Hardware
• Software and company apps
• Network
• Data
• Web site
Information Repository
• Customer information
• Employee information
• Marketplace information
• Vendor information
Technical Skills
• Pro#ciency in systems analysis
• Programming and Web design skills
• Data analysis/data scientist skills
• Network design and implementation skills
IT Management Skills
• Business process knowledge
• Ability to evaluate technology options
• Project management skills
• Envisioning innovative IT solutions
Relationship Skills
• Spanning skills such as business‐IT
relationship management
• External skills such as vendor management
c02.indd 37 11/26/2015 6:20:48 PM
38 Strategic Use of Information Resources
manager that competitive forces result from more than just the actions of direct competitors. We explore each force
in detail from an IS perspective.
Potential Threat of New Entrants
Existing “rms within an industry often try to reduce the threat of new entrants to the marketplace by erecting bar-
riers to entry. New entrants seem to come out of nowhere; established “rms can diversify their business models and
begin to compete in the space occupied by existing “rms, or an enterprising entrepreneur can create a new business
that changes the game for existing “rms. Barriers to entry— including a “rm’s controlled access to limited distribu-
tion channels, public image of a “rm, unique relationships with customers, and an understanding of their industry’s
government regulations—help the “rm create a stronghold by offering products or services that are dif”cult to dis-
place in the eyes of customers based on apparently unique features. Information resources also can be used to build
barriers that discourage competitors from entering an industry. For example, Google’s search algorithm is a source
of competitive advantage for the search company, and it’s a barrier of entry for new entrants that would have to cre-
ate something better to compete against Google. New entrants have failed to erode Google’s market share, which
holds fast at 65% in the United States and at over 90% in Europe.6 Walmart, another example, effectively blocks
competition with its inventory control system, which helps it drive down expenses and ultimately offer lower costs
to customers. Any company entering Walmart’s marketplace would have to spend millions of dollars to build the
inventory control system and IS required to provide its operations with the same capabilities. Therefore, the system
at Walmart may be a barrier to entry for new companies.
Search engine optimization (actions that a “rm can take to improve its prominence in search results) has served
as a barrier to entry for some businesses. Consider the Web site that has the number one position in a user’s search.
There is only one number one position, making it an advantage for the company enjoying that position and a barrier
for all other Web sites seeking that position.
Bargaining Power
of Suppliers
3
Bargaining Power
of Buyers
2
Strategic use
• Cost effectiveness
• Market access
• Differentiation of
product or service
Strategic use
• Switching costs
• Access to distribution
channels
• Economies of scale
Strategic use
• Selection of supplier
• Threat of backward
integration
Strategic use
• Buyer selection
• Switching costs
• Differentiation
Strategic use
• Redefine products and
services
• Improve price/performance
Potential Threat of
New Entrants
1
Threat of Substitute
Products
4
Industry Competitors
5
FIGURE 2.3 Five competitive forces with potential strategic use of information resources.
Sources: Adapted from M. Porter, Competitive Strategy (New York: The Free Press, 1998); and Lynda M. Applegate, F. Warren
McFarlan, and James L. McKenney, Corporate Information Systems Management : The Issues Facing Senior Executives, 4th ed.
(Homewood, IL: Irwin, 1996).
6 “Viewed as a Monopoly in Europe, Google Takes on Role as a Wireless Trust‐Buster in U.S.,” New York Times (May 8, 2015), B1, B6.
c02.indd 38 11/26/2015 6:20:49 PM
39How Can Information Resources Be Used Strategically?
Bargaining Power of Buyers
Customers often have substantial power to affect the competitive environment. This power can take the form of
easy consumer access to several retail outlets to purchase the same product or the opportunity to purchase in large
volumes at superstores like Walmart. Information resources can be used to build switching costs that make it less
attractive for customers to purchase from competitors. Switching costs can be any aspect of a buyer’s purchas-
ing decision that decreases the likelihood of “switching” his or her purchase to a competitor. Such an approach
requires a deep understanding of how a customer obtains the product or service. For example, Amazon.com’s
patented One Click option encourages return purchases by making buying easier. Amazon.com stores buyer
information, including a default credit card number, shipping method, and “ship‐to” address so that purchases
can be made with one click, saving consumers the effort of data reentry and further repetitive choices. Similarly,
Apple’s iTunes simple‐to‐use interface and proprietary software for downloading and listening to music makes
it dif”cult for customers to use other formats and technologies, effectively reducing the power of the buyers, the
customers.
Bargaining Power of Suppliers
Suppliers’ bargaining power can reduce a “rm’s options and ultimately its pro”tability. Suppliers often strive to
“lock in” customers through the use of systems (and other mechanisms). For example, there are many options for
individuals to back up their laptop data, including many “cloud” options. The power of any one supplier is low
because there are a number of options. But Apple’s operating system enables easy creation of backups and increases
Apple’s bargaining power. Millions of customers “nd it easy to use the iCloud, and they do.
The force of bargaining power is strongest when a “rm has few suppliers from which to choose, the quality of
supplier inputs is crucial to the “nished product, or the volume of purchases is insigni”cant to the supplier. For
example, steel “rms lost some of their bargaining power over the automobile industry because car manufacturers
developed technologically advanced quality control systems for evaluating the steel they purchase. Manufacturers
can now reject steel from suppliers when it does not meet the required quality levels.
Through the Internet, “rms continue to provide information for free as they attempt to increase their share of
visitors to their Web sites and gather information about them. This decision reduces the power of information sup-
pliers and necessitates “nding new ways for content providers to develop and distribute information. Many Internet
“rms are integrating backward or sideways within the industry, that is, creating their own information supply and
reselling it to other Internet sites. Well‐funded “rms simply acquire these content providers, which is often quicker
than building the capability from scratch. One example of this was Amazon.com’s purchase of Zappos, the shoe
retailer. More recently, in 2015 LinkedIn acquired online learning company Lynda.com to add a capability to offer
professional development to the company’s business of networking, recruitment, and advertising.
Threat of Substitute Products
The potential of a substitute product in the marketplace depends on the buyers’ willingness to substitute, the
relative price‐to‐performance ratio of the substitute, and the level of switching costs a buyer faces. Information
resources can create advantages by reducing the threat of substitution. Substitutes that cause a threat come from
many sources. Internal innovations can cannibalize existing revenue streams for a “rm. For example, new iPhones
motivate current customers to upgrade, essentially cannibalizing the older product line revenue. Of course, this is
also a preemptive move to keep customers in the iPhone product family rather than to switch to another competi-
tor’s product. The threat might come from potentially new innovations that make the previous product obsolete.
Tablets have reduced the market for laptops and personal computers. GPS systems have become substitutes for
paper maps, digital cameras have made “lm and “lm cameras obsolete, and MP3 music has sharply reduced the
market for vinyl records, record players, CDs, and CD players. Free Web‐based applications are a threat to soft-
ware vendors who charge for their products and who do not have Web‐based delivery. Revolutions of many kinds
and levels of maturity seem to be lurking everywhere. Cloud services are a substitute for data centers. Uber offers a
substitute for taxicabs. Managers must watch for potential substitutes from many different sources to fully manage
this competitive threat.
c02.indd 39 11/26/2015 6:20:49 PM
40 Strategic Use of Information Resources
Industry Competitors
Rivalry among the “rms competing within an industry is high when it is expensive for a “rm to leave the industry,
the growth rate of the industry is declining, or products have lost differentiation. Under these circumstances, the
“rm must focus on the competitive actions of rivals to protect its own market share. Intense rivalry in an industry
ensures that competitors respond quickly to any strategic actions. Facebook enjoys a competitive advantage in the
social networking industry. Other sites have tried to compete with Facebook by offering a different focus, either a
different type of interface or additional ways to network. Competition is “erce and many start‐ups hope to “be the
next Facebook.” However, Facebook continues to lead the industry, in part by continued innovation and in part by
its huge customer base, which continues to raise the bar for competitors.
The processes that “rms use to manage their operations and to lower costs or increase ef”ciencies can provide
an advantage for cost‐focus “rms. However, as “rms within an industry begin to implement standard business
processes and technologies—often using enterprisewide systems such as those of SAP and Oracle—the industry
becomes more attractive to consolidation through acquisition. Standardizing IS lowers the coordination costs of
merging two enterprises and can result in a less competitive environment in the industry.
One way competitors differentiate themselves with an otherwise undifferentiated product is through creative use
of IS. Information provides advantages in such competition when added to an existing product. For example, the
iPod, iPhone, iPad, and iWatch are differentiated in part because of the iTunes store and the applications available
only to users of these devices. Competitors offer some of the same information services, but Apple was able to take
an early lead by using information systems to differentiate their products. Credit card companies normally compete
on “nancial services such as interest rate, fees, and payment period. But Capital One differentiated its credit cards
by adding information to its services; it provided customers their credit scores.
Each of the competitive forces identi”ed by Porter’s model is acting on “rms at all times, but perhaps to a greater
or lesser degree. There are forces from potential new entrants, buyers, sellers, substitutes, and competitors at all
times, but their threat varies. Consider Zara, the case discussed in at the beginning of this chapter. See Figure 2.4
for a summary of these “ve forces working simultaneously at the retailer and manufacturer.
General managers can use the “ve competitive forces model to identify the key forces currently affecting compe-
tition, to recognize uses of information resources to in#uence forces, and to consider likely changes in these forces
FIGURE 2.4 Application of “ve competitive forces model for Zara.
Competitive Force IT In$uence on Competitive Force
Threat of New Entrant Zara’s IT supports its tightly knit group of designers, market specialists,
production managers, and production planners. New entrants are unlikely to
be able to provide IT to support such relationships that have been built over
time at Zara. Further, it has a rich information repository about customers that
would be hard to replicate.
Bargaining Power of Buyers Recently, Zara has employed laser technology to measure 10,000 women
volunteers so that it can add the measurements of “real” customers into its
information repositories. This means that the new products will be more likely
to #t Zara customers.
Bargaining Power of Suppliers Its computer‐controlled cutting machine cuts up to 1,000 layers at a time.
A large number of sellers are available for the simple task of sewing the
pieces together. Zara has great $exibility in choosing the sewing companies.
Industry Competitors Zara tracks breaking trends and focuses on meeting customer preferences for
trendy, low‐cost fashion. The result is the highest sales per square foot in its
industry, virtually no advertising, only 10% of stock remaining unsold, very low
inventory levels, new products offered in 15 days from idea to shelves, and
extremely ef#cient manufacturing and distribution operations.
Threat of Substitute Products IT helps Zara offer extremely fashionable lines that are expected to last for
approximately 10 wears. IT enables Zara to offer trendy, appealing apparel at
hard‐to‐beat prices, making substitutes dif#cult.
c02.indd 40 11/26/2015 6:20:49 PM
41How Can Information Resources Be Used Strategically?
over time. The changing forces drive both the business strategy and IS strategy, and this model provides a way to
think about how information resources can create competitive advantage for a business unit and, even more broadly,
for the “rm. The forces also can reshape an entire industry—compelling general managers to take actions to help
their “rm gain or sustain competitive advantage.
Using Information Resources to Alter the Value Chain
A second lens for describing the strategic use of information systems is Porter’s value chain. The value chain model
addresses the activities that create, deliver, and support a company’s product or service. Porter divided these activ-
ities into two broad categories (Figure 2.5): support and primary activities. Primary activities relate directly to the
value created in a product or service whereas support activities make it possible for the primary activities to exist
and remain coordinated. Each activity may affect how other activities are performed, suggesting that information
resources should not be applied in isolation. For example, more ef”cient IS for repairing a product may increase
the possible number of repairs per week, but the customer does not receive any value unless his or her product is
repaired, which requires that the spare parts be available. Changing the rate of repair also affects the rate of spare
parts ordering. If information resources are focused too narrowly on a speci”c activity, then the expected value may
not be realized because other parts of the chain have not adjusted.
The value chain framework suggests that competition stems from two sources: lowering the cost to perform
activities and adding value to a product or service so that buyers will pay more. To achieve true competitive
advantage, a “rm requires accurate information on elements outside itself. Lowering activity costs achieves an
advantage only if the “rm possesses information about its competitors’ cost structures. Even though reducing
isolated costs can improve pro”ts temporarily, it does not provide a clear competitive advantage unless the
“rm can lower its costs below a competitor’s. Doing so enables the “rm to lower its prices as a way to grow its
market share.
For example, many Web sites sell memory to upgrade laptops. But some sites, such as crucial.com, have an
option that automates the process prior to the sales process. These sites have the “Crucial System Scanner Tool,”
which scans the customer’s laptop, identi”es the current con”guration and the capacity, and then suggests com-
patible memory upgrade kits. The customer uses the scanner, which identi”es the con”guration of the laptop, and
automatically opens a Web page with the appropriate memory upgrades. The customer does not have to “gure out
the con”guration or requirements; it’s done automatically. By combining a software program like its con”gurator
with the sales process, crucial.com has added value to the customer’s experience by automating a key process.
Organization
Human Resources
Technology
Purchasing
Inbound
Logistics
Outbound
Logistics
Operations Marketing
and Sales
Service
Materials
handling
Delivery
Manufacturing
Assembly
Order
processing
Shipping
Product
Pricing
Promotion
Place
Customer service
Repair
P
ri
m
ar
y
A
ct
iv
iti
es
S
up
po
rt
A
ct
iv
iti
es
FIGURE 2.5 Value chain of the “rm.
Source: Adapted from Michael Porter and Victor Millar, “How Information Gives You Competitive Advantage,” Harvard Business
Review (July–August 1985), reprint no. 85415.
c02.indd 41 11/26/2015 6:20:49 PM
42 Strategic Use of Information Resources
Although the value chain framework emphasizes the activities of the individual “rm, it can be extended, as
in Figure 2.6, to include the “rm in a larger value system. This value system is a collection of “rm value chains
connected through a business relationship and through technology. From this perspective, a variety of strategic
opportunities exist to use information resources to gain a competitive advantage. Understanding how information is
used within each value chain of the system can lead to new opportunities to change the information component of
value‐added activities. It can also lead to shakeouts within the industry as “rms that fail to provide value are forced
out and as surviving “rms adopt new business models.
Opportunity also exists in the transfer of information across value chains. For example, sales forecasts gener-
ated by a manufacturer, such as a computer or automotive company, and linked to supplier systems create orders
for the manufacture of the necessary components for the computer or vehicle. Often this coupling is repeated from
manufacturing company to vendor/supplier for several layers, linking the value chains of multiple organizations. In
this way, each member of the supply chain adds value by directly linking the elements of its value chains to others.
Optimizing a company’s internal processes, such as its supply chain, operations, and customer relationship
processes, can be another source of competitive advantage. Tools are routinely used to automate the internal oper-
ations of a “rm’s value chain, such as supply chain management (SCM) to source materials for operations,
enterprise resource planning (ERP) systems to automate functions of the operations activities of the value chain,
and customer relationship management (CRM) systems to optimize the processing of customer information.
These systems are discussed in more detail in Chapter 5.
In an application of the value chain model to the Zara example discussed earlier, Figure 2.7 describes the value
added to Zara’s primary and support activities provided by information systems. The focus in Figure 2.7 is on
value added to Zara’s processes, but suppliers and customers in its supply chain also realize the value added by
information systems. Most notably, the customer is better served as a result of the systems. For example, the stores
place orders twice a week over personal digital assistants (PDAs). Each night, managers use their PDAs to learn
about newly available garments. The orders are received and promptly processed and delivered. In this way, Zara
can be very timely in responding to customer preferences.
Unlike the “ve competitive forces model, which focuses on industry dynamics, the focus of the value chain is
on the “rm’s activities. Yet, using the value chain as a lens for understanding strategic use of information resources
affects competitive forces because technology innovations add value to suppliers, customers, or even competitors
and potential new entrants.
Supplier’s
Value
Chains
Firm’s
Value
Chain
Channel’s
Value
Chains
Buyer’s
Value
Chains
FIGURE 2.6 The value system: Interconnecting relationships between organizations.
c02.indd 42 11/26/2015 6:20:49 PM
43Sustaining Competitive Advantage
Sustaining Competitive Advantage
It might seem obvious that a “rm would try to sustain its competitive advantage. After all, the “rm might have
worked very hard to create advantages, such as those previously discussed. However, there is some controversy
about trying to sustain a competitive advantage.
On one side are those who warn of hypercompetition as discussed in Chapter 1.7 In an industry facing hyper-
competition, recall that trying to sustain an advantage can be a deadly distraction. Consider the banking industry as
a good example that has undergone much change over the past “ve decades. In the 1960s, people needed to visit a
physical bank for all transactions, including withdrawing from or depositing to their accounts and transferring among
accounts. In the 1970s, some banks took a chance and invested in automated teller machines (ATMs) and were
among the innovators in the industry. In the 1980s, some banks pioneered “bank‐by‐phone” services that enabled
customers to pay bills by phone, attempting to establish competitive advantage with technology. In the late 1990s,
Web sites served to augment banking services, and “bank‐by‐web” was the new, exciting way to compete. Most
recently, many banks are providing mobile banking, enabling customers to make deposits by using their smartphone
camera to take photos of checks that previously needed to be turned in physically. Then the checks can be destroyed.
The obvious picture to paint here is that competitors caught up with the leaders very quickly, and competitive
advantage was brief. When ATMs were introduced, it did not take long for others to adopt the same technology.
Even small banks found that they could band together with competitors and invest in the same technologies. The
same imitation game took place with “bank by phone,” “bank by Web,” and mobile banking.
More interestingly, what sounds like an exciting way to show off the power of technology can also be interpreted
as a way to increase the cost of doing business. Although some investments, such as using ATMs to replace tellers,
lowered costs, other investments raised costs (such as needing to offer phone, Web, and mobile banking options to
customers).
FIGURE 2.7 Application of value chain model to Zara.
Activity Zara’s Value Chain
Primary Activities
Inbound Logistics IT‐enabled just‐in‐time (JIT) strategy results in inventory being received when needed. Most
dyes are purchased from its own subsidiaries to better support JIT strategy and reduce
costs. Many suppliers are located near its production facilities.
Operations Information systems support decisions about the fabric, cut, and price points. Cloth is ironed
and products are packed on hangers so they don’t need ironing when they arrive at stores.
Price tags are already on the products. Zara produces 60% of its merchandise in house.
Fabric is cut and dyed by robots in 23 highly automated Spanish factories.
Outbound Logistics Clothes move on miles of automated conveyor belts at distribution centers and reach stores
within 48 hours of the order.
Marketing and Sales Limited inventory allows low percentage of unsold inventory (10%); POS at stores linked
to headquarters track how items are selling; customers ask for what they want, and this
information is transmitted daily from stores to designers over handheld computers.
Service No focus on service on products.
Support Activities
Organization IT supports tightly knit collaboration among designers, store managers, market specialists,
production managers, and production planners.
Human Resources Managers are trained to understand what’s selling and report data to designers every day.
The manager is key to making customers feel listened to and to communicating with head-
quarters to keep each store and the entire Zara clothing line at the cutting edge of fashion.
Technology Technology is integrated to support all primary activities. Zara’s IT staff works with vendors
to develop automated conveyors to support distribution activities.
Purchasing Vertical integration reduces amount of purchasing needed.
7 Don Goeltz, “Hypercompetition,” vol. 1 of The Encyclopedia of Management Theory, ed. Eric Kessler (Los Angeles: Sage, 2013), 359–60.
c02.indd 43 11/26/2015 6:20:49 PM
44 Strategic Use of Information Resources
Rather than arguing that sustaining a competitive advantage is a deadly distraction, Piccoli and Ives8 provide
a framework that outlines the ways in which a “rm can provide barriers to competitors, which would build sus-
tainability. The framework outlines four types of barriers: IT project barrier, IT resources and capabilities barrier,
complementary resources barrier, and preemption barrier. See Figure 2.8 for a brief de”nition and a few examples
of each.
So, should a “rm focus attention on building barriers to the competition, or should it just give up on the
established competitive advantage and focus on seeking the next revolution? Given that some technologies can be
copied quickly, or even just purchased from the same well‐known vendor who supplied it to the leader, it seems
prudent to spend some time to explore each technological option in the Piccoli and Ives’ framework and determine
where the “rm can increase sustainability. If the project is rather small, then the “rm should focus on the other
three barriers. If the “rm can build loyalty with customers who appreciate innovation, a two‐month competitive
advantage might turn into a two‐year or longer advantage (thus building a preemption barrier). If a “rm can capture
valuable data right at the beginning, a copycat “rm may fall further behind. Also, building partnerships or securing
exclusive rights to some of the technologies can further slow down a competitor.
It would not be wise to stop there, however. The “rm should continue to seek ways in which IT can improve
offerings or service to customers. And the “rm should go beyond those steps, focusing on how it might change
its entire industry. One example is the way in which Net#ix continued to speed its DVD delivery service while
focusing on movie streaming, a technology that will someday make the delivery service obsolete. Net#ix was more
than aware that its revenue was falling every quarter, but it expected and embraced the shortfall with its strategic
move into streaming.9 Given that other services such as Amazon and many cable companies had begun streaming,
Net#ix has created original series offerings such as House of Cards and Orange Is the New Black.
Therefore, a “rm might (1) seek ways to build sustainability by looking into each of the four potential barriers
to identify promising ways to block the competition and at the same time (2) continue to innovate and change the
industry. Net#ix has done both by building a dependable and ef”cient mailing business and creating new business
models such as streaming and series production. Focusing only on building sustainability has the potential effect of
“ghting a losing battle, and focusing only on new business models might be too risky as the sole source of growth.
The last strategic framework, resource‐based view, is more general and emphasizes ways in which to exploit its
many potential resources. The framework, described next, can be helpful for sustaining and creating competitive
advantage.
FIGURE 2.8 Barriers to competition and building sustainability.
Barrier De#nition Examples
IT project barrier It would be a large undertaking for a
competitor to build the system to copy
the capability.
• Requires a large investment
• Requires a long time to build
• Complicated to build
IT assets and capabilities barrier Competitors might lack the IT resources
to copy the capability.
• Database of customers that cannot
be copied
• Expert developers or project
managers
Complementary resources barrier The #rm has other resources that create
a synergy with the IT that provides
competitive advantage.
• Respected brand
• Partnership agreements
• Exclusivity arrangements
• Good location
Preemption barrier The #rm “got there #rst.” • Loyal customer base built at the
beginning
• Firm known as “the” source
8 Piccoli and Ives, “IT‐Dependent Strategic Initiatives and Sustained Competitive Advantage,” 755.
9 Greg Sandoval, “Netflix CEO, DVD Subscribers to Decline Now and Forever,” CNET, http://www.cnet.com/news/netflix‐ceo‐dvd‐subscribers‐to‐
decline‐now‐and‐forever (accessed August 19, 2015).
c02.indd 44 11/26/2015 6:20:50 PM
http://www.cnet.com/news/netflix%E2%80%90ceo%E2%80%90dvd%E2%80%90subscribers%E2%80%90to%E2%80%90decline%E2%80%90now%E2%80%90and%E2%80%90forever
http://www.cnet.com/news/netflix%E2%80%90ceo%E2%80%90dvd%E2%80%90subscribers%E2%80%90to%E2%80%90decline%E2%80%90now%E2%80%90and%E2%80%90forever
http://www.cnet.com/news/netflix%E2%80%90ceo%E2%80%90dvd%E2%80%90subscribers%E2%80%90to%E2%80%90decline%E2%80%90now%E2%80%90and%E2%80%90forever
45Sustaining Competitive Advantage
Using the Resource‐Based View (RBV)
A fourth framework, the resource‐based view (RBV),10 is useful for determining whether a “rm’s strategy has
created value by using IT. Like the value chain model, the RBV concentrates on areas that add value to the “rm.
Whereas the value chain model focuses on a “rm’s activities, the resource‐based view focuses on the resources that
it can manage strategically in a rapidly changing competitive environment. Like the Piccoli and Ives framework,
the RBV focuses on sustaining competitive advantage but through use of resources rather than by raising compet-
itive barriers.
The RBV has been applied in the area of IS to help identify two types of information resources: those that enable
a “rm to attain competitive advantage and those that enable a “rm to sustain the advantage over the long term.
From the IS perspective,11 some types of resources are better than others for creating attributes that enable a “rm to
attain competitive advantage (i.e., value, rarity) whereas other resources are better for creating attributes to sustain
competitive value (e.g., low substitutability, low mobility, low imitability).
Resources to Attain Competitive Advantage
Valuable and rare resources that “rms must leverage to establish a superior resource position help companies attain
competitive advantage. A resource is considered valuable when it enables the “rm to become more ef”cient, effec-
tive, or innovative. It is a rare resource when other “rms do not possess it. For example, many banks today would
not think of doing business without a mobile banking app. Mobile banking apps are very valuable to the banks in
terms of their operations. A bank’s customers expect it to provide a mobile banking app that can be used on any
mobile device. However, because many other banks also have mobile banking apps, they are not a rare resource,
and they do not offer a strategic advantage. Some call them table stakes or resources required just to be in the
business. Many systems in Eras I and II, and especially Era III, were justi”ed on their ability to provide a rare and
valuable resource. In some cases these very systems have become table stakes.
Resources to Sustain Competitive Advantage
Many “rms that invested in systems learned that gaining a competitive advantage does not automatically mean that
they could sustain it over the long term. The only way to do that is to continue to innovate and to protect against
resource imitation, substitution, or transfer. For example, Walmart’s complex logistics management is deeply
embedded in both its own and its suppliers’ operations so that imitations by other “rms is unlikely. The Oakland
Athletics’ use of information systems propelled it to victory, as depicted in the movie Moneyball, but as soon as
other teams learned about the secret behind the success Oakland was having with analytics and information sys-
tems, they, too began to use similar techniques, reducing the advantage Oakland initially enjoyed. Finally, to sustain
competitive advantage, resources must be dif”cult to transfer or replicate, or relatively immobile. Some information
resources can be easily bought. However, technical knowledge—especially that which relates to a “rm’s opera-
tion—an aggressive and opportunistic company culture, deep relationships with customers, and managerial experi-
ence in the “rm’s environment is less easy to obtain and, hence, considered harder to transfer to other “rms.
Some IT management skills are general enough in nature to make them easier to transfer and imitate. Although
it clearly is important for IS executives to manage internally oriented resources such as IS infrastructure, systems
development, and running cost‐effective IS operations, these skills can be acquired in many different forms. They
are basic IT management skills possessed by virtually all good IS managers. Other skills, however, are unique to a
“rm and require considerable time and resources to develop. For example, it takes time to learn how the “rm oper-
ates and to understand its critical processes and socially complex working relationships. However, the message sug-
gested by the RBV is that IS executives must look beyond their own IS shop and concentrate on cultivating resources
10 The resource‐based view was originally proposed by management researchers, most prominently Jay Barney, “Firm Resources and Sustained Compet-
itive Advantage,” Journal of Management 17, no. 1 (1991), 99–120 and “Is the Resource‐Based ‘View’ a Useful Perspective for Strategic Management
Research? Yes,” Academy of Management Review 26, no. 1 (2001), 41–56; M. Wade and J. Hulland, “Review: The Resource‐Based View and Information
Systems Research: Review, Extension and Suggestions for Future Research,” MIS Quarterly 28, no. 1 (2004), 107–42. This article reviewed the resource‐
based view’s application in the MIS literature and derived a framework to better understand its application to IS resources.
11 http://www.minonline.com/best_of_web/Best‐of‐the‐Web‐CommunitySocial‐Networking_10185.html (accessed January 1, 2012).
c02.indd 45 11/26/2015 6:20:50 PM
http://www.minonline.com/best_of_web/Best%E2%80%90of%E2%80%90the%E2%80%90Web%E2%80%90CommunitySocial%E2%80%90Networking_10185.html
46 Strategic Use of Information Resources
that help the “rm understand changing business environments and allow it to work well with all its external stake-
holders. Even when considering internally oriented information resources, there are differences in the extent to
which these resources add value. Many argue that IS personnel are willing to move, especially when offered higher
salaries by “rms needing these skills. Yet, some technical skills, such as knowledge of a “rm’s use of technology to
support business processes, and technology integration skills are not easily exported to, or imported from, another
“rm. Further, hardware and many software applications can be purchased or outsourced, making them highly imita-
ble and transferrable. Because it is unlikely that two “rms have exactly the same strategic alternatives, resources at
one “rm might have only moderate substitutability in the other “rm.
Zara and RBV
Figure 2.9 indicates the extent to which the attributes of each information resource may add value to Zara, the
company discussed earlier in the chapter. Zara’s advantage did not come from the speci”c hardware or software
technologies it employed. Its management spent “ve to ten times less on technology than its rivals. In contrast,
FIGURE 2.9 Information resources at Zara, by attribute.
Source: Based on M. Wade and J. Hulland, “The Resource‐Based View and Information Systems Research: Review, Extension and
Suggestions for Future Research,” MIS Quarterly 28, no. 1 (2004), 107–42.
Value Creation Value Sustainability
Resource/Attribute Value Rarity Imitation Substitution Transfer
IT ASSET
IT Infrastructure Moderate because of its skillful use
of the POS equipment, handheld
computers, automated conveyors,
and computer‐controlled equipment
to cut patterns, but similar
technology could be purchased
and used by competitors
Easy to imitate and transfer its infrastructure
Moderate for substitution of infrastructure (automated
conveyers)
Information
Repository
High value and rarity because of
its information about customers’
preferences and body types, which
Zara leverages strategically; well
integrated with Zara’s operations
and personnel; retail information
analyzed by designers to identify
future products
Dif#cult to imitate and transfer
Extremely dif#cult to substitute because of the volume
and nature of the data
IT CAPABILITY
Technical Skills Low value/rarity because IS
professionals could be hired
relatively easily to perform the
technical work
Moderately dif#cult to imitate, substitute, or transfer;
some sustainability results because the skills are used to
integrate across a range of systems
IT Management
Skills
High value/rarity because they were
acquired over time
Dif#cult to imitate, substitute, or transfer; resources
leveraged well
Relationship
Skills—Externally
Focused
High value from relationships with
European manufacturers
Moderate rarity because other
companies also have relationships
with manufacturers although required
time to develop the relationship
Dif#cult to imitate, substitute, or transfer; turnaround time
of under 5 weeks from conception to distribution
Relationship
Skills—Spanning
High rarity of spanning Dif#cult to imitate, substitute, or transfer spanning; unusual
tight‐knit teams at headquarters not easy to imitate or
purchase in the marketplace, allowing the ability to
correctly interpret and quickly respond to customer needs
c02.indd 46 11/26/2015 6:20:50 PM
47Strategic Alliances
Zara has created considerable value from the other information asset—its valuable information repository with cus-
tomers ’ preferences and body types.
In terms of information capability, much of Zara ’ s value creation is from its valuable and rare IT management
skills. Zara ’ s relationship skills also serve as a tool for value creation and sustainability. Overall, Zara is able to
create high value from its IT management and relationship skills. It would be moderately to extremely dif” cult to
substitute, imitate, or transfer them.
The resource‐based theory, although highly cited, has received its share of criticism. 12 The major criticism is that
it doesn ’ t clearly distinguish between value and strategic competitive advantage. Another criticism of the original
theory is that it doesn ’ t consider different types of resources. However, IS researchers addressed this concern when
they categorized resources into assets and capabilities and then provided examples of each. In applying the theory,
it is important to recognize that it is focused on internal sources of a ” rm ’ s competitive advantage and, thus, does
not thoroughly take into account the environment in which the ” rm is embedded, especially when the environment
is quite dynamic.
Most ” rms don ’ t really have a choice of creating competitive advantage by manipulating industry forces either
through their use of information resources or IT‐enhanced activities. Yet, like Zara , they can leverage the IT
resources they do have to create and sustain strategic value for their ” rms.
Strategic Alliances
The value chain helps a ” rm focus on adding value to the areas of most value to its partners. The resource‐based
view suggests adding value using externally oriented relationship skills. The Eras framework emphasizes the
importance of collaborative partnerships and relationships. The increasing number of Web applications focused on
collaboration and social networking only foreshadow even more emphasis on alliances. These relationships can
take many forms, including joint ventures, joint projects, trade associations, buyer–supplier partnerships, or car-
tels. Often such partnerships use information technologies to support strategic alliances and integrate data across
Social Business Lens: Social Capital
A management theory that is gaining in popularity as a tool in understanding a social business is the social capital
theory. Social capital is the sum of the actual and potential resources embedded within, available through, and
derived from the network of relationships possessed by an individual or social unit. Relationships associated with
networks have the potential of being a valuable resource for businesses. The theory ’ s focus is not on managing
individuals but on managing relationships.
The value from networks may be derived in one of three interrelated ways: structural, relational, and cognitive.
The structural dimension is concerned with the pattern of relationships in the network—who is connected to whom.
The relational dimension looks at the nature of relationships among members in the network (i.e., respect, friend-
ship)—how the connected people interact. The third cognitive dimension looks at the way people think about
things in the network, in particular whether they have a shared language, system of meanings or interpretations—
how the connected people think. The unusual thing about social capital is that no one person owns it. Rather, the
people in the relationship own it jointly. Thus, it can ’ t be traded easily, but it can be used to do certain things more
easily. In particular, in social business applications, social capital may make it easier to get the information needed
to perform a task or connect with certain key people. In IS development teams, social capital may improve the
willingness and ability of team members to coordinate their tasks in completing a project.
Source: J. Nahapiet and S. Ghosal , “ Social Capital, Intellectual Capital and the Organizational Value , “ Academy of Management
Review , 23 , no. 2 ( 1998 ), 242 – 66 .
12 For an excellent discussion of criticisms of the resource‐based view, see J. Kraaijenbrink , J‐C Spender , and A. J. Groen “ The Resource‐Based View:
A Review and Assessment of Its Critiques ,” Journal of Management , 36 , no. 1 , ( 2010 ), 349 – 72 .
c02.indd 47 11/26/2015 6:20:50 PM
48 Strategic Use of Information Resources
partners’ information systems. A strategic alliance is an interorganizational relationship that affords one or more
companies in the relationship a strategic advantage. An example is the strategic alliance between game maker
Zynga and Facebook. As documented in Facebook’s IPO “ling in January 2012, the relationship is a mutually
bene”cial one. Zynga developed some of the most popular games found on Facebook, including Ma”a Wars,
Farmville, and WordsWithFriends. Facebook has exclusive rights to Zynga’s games, many of which have generated
thousands of new members for Facebook. It also gained access to Zynga’s customer database. The alliance gen-
erates signi”cant revenue for both parties because players of these games purchase virtual goods with real money
and Zynga purchases signi”cant advertising space from Facebook to promote its games. Zynga bene”ts from the
revenue resulting from its gamers on Facebook community.13
Business ecosystems are often groups of strategic alliances in which a number of partners provide important ser-
vices to each other and jointly create value for customers. The Facebook ecosystem could be said to include many
of the companies that use that platform to deliver their apps, that allow customers to post directly on their Facebook
page from the app, or that allow customers to log on to their site using their Facebook account. This adds value
for customers by providing greater convenience, and by offering the ability to automatically update their activity
stream with information from the app, and both Facebook and the app provider bene”t from their alliance.
IS often provides the platform upon which a strategic alliance functions. Technology can help produce the prod-
uct developed by the alliance, share information resources across the partners’ existing value systems, or facilitate
communication and coordination among the partners. Because many services are information based today, an IS
platform is used to deliver these services to customers. The Facebook– Zynga alliance is an example of this type of
IS platform. Further, linking value chains through supply chain management (SCM) is another way that “rms build
an IT‐facilitated strategic alliance.
Co‐opetition
Clearly, not all strategic alliances are formed with suppliers or customers as partners. Rather, co‐opetition is an
increasingly popular alternative model. As de”ned by Brandenburg and Nalebuff in their book of the same name,
co‐opetition is a strategy whereby companies cooperate and compete at the same time with companies in their
value net.14 The value net includes a company and its competitors and complementors as well as its customers and
suppliers and the interactions among all of them. A complementor is a company whose product or service is used in
conjunction with a particular product or service to make a more useful set for the customer. For example, Goodyear
is a complementor to Ford and GM because tires are a complementary product to vehicles. Likewise, Amazon is a
complementor to Apple in part because the Amazon reading application, the Kindle, the reading tablet that Amazon
sells, is one of the most popular apps for the iPad. Finally, a cellular service is a complementor to Google’s search
engine because the service allows more consumers to use Google’s search function.
Co‐opetition, then, is the strategy for creating the best possible outcome for a business by optimally combining
competition and cooperation. It can also be used as a strategy for sourcing as discussed in Chapter 10. It fre-
quently creates competitive advantage by giving power in the form of information to other organizations or groups.
For example, Covisint.com hosts the auto industry’s e‐marketplace, which grew out of a consortium of compet-
itors, including General Motors, Ford, DaimlerChrysler, Nissan, and Renault. By addressing multiple automo-
tive functional needs across the entire product life cycle, Covisint offers support for collaboration, supply chain
management, procurement, and quality management. Covisint.com has extended this business‐to‐partner platform
to other industries including health care, manufacturing, life sciences, food and beverage, and oil and gas. Thus,
co‐opetition as demonstrated by Covisint not only streamlines the internal operations of its backers but also has the
potential to transform an industry.
13 Adapted from N. Wingfield, “Virtual Products, Real Profits” The Wall Street Journal (September 9, 2011), A1, 16; L. B. Baker, “Zynga’s Sales Soar
on Facebook Connection,” Reuters News (February 2, 2012), http://www.reuters.com/article/2012/02/02/us‐zynga‐shares‐idUSTRE8111PO20120202
(accessed September 14, 2015); Jackie Cohen, “So Much for the Facebook Effect: Zynga Sees $978.6 Million Loss In 2011,” Yahoo News (February 14,
2012), http://www.allfacebook.com/facebook‐zynga‐eps‐2012‐02 (accessed February 20, 2012).
14 A. Brandenburg and B. Nalebuff, Co‐opetition (New York: Doubleday, 1996).
c02.indd 48 11/26/2015 6:20:50 PM
http://www.reuters.com/article/2012/02/02/us%E2%80%90zynga%E2%80%90shares%E2%80%90idUSTRE8111PO20120202
http://www.allfacebook.com/facebook%E2%80%90zynga%E2%80%90eps%E2%80%902012%E2%80%9002
49Risks
Risks
As demonstrated throughout this chapter, information resources may be used to gain strategic advantage even if that
advantage is #eeting. When information systems are chosen as the tool to outpace a “rm’s competitors, executives
should be aware of the many risks that may surface. Some of these risks include the following:
• Awakening a sleeping giant: A “rm can implement IS to gain competitive advantage only to “nd that it
nudged a larger competitor with deeper pockets into implementing an IS with even better features. FedEx
offered its customers the ability to trace the transit and delivery of their packages online. FedEx’s much
larger competitor, UPS, rose to the challenge. UPS not only implemented the same services but also added
a new set of features eroding some of the advantages FedEx enjoyed, causing FedEx to update its offerings.
Both the UPS and FedEx sites passed through multiple Web site iterations as the dueling delivery companies
continue to struggle for competitive advantage.
• Demonstrating bad timing: Sometimes customers are not ready to use the technology designed to gain
strategic advantage. For example, Grid Systems created the GRiDPAD in 1989. It was a tablet computer
designed for businesses to use in the “eld and was well reviewed at that time. But it didn’t get traction.
Three decades later, in 2010, Apple introduced the iPad, and tablet computing took off.
• Implementing IS poorly: Stories abound of information systems that fail because they are poorly imple-
mented. Typically, these systems are complex and often global in their reach. An implementation “asco took
place at Hershey Foods when it attempted to implement its supply and inventory system. Hershey devel-
opers brought the complex system up too quickly and then failed to test it adequately. Related systems prob-
lems crippled shipments during the critical Halloween shopping season, resulting in large declines in sales
and net income. More recently, in 2012, more than 100,000 Austin Energy customers received incorrect util-
ity bills due to problems with the company’s vendor‐supplied bill collection system. Some customers went
months without a bill, and others were incorrectly billed. Some businesses that owed $3,000 were billed
$300,000. Still others tried to pay their bill online only to be told that the payment had not recorded when it
had been. The utility calculated that the problems cost it more than $8 million.15
• Failing to deliver what users want: Systems that do not meet the needs of the “rm’s target market are likely
to fail. For example, in 2011, Net#ix leadership divided the company into two, calling the DVD‐rental
business Qwikster and keeping the streaming business under Net#ix. But customers complained, and worse,
closed their accounts, and less than a month later, Qwikster was gone. Net#ix reunited both businesses
under the Net#ix name.16
• Running afoul of the law: Using IS strategically may promote litigation if the IS results in the violation of
laws or regulations. Years ago, American Airlines’ reservation system, Sabre, was challenged by the airline’s
competitors on the grounds that it violated antitrust laws. More recently, in 2010, Google said it was no
longer willing to adhere to Chinese censorship. The Chinese government responded by banning searching
via all Google search sites (not only google.cn but all language versions, e.g., google.co.jp. google.com.au),
including Google Mobile. Google then created an automatic redirect to Google Hong Kong, which stopped
June 30, 2010, so that Google would not lose its license to operate in China. Today, Google, Inc. is acting
in compliance with the Chinese government’s censorship laws and Chinese users of Google.cn see “ltered
results as before. More recently, European antitrust of”cials claimed that Google’s search engine unfairly
generates results that favor its shopping sites over those of its competitors and that its Android mobile phone
operating system unfairly features Google as the default search engine.17
15 Marty Toohey, “More Than 100,000 Austin Energy Customers Hit by Billing Errors from $55 Million IBM System,” Statesman (February 18, 2012),
http://www.statesman.com/news/local/more‐than‐100‐000‐austin‐energy‐customers‐hit‐2185031.html (accessed February 20, 2012).
16 Qwikster = Gonester (October 10, 2011), http://www.breakingcopy.com/netflix‐kills‐qwikster (accessed February 20, 2012).
17 “Viewed as a Monopoly in Europe, Google Takes on Role as a Wireless Trust‐Buster in U.S.,” The New York Times (May 8, 2015), B1, B6.
c02.indd 49 11/26/2015 6:20:50 PM
http://www.statesman.com/news/local/more%E2%80%90than%E2%80%90100%E2%80%90000%E2%80%90austin%E2%80%90energy%E2%80%90customers%E2%80%90hit%E2%80%902185031.html
http://www.breakingcopy.com/netflix%E2%80%90kills%E2%80%90qwikster
50 Strategic Use of Information Resources
Every business decision has risks associated with it. However, with the large expenditure of IT resources needed
to create sustainable, strategic advantages, the manager should carefully identify and then design a mitigation strat-
egy to manage the associated risks.
Co‐Creating IT and Business Strategy
This chapter has discussed the alignment of IT strategy with business strategy. Certainly, the two strategies must
be carefully choreographed to ensure receiving maximum value from IT investments and obtaining the maximum
opportunity to achieve the business strategy. However, in the fast‐paced business environment where information
is increasingly a core component of the product or service offered by the ” rm, managers must co‐create IT and
business strategy. That is to say that IT strategy is business strategy; one cannot be created independently of the
other. In many cases, they are now one in the same.
For companies whose main product is information, such as ” nancial services companies, it ’ s clear that information
management is the core of the business strategy itself. How an investment ” rm manages the clients ’ accounts, how
its clients interact with the company, and how investments are made are all done through the management of
information. A ” nancial services company must co‐create business and IT strategy.
But consider a company like FedEx , most well known as the package delivery company. Are customers paying
to have a package delivered or to have information about that package ’ s delivery route and timetable? One could
argue that they are one in the same and that increasingly the company ’ s business strategy is its IS strategy. Certainly,
there are components of the operation that are more than just information. There are actual packages to be loaded
on actual trucks and planes, which are then actually delivered to their destinations. However, to make it all work,
the company must rely on IS. Should the IS stop working or have a serious failure, FedEx would be unable to do
business. A company like this must co‐create IT strategy and business strategy.
This was not true a few years ago. Companies could often separate IS strategy from business strategy in part
because their products or services did not have a large information component. For example, a few years ago,
should the IS of a trucking company stop working, the trucks would still be able to take their shipments to their
destination and pick up new ones. It might be slower or a bit more chaotic, but the business wouldn ’ t stop. Today,
that ’ s not the case. Complicated logistics are the norm, and IS are the foundation of the business as seen at FedEx .
With the increasing number of IS applications on the Web and on mobile devices, ” rms increasingly need to
co‐create business and IT strategy. Managers who think they can build a business model without considering the
opportunities and impact of information systems, using both the resources owned by the ” rm and those available on
the Web, will ” nd they have signi” cant dif” culties creating business opportunities as well as sustainable advantage
in their marketplace.
Geographic Box: Mobile‐Only Internet Users Dominate Emerging Countries
More than 25% of mobile Web users in emerging markets connect to the Internet solely through mobile devices.
This is the case for 70% of mobile Web users in Egypt, 59% in India, and 50% in Nigeria but only for 25% of U.S. and
22% of U.K. mobile Web users. Malaysia is emerging as a test case for a mobile‐only Internet. It has rolled out a
next‐generation, high‐speed broadband network that covers most of its population. This infrastructure makes it
possible to make video calls with Apple ’ s FaceTime application in locations throughout the country using a tiny
pocket router that accesses a WiMAX wireless‐broadband network set up by a local conglomerate, YTL Corp.
Bhd . To further encourage the spread of Internet, Malaysia ’ s leaders have pledged not to censor the Internet.
Sources: G. Dunaway , “ Mobile‐Only Internet Users Dominate Emerging Markets ” Adotas.com (October 24, 2011), http://www.adotas.
com/201w1/10/mobile‐only‐internet‐users‐dominate‐emerging‐markets/ (accessed August 19, 2015) ; J. Hookway , “ Broadband in
the Tropics ,” The Wall Street Journal (September 21, 2011 ) , B6.
c02.indd 50 11/26/2015 6:20:50 PM
http://www.adotas.com/201w1/10/mobile%E2%80%90only%E2%80%90internet%E2%80%90users%E2%80%90dominate%E2%80%90emerging%E2%80%90markets/
51Discussion Questions
S U M M A R Y
• Information resources include data, technology, people, and processes within an organization. Information resources can
be either assets or capabilities.
• IT infrastructure and information repositories are IT assets. Three major categories of IT capabilities are technical skills,
IT management skills, and relationship skills.
• Using IS for strategic advantage requires an awareness of the many relationships that affect both competitive business
and information strategies.
• The “ve competitive forces model implies that more than just the local competitors in#uence the reality of the business
situation. Analyzing the “ve competitive forces—threat of new entrants, buyers’ bargaining power, suppliers’ bargaining
power, industry competitors, and threat of substitute products—from both a business view and an information systems
view helps general managers use information resources to minimize the effect of these forces on the organization.
• The value chain highlights how information systems add value to the primary and support activities of a “rm’s internal
operations as well as to the activities of its customers and of other components of its supply chain.
• The resource‐based view (RBV) helps a “rm understand the value created by its strategy. RBV maintains that compet-
itive advantage comes from a “rm’s information resources. Resources enable a “rm to attain and sustain competitive
advantage.
• IT can facilitate strategic alliances. Ecosystems are groups of strategic alliances working together to deliver goods and
services. Supply chain management (SCM) is a mechanism that may be used for creating strategic alliances.
• Co‐opetition is the complex arrangement through which companies cooperate and compete at the same time with other
companies in their value net.
• Numerous risks are associated with using information systems to gain strategic advantage: awaking a sleeping giant,
demonstrating bad timing, implementing poorly, failing to deliver what customers want, avoiding mobile‐based alterna-
tives, and running afoul of the law.
K E Y T E R M S
business ecosystem (p. 34)
co‐opetition (p. 48)
customer relationship management
(CRM) (p. 42)
enterprise resource planning
(ERP) (p. 42)
information resources (p. 36)
IT asset (p. 36)
IT capability (p. 36)
network effects (p. 34)
resource‐based view (RBV) (p. 45)
strategic alliance (p. 48)
social capital (p. 47)
supply chain management
(SCM) (p. 42)
D I S C U S S I O N Q U E S T I O N S
1. How can information itself provide a competitive advantage to an organization? Give two or three examples. For each
example, describe its associated risks.
2. Use the five competitive forces model as described in this chapter to describe how information technology might be used to
provide a winning position for each of these businesses:
a. A global advertising agency
b. A local restaurant
c. A mobile applications provider
d. An insurance company
e. A Web‐based audio book service
c02.indd 51 11/26/2015 6:20:50 PM
52 Strategic Use of Information Resources
3. Using the value chain model, describe how information technology might be used to provide a winning position for each of
these businesses:
a. A global advertising agency
b. A local restaurant
c. A mobile applications provider
d. An insurance company
e. A Web‐based audio book service
4. Use the resource‐based view as described in this chapter to describe how information technology might be used to provide
and sustain a winning position for each of these businesses:
a. A global advertising agency
b. A local restaurant
c. A mobile applications provider
d. An insurance company
e. A Web‐based audio book service
5. Some claim that the only sustainable competitive advantage for an organization is its relationships with its customers. All
other advantages eventually erode. Do you agree or disagree? How can information systems play a role in maintaining the
organization ’ s relationship with its customers? Defend your position.
6. Cisco Systems has a network of component suppliers, distributors, and contract manufacturers that are linked through
Cisco ’ s extranet. When a customer orders a Cisco product at its Web site, the order triggers contracts to manufacturers of
printed circuit board assemblies when appropriate and alerts distributors and component suppliers. Cisco ’ s contract manu-
facturers are aware of the order because they can log on to its extranet and link with Cisco ’ s own manufacturing execution
systems. What are the advantages of Cisco ’ s strategic alliances? What are the risks to Cisco? To the suppliers?
Groupon, Inc. raised $700 million at its IPO in the fall of 2011, instantly providing a valuation of almost $13 billion for a
company that was only three years old at the time. Some question the value, claiming Groupon has no sustainable compet-
itive advantage. Others see Groupon as an innovative company with high potential.
Groupon sells Internet coupons for events, services, and other popular items that customers might want to buy. Customers
sign up for daily e‐mails targeted to their local market. The daily deal, offered for one‐day only and only if a predetermined
minimum number of customers buy it, gives customers 50% off the “retail” price. For example, a $100 three‐month health
club membership would sell for $50 on Groupon . The customer pays $50 to Groupon and prints a certi” cate to redeem at the
health club. Groupon keeps 50% of the revenue, or $25 in this case, and gives the rest to the health club. Effectively, retailers
are offering 75% off with the customer saving 50% and Groupon taking the rest.
Groupon pays the retailer when the coupon is redeemed, making money both on the # oat between the time revenue is
collected and the time the retailer is paid and on the certi” cates that are never redeemed at all, which the industry calls break-
age. Retailers make money in the long run by introducing customers to their products, selling them additional products and
services when they come in to redeem their coupons, and turning them into repeat customers. And retailers bene” t from the
buzz created when their business is on Groupon .
In August 2010, Groupon launched its ” rst national deal, a coupon worth $50 of Gap apparel and accessories for $25.
It sold over 440,000 coupons, netting Groupon and the Gap close to $11 million. But not all vendors are the size of the
Gap , and smaller vendors have been overwhelmed with too many coupons. One local business owner said the company lost
$8,000 on its Groupon promotion when too many coupons were issued. In fact, a study of 150 retailers showed that only
66% found their deals pro” table.
Around the time of the IPO, analysts and observers alike claimed that Groupon ’ s business model was not sustainable. In
addition to the large number of retailers who found their deals unpro” table, observers noted that Groupon does not produce
anything of value, and it isn ’ t adding value to the retailers. Further, there are no barriers to entry to stop competitors. In May
2011, more than 450 competitors offering discounts and deals included LivingSocial , another daily deal site; restaurant.com,
a site for restaurant gift certi” cates at a deep discount; and overstock.com and woot.com , sites offering discounted merchan-
dise, not to mention deep‐pocketed competitors like Amazon.com .
■ CASE STUDY 2‐1 Groupon
c02.indd 52 11/26/2015 6:20:50 PM
53Case Study
Zipcar is an answer for customers who want to rent a car for a few hours in their home city rather than for a few days from
a traditional rental agency. Car reservations are for a speci” c pick‐up time and location around the city, often in neighbor-
hoods so the customers need only to walk to pick up their reserved car. Customers apply for a Zipcard, which enables them
to reserve a car online and unlock their car when they arrive at its location.
The company operates with a very small staff compared to traditional rental agencies. Very little human interaction is
required between the customer and Zipcar for a transaction. A customer reserves a car online, enters into the reserved car by
waving the RFID‐enabled Zipcard against the card reader mounted behind the driver ’ s side windshield, returns the car to the
same location, and is billed on the credit card already on ” le. The customer can check all rental records and print receipts
from the online reservation system. The system also has a color‐coded time chart showing the availability and location of all
rental cars in the vicinity. This transparent information exchange allows a customer to pick the car he or she wants, if avail-
able, or delay the reservation until that car is returned by another customer. Zipcar also created and installed a GPS‐enabled
wireless device in each car, which allows members to ” nd and reserve a vehicle nearby using a cell phone. Customers also
can use an iPhone or Android app on their iPhone or Android mobile device to ” nd and reserve a Zipcar on a 24/7 basis.
Zipcar sends text alerts near the end of the rental period, and customers can text back if they want to extend their rental time.
All cars were out” tted with patented wireless technology. Zipcar ’ s proprietary IT platform carries information # ow bet-
ween customers, vehicles, and the company. It is used to monitor car security, ful” ll reservations, record hourly usage, and
maintain mileage information. The platform also relays vital technical information such as battery voltage and fuel level. It
even informs the central system if a customer forgot to turn off headlights, which can quickly drain battery power.
This business model provides unique advantages over traditional car rentals. Customers do not have to stand in line or
” ll out papers to rent a car. They know exactly which make and model they will be getting. Unlike most off‐airport rental
agency locations, which are open only during business hours, Zipcar locations are open 24 hours. The company ’ s rates also
include the cost of gas and insurance as well as reserved parking spots at some locations.
Additionally, the company uses social networking technologies to develop an online community of Zipcar members—
Zipsters. It encourages Zipsters to talk about their Ziptrips (i.e., share their personal experiences with Zipcar ).
Thus, information technology is not only the key enabler of this business model but also a facilitator in creating a
buzz and encouraging community development around the concept. Zipcar changed the rules of the rental car industry by
■ CASE STUDY 2‐2 Zipcar
But Groupon added to its business strategy with mobile capability and new services. In February 2012, it purchased
Kima Labs , a mobile payment specialist, and Hyperpublic , a company that builds databases of local information. In May
2011, in a few cities, the company launched Groupon Now, a time‐based local application that gives customers instant deals
at merchants nearby using location‐based software. CEO Andrew Mason told Wall Street analysts in February 2012 that he
saw signi” cant growth potential, including working on new features that will help customers personalize offers and avoid
deals they don ’ t want.
Discussion Questions
1. How does information technology help Groupon compete?
2. Do you agree or disagree with the statement that “Groupon has no sustainable competitive advantage?” Please explain
your point of view.
3. How does Groupon add value to the companies whose offers are sold on the site?
4. What impact, if any, will Groupon Now have on Groupon ’ s competitive position? Explain.
5. What would you advise Groupon leaders to consider as their next application?
6. Analyze the business model of Groupon using Porter ’ s five forces model.
Sources: Adapted from http://mashable.com/2010/08/19/gap‐groupon/ (accessed February 21, 2012); http://www.forbes.com/sites/
petercohan/2011/06/06/memo‐to‐sec‐groupon‐has‐no‐competitive‐advantage‐stop‐its‐ipo/ (accessed February 21, 2012); http://blogs.
wsj.com/venturecapital/2010/09/29/rice‐university‐study‐groupon‐renewal‐rate‐not‐so‐hot/ (accessed February 21, 2012); http://articles.
chicagotribune.com/2011‐05‐18/business/ct‐biz‐0519‐groupon‐now‐20110518_1_groupon‐chief‐executive‐andrew‐mason‐# rst‐phase
(accessed February 21, 2012); http://www.reuters.com/article/2012/02/09/us‐groupon‐idUSTRE81727 B20120209 (accessed February 21,
2012).
c02.indd 53 11/26/2015 6:20:50 PM
http://mashable.com/2010/08/19/gap%E2%80%90groupon
http://www.forbes.com/sites/petercohan/2011/06/06/memo%E2%80%90to%E2%80%90sec%E2%80%90groupon%E2%80%90has%E2%80%90no%E2%80%90competitive%E2%80%90advantage%E2%80%90stop%E2%80%90its%E2%80%90ipo/
http://blogswsj.com/venturecapital/2010/09/29/rice%E2%80%90university%E2%80%90study%E2%80%90groupon%E2%80%90renewal%E2%80%90rate%E2%80%90not%E2%80%90so%E2%80%90hot/%20
http://articles.chicagotribune.com/2011%E2%80%9005%E2%80%9018/business/ct%E2%80%90biz%E2%80%900519%E2%80%90groupon%E2%80%90now%E2%80%9020110518_1_groupon%E2%80%90chief%E2%80%90executive%E2%80%90andrew%E2%80%90mason%E2%80%90first%E2%80%90phase
http://www.reuters.com/article/2012/02/09/us%E2%80%90groupon%E2%80%90idUSTRE81727
54 Strategic Use of Information Resources
bringing the new Web 2.0 mind‐set of focusing on automation, customer empowerment, transparency, and community.
Zipcar is very successful; as of August 2015, its Website boasts over 900,000 paying members and renting over 10,000
vehicles in 30 major metro markets in the United States, Canada, and the United Kingdom, as well as 400 college cam-
puses and 50 airports.
Discussion Questions
1. Apply the resource‐based view to Zipcar ’ s business model to show how information resources may be used to gain and
sustain competitive advantage.
2. Discuss the synergy between the business strategy of Zipcar and information technology.
3. What network effects are part of Zipca r ’ s strategy? How do they add value?
4. As the CEO of Zipca r, what is your most threatening competition? What would you do to sustain a competitive
advantage?
Sources: Adapted from Paul Boutin , “ A Self‐Service Rental Car ,” Businessweek (May 3 , 2006 ), http://www.bloomberg.com/bw/
stories/2006‐05‐03/a‐self‐service‐rental‐car (accessed August 19, 2015) ; Mary K. Pratt , “ RFID: A Ticket to Ride ,” Computerworld (Decem-
ber 18, 2006 ), http://www.computerworld.com/article/2554153/mobile‐wireless/r# d—a‐ticket‐to‐ride.html (accessed August 19, 2015) ;
“Zipcar: Our Technology Downloaded,” http://www.zipcar.com/how/technology; Zipcar: “Zipcar Overview,” http://www.zipcar.com/
press/overview (accessed August 19, 2015).
c02.indd 54 11/26/2015 6:20:51 PM
http://www.bloomberg.com/bw/stories/2006%E2%80%9005%E2%80%9003/a%E2%80%90self%E2%80%90service%E2%80%90rental%E2%80%90car
http://www.computerworld.com/article/2554153/mobile%E2%80%90wireless/rfi
http://www.zipcar.com/how/technology
http://www.zipcar.com
55
3
chapter
In order for information systems (IS) to support an organization in achieving its goals, the
organization must re$ ect the business strategy and be coordinated with the organizational
strategy. This chapter focuses on linking and coordinating the IS strategy with the three
components of organizational strategy:
• Organizational design (decision rights, formal reporting relationships and structure,
informal networks)
• Management control systems (planning, data collection, performance measurement,
evaluation, incentives, and rewards)
• Internal culture (values, locus of control)
Organizational Strategy
and Information Systems
After 20 years of fast growth, in 2014 Cognizant Technology Solutions was a company with $8.84
billion in revenues from providing IS outsourcing services. However, growing at such a breakneck
speed, it had to reinvent its organizational structure many times to make sure that it facilitated the
# ow of information. Initially, its India‐centric structure located managers of each group in India
along with software engineers. Employees at customer locations worldwide reported to the man-
agers. As the company grew and its focus shifted from simple, cost‐based solutions to complex,
relationship‐based solutions, this structure had to be changed to be more customer oriented. Under
the redesigned reporting structure, managers were moved to customer locations but software engi-
neers remained in India. This change improved customer relations but brought about new headaches
on the technical side. Under the new arrangement, managers had to spend their days with cus-
tomers and unexpectedly ended up spending their nights with software engineers to clarify customer
requirements and ” x bugs. This created a tremendous strain on managers, who threatened to quit.
It also hampered the company ’ s business of systems development. Thus, neither of these organiza-
tional structures was working well. Neither structure was well aligned with the business strategy
and the IS strategy.
However, Cognizant found that despite these problems, some work teams were working and
performing well. Upon an extensive analysis of those groups, the company decided to adopt a matrix
structure of comanagement throughout the company. In this matrix structure, each project has two
managers equally responsible for the project in a location. One manager is in India and the other
is at the client site. They work out among themselves how and when to deal with issues. And both
managers are equally responsible for customer satisfaction, project deadlines, and group revenue.
The new structure (Figure 3.1 ) enables Cognizant to work more closely with its clients to focus on
improving operations. That is, the new matrix structure makes it possible to build IS that the cus-
tomers wanted.
During the same time period in 2008, the largest outsourcing company and software exporter
in India, Tata Consultancy Services (TCS), also found that growth led to problems. “As we scale
up over 100,000 employees, TCS needs a structure that allows us to build a nimble organization to
c03.indd 55 11/26/2015 6:22:12 PM
Steven Wang
高亮
咨询公司
Steven Wang
高亮
起初印度中心,全球向印度汇报
Steven Wang
高亮
改了之后经理去一线,技术留印度,经理很头疼,夹在中间很heavy,威胁不干了
Steven Wang
高亮
Steven Wang
高亮
56 Organizational Strategy and Information Systems
capture new growth opportunities,” said then TCS CEO and Managing Director S. Ramadorai.1 Growth led to a
high volume of issues that needed the attention of the CEO and COO, and eventually it was dif”cult to keep up.
At the same time, there was a need to spend signi”cantly more time investigating new potential markets and new
strategic initiatives than the CEO/COO could spare. In 2011, the new TCS CEO N. Chandrasekaran modi”ed the
structure and added a new layer of leaders to oversee the businesses and free up their time to work on strategy (see
Figure 3.2). The new layer focuses on customers and aims to boost revenue growth.2
While both Cognizant and TCS are large Indian outsourcing companies that found they needed to reorganize
to respond to problems resulting from growth, their problems were profoundly different. Cognizant’s main prob-
lem was its lack of necessary information #ows between the software engineers in India and the customer service
managers on the client location. Its complex problems resulted in a correspondingly complex matrix structure. It
focused on the delivery of information systems that re#ect re”ned technical solutions to their problems to its cus-
tomers. Its new organization structure both improves customer responsiveness and necessary information #ows.
It focuses on system development and delivery and seeks to address the information #ow problem that Cognizant
previously experienced in building systems.
In contrast, TCS’s organization chart re#ects a focus not only on current customers but also on future markets.
That is why it added major units called “New Growth Markets” and “Strategic Initiative Unit.” The Business Pro-
cess Outsourcing and Small and Medium Enterprise solutions in this latter major unit indicate the strategic direc-
tions that TCS wants to take. The organizational structure is designed to emphasize these new growth areas and
facilitate information #ows along these lines in the organization. Its focus is on building an ever bigger market for
its IS and the IS services that it provides.
CEO
Vertical Functions
Software Engineer
Business Manager
Customer 1 USA
H
or
iz
on
ta
l F
un
ct
io
ns
Business Manager
Customer 2 UK
Business Manager
Customer 3 China
Database Manager
Telecommunication
Specialist
FIGURE 3.1 Example of possible cognizant matrix structure.
Source: Adapted from “The Issue: For Cognizant, Two’s Company,” Businessweek (January 17, 2008), http://www.bloomberg.
com/bw/stories/2008‐01‐17/the‐issue‐for‐cognizant‐twos‐companybusinessweek‐business‐news‐stock‐market‐and‐#nancial‐advice
(accessed August 20, 2015).
1 “Reinvented Blog by Prashanth Rai” (March 19, 2008), http://cio‐reinvented.typepad.com/cioreinvented/2008/03/tcs—new‐organ.html (accessed
December 19, 2011).
2 N. Shivapriya, “TCS CEO N Chandrasekaran Creates New Layer to Oversee Verticals” (May 25, 2011), http://articles.economictimes.indiatimes.
com/2011‐05‐25/news/29581999_1_tcs‐ceo‐n‐chandrasekaran‐tcs‐spokesperson‐structure (accessed December 19, 2011).
c03.indd 56 11/26/2015 6:22:12 PM
http://www.bloomberg.com/bw/stories/2008%E2%80%9001%E2%80%9017/the%E2%80%90issue%E2%80%90for%E2%80%90cognizant%E2%80%90twos%E2%80%90companybusinessweek%E2%80%90business%E2%80%90news%E2%80%90stock%E2%80%90market%E2%80%90and%E2%80%90financial%E2%80%90advice
http://cio%E2%80%90reinvented.typepad.com/cioreinvented/2008/03/tcs%E2%80%94new%E2%80%90organ.html
http://articles.economictimes.indiatimes.com/2011%E2%80%9005%E2%80%9025/news/29581999_1_tcs%E2%80%90ceo%E2%80%90n%E2%80%90chandrasekaran%E2%80%90tcs%E2%80%90spokesperson%E2%80%90structure
Steven Wang
高亮
57 Organizational Strategy and Information Systems
Cognizant and TCS are both in the same business but chose different organizational structures to carry out
their objectives. The point is that different organizational structures re#ect different organizational strategies
that are used to implement business strategies and accomplish organizational goals. These organizational strat-
egies need to be aligned with IS strategies. When used appropriately, IS leverage human resources, capital, and
materials to create an organization that optimizes performance. Companies that design organizational strategy
without considering IS strategies run into problems like those Cognizant experienced. A synergy results from
designing organizations with IS strategy in mind—a synergy that cannot be achieved when IS strategy is just
added on.
Chapter 1 introduced a simple framework for understanding the role of IS in organizations. The Information
Systems Strategy Triangle relates business strategy with IS strategy and organizational strategy. In an organization
that operates successfully, an overriding business strategy drives both organizational strategy and information strat-
egy. The most effective businesses optimize the interrelationships between the organization and its IS, maximizing
ef”ciency and productivity.
Organizational strategy includes the organization’s design, as well as the managerial choices that de”ne, set
up, coordinate, and control its work processes. As discussed in Chapter 1, many models of organizational strategy
are available. One is the managerial levers framework that includes the complementary design variables shown
in Figure 3.3. Optimized organizational designs support optimal business processes, and they, in turn, re#ect the
“rm’s values and culture. Organizational strategy may be considered as the coordinated set of actions that lever-
ages the use of organizational design, management control systems, and organizational culture to make the orga-
nization effective by achieving its objectives. The organizational strategy works best when it meshes well with
the IS strategy.
This chapter builds on the managerial levers model. Of primary concern is how IS impact the three types of
managerial levers: organizational, control, and cultural. This chapter looks at organizational designs that incorpo-
rate IS to de”ne the #ow of information throughout the organization, explores how IS can facilitate management
control at the organizational and individual levels, and concludes with some ideas about how culture impacts IS
and organizational performance. It focuses on organizational‐level issues related to strategy. The next two chapters
complement these concepts with a discussion of new approaches to work and organizational processes.
Chief Executive
Officer
Chief Operating
Officer
Director,
Industry
Solutions Unit
Director,
Organization
Infrastructure
Director,
Strategic
Initiative Unit
Director,
Major
Markets
Director, New
Growth
Markets
India
APAC
Emerging
Markets Europe
UK
USA
Business
Process
Outsourcing
Solutions
SME
Solutions
Financial
Solutions
Process
Excellence
Resource
Management
Shared
Services
Technology
Excellence
Multiple units
FIGURE 3.2 Tata Consultancy Services.
Source: “TCS Plans New Organizational Structure” (February 12, 2008), http://www.livemint.com/Companies/2ODg7L1mCcRlFow
K1ktX5N/TCS‐plans‐new‐organisational‐structure.html (accessed August 20, 2015).
c03.indd 57 11/26/2015 6:22:12 PM
http://www.livemint.com/Companies/2ODg7L1mCcRlFowK1ktX5N/TCS%E2%80%90plans%E2%80%90new%E2%80%90organisational%E2%80%90structure.html%20
Steven Wang
高亮
架构不同策略不同
Steven Wang
高亮
Steven Wang
高亮
Steven Wang
高亮
58 Organizational Strategy and Information Systems
Information Systems and Organizational Design
Organizations must be designed in a way that enables them to perform effectively. Different designs accomplish
different goals. This section examines organizational variables. It focuses on how IS are designed in conjunction
with an organization’s structure. Ideally, an organizational structure is designed to facilitate the communication
and work processes necessary for it to accomplish the organization’s goals, and the use of IS is often the way
coordination and work#ow are done. The organizational structures of Cognizant and TCS, while very different,
re#ect and support the goals of each company. Perhaps intuitively, organizational designers at those companies used
organizational variables described in Figure 3.3 to build their structures. Those variables include decision rights
that underlie formal structures, formal reporting relationships, and informal networks. Organizational processes are
another important design component discussed in more detail in Chapter 5.
Decision Rights
Decision rights indicate who in the organization has the responsibility to initiate, supply information for, approve,
implement, and control various types of decisions. Ideally, the individual who has the most information about a
decision and who is in the best position to understand all of the relevant issues should be the person who has its
decision rights. But this may not happen, especially in organizations in which senior leaders make most of the
important decisions. Much of the discussion of IT governance and accountability in Chapter 9 is based upon who
has the decision rights for critical IS decisions. When talking about accountability, one has to start with the person
who is responsible for the decision—that is, the person who has the decision rights. Organizational design is all
about making sure that decision rights are properly assigned—and re#ected in the structure of formal reporting
FIGURE 3.3 Organizational design variables.
Source: Adapted from James I. Cash, Robert G. Eccles, Nitin Nohria, and Richard L. Nolan, Building the Information Age Organiza-
tion (Homewood, IL: Richard D. Irwin, 1994).
Variable Description
Organizational variables
Decision rights The authority to initiate, approve, implement, and control various types
of decisions necessary to plan and run the business
Business processes The set of ordered tasks needed to complete key objectives of the
business
Formal reporting relationships The structure set up to ensure coordination among all units within the
organization; re$ects allocation of decision rights
Informal networks Mechanisms, such as ad hoc groups, which work to coordinate and
transfer information outside the formal reporting relationships
Control variables
Data The facts collected, stored, and used by the organization
Planning The processes by which future direction is established, communicated,
and implemented
Performance measurement and evaluation The set of measures that are used to assess success in the execution of
plans and the processes by which such measures are used to improve
the quality of work
Incentives The monetary and nonmonetary devices used to motivate behavior
within an organization
Cultural variables
Values The set of implicit and explicit beliefs that underlies decisions made and
actions taken; re$ects aspirations about the way things should be done
Locus The span of the culture, i.e., local, national, regional
c03.indd 58 11/26/2015 6:22:13 PM
59Information Systems and Organizational Design
relationships. IS support decision rights by getting the right information to the decision maker at the right time and
then transmitting the decision to those who are affected. In some cases, IS enables a centralized decision maker
to pass information that has been gathered from operations and stored centrally down through the organization. If
information systems fail to deliver the right information, or worse, deliver the wrong information to the decision
maker, poor decisions are bound to be made.
Consider the case of Zara from the last chapter. Each of its 1,000 stores orders clothes in the same way, using the
same type of handheld devices, and follows a rigid weekly timetable for ordering, which provides the headquarters
commercial team with the information needed to manage ful”llment. Many other large retailers make the decision
centrally about what to send to their stores, using forecasting and inventory control models. However, at Zara, store
managers have decision rights for ordering, enabling each store to re#ect the tastes and preferences of customers
in its localized area. But, the store managers do not have decision rights for order ful”llment because they have no
way of knowing the consolidated demand of stores in their area. The decision rights for order ful”llment lie with the
commercial team in headquarters because it is the team that knows about overall demand, overall supply, and store
performance in their assigned areas. The information from the commercial team then #ows directly to designers
and production, allowing them to respond quickly to customer preferences.3
Formal Reporting Relationships and Organizational Structures
Organizational structure is the design element that ensures that decision rights are correctly allocated. The structure
of reporting relationships typically re#ects the #ow of communication and decision making throughout the orga-
nization. Traditional organizational structures are hierarchical, #at, or matrix. The networked structure is a newer
organizational form. A comparison of these four types of organizational structures may be found in Figure 3.4.
Hierarchical Organizational Structure
As business organizations entered the 20th century, their growth prompted a need for systems for processing and
storing information. A new class of worker—the clerical worker—#ourished. From 1870 to 1920 alone, the number
of U.S. clerical workers mushroomed from 74,200 to more than a quarter of a million.4
FIGURE 3.4 Comparison of organizational structures.
Hierarchical Flat Matrix Networked
Description Bureaucratic form
with de#ned levels
of management
Decision making
pushed down to the
lowest level in the
organization
Workers assigned to
multiple supervisors
in an effort to
promote integration
Formal and informal
communication networks
that connect all parts of
the company
Characteristics Division of labor,
specialization, unity
of command,
formalization
Informal roles,
planning, and control;
often small and young
organizations
Dual reporting
relationships based
on function and
purpose
Known for $exibility and
adaptability
Type of Environment
Best Supported
Stable, certain Dynamic uncertain Dynamic uncertain Dynamic uncertain
Basis of Structuring Primarily function Very loose Function and
purpose (i.e.,
location, product,
customer)
Networks
Power Structure Centralized Decentralized Distributed (matrix
managers)
Distributed (network)
3 Andrew McAfee and Erik Brynjolfsson, “Investing in the IT That Makes a Competitive Difference, https://cb.hbsp.harvard.edu/cbmp/product/R0807J‐
PDF‐ENG (accessed August 20, 2015); James Surowiecki, The Wisdom of Crowds (New York: Anchor Books, 2005).
4 Frances Cairncross, The Company of the Future (London: Profile Books, 2002).
c03.indd 59 11/26/2015 6:22:13 PM
https://cb.hbsp.harvard.edu/cbmp/product/R0807J%E2%80%90PDF%E2%80%90ENG
https://cb.hbsp.harvard.edu/cbmp/product/R0807J%E2%80%90PDF%E2%80%90ENG
https://cb.hbsp.harvard.edu/cbmp/product/R0807J%E2%80%90PDF%E2%80%90ENG
60 Organizational Strategy and Information Systems
Factories and of”ces structured themselves using the model that Max Weber observed when studying the
Catholic Church and the German army. This model, called a bureaucracy, was based on a hierarchical organiza-
tional structure.
Hierarchical organizational structure is an organizational form based on the concepts of division of labor,
specialization, span of control, and unity of command. Decision rights are highly speci”ed and centralized. When
work needs to be done, orders typically come from the top and work is subjected to the division of labor. That
means it is segmented into smaller and smaller pieces until it reaches the level of the business in which it will be
done. Middle managers do the primary information processing and communicating, telling their subordinates what
to do and telling senior managers the outcome of what was done. Jobs within the enterprise are specialized and
often organized around particular functions, such as marketing, accounting, manufacturing, and so on. Span of
control indicates the number of direct reports. The new TCS CEO, N. Chandrasekaran, revised the organizational
structure to lower his span of control by inserting a new layer with only a few leaders reporting directly to him.
Unity of command means that each person has a single supervisor. Rules and policies are established to handle the
routine work performed by employees of the organization. When in doubt about how to complete a task, employees
turn to the rules. If a rule doesn’t exist to handle the situation, employees turn to a supervisor in the hierarchy for the
decision. Key decisions are made at the top and “lter down through the organization in a centralized fashion. Hier-
archical structures, which are sometimes called vertical structures, are most suited to relatively stable, certain envi-
ronments in which the top‐level executives are in command of the information needed to make critical decisions.
This allows them to make decisions quickly.
IS are typically used to store and communicate information and to support the information needs of managers
throughout the hierarchy. IS convey the decisions of top managers downward and data from operations are sent
upward through the hierarchy using IS. Hierarchical structures are also very compatible with efforts to organize
and manage data centrally. The data from operations that have been captured at lower levels and conveyed through
IS increasingly need to be consolidated, managed, and made secure at a high level. The data are integrated into
databases that are designed so that employees at all levels of the organization can see the information that they need
when they need it. Often there is an information dashboard for executives, a system that provides a summary of key
performance indicators (KPIs). Each level of KPI has additional detail behind it and executives can drill down into
the details as necessary. For example, a KPI revealing lower pro”tability might have been caused by higher costs
or lower sales, and managers would need to drill down through additional levels of information to understand why
the KPI changed. Managers throughout the hierarchy often have similar dashboards with the KPIs for their organi-
zation so that up and down the hierarchy, managers are looking at the same information consolidated for their level
of decision making.
Flat Organizational Structure
In contrast to the hierarchical structure, the “at, or horizontal, organizational structure has a less well‐de”ned
chain of command. You often don’t see an actual organization chart for a #at organization because the relationships
are #uid and the jobs are loosely de”ned. That is, drawing an organization chart for a #at organization is like trying
to tie a ribbon around a puddle. In #at organizations, everyone does whatever needs to be done to conduct business.
There are very few “middle managers.” For this reason, #at organizations can respond quickly to dynamic, uncer-
tain environments. Entrepreneurial organizations, as well as smaller organizations, often use this structure because
they typically have fewer employees, and even when they grow, they initially build on the premise that everyone
must do whatever is needed. Teamwork is important in #at organizations. To increase #exibility and innovation,
decision rights may not be clearly de”ned. Hence, the decision making is often decentralized because it is spread
across the organization to where the decisions are made. It is also time consuming. As the work grows, new indi-
viduals are added to the organization, and eventually a hierarchy is formed where divisions are responsible for
segments of the work processes. Many companies strive to keep the “entrepreneurial spirit,” but in reality, work is
done in much the same way as with the hierarchy described previously. Flat organizations often use IS to off‐load
certain routine work in order to avoid hiring additional employees. As a hierarchy develops, the IS become the glue
tying together parts of the organization that otherwise would not communicate. IS also enable #at organizations to
respond quickly to their environment.
c03.indd 60 11/26/2015 6:22:13 PM
61Information Systems and Organizational Design
Matrix Organizational Structure
The third popular form, which Cognizant ultimately adopted, is the matrix organizational structure. It typically
assigns employees to two or more supervisors in an effort to make sure multiple dimensions of the business are
integrated. Each supervisor directs a different aspect of the employee’s work. For example, a member of a matrix
team from marketing would have a supervisor for marketing decisions and a different supervisor for a speci”c
product line. The team member would report to both, and both would be responsible in some measure for that mem-
ber’s performance and development. That is, the marketing manager would oversee the employee’s development of
marketing skills and the product manager would make sure that the employee develops skills related to the product.
Thus, decision rights are shared between the managers. The matrix structure allows organizations to concentrate
on both functions and purpose. The matrix structure allows the #exible sharing of human resources and achieves
the coordination necessary to meet dual sets of organizational demands. It is suited for complex decision making
and dynamic and uncertain environments. IS reduce the operating complexity of matrix organizations by allowing
information sharing among the different managerial functions. For example, a saleswoman’s sales would be entered
into the information system and appear in the results of all managers to whom she reports.
Cognizant might have moved to the matrix structure (see Figure 3.1) from a hierarchical structure because the
complexity of its projects had increased. “As part of the structure of a Cognizant engagement, we always pair our
technologists with people who have business context experience,” says Raj Mamodia, who was then the Assistant
Vice President of Cognizant’s Consumer Goods business unit. The purpose of these formally structured relation-
ships is to meet the customer’s needs, and not just focus on “how beautiful the technology is in and of itself.”5
The matrix organizational structure carries its own set of weaknesses. Although theoretically each boss has a
well‐de”ned area of authority, the employees often “nd the matrix organizational structure frustrating and confus-
ing because they are frequently subjected to two authorities with con#icting opinions. Consequently, working in
a matrix organizational structure can be time consuming because confusion must be dealt with through frequent
meetings and con#ict resolution sessions. Matrix organizations often make it dif”cult for managers to achieve their
business strategies because they #ood managers with more information than they can process.
Networked Organizational Structure
Made possible by advances in IT, a fourth type of organizational structure emerged: the networked organiza-
tional structure. Networked organizations characteristically feel #at and hierarchical at the same time. An article
published in the Harvard Business Review describes this type of organization: “Rigid hierarchies are replaced by
formal and informal communication networks that connect all parts of the company. . . . [This type of organiza-
tional structure] is well known for its #exibility and adaptiveness.”6 It is particularly suited to dynamic, unstable
environments.
Networked organizational structures are those that rely on highly decentralized decision rights and utilize distrib-
uted information and communication systems to replace in#exible hierarchical controls with controls based in IS.
Networked organizations are de”ned by their ability to promote creativity and #exibility while maintaining opera-
tional process control. Because networked structures are distributed, many employees throughout the organization
can share their knowledge and experience and participate in making key organizational decisions. IS are fundamental
to process design; they improve process ef”ciency, effectiveness, and #exibility. As part of the execution of these
processes, data are gathered and stored in centralized data warehouses for use in analysis and decision making. In
theory at least, decision making is more timely and accurate because data are collected and stored instantly. The
extensive use of communication technologies and networks also renders it easier to coordinate across functional
boundaries. In short, the networked organization is one in which IT ties together people, processes, and units.
The organization feels #at when IT is used primarily as a communication vehicle. Traditional hierarchical lines
of authority are used for tasks other than communication when everyone can communicate with everyone else, at
5 Cognizant Computer Goods Technology, “Creating a Culture of Innovation: 10 Steps to Transform the Consumer Goods Enterprise” (October 2009),
6, http://www.cognizant.com/InsightsWhitepapers/Cognizant_Innovation (accessed August 20, 2015).
6 L. M. Applegate, J. I. Cash, and D. Q. Mills, “Information Technology and Tomorrow’s Manager,” Harvard Business Review (November–December
1988), 128–36.
c03.indd 61 11/26/2015 6:22:13 PM
http://www.cognizant.com/InsightsWhitepapers/Cognizant_Innovation
62 Organizational Strategy and Information Systems
least in theory. The term used is technological leveling because the technology enables individuals from all parts of
the organization to reach all of its other parts.
Portions of Zara’s organizational structure appear networked. Being networked enables the store managers to
use technology to communicate directly with designers. Zara uses the technology‐supported structure to coordinate
the actions and decisions of tens of thousands of its employees so that they can focus their attention on the same
goal of making and selling clothes that people want to buy.
Other Organizational Structures
An organization is seldom a pure form of one of the four structures described here. It is much more common to see
a hybrid structure in which different parts of the organization use different structures depending on the information
needs and desired work processes. For example, the IS department may use a hierarchical structure that allows
more control over data warehouses and hardware, whereas the research and development (R&D) department may
employ a networked structure to capitalize on knowledge sharing. In the hierarchical IS department, information
#ows from top to bottom, whereas in the networked R&D department, all researchers may be connected to one
another.
Further, IS are enabling even more advanced organization forms such as the adaptive organization, the zero
time organization,7 and the elastic enterprise.8 Common to these advanced forms is the idea of agile, responsive
organizations that can con”gure resources and people quickly. These organizations are #exible enough to sense
and respond to changing demands. Elastic enterprises, for example, have a core competency of adding partners
as necessary to quickly respond to customer needs. They do this by creating a platform and common interfaces
to reduce the effort and friction of partnering. Building in the capability to respond instantly means designing the
organization so that each of the key structural elements is able to respond instantly.
Informal Networks
The organization chart re#ects the authority derived from formal reporting relationships in the organization’s for-
mal structure. However, informal relationships also exist and can play an important role in an organization’s func-
tioning. Informal networks, in addition to formal structures, are important for alignment with the organization’s
business strategy.
Sometimes, management designs some of the informal relationships or networks. For example, when working
on a special project, an employee might be asked to let the manager in another department know what is going
on. This is considered an informal reporting relationship. Or a company may have a job rotation program that
provides employees with broad‐based training by allowing them to work a short time in a variety of areas. Long
after they have moved on to another job, employees on job rotations may keep in touch informally with former
colleagues, or call upon their past co‐workers when a situation arises that their input may be helpful. Hewlett Pack-
ard’s Decision Support and Analytics Services unit encouraged the development of work‐related informal networks
when it established focused interest group/forums known as Domain Excellence Platforms (DEPs). An IT‐enabled
DEP allows at least “ve people who hold a common interest related to the business to form a team to share their
knowledge on a topic (e.g., cloud computing, Web analytics). For nonbusiness related topics, the employees can
join conferences to talk about the topic and get to know one another better. The hope is that they will start thinking
beyond their work silos.9
However, not all informal relationships are a consequence of a plan by management. Some networks unintended
by management develop for a variety of other factors including work proximity, friendship, shared interests, family
ties, and so on. The employees can make friends with employees in another department when they play together on
7 For more information on zero time organizations, see R. Yeh, K. Pearlson, and G. Kozmetsky, ZeroTime: Providing Instant Customer Value Every Time,
All the Time (Hoboken, NJ: John Wiley, 2000).
8 For more information on elastic enterprises, see N. Vitalari and H. Shaughnessy, The Elastic Enterprise (Longboat Key, FL: Telemachus Press, 2012).
9 T. S. H. Teo, R. Nishant, M. Goh, and S. Agarwal, “Leveraging Collaborative Technologies to Build a Knowledge Sharing Culture at HP Analytics,”
MIS Quarterly Executive 10, no. 1 (March 2011), 1–18.
c03.indd 62 11/26/2015 6:22:13 PM
63Information Systems and Management Control Systems
the company softball team, share the same lunch period in the company cafeteria, or see one another at social gath-
erings. Informal networks can also arise for political reasons. Employees can cross over departmental, functional,
or divisional lines in an effort to create political coalitions to further their goals. Some informal networks even cross
organizational boundaries. As computer and information technologies facilitate collaboration across distances,
social networks and virtual communities are formed. Many of these prove useful in getting a job done, even if not
all of the members of the network belong to the same organization. LinkedIn is an example of a tool that enables
large, global informal networks.
Information Systems and Management Control Systems
Controls are the second type of managerial lever. Not only does IS change the way organizations are structured, but
also it profoundly affects the way managers control their organizations. Management control is concerned with how
planning is performed in organizations and how people and processes are monitored, evaluated, and compensated or
rewarded. Ultimately, it means that senior leaders make sure the things that are supposed to happen actually happen.
Management control systems are similar to room thermostats. Thermostats register the desired temperature.
A sensing device within the thermostat determines whether the temperature in the room is within a speci” ed range
of the one desired. If the temperature is beyond the desired range, a mechanism is activated to adjust the temper-
ature. For instance, if the thermostat is set at 70 degrees and the temperature in the room is 69, then the heater
can be activated (if it is winter) or the air conditioning can be turned off (if it is summer). Similarly, management
control systems must respond to the goals established through planning. Measurements are taken periodically and
if the variance is too great, adjustments are made to organizational processes or practices. For example, operating
processes might need to be changed to achieve the desired goals.
IS offer new opportunities for collecting and organizing data for three management control processes:
1. Data collection: IS enable the collection of information that helps managers determine whether they are
satisfactorily progressing toward realizing the organization ’ s mission as re# ected in its stated goals.
Social Business Lens: Social Networks
Social networks are a form of informal networks. They even have begun to supplement and possibly replace
organization charts in enterprises. A social network is an IT‐enabled network that links individuals together in
ways that enable them to # nd experts, get to know colleagues, and see who has relevant experience for pro-
jects across traditional organization lines. Much like the networked organization, a social network provides an IT
backbone linking all individuals in the enterprise, regardless of their formal title or position. Some might regard a
social network as a “super‐directory” that provides not only the names of the individuals but also their role in the
company, their title, their contact information, and their location. It might even list details such as their supervisor
(and their direct reports and peers), the project(s) they are currently working on, and personal information speci# c
to the enterprise.
What differentiates a social network from previous IT solutions to connect individuals is that it is integrated with
the work processes themselves. Conversations can take place, work activities can be recorded, and information
repositories can be linked or merely represented within the structure of the social network.
IBM has a good example of how a social network permeates an organization, changing its culture, structure,
and collaboration processes. With over 400,000 employees, the company has a $ urry of social activity embod-
ied in more than 17,000 individual blogs, 1 million daily page views of internal wikis and Web sites, and 400,000
employee pro# les on IBM Connections. Its social network allows employees to share status updates, collaborate
on internal systems, and share # les. There have been 15 million downloads of employee‐generated videos and
podcasts so far.
Source: http://www.forbes.com/sites/haydnshaughnessy/2011/12/09/is‐social‐business‐the‐same‐as‐social‐media/ (accessed April
5, 2012).
c03.indd 63 11/26/2015 6:22:13 PM
http://www.forbes.com/sites/haydnshaughnessy/2011/12/09/is%E2%80%90social%E2%80%90business%E2%80%90the%E2%80%90same%E2%80%90as%E2%80%90social%E2%80%90media
64 Organizational Strategy and Information Systems
2. Evaluation: IS facilitate the comparison of actual performance with the desired performance that is
established as a result of planning.
3. Communication: IS speed the #ow of information from where it is generated to where it is needed. This
allows an analysis of the situation and a determination about what can be done to correct for problematic
situations.
When managers need to control work, IS can play a crucial role. IS provide decision models for scenario
planning and evaluation. For example, the airlines routinely use decision models to study the effects of changing
routes or schedules. IS collect and analyze information from automated processes, and they can make automatic
adjustments to the processes. For example, a paper mill uses IS to monitor the mixing of ingredients in a batch of
paper and to add more ingredients or change the temperature of the boiler as necessary. IS collect, evaluate, and
communicate information, leaving managers with time to make more strategic decisions.
Planning and Information Systems
In the “rst chapter, the importance of aligning organizational strategy with the business strategy was discussed.
An output of the strategizing process is a plan to guide in achieving the strategic objectives. IS can play a role in
planning in four ways:
• IS can provide the necessary data to develop the strategic plan. They can be especially useful in collecting
data from organizational units and integrating the data to transform those data into information for the stra-
tegic decision makers.
• IS can provide scenario and sensitivity analysis through simulation and data analysis.
• IS can be a major component of the planning process.
• In some instances, an information system is a major component of a strategic plan. That is, as discussed in
Chapters 1 and 2, information systems can be used to gain strategic advantage.
Data and Information Systems
In addition to focusing on organizational‐level planning and control, managers use information systems to build
controls for individuals. An important part of management control lies in making sure that individuals perform
appropriately. At the individual level, IS can streamline the process of data collection (usually through monitoring
and analytical processes that use the collected data, as Chapter 4 discusses) and support performance measurement
and evaluation as well as compensation through salaries, incentives, and rewards.
Monitoring work can take on a completely new meaning with the use of information technologies. IS make it
possible to collect such data as the number of keystrokes, the precise time spent on a task, exactly who was con-
tacted, and the speci”c data that passed through the process. The data collected from operations creates large data
stores that can be analyzed for trends. For example, a call center that handles customer service telephone calls is
typically monitored by an information system that collects data on the number of calls each representative received
and the length of time each representative took to answer each call and then to respond to the question or request for
service. Managers at call centers can easily and nonintrusively collect data on virtually any part of the process. The
organizational design challenge in data collection is twofold: (1) to embed monitoring tasks within everyday work
and (2) to reduce the negative impacts to employees being monitored. Workers perceive their regular tasks as value
adding but have dif”culty in seeing how value is added by tasks designed to provide information for management
control. Research has found that monitoring does not always increase stress of the employee, especially when it “ts
the task and is automatic and nonintrusive.10 But employees often avoid activities aimed at monitoring their work
10 D. Galletta and R. Grant, “Silicon Supervisors and Stress: Merging New Evidence from the Field,” Accounting, Management and Information Tech-
nology 5, no. 3 (1995), 163–83.
c03.indd 64 11/26/2015 6:22:13 PM
65Information Systems and Management Control Systems
or worse, “nd ways to ensure that data recorded are inaccurate, falsi”ed, or untimely. Collecting monitoring data
directly from work tasks—or embedding the creation and storage of performance information into software used to
perform work—renders the data more reliable.
A large number of software products are available for companies to monitor employees. Software monitoring
products are installed by companies to get speci”c data about what employees are doing. This information can help
ensure that work is being performed correctly. It can also be used to avoid barriers to employee productivity from
“cyberslacking” and “cyberslouching.”11 The intention may seem both ethical and in the best interest of business,
but in practice, the reverse may actually be true. In many cases, employees are not informed that they are being
monitored or that the information gleaned is being used to measure their productivity. In these cases, monitoring
violates both privacy and personal freedoms. Managers need to take into account employee privacy rights and try to
balance their right to privacy against the needs of the business to have surveillance mechanisms in place.
Performance Measurement, Evaluation, and Information Systems
IS make it possible to evaluate actual performance data against reams of standard and historical data, often by using
models and simulations. Analytics and big data tools have changed the way many companies use data to make
decisions. Managers can more easily and completely understand work progress and performance. In fact, the ready
availability of so much information catches some managers in “analysis paralysis”: analyzing too much or too long.
In our example of the call center, a manager can compare an employee’s output to that of colleagues, to earlier
output, and to historical outputs re#ecting similar work conditions at other times. Even though evaluation consti-
tutes an important use of IS, how the information is used has signi”cant organizational consequences. Information
collected for evaluation may be used to provide feedback so that the employee can improve personal performance;
it also can be used to determine rewards and compensation. The former use—for improvement in performance—is
nonthreatening and generally welcomed.
Using the same information for determining compensation or rewards, however, can be threatening. Suppose a
call center manager is evaluating the number and duration of calls that service representatives answer on a given
day. The manager’s goal is to make sure all calls are answered quickly, and he communicates that goal to his staff.
Now think about how the evaluation information is used.
If the manager simply provides the employees with information, then the evaluation is not threatening. If han-
dled this way, employees might respond by improving their call numbers and duration. A discussion may even
occur in which the service representative highlights other important considerations, such as customer satisfaction
and quality. Perhaps the representative takes longer than average on each call because she believes that the attention
devoted to the customer would result in higher customer satisfaction.
On the other hand, some managers use the same information to rank employees so that top‐ranked employees
are rewarded and those lower ranked are, in some way, punished or reprimanded. This may cause employees to
feel threatened and respond accordingly. The representative who is not on the top of the list might shorten calls or
deliver less quality, consequently decreasing customer satisfaction, while increasing the values of the metrics that
are measured. The lesson for managers is to pay attention to what is monitored and how the information is used.
Metrics for performance must be meaningful in terms of the organization’s broader goals, and measured, managed,
and communicated appropriately.
How feedback is communicated in the organization plays a role in affecting behavior. Some feedback can be
communicated via IS themselves. A simple example is the feedback built into an electronic form that will not allow
it to be submitted until it is properly “lled out. For more complex feedback, IS may not be the appropriate vehi-
cle. For example, no one would want to be told she or he was doing a poor job via e‐mail or voice mail. Negative
feedback of signi”cant consequence often is best delivered in person.
IS can allow for feedback from a variety of participants who otherwise could not be involved. Many companies
provide “360‐degree” feedback in which the individual’s supervisors, subordinates, and co‐workers all provide
11 Bernd Carsten Stahl, “The Impact of the UK Human Rights Act 1998 on Privacy Protection in the Workplace,” Computer Security, Privacy and
Politics: Current Issues, Challenges and Solutions (Hershey, PA: Idea Group Publishing, 2008), 55–68.
c03.indd 65 11/26/2015 6:22:13 PM
66 Organizational Strategy and Information Systems
formal input. Social tools are making inroads in evaluation, too. For example, a “thumbs up” or “1–5 stars” evalu-
ation system makes it easy and fast to provide informal feedback and evaluate activities. Because that feedback is
received more quickly, improvements can be made faster.
Incentives and Rewards and Information Systems
Incentives and rewards are the ways organizations encourage good performance. A clever reward system can make
employees feel good without paying them more money. IS can affect these processes, too. Some organizations use
their Web sites to recognize high performers, giving them electronic badges that are displayed on the social network
to identify them as award recipients. Others reward them with new technology. At one organization, top performers
get new computers every year, while lower performers get the “hand‐me‐downs.”
IS make it easier to design complex incentive systems, such as shared or team‐based incentives. IS make it eas-
ier to keep track of contributions of team members and, in conjunction with qualitative inputs, allocate rewards
according to complex formulas. For example, in a call center, agents can be motivated to perform better by providing
rewards based on tracking metrics, such as average time per call, number of calls answered, and customer satis-
faction. Information systems can provide measures of all of these on a real‐time basis—even customer satisfaction
through automated audio or Web site questionnaires after a customer interaction.
When specifying reward metrics, managers must be careful because they tend to drive the behavior they specify.
For example, call center agents who know they will be evaluated only by the volume of calls they process may rush
callers and provide poorer service in order to maximize their performance according to the narrow metric. Those
measured only by customer satisfaction might spend more time than necessary on each call and perhaps try end-
lessly to solve problems that should be routed to more technical personnel.
Information Systems and Culture
The third managerial lever of organizational strategy is culture. Culture plays an increasingly important role in
information system management and use. Because information systems management and use are complicated
by human factors, it is important to consider culture’s impact. Culture is de”ned as the set of “shared values and
beliefs” that a group holds and that determines how the group perceives, thinks about, and appropriately reacts to
its various environments.12
A “collective programming of the mind” distinguishes not only societies (or nations) but also industries, profes-
sions, and organizations.13 Beliefs are the perceptions that people hold about how things are done in their community
whereas values re#ect the community’s aspirations about the way things should be done. Culture is something of a
moving target because it evolves over time as the group solves problems adapting to the environment and internal
operations.
Culture has been compared to an iceberg because, like an iceberg, only part of the culture is visible from the
surface. In fact, it is necessary to look below the surface to understand the deep‐rooted aspects of culture that are
not visible. That is, culture may be thought of in terms of layers: observable artifacts, values, and assumptions.
Observable artifacts are the most visible level. They include such physical manifestations as type of dress, sym-
bols in art, acronyms, awards, myths and stories told about the group, rituals, and ceremonies. Espoused values
are the explicitly stated preferred organizational values. Ideally, they should be consistent with the enacted values,
which are the values and norms that are actually exhibited or displayed in employee behavior. For example, if
an organization says that it believes in a good work–life balance for its employees but actually requires them to
work 12‐hour days and on weekends, the enacted values don’t match with the espoused ones. The deepest layer of
culture is the underlying assumption layer, or the fundamental part of every culture that helps discern what is real
12 A. Kinicki, Organizational Behavior: Core Concepts (Boston, MA: McGraw‐Hill Irwin, 2008), 183.
13 G. J. Hofstede, Culture’s Consequences: Comparing Values, Behaviors, Institutions, and Organizations Across Nations, 2nd ed. (Thousand Oaks, CA:
Sage Publications, 2001).
c03.indd 66 11/26/2015 6:22:13 PM
67Information Systems and Culture
and important to the group. Assumptions are unobservable because they re#ect organizational values that have
become taken for granted to such an extent that they guide organizational behavior without any group members
thinking about them.14
Levels of Culture and IT
Culture can vary depending upon which group you are studying. Countries, organizations, and subgroups in orga-
nizations all have a culture. IS management and use can be impacted by culture at all these levels. IS can even play
a role in promoting it. For instance, Cognizant used IT to implement “10/10/10,” a program designed to keep its
associates focused on innovation. On the tenth workday of each month at 10 a.m., everyone’s computer screen is
frozen, allowing the entire Cognizant workforce to spend 10 minutes thinking about and sharing innovative ideas.15
With the growth of analytics and the availability of large stores of data, many organizations are adopting a data‐
driven culture in which virtually all decisions are made with the support of analytics. In a data‐driven culture, man-
agers are typically expected to provide data to support their recommendations and to back up decisions. Information
is often freely shared in this culture, and IS take on the important role of collecting, storing, analyzing, and deliver-
ing data and information to all levels of the organization. Dell, Procter and Gamble, GE, Google, and Facebook are
examples of companies that are known to have a data‐driven culture. Sometimes the employees in these companies
are said to “speak the language of data” as part of their culture.
When IS developers have values that differ from the clients in the same organization for whom they are devel-
oping systems, cultures can clash. For example, clients may favor computer‐based development practices that
encourage reusability of components to enable #exibility and fast turnaround. Developers, on the other hand, may
prefer a development approach that favors stability and control but tends to be slower. Both national and organiza-
tional cultures can affect IT management and usage and vice versa. National culture may affect IT in a variety of
ways, impacting information systems development, technology adoption and diffusion, system use and outcomes,
and management and strategy. These relationships are shown in Figure 3.5 and described next. The model and the
discussion of the impact of culture on IT issues draws heavily from the work of Leidner and Kayworth.16
14 E. Schein, Organizational Change and Leadership, 4th ed. (San Francisco, CA: Jossey‐Bass, 2010).
15 Cognizant Computer Goods Technology, “Creating a Culture of Innovation,” 1–6.
16 D. Leidner and T. Kayworth, “A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict,”
MIS Quarterly 30, no. 2 (2006), 357–99.
Information
Systems
Development
IT Adoption
and Diffusion
IT Issues
Organizational Values
(Entire Organization and within Organization)
National Values
IT Use and
Outcomes
IT Management
and Strategy
FIGURE 3.5 Levels of culture.
Source: Adapted from D. Leidner and T. Kayworth, “A Review of Culture in Information Systems Research: Toward a Theory of
Information Technology Culture Con$ict,“ MIS Quarterly 30, no. 2 (2006), 372, Figure 1.
c03.indd 67 11/30/2015 7:25:49 PM
68 Organizational Strategy and Information Systems
Culture and Information Systems Development
Variation across national cultures may lead to differing perceptions and approaches to IS development. In particular,
systems designers may have different perceptions of the end users and how the systems would be used. For example,
Danish designers who had more socialist values were more concerned about people‐related issues when compared
to Canadian designers with more capitalist values. The Canadian designers were more interested in technical issues.
National culture may also affect the perceptions of project risk and risk management behaviors. At the organiza-
tional level, cultural values can affect the features of new software and the way it is implemented.
Culture and Information Technology Adoption and Diffusion
National cultures that are more willing to accept risk appear to be more likely to adopt new technologies. Those
cultures that are less concerned about power differences among people (i.e., have low power distance) are more
likely to adopt technologies that help promote equality. People are more likely to adopt a new technology if they
think that the technology’s embedded values match those of their national culture. Further, if a technology is to be
successfully implemented into an organization, either the technology must “t with the organization’s culture or the
culture must be shaped to “t the behavioral requirements of the technology. For example, a dashboard that shares
analytics and key performance indicators to all employees would reduce the “power” of leaders in a hierarchical
organization in which only the senior managers have access to the data. In such organizations, implementation of
such an information system would likely be very slow or rejected altogether because the culture would not support
broad information sharing.
Culture and Information Technology Use and Outcomes
Research has shown that differences in culture result in differences in the use and outcomes of IT. At the orga-
nizational level, cultural values are often related to satis”ed users, successful IS implementations or knowledge
management successes. At the national level, e‐mail adoption was much slower in Japan than in the United States.
Japanese prefer richer forms of communication such as meeting face‐to‐face. The lean e‐mail can’t accommodate
the symbols in their language as easily as a fax. Further, in countries that are more likely to avoid uncertainty like
Japan and Brazil, IT is used often for planning and forecasting, whereas in countries that are less concerned about
risk and uncertainty, IT is more often used for maintaining #exibility. Furthermore, some things are acceptable in
one country but not another. For example, DitchWitch could not use its logo globally because a witch is offensive
in some countries.
Culture and Information Technology Management and Strategy
National and organizational culture affects planning, governance, and perceptions of service quality. For example,
having planning cultures at the top levels of an organization typically signal that strategic systems investment is
important. At Adidas, a multinational sports apparel company headquartered in Germany, national culture played
a role in its multisourcing strategy. Adidas’ managers selected an Eastern European vendor because they were
looking for a provider whose culture was similar to their own. They thought that vendor’s employees were more
likely to question system requirements and to make creative, innovative contributions than the Indian vendors they
had hired.17
National Cultural Dimensions and Their Application
One of the best‐known (and proli”c) researchers in the area of differences in the values across national cultures
is Geert Hofstede. Most studies about the impact of national cultures on IS have used Hofstede’s dimensions
of national culture. Hofstede18 originally identi”ed four major dimensions of national culture: power distance,
17 Martin Wiener and Carol Saunders, “Forced Coopetition in IT Multi‐Sourcing,” Journal of Strategic Information Systems 23, no. 3 (2014), 210–25.
18 G. Hofstede, Culture’s Consequences: International Differences in Work‐Related Values (London: Sage, 1980).
c03.indd 68 11/26/2015 6:22:14 PM
69Information Systems and Culture
uncertainty avoidance, individualism‐collectivism, and masculinity‐femininity.19 To correct for a possible bias
toward Western values, a new dimension, Confucian work dynamism, also referred to “short‐term vs. long‐term
orientation,” was added.20 Many others have used, built upon, or tried to correct problems related to Hofst-
ede’s four dimensions. One notable project is the Global Leadership and Organizational Behavior Effectiveness
(GLOBE) research program, which is a team of 150 researchers who have collected data on cultural values and
practices and leadership attributes from over 18,000 managers in 62 countries. The GLOBE project has uncov-
ered nine cultural dimensions, six of which have their origins in Hofstede’s pioneering work. The Hofstede
dimensions and their relationship to the GLOBE dimensions are summarized in Figure 3.6.
19 Ibid.
20 G. Hofstede and M. H. Bond, “The Confucius Connection: From Cultural Roots to Economic Growth,” Organizational Dynamics 16 (1988), 4021.
FIGURE 3.6 National cultural dimensions.
Hofstede Dimensions (Related
GLOBE Dimensions)
Descriptiona Examples of Effect on ITb
Uncertainty Avoidance (Uncertainty
Avoidance)
Extent to which a society tolerates
uncertainty and ambiguity; extent to
which members of an organization or
society strive to avoid uncertainty by
reliance on social norms, rituals, and
bureaucratic practices to alleviate the
unpredictability of future events.
Countries with high uncertainty
avoidance are less likely to adopt
new IT and have higher perceptions
of project risk than countries with low
uncertainty avoidance.
Power Distance (Power Distance) Degree to which members of an
organization or society expect and
agree that power should be equally
shared.
Individuals from high power distance
countries are found to be less
innovative and less trusting of
technology than individuals from
low power distance countries.
Individualism/Collectivism (Societal
and In‐Group Collectivism)
Degree to which individuals are
integrated into groups; extent to
which organizational and societal
institutional practices encourage
and reward collective distribution of
resources and collective action.
Individualistic cultures are more
predisposed than collectivistic
cultures to report bad news about
troubled IT projects; companies in
collectivist societies are more likely
than individualistic societies to #ll an
IS position from within the company.
Masculinity/Femininity (General
Egalitarianism and Assertiveness)
Degree to which emotional roles are
distributed between the genders;
extent to which an organization or
society minimizes gender role
differences and gender
discrimination; often focuses on
caring and assertive behaviors.
Australian groups (high masculinity)
generated more con$ict and relied
less on con$ict resolution strategies
than Singaporean groups (low
masculinity).
Confucian Work Dynamism (Future
Orientation)
Extent to which society rewards
behaviors related to long‐ or
short‐term orientations; degree to
which individuals in organizations or
societies engage in future‐oriented
behaviors such as planning, investing
in the future, and delaying
grati#cation.
When considering future orientation,
studies found differences in the use
of Executive Information Systems
and the evaluation of service quality
across countries.
a Adapted from R. House, M. Javidan, P. Hanges, and P. Dorfman, “Understanding Cultures and Implicit Leadership Theories across the Globe: An Introduction to
Project GLOBE, “ Journal of World Business 37, no. 1 (2002), 3–10; and G. Hofstede and G. J. Hofstede, Dimensions of National Culture, http://www.geerthofstede.
nl/dimensions‐of‐national‐cultures.aspx (accessed August 20, 2015).
b Examples were provided in D. Leidner and T. Kayworth, “A Review of Culture in Information Systems Research: Toward a Theory of Information Technology
Culture Con$ict,” MIS Quarterly 30, no. 2 (2006), 357–99.
c03.indd 69 11/26/2015 6:22:14 PM
http://www.geerthofstedenl/dimensions%E2%80%90of%E2%80%90national%E2%80%90cultures.aspx
70 Organizational Strategy and Information Systems
Even though the world may be becoming “# atter,” cultural differences have not totally disappeared. But some
leadership traits, such as being trustworthy, just, and honest; having foresight and planning ahead; being positive,
dynamic, encouraging, and motivational; and being communicative and informed are seen as universally acceptable
across cultures. 21
The generally accepted view is that the national culture predisposes citizens of a nation to act in a certain way
along a Hofstede or GLOBE dimension, such as in an individualistic way in England or in a collectivist way in
China. Yet, the extent of the in# uence of a national culture may vary among individuals, and culturally based idi-
osyncrasies may surface based upon the experiences that shape each person ’ s ultimate orientation on a dimension.
Having an understanding and appreciation for cultural values, practices, and subtleties can help in smoothing the
challenges that occur in dealing with these idiosyncrasies. An awareness of the Hofstede or GLOBE dimensions
may help to improve communications and reduce con# ict.
Effective communication means listening, framing the message in a way that is understandable to the receiver,
and responding to feedback. Effective cross‐cultural communication involves each of these plus searching for an
integrated solution that can be accepted and implemented by members of diverse cultures. This may not be as
simple as it sounds. For instance, typical American managers, noted for their high‐performance orientation, pre-
fer direct and explicit language full of facts and ” gures. However, managers in lower performance‐oriented coun-
tries like Russia or Greece tend to prefer indirect and vague language that encourages the exploration of ideas. 22
Communication differences surfaced when one of this book ’ s authors was designing a database in Malaysia. She
asked questions that required a “yes” or “no” response. In trying to reconcile the strange set of responses she
received, the author learned that Malaysians are hesitant to ever say “no.” Communication in meetings is also
subject to cultural differences. In countries with high levels of uncertainty avoidance such as Switzerland and
Geographic Lens: Does National Culture Affect Firm Investment in IS Training?
In a massive study of 6,000 # rms in 21 countries, Hilla Peretz and Zehava Rosenblatt found that differences along
Hofstede ’ s cultural dimensions do affect employee training. In particular, # rms in countries that embrace low
power distance (i.e., Germanic countries, Anglo‐American countries, the Netherlands, and Israel) tend to invest
more in training than # rms in countries with high power distance (i.e., some Asian, Latin America, and Middle
Eastern countries).
Why might this be the case? Perhaps # rms in high power distance societies view investment in training as less
favorable because it might narrow the power gaps by making a higher level of skills available across all levels of
the organization. Those in power might not want to see a leveling of power throughout the organization.
Peretz and Rosenblatt also discovered that # rms in countries that had a strong orientation toward the future
(i.e., some Asian countries) were more likely to invest in training than # rms in countries with a shorter‐term orien-
tation (i.e., some Anglo‐American countries). The researchers think this might be so because training is all about
helping employees develop so that they can perform better in the future. Better‐trained employees help the
# rm ’ s competitive prospects down the line.
Finally, the researchers found that # rms in countries with high uncertainty avoidance (i.e., some Hispanic cul-
tures, Japan, South Korea, Israel, and Russia) spend more on training than countries with low uncertainty avoid-
ance (i.e., the United Kingdom, Ireland, Hong Kong, and Singapore)—maybe because employee training may be
seen as a way to reduce uncertainty.
Although the study was about training in general, the # ndings are even more likely to hold for IS training.
Because IS change so quickly, IS professionals need considerable training to stay current and do their jobs well.
Source: H. Peretz and Z. Rosenblatt , “ The Role of Societal Cultural Practices in Organizational Investment in Training: A Comparative
Study in 21 Countries ,” Journal of Cross‐Cultural Psychology 42 , no. 5 ( 2011 ), 817 – 31 .
21 Mansour Javidan and R. J. House , “ Cultural Acumen for the Global Manager ,” Organizational Dynamics 29 , no. 4 ( 2001 ), 289 – 305 .
22 Ibid.
c03.indd 70 11/26/2015 6:22:14 PM
71Discussion Questions
Austria, meetings should be planned in advance with a clear agenda. The managers in Greece or Russia who come
from a low uncertainty avoidance culture often shy away from agendas or planned meetings.
Knowing that a society tends to score high or low on certain dimensions helps a manager anticipate how a per-
son from that society might react. However, this provides only a starting point because each person is different.
Importantly, without being aware of cultural differences, a company is unlikely to develop IS or to use it effectively.
S U M M A R Y
• Organizational strategy re#ects the use of the managerial levers of an organization’s design, organizational culture, and
management control systems that coordinate and control work processes.
• Organizational designers today must have a working knowledge of what information systems can do and how the choice
of information system will affect the organization itself.
• Organizational structures can facilitate or inhibit information #ows.
• Organizational design should take into account decision rights, organizational structure, and informal networks.
• Structures such as #at, hierarchical, matrix and, networked organizations are being enhanced by information technology.
Increasingly information technology enables and supports networked organizations that can better respond to dynamic,
uncertain organizational environments.
• Information technology affects managerial control mechanisms: planning, data, performance measurement and evalua-
tion, incentives and rewards.
• Management control at the individual level is concerned with monitoring (i.e., data collection), evaluating, providing
feedback, compensating, and rewarding. It is the job of the manager to ensure that the proper control mechanisms are
in place and the interactions between the organization and the information systems do not undermine the managerial
objectives.
• Organizational and national culture should be taken into account when designing, managing, and using IS.
K E Y T E R M S
assumptions (p. 67)
beliefs ( p. 66)
bureaucracy (p. 60)
culture (p. 66)
decision rights (p. 58)
enacted values (p. 66)
espoused values (p. 66)
#at organizational structure (p. 60)
hierarchical organizational
structure (p. 60)
matrix organizational
structure (p. 61)
networked organizational
structure (p. 61)
observable artifacts (p. 66)
organizational strategy (p. 57)
social network (p. 63)
span of control (p. 60)
unity of command (p. 60)
values (p. 66)
D I S C U S S I O N Q U E S T I O N S
1. How might IS change a manager’s job?
2. Is monitoring an employee’s work on a computer a desirable or undesirable activity from a manager’s perspective? From the
employee’s perspective? How does the organization’s culture impact your position? Defend your position.
3. Consider the brief description of the elastic enterprise. What is an example of a control system that would be critical to man-
age for success in elastic enterprise? Why?
4. Mary Kay, Inc. sells facial skin care products and cosmetics around the globe. The business model is to provide one‐on‐one,
highly personalized service. More than 500,000 Independent Beauty Consultants (IBCs) sell in 43 markets worldwide. Each
IBC runs his or her own business by developing a client base and then providing services and products for sale to those
clients. The IBCs were offered support through an e‐commerce system with two major components: mymk.com and Mary
c03.indd 71 11/26/2015 6:22:14 PM
72 Organizational Strategy and Information Systems
Southwest Airlines ’ merger with AirTran Airlines , valued at over US$3 billion, made Southwest the largest domestic car-
rier based on number of passengers # own. 25 The merger increases Southwest ’ s presence in a number of major cities, most
notably New York (LaGuardia) and Washington D.C. (Ronald Reagan National Airport). Thanks to AirTran , Southwest now
# ies into the coveted Atlanta ’ s Harts” eld‐Jackson Atlanta International, the world ’ s busiest airport, along with a number
of international vacation destinations such as Aruba, Puerto Rico, and the Bahamas. In all, 21 new cities were added, 7 of
which were in the international market, positioning Southwest to expand in Central and South America. The result was a
signi” cant increase in pro” tability for Southwest , growing from $178 million in 2011 to $1.1 billion in 2014. 26
Southwest has grown organically, acquiring only two other smaller carriers—Morris Air and Muse Air —in the 1980s.
This has made it easier to maintain its quirky identity. On the other hand, AirTran was created from several airlines, includ-
ing the former ValuJet , about 15 years ago. It is known mostly as a low‐cost, on‐time carrier. The Company Culture page
on AirTran ’ s Web site prior to the merger claimed that “loyal crew members keep AirTran airways customers soaring” and
who have a “timely and accommodating demeanor.” AirTran ’ s values included a total commitment to safety, technical ex-
cellence, continuous learning, fun, and pro” t. 27
Southwest , headquartered at Love Field in Dallas, uses the ticker symbol LUV and uses all kinds of ways to show that
“Luv” to their customers. Southwest has cultivated a corporate culture that focuses on employees and customers having a
good time while # ying. The company carefully selects its employees using interviews that involve creative activities and
even asking the recruits to wear tutus. Southwest ’ s training program with karaoke and amusing challenges is designed
to socialize the new recruits into the airline ’ s fun‐loving culture. According to its Web site, its cultural values include
“A Warrior Spirit, A Servant ’ s Heart, A Fun‐Luving Attitude.” 28
Wharton management professor Peter Cappelli commented just after the merger was announced in 2010 that “South-
west ’ s whole business model is built on a particular approach to managing employees. It ’ s a big bet they are making that
they can swallow AirTran . . . . This is a very different approach, taking thousands of AirTran employees, dumping them
into the system and hoping it works. It ’ s a pretty risky move.” Cappelli adds that airline mergers are always dif” cult because
integration has to take place while a carrier continues to carry out complex operations. Thousands of employees can ’ t easily
be put through an orientation program in the merger ’ s short time frame, and the information systems supporting the complex
operations of two airlines can ’ t be easily changed. 29
■ CASE STUDY 3‐1 The Merger of Airtran by Southwest Airlines: Will the Organizational Cultures Merge? 24
Kay InTouch. Mymk.com allows IBCs to create instant online sites where customers can shop anytime directly with their
personal IBC. Mary Kay InTouch streamlines the ordering process by automatically calculating discounts, detecting pro-
motion eligibility, allowing the IBCs to access up‐to‐date product catalogs, and providing a faster way to transact business
with the company. 23
a. How would the organizational strategy need to change to respond to Mary Kay ’ s new business strategy and information
system?
b. What changes would you suggest Mary Kay, Inc. managers make in their management systems in order to realize the
intended benefits of the new systems? Specifically, what types of changes would you expect to make in the evaluation
systems, the reward systems, and feedback systems?
23 Adapted from “ Mary Kay, Inc .,” Fortune (Microsoft supplement, November 8, 1999 ) .
24 An earlier version of this case was written by Parul Acharya.
25 “ What Has AirTran Done for Southwest Airlines ,” Forbes (December 11, 2014), http://www.forbes.com/sites/greatspeculations/2014/12/11/what‐has‐
airtran‐done‐for‐southwest‐airlines/ (accessed April 27, 2015) .
26 Charisse Jones , “ Southwest Scores Record Profit—Again ” USA Today (January 22, 2015 ), http://www.usatoday.com/story/money/2015/01/22/
southwest‐sees‐record‐profits‐in‐2014/22166225/ (accessed August 20, 2015).
27 www.airtran.com (accessed April 2011).
28 Southwest Airlines, http://www.southwest.com/html/about‐southwest/careers/culture.html (accessed January 27, 2012).
29 “ By Acquiring AirTran, Will Southwest Continue to Spread the LUV? ” Knowledge@Wharton (October 13, 2010), http://knowledge.wharton.upenn.
edu/article.cfm?articleid=2614 (accessed August 20, 2015) ; and B. Snyder , “ How the Southwest‐AirTran Merger Creates a Labor Problem ,” CBS
Money (October 5, 2010 ), http://www.cbsnews.com/8301‐505123_162‐43642550/how‐the‐southwest‐airtran‐merger‐creates‐a‐labor‐problem/ (accessed
April 12, 2012) .
c03.indd 72 11/26/2015 6:22:14 PM
http://www.forbes.com/sites/greatspeculations/2014/12/11/what%E2%80%90has%E2%80%90airtran%E2%80%90done%E2%80%90for%E2%80%90southwest%E2%80%90airlines
http://www.forbes.com/sites/greatspeculations/2014/12/11/what%E2%80%90has%E2%80%90airtran%E2%80%90done%E2%80%90for%E2%80%90southwest%E2%80%90airlines
http://www.forbes.com/sites/greatspeculations/2014/12/11/what%E2%80%90has%E2%80%90airtran%E2%80%90done%E2%80%90for%E2%80%90southwest%E2%80%90airlines
http://www.usatoday.com/story/money/2015/01/22/southwest%E2%80%90sees%E2%80%90record%E2%80%90profits%E2%80%90in%E2%80%902014/22166225/
http://www.airtran.com
http://www.southwest.com/html/about%E2%80%90southwest/careers/culture.html
http://knowledge.wharton.upennedu/article.cfm?articleid=2614
http://www.cbsnews.com/8301%E2%80%90505123_162%E2%80%9043642550/how%E2%80%90the%E2%80%90southwest%E2%80%90airtran%E2%80%90merger%E2%80%90creates%E2%80%90a%E2%80%90labor%E2%80%90problem
73Case Study
The Federal Bureau of Investigation of the U.S. government, the FBI, was forced to scrap its $170 million virtual case ” le
(VCF) management system. Of” cial reports blamed numerous delays, cost overruns, and incompatible software. But a deep-
er examination of the cause of this failure uncovered issues of control, culture, and incompatible organizational systems.
Among its many duties, the FBI is charged with the responsibility to ” ght crime and terrorism. To do so requires a
large number of agents located within the United States and around the world. That means agents must be able to share
information among themselves within the bureau and with other federal, state, and local law enforcement agencies. But
sharing information has never been standard operating procedure for this agency. According to one source, “agents are accus-
tomed to holding information close to their bulletproof vests and scorn the idea of sharing information.” This turned out to
be a real problem in an investigation of DarkMarket, an Internet forum that connected buyers and sellers so that they could
exchange stolen information such as bank details and credit card numbers. When both the FBI and Secret Service agents were
investigating each other as criminals, it took their British colleagues, who knew the secrets of both agencies, to avert a crisis.
Enter the FBI ’ s efforts to modernize its infrastructure, codenamed “Trilogy.” The efforts included providing agents with
30,000 desktop PCs, high‐bandwidth networks to connect FBI locations around the world, and the VCF project to facilitate
sharing of case information worldwide. The FBI Director explained to Congress that VCF would provide “an electronic
means for agents to globally send ” eld notes, documents, pieces of intelligence and other evidence so they could hopefully
act faster on leads.” It was designed to replace a paper‐intensive process with an electronic, Web‐based process. With such
a reasonable goal, why didn ’ t it work?
■ CASE STUDY 3‐2 The FBI
In November 2011, Southwest Airlines ’ more than 6,000 pilots and AirTran Airways ’ 1,700 pilots overwhelmingly
approved a plan to combine the seniority lists of the two carriers with ” ve of six pilots voting in favor. 30 The personnel sys-
tems had to be modi” ed to re# ect the new seniority and pay systems.
The disparate cultures of Southwest and AirTran also posed problems for the merger of their online reservation systems
and their frequent‐# yer programs. Southwest switched from Sabre to Amadeus system to better accommodate merchandis-
ing and international # ights. AirTran ’ s reservations system vendor was Navitaire. 31 AirTran and Southwest had diametrically
opposed views on distribution through online travel agencies. Southwest usually sold its tickets via telephone or through its
Web site whereas AirTran preferred online reservation systems such as Orbitz and Expedia. 32 It took several years after to
” gure out how to blend the two different reservations systems. The Southwest frequent‐# yer program was the last system
to be updated to include the top customers of AirTran. In December 2014, the new merged airline was just ” nishing up the
integration. Will the cultures of Southwest and AirTran come together? People are optimistic, but the real answer lies in the
future.
Discussion Questions
1. Discuss the layers of culture that are evident in this case. Why do you think Southwest has preferred to grow organically
over its history?
2. What are the similarities and dissimilarities between the cultures, values, and beliefs of Southwest and AirTran airlines?
Where would you expect the differences to be most difficult to manage? Why?
3. What problems could arise due to the different perspectives of both airlines toward online reservation systems? What do
you recommend the managers do to solve these problems?
4. What would you recommend managers to do ensure a smooth integration of the information systems given the culture
differences?
30 T. Maxon , “ Southwest Airlines, AirTran Pilots Overwhelming Approve Plan to Combine Seniority Lists ,” Aviationblog, Dallas News (November 7,
2011 ), http://aviationblog.dallasnews.com/archives/mergers‐consolidation/ (accessed November 7, 2011) ; Snyder, “How the Southwest‐AirTran Merger
Creates a Labor Problem.”
31 D. Schall , “ Distribution Questions Loom Following US Approval of Southwest‐AirTran Merger ,” tnooz.com (April, 27, 2011 ), http://www.tnooz.
com/2011/04/27/news/distribution‐questions‐loom‐following‐us‐approval‐of‐southwest‐airtran‐merger/ (accessed April 12, 2012) .
32 J. Brancatelli , “ The Fight Stuff: Why the Airlines Are Fighting Travel Sites ,” Portfolio.com (January 5, 2011 ), http://www.portfolio.com/business‐
travel/2011/01/05/why‐legacy‐airlines‐are‐warring‐with‐expedia‐and‐orbitz/ (accessed November 7, 2011) .
c03.indd 73 11/26/2015 6:22:14 PM
http://aviationblog.dallasnews.com/archives/mergers%E2%80%90consolidation
http://www.tnooz.com/2011/04/27/news/distribution%E2%80%90questions%E2%80%90loom%E2%80%90following%E2%80%90us%E2%80%90approval%E2%80%90of%E2%80%90southwest%E2%80%90airtran%E2%80%90merger/
http://www.portfolio.com/business%E2%80%90travel/2011/01/05/why%E2%80%90legacy%E2%80%90airlines%E2%80%90are%E2%80%90warring%E2%80%90with%E2%80%90expedia%E2%80%90and%E2%80%90orbitz
http://www.portfolio.com/business%E2%80%90travel/2011/01/05/why%E2%80%90legacy%E2%80%90airlines%E2%80%90are%E2%80%90warring%E2%80%90with%E2%80%90expedia%E2%80%90and%E2%80%90orbitz
http://www.portfolio.com/business%E2%80%90travel/2011/01/05/why%E2%80%90legacy%E2%80%90airlines%E2%80%90are%E2%80%90warring%E2%80%90with%E2%80%90expedia%E2%80%90and%E2%80%90orbitz
74 Organizational Strategy and Information Systems
The CIO of the FBI offered one explanation. He claimed that the FBI needed to change its culture. “If the Bureau is ever
going to get the high‐tech analysis and surveillance tools it needs to. . . ” ght terrorism, we must move from a decentralized
amalgam of 56 ” eld of” ces. . . to a seamlessly integrated global intelligence operation capable of sharing information and
preventing crimes in real‐time.” He added that the Bureau personnel were also very distrustful of the technology, as well as
others not only in other organizations but also within the FBI.
A former project manager at the FBI further explained, “They work under the idea that everything needs to be kept secret.
But everything doesn ’ t have to be kept secret. To do this right, you have to share information.”
The VCF system has been shut down, but the CIO is working on a new approach. He is busy trying to win buy‐in from
agents in the ” eld so that the next case management system will work. In addition, he is working to establish a portfolio
management plan that will cover all of the FBI ’ s IT projects, even those begun in decentralized of” ces. His team has been
designing an enterprise architecture that will lay out standards for a bureauwide information system. The Director of the
FBI has helped too. He reorganized the governance of IT, taking its budget control away from the districts and giving total
IT budget authority to the CIO.
The FBI is building a new case management system called Sentinel in four phases. The ” rst two phases have been de-
ployed and, according to the Federal IT dashboard, the project is on schedule and on budget. The new system, according to
the CIO, will include work# ow, document management, record management, audit trails, access control, and single sign‐on.
It will provide enhanced information sharing, search, and analysis capabilities to FBI agents and facilitate information
sharing with members of the law enforcement and intelligence communities. To manage the expectations of the agents, the
CIO plans to communicate often and signi” cantly increase the training program for the new system. The CIO commented,
“We want to automate those things that are the most manually cumbersome for the agents so they can see that technology
can actually enhance their productivity. That is how to change their attitudes.”
The FBI also has a billion‐dollar Next Generation Identi” cation (NGI) system with 52 million searchable facial images
and 100 million individual ” ngerprint records as well as millions of palm prints, DNA samples, and iris scans. NGI can scan
mug shots for a match and pick out suspects from a crowd scanned by a security camera or in a photograph on the Internet.
The information can be exchanged with 18,000 law enforcement agencies 24 hours a day, 365 days a year. 33 When combined
with Sentinel, NGI will further enhance the effectiveness of the FBI ’ s antiterror efforts.
Discussion Questions
1. What do you think were the real reasons why the VCF system failed?
2. What were the points of alignment and misalignment between the information systems strategy and the FBI
organization?
3. What do you think of the CIO ’ s final comment about how to change attitudes? Do you think it will work? Why or
why not?
4. If you were the CIO, what would you do to help the FBI modernize and make better use of information technology?
Sources: Adapted from Allan Holmes , “ Why the G‐Men Aren ’ t IT Men “ CIO (June 15, 2005 ), 42 – 45 ; IT Dashboard, ”FBI Sentinel,” http://
www.itdashboard.gov/investment?buscid=441 ; Marc Goodman , Future Crimes ( Toronto, Canada : Random House , 2015 ) .
33 Federal Bureau of Investigation, “FBI Announces Full Operational Capability of the Next Generation Identification System” (September 15, 2014),
https://www.fbi.gov/news/pressrel/press‐releases/fbi‐announces‐full‐operational‐capability‐of‐the‐next‐generation‐identification‐system (accessed
August 20, 2015).
c03.indd 74 11/26/2015 6:22:14 PM
http://www.itdashboard.gov/investment?buscid=441
http://www.itdashboard.gov/investment?buscid=441
https://www.fbi.gov/news/pressrel/press%E2%80%90releases/fbi%E2%80%90announces%E2%80%90full%E2%80%90operational%E2%80%90capability%E2%80%90of%E2%80%90the%E2%80%90next%E2%80%90generation%E2%80%90identification%E2%80%90system
75
4
chapter
New approaches to work such as workplace $ exibility and remote work combined with
newer collaboration and social technologies, mobile technologies, and cloud computing
have drastically changed the way we work. This chapter explores the impact technology has
on the nature and design of work. A Work Design Framework is used to explore how digital
technology can be used effectively to support these changes and help make employees
more effective. In particular, this chapter discusses technologies to support communication
and collaboration, new types of work, new ways of doing traditional work, new challenges
in managing employees, and issues in working remotely and on virtual teams. It concludes
with a section on change management.
Digital Systems and the
Design of Work
Consumer ” nancial services powerhouse American Express viewed workplace # exibility as a stra-
tegic lever. Its award‐winning BlueWork program was a good example of turning strategic intent
into action. In addition to receiving the Chairman ’ s Award for Innovation—Top Innovators Prize, the
BlueWork program enabled increased employee productivity and more than $10 million in annual
savings from reduced cost of of” ce space. 1 BlueWork was Amex ’ s term for arrangements for # exi-
bility in workspace. Integrated into the company ’ s human resource policies, the # exibility included
staggered working hours, off‐site work areas such as home/virtual of” ce arrangements, shared of” ce
space, touch‐down (laptop‐focused, temporary) space, and telecommuting. The corporate focus is on
results rather than on hours clocked in the of” ce and face‐to‐face time. But BlueWork also supported
the sustainability and corporate social responsibility objectives. According to the Amex Web site,
Our sustainable facilities story is also woven into the fabric of our employees ’ daily routine. BlueWork,
our $ exible workplace program, allows American Express employees to better utilize company work
space and work remotely. The installation of 63 telepresence studios in 46 of# ce locations encourages
virtual meetings, reduces the need for travel, and contributes positively to our carbon reduction target. 2
Employees are assigned to a type of work arrangement based on their role. Hub employees
require a ” xed desk because they work in the of” ce every day. Club employees can share time bet-
ween the of” ce and other locations because their roles involve both face‐to‐face and virtual meet-
ings. Home employees work from home at least three days a week. Roam employees are on the road
or at customer sites. Susan Chapman, SVP at American Express commented on the importance of
1 Christopher Palafax , “ American Express ’ s New Design Team ,” American Builders Quarterly (April/May/June 2014), http://
americanbuildersquarterly.com/2014/american‐express/ (accessed August 25, 2015); http://www.employeralliance.sg/toolkit/tool
kit/tk1_13_2a.html (accessed August 25, 2015); Monak Mitra , “ Best Companies to Work for 2012 ,” The Economic Times, http://
articles.economictimes.indiatimes.com/2012‐07‐16/news/32698433_1_employee‐benefits‐jyoti‐rai‐american‐express‐india (accessed
August 25, 2015) ; Jeanne Meister , “ Flexible Workspaces: Employee Perk or Business Tool to Recruit Top Talent? ” Forbes (April 1,
2013), http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible‐workspaces‐another‐workplace‐perk‐or‐a‐must‐have‐to‐attract‐
top‐talent/ (accessed August 25, 2015) .
2 American Express Corporate Social Responsibility Report, Quarter 3 2014 Update , http://about.americanexpress.com/csr/crr‐2014‐
q3.aspx (accessed August 25, 2015) .
c04.indd 75 11/26/2015 7:16:44 PM
http://americanbuildersquarterly.com/2014/american%E2%80%90express
http://americanbuildersquarterly.com/2014/american%E2%80%90express
http://www.employeralliance.sg/toolkit/toolkit/tk1_13_2a.html
http://articles.economictimes.indiatimes.com/2012%E2%80%9007%E2%80%9016/news/32698433_1_employee%E2%80%90benefits%E2%80%90jyoti%E2%80%90rai%E2%80%90american%E2%80%90express%E2%80%90india
http://articles.economictimes.indiatimes.com/2012%E2%80%9007%E2%80%9016/news/32698433_1_employee%E2%80%90benefits%E2%80%90jyoti%E2%80%90rai%E2%80%90american%E2%80%90express%E2%80%90india
http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible%E2%80%90workspaces%E2%80%90another%E2%80%90workplace%E2%80%90perk%E2%80%90or%E2%80%90a%E2%80%90must%E2%80%90have%E2%80%90to%E2%80%90attract%E2%80%90top%E2%80%90talent
http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible%E2%80%90workspaces%E2%80%90another%E2%80%90workplace%E2%80%90perk%E2%80%90or%E2%80%90a%E2%80%90must%E2%80%90have%E2%80%90to%E2%80%90attract%E2%80%90top%E2%80%90talent
http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible%E2%80%90workspaces%E2%80%90another%E2%80%90workplace%E2%80%90perk%E2%80%90or%E2%80%90a%E2%80%90must%E2%80%90have%E2%80%90to%E2%80%90attract%E2%80%90top%E2%80%90talent
http://about.americanexpress.com/csr/crr%E2%80%902014%E2%80%90q3.aspx
http://about.americanexpress.com/csr/crr%E2%80%902014%E2%80%90q3.aspx
76 Digital Systems and the Design of Work
technology’s role in alternative work arrangements, “Technology drives workplace #exibility. . . . Technology has
become a strategic competency that drives revenue growth. It’s not just about enabling productivity.”3
How has BlueWork impacted the staff? In addition to the productivity improvements and savings in of”ce expense,
overall employee satisfaction is up. American Express managers are happy with these arrangements too. They have
found employees to be more engaged while working, more committed to the company, and better able to drive needed
results.4 American Express has clearly adopted one of the most accommodating approaches to work hours, but many
employers allow their employees some #exibility in their work schedule. A third or more of IBM, Aetna, and AT&T
employees have no of”cial desks at the company. Communications giant Cisco, which has over 75,000 employees on
six continents, uses technology‐enabled #exible work practices such as telecommuting, remote work, and #ex time.5
Sun Microsystems Inc. calculates that it has saved over $400 million in real estate costs by allowing nearly half of
its employees to work anywhere they want.6 Even the U.S. Government has a #exible work program, Flexiwork, that
enables eligible employees to do their job under alternative work arrangements such as work from home.7
The American Express example illustrates how the nature of work has changed—and information technology is
supporting, if not propelling, the changes. In preindustrial societies, work was seamlessly interwoven into everyday
life. Activities all revolved around nature’s cyclical rhythms (i.e., the season, day, and night; the pangs of hunger)
and the necessities of living. The Industrial Revolution changed this. With the practice of dividing time into mea-
surable, homogeneous units for which they could be paid, people started to separate work from other spheres of life.
Their workday was distinguished from family, community, and leisure time by punching a time clock or responding
to the blast of a factory whistle. Work was also separated into space as well as time as people went to a particular
place to work.8
Technology and new work arrangements have once again enabled an integration of work activities into every-
day life. Technologies have made it possible for employees to do their work in their own homes, on the road, or
at an alternative work space at times that accommodate home life and leisure activities.9 Paradoxically, however,
employees often want to create a sense of belonging within the space where they work. That is, they wish to create a
sense of “place,” which is a bounded domain in space that structures their experiences and interactions with objects
that they use and other people that they meet in their work “place.” People learn to identify with these “places,” or
locations in space, based on a personal sharing of experiences with others within the space. Over time, visitors to
the place associate it with a set of appropriate behaviors.10 Increasingly “places” are being constructed in space with
Web tools that encourage collaboration, allowing people to easily communicate on an ongoing basis, once again
changing the nature of where work is done.
The Information Systems Strategy Triangle, discussed in Chapter 1, suggests that changing information sys-
tems (IS) results in altered organizational characteristics. Signi”cant changes in IS and the work environments in
which they function are bound to coincide with signi”cant changes in the way that companies are structured and
how people experience work in their daily lives. Chapter 3 explores how information technology (IT) in#uences
organizational design. This chapter moves the focus to the way IT is changing the nature of work, the rise of new
work environments, and IT’s impact on different types of employees, where and when they do their work, and how
they collaborate. This chapter looks at how IT enables and facilitates a shift toward collaborative and virtual work.
The terms IS and IT are used interchangeably in this chapter, and only basic details are provided on technologies
used. The point of this chapter is to look at the impact of IT on the way work is done by individuals and teams.
This chapter should help managers understand the challenges in designing technology‐intensive work and develop
a sense of how to address these challenges and overcome resistance to IT in our rapidly changing world.
3 Gensler, Dialog 22, http://www.gensler.com/uploads/documents/Dialogue‐22 (accessed August 25, 2015).
4 http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible‐workspaces‐another‐workplace‐perk‐or‐a‐must‐have‐to‐attract‐top‐talent/.
5 http://csr.cisco.com/casestudy/flexible‐work (accessed May 30, 2015).
6 “Smashing the Clock,” Bloomberg News (December 10, 2006), http://www.bloomberg.com/bw/stories/2006‐12‐10/smashing‐the‐clock (accessed May
29, 2015).
7 The IRS is one example of these U.S. government programs. For more information, see http://www.irs.gov/irm/part6/irm_06‐800‐002.html (accessed
May 29, 2015).
8 S. Barley and G. Kunda, “Bringing Work Back In,” Organizational Science 12, no. 1 (2001), 76–95.
9 S. Harrison and P. Dourish, “Re‐Place‐ing Space: The Roles of Place and Space in Collaborative Systems,” Proceedings of the 1996 ACM Conference
on Computer Supported Cooperative Work (1996), 67–76.
10 C. Saunders, A. F. Rutkowski, M. Genuchten, D. Vogel, and J. M. Orrega, “Virtual Space and Place: Theory and Test,” MIS Quarterly 35, no. 4 (2011),
1079–98.
c04.indd 76 11/26/2015 7:16:44 PM
http://www.gensler.com/uploads/documents/Dialogue%E2%80%9022
http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible%E2%80%90workspaces%E2%80%90another%E2%80%90workplace%E2%80%90perk%E2%80%90or%E2%80%90a%E2%80%90must%E2%80%90have%E2%80%90to%E2%80%90attract%E2%80%90top%E2%80%90talent%00
http://csr.cisco.com/casestudy/flexible%E2%80%90work
http://www.bloomberg.com/bw/stories/2006%E2%80%9012%E2%80%9010/smashing%E2%80%90the%E2%80%90clock
http://www.irs.gov/irm/part6/irm_06%E2%80%90800%E2%80%90002.html
http://www.forbes.com/sites/jeannemeister/2013/04/01/flexible%E2%80%90workspaces%E2%80%90another%E2%80%90workplace%E2%80%90perk%E2%80%90or%E2%80%90a%E2%80%90must%E2%80%90have%E2%80%90to%E2%80%90attract%E2%80%90top%E2%80%90talent%00
77Work Design Framework
Work Design Framework
As the place and time of work becomes less distinguishable from other aspects of people’s lives, the concept of
“jobs” is changing and being replaced by the concept of work. Prior to the Industrial Revolution, a job meant a
discrete task of a short duration with a clear beginning and end.11 By the mid‐20th century, the concept of job
had evolved into an ongoing, often unending stream of meaningful activities that allowed the worker to ful”ll a
distinct role. More recently, organizations are moving away from organization structures built around particular
jobs to a setting in which a person’s work is de”ned in terms of what needs to be done.12 In many organizations,
it is no longer appropriate for people to establish their turfs and narrowly de”ne their jobs to address only speci”c
functions. Yet, as jobs “disappear,” IT can enable employees to better perform their roles in tomorrow’s workplace;
that is, IT can help employees function and collaborate in accomplishing work that more broadly encompasses all
the tasks that need to be done.
In this chapter, a simple framework is used to assess how emerging technologies may affect work. As is suggested
by the Information Systems Strategy Triangle (in Chapter 1), this framework links the organizational strategy with
IS decisions. This framework is useful in designing characteristics of work by asking key questions and helping
identify where IS can affect how the work is done.
Consider the following questions:
• What work will be performed? Understanding what tasks are needed to complete the process being done
by the employee requires an assessment of speci”c desired outcomes, inputs, and transformation needed to
turn inputs into outcomes. Many types of work are based upon recurring operations such as those found in
manufacturing plants or service industries. The value chain helps in understanding the work#ow for key tasks
that are performed (i.e., purchasing, materials handling, manufacturing, customer service, repair). Increas-
ingly, much work is done at a keyboard and involves managing knowledge, information, or data. Each type
of work has a unique set of characteristics and tasks that needs to be supported by information technology.
• Who is going to do the work? Sometimes the work can be automated. However, if a person is going to do the
work, who should that person be? What skills are needed? From what part of the organization should that
person come? If a team is going to do the work, many of these same questions need to be asked. However, they
are asked within the context of the team: Who should be on the team? What skills do the team members need?
What parts of the organization need to be represented by the team? Will the team members be dispersed?
• Where will the work be performed? With the increasing availability of networks, Web tools, apps, mobile
devices, cloud‐based computing, and the Internet in general, managers can now design work for employees
who come to the of”ce or who work remotely. Does the work need to be performed locally at a company
of”ce? Can it be done remotely at home? On the road?
• When will the work be performed? Traditionally, work was done during “normal business hours,” which
meant 9 a.m. to 5 p.m. In many parts of the world, a job between the hours of 9 and 5 is an anomaly. Tech-
nologies also make it easier to work whenever necessary. The reality of modern technologies is that they
often tether employees to a schedule of 24 hours a day, seven days a week (24/7) when they are always
accessible to calls or other communications through their mobile devices.
• How can the acceptance of IT‐induced change be increased? In this text, the overarching questions are
how to leverage IT to help improve work and how to keep IT from inhibiting work. Sometimes this means
automating certain tasks. For example, computers are much better at keeping track of inventory, calculating
compensation, and many other repetitious tasks that are opportunities for human error. On the other hand,
technologies provide increasing support for tasks at which humans excel, such as decision making, com-
munication, and collaboration tasks among employees. Using a structured change management approach to
manage IT‐induced change will increase the probability of success.
11 William Bridges, JobShift: How to Prosper in a Workplace without Jobs (New York: Addison‐Wesley, 1995).
12 Ibid.
c04.indd 77 11/26/2015 7:16:44 PM
78 Digital Systems and the Design of Work
Figure 4.1 shows how these questions can be used in a framework to incorporate technologies into the design of
work. Although it is outside the scope of this chapter to discuss the current research on either work or job design,
you are encouraged to read these rich literatures.
How Information Technology Changes the Nature of Work
Advances in IT provide an expanding set of tools that make individual employees more productive and broaden
their capabilities. They transform the way work is performed—and the nature of the work itself. This section exam-
ines three ways in which new IT alters employee life: by creating new types of work, by enabling new ways to do
traditional work, and by supporting new ways to manage people.
Creating New Types of Work
IT often leads to the creation of new jobs or rede”nes existing ones. The high‐tech “eld has emerged in its entirety
over the past 60 years and has created a wide range of positions in the IT sector, such as programmers, analysts,
managers, hardware assemblers, Web site designers, software sales personnel, social media specialists, and consul-
tants. A study based on the Bureau of Labor statistics places the number of IT employees in the United States at an
all‐time high of 4.9 million.13 Even within traditional non‐IT organizations, the growing reliance on IS creates new
types of jobs, such as data scientists who mine for insights in the company’s data, community managers who man-
age the “rm’s online communities, and communications managers who manage the use of communication technol-
ogies for the business. IS departments also employ individuals who help create and manage the technologies, such
WHAT:
What work will be
performed?
(e.g., operations,
sales,
management)
HOW:
How can acceptance of IT-induced
change be increased?
(e.g., unfreeze-change-refreeze,
Kotter’s 8 steps to managing
change, technology
acceptance model)
WHO:
Who is going to do the
work?
(e.g., individuals,
groups)
WHERE:
Where will the work be
performed?
(e.g., at the office,
at home,
on the road)
WHEN:
When will the work be
performed?
(e.g., 9–5, 24/7,
flexible scheduling)
FIGURE 4.1 Framework for work design.
13 TechServe Alliance, “IT Employment Grows Modestly in April,” http://www.techservealliance.org/pressroom/documents/Press_Release_May2015_
MBR (accessed May 30, 2015).
c04.indd 78 11/26/2015 7:16:44 PM
http://www.techservealliance.org/pressroom/documents/Press_Release_May2015_MBR
79How Information Technology Changes the Nature of Work
as systems analysts, database administrators, network administrators, and network security advisors. The Internet
has given rise to many other types of jobs, such as Web masters and site designers. Virtually every department in
every business has someone who “knows the information systems” as part of her or his job.
New Ways to Do Traditional Work
Changing the Way Work Is Done
IT has changed the way work is done. Many traditional jobs are now done by computers. For example, computers
can check spelling in documents, whereas traditionally that was the job of an editor or writer. Jobs once done by art
and skill are often greatly changed by the introduction of IT. Workers at one time needed an understanding of not
only what to do but also how to do it; now their main task often is to make sure the computer is working because the
computer does the task for them. Sadly, many cashiers no longer seem to be able to add, subtract, or take discounts
because they have grown up letting the computer in their point‐of‐sale (POS) terminal do the calculations for them.
Workers once were familiar with others in their organization because they passed work to them; now they may
never know those co‐employees because the IT routes the work. In sum, the introduction of IT into an organization
can greatly change the day‐to‐day tasks performed by its employees.
In her landmark research, Shoshana Zuboff describes a paper mill in which papermakers’ jobs were radically
changed with the introduction of computers.14 The papermakers mixed big vats of paper and knew when the paper
was ready by the smell, consistency, and other subjective attributes of the mixture. For example, one employee
could judge the amount of chlorine in the mixture by snif”ng and squeezing the pulp. They were masters at their
craft, but they were not able to explicitly describe to anyone else exactly what was done to make paper. An appren-
ticeship was needed to train new generations of masters, and the process of learning how to smell and squeeze the
paper pulp was arduous. The company, in an effort to increase productivity in the papermaking process, installed
an information and control system. Instead of the employees looking at and personally testing the vats of paper,
the system continuously tested parameters and displayed the results on a panel located in the control room. The
papermakers sat in the control room, reading the numbers, and making decisions on how to make the paper.
Many found it much more dif”cult, if not impossible, to make the same quality paper when watching the control
panel instead of personally testing, smelling, and looking at the vats. The introduction of the information system
resulted in the need for different skills to make paper. Abstracting the entire process and displaying the results
on electronic readouts required skills to interpret the measurements, conditions, and data generated by the new
computer system.
In another example, sales and delivery people at a snack company have portable devices that not only keep
track of inventory but also help them in the selling function. Prior to the information system, the salespeople used
manual processes to keep track of inventory in their trucks. When visiting customers, it was possible only to tell
them what was missing from their shelves and to replenish any stock they wanted. With IT, the salespeople have
become more like marketing and sales consultants, helping the customers with models and data of previous sales,
#oor layouts, and replenishment as well as forecasting demand based on analysis of the data histories stored in the
IS. The salespeople need to do more than be persuasive. They now must also do data analysis and #oor plan design
in addition to using the computer. Thus, the skills needed by the salespeople as well as the work#ow, have greatly
changed with the introduction of IT.
One of the biggest changes in work#ow has been in the area of data entry. In the past, the work#ow included
capturing the data, keying it into the system, rekeying it to check its accuracy, and then processing it. The work#ow
has now changed to capture the data directly when it is entered by the user in a variety of ways such as from the
Web, with a GPS signal, or by reading the RFID code. A program may check its accuracy when it is captured and
then process it. Companies are moving way from entering sales data at all; customers enter it for them when they
place an order. As data entry tasks are eliminated, the steps in the work#ow are drastically reduced, and the process
is much faster.
14 Shoshana Zuboff, In the Age of the Smart Machine: The Future of Work and Power (New York: Basic Books, 1988), 211.
c04.indd 79 11/26/2015 7:16:44 PM
80 Digital Systems and the Design of Work
A study by Frey and Osborn examined 702 occupations and noted that 47% of total U.S. employment is at
high risk of being automated in the next few years. Least likely to be automated are those jobs with nonroutine
tasks involving complex perception and manipulation as well as creative and social intelligence.15 Even knowledge
employees, who once felt safe in their jobs because of the high degree of analysis and diagnosis they performed,
are at risk of automation as analytics and cognitive intelligence systems become increasingly more accurate in their
predictions and diagnoses.
The Internet enables changes in many types of work. For example, within minutes, “nancial analysts can down-
load an annual report from a corporate Web site to their smartphones and check what others have said about the
company’s growth prospects on social networks. Librarians can check the holdings of other libraries online and
request that particular volumes be routed to their own clients or download the articles from a growing number of
databases. Marketing professionals can pretest the reactions of consumers to potential products in virtual worlds.
Technical support agents diagnose and resolve problems on remote client computers using the Internet. The cost
and time required to access information has plummeted, increasing personal productivity and giving employees
new tools. It is hard to imagine a job today that doesn’t have a signi”cant information systems component.
For those tasks that must be done by people, companies can use information technology to “nd willing employees
at what may seem like bargain rates. Amazon’s Mechanical Turk has created a marketplace site on which an orga-
nization can post tasks at speci”ed rates. Willing employees can use this site to “nd those tasks. For example, a
company posted that it wanted employees to enter data from photos of cash register receipts. Another company
posted a task offer of transcribing a 25‐second audiotape. Many of these task offers involve very small amounts,
often $.05 to $.25. Some tasks take a signi”cant portion of an hour and pay up to $5 or more. Some of the employees
do very brief tasks at low pay so they can gain higher status and qualify for higher‐paying tasks. Although this isn’t
automating a task inside an organization, from the manager’s perspective, it’s another way to use IT to change the
work done by the employees of the organization.
Changing Communication Patterns
All one has to do is observe people walking down a busy downtown street or a college campus to note changes in
communication patterns over a period as short as the last decade. Some people are talking on their cell phones, but
even more are texting or using apps for all kinds of reasons, such as checking out game scores, specials at nearby
restaurants, or movie times. Or observe what happens when a plane lands. It seems that over half the people on
the plane whip out their portable devices or cell phones as soon as the plane touches down. They are busy making
arrangements to meet the people who are picking them up at the airport or checking to see the calls or e‐mails they
missed while in #ight. Finally, consider meeting a friend at a busy subway station in Hong Kong. It is virtually
impossible without the aid of a cell phone to locate each other. Some may say that we are addicted to our mobile
technologies, unable to put them away even when driving or walking, unfortunately sometimes leading to dan-
gerous behaviors.
Applications (Apps) such as iMessage, Skype, Twitter, and Sina Weibo (Chinese Twitter) have changed how
people communicate. Traditionally, people found each other in person to have a conversation in the moment. With
the telephone, people called each other and both parties had to participate at the same time to have a conversation.
Along came e‐mail, which rapidly became the communication technology of choice because it eliminated the need
for those involved in the conversation to participate at the same time. Today, people have an array of communica-
tions technologies, and, once again, IT is changing communication patterns. Some rely on texting, others on video
conferences, such as Facetime or Skype, and still others on social networks such as Facebook or Renren, for their
primary communications channel. The challenge created by the large number of choices is that individuals now
must have a presence on numerous platforms to ensure that they can be contacted. Further, one must know how
not only to contact someone but also to recognize that the person’s preferred medium might change during the day,
week, or month. For example, during normal business hours, an employee might prefer to receive e‐mail or a phone
call. But after hours, he or she might prefer a text, and late at night, while sur”ng the Web, may prefer a message on
15 C. B. Frey and M. Osborn, “The Future of Employment: How Susceptible Are Jobs to Computerisation?” (September 17, 2013), http://www.oxfordmartin.
ox.ac.uk/downloads/academic/The_Future_of_Employment (accessed August 25, 2015).
c04.indd 80 11/26/2015 7:16:44 PM
http://www.oxfordmartinox.ac.uk/downloads/academic/The_Future_of_Employment
81How Information Technology Changes the Nature of Work
Facebook Messenger or Skype. Without knowledge of the recipients’ preferences for how to receive the message,
the sender is likely to be unsuccessful in communicating with the recipients over the proper channel. A sender who
doesn’t know which medium the recipient prefers might use one medium (e.g., e‐mail) to see whether the recipient
is open to using another medium (e.g., phone).
Similarly, IT is changing the communication patterns of employees. There are still some employees who do not
need to communicate with others for the bulk of their workday. For example, many truck drivers do not interact
with others in their organization while driving to their destination. But there are other ways communication tech-
nologies have changed the work done by truck drivers. Consider the example of a Walmart driver who picks up
goods dropped off by manufacturers at the Walmart distribution center and then delivers them in small batches to
one or more Walmart stores. Walmart has provided its drivers with radios and satellite systems so that, on short
notice, on their way back to the distribution center to load up for the next delivery, they can opportunistically pick
up goods from manufacturers and take them to the distribution center. In this way, the company saves the delivery
charges from that manufacturer and conserves energy in the process. Walmart of”ce staff and drivers therefore use
IT to save money by enhancing their communications with suppliers.16
Many changes in communication have been supported, if not propelled, by IT. Some communication technol-
ogies, such as social networking and microblogs, are rather new and unfamiliar, motivating managers in many orga-
nizations to understand how to apply them to work‐related applications in a way that adds value to their business.
These and other communication tools help make large companies feel smaller by bringing together employees
from geographic disparate locations and from a variety of divisions and levels in the organization. Large companies
can feel smaller because communications technology enables individuals to “nd each other despite the organiza-
tion’s size. These tools also help small companies feel like large companies because, to some degree, they level the
playing “eld in the ways companies communicate and collaborate. Thomas Friedman, the author of the popular
The World Is Flat and other books, argues that collaboration is the way that small companies can “act big” and
#ourish in today’s #at world. The key to success is for such companies “to take advantage of all the new tools for
collaboration to reach farther, faster, wider and deeper.”17 For example, any company can have a Facebook page or
a Twitter feed, making it dif”cult to distinguish between small and large organizations simply by interacting over
these technologies.
Changing Organizational Decision Making and Information Processing
IT changes not only organizational decision‐making processes but also the information used in making those
decisions. Data processed to create more accurate and timely information are being captured earlier in a process.
Analytics (see Chapter 12) have made it possible to mine data stores and identify insights, make predictions, and
even suggest decisions. Through information technologies, information that employees need to do their job can be
pushed to them in real time or saved and made available when they need it.
IT can change the amount and type of information available to employees. For example, salespeople can use
technology to get quick answers to customer questions. Further, IT‐based tools allow salespeople to search for
best practices on a marketing topic over a social network and to bene”t from blogs and wikis written by informed
employees in their company. Organizations now maintain large comprehensive business databases, called data
warehouses, that can be mined by using tools to analyze patterns, trends, and relationships. We discuss data
management in Chapter 12.
Modern devices with voice interfaces have assistants that further change decision‐making processes. Apps such
as Siri, Cortana, and Google‐Now allow users to talk to their devices, often mobile ones, to access information from
either their devices or the Internet. These types of interfaces are increasingly being built into enterprise systems to
supplement ways employees gather information, increasing employee ef”ciency.
In their classic 1958 Harvard Business Review article, Leavitt and Whisler boldly predicted that IT would
shrink the ranks of middle management by the 1980s.18 Because of IT, top‐level executives would have access
16 Thomas L. Friedman, The World is Flat (New York: Farrar, Straus and Giroux, 2005), 145.
17 Ibid.
18 Harold Leavitt and Thomas Whisler, “Management in the 1980s,” Harvard Business Review (November–December 1958), 41–48.
c04.indd 81 11/26/2015 7:16:44 PM
82 Digital Systems and the Design of Work
to information and decision‐making tools and models that would allow them to easily assume tasks previously
performed by middle managers. Other tasks clearly in the typical job description of middle managers at the time
would become so routinized and programmed because of IT that lower‐level managers could perform them. As
Leavitt and Whisler predicted, the 1980s saw a shrinking in the ranks of middle managers. This trend was partly
attributable to widespread corporate downsizing, which forced many organizations to “nd alternatives to getting
the work done and IT solutions to proliferate to “ll the gap. However, it was also attributable to changes in decision
making induced by IT. Since the 1980s, IT has become an even more commonly employed tool of executive
decision makers. IT has increased the #ow of information to them and provided tools for “ltering and analyzing
the information.
Changing Collaboration
IT helps make work more team oriented and collaborative. Technologies such as texting (SMS), instant messaging
(IM), Web logs (blogs), virtual worlds, groupware, wikis, social networking, and video teleconferencing are at the
heart of collaboration today. Groups can form and share documents with less effort using these platforms. Group
members can seek or provide information from or to each other much more easily than ever before. And groups can
connect by voice or with voice and video using these platforms.
Collaboration takes place in one of four ways. Teams are collocated and work together at the same time, they are
collocated but work at different times, they are not located in the same place but work at the same time, or they work
from different places at different times. Figure 4.2 summarizes these options and lists representative technologies
that facilitate collaboration for each type of team.
Consider the New York‐based marketing “rm CoActive Digital whose president decided to implement a wiki to
have a common place where 25 to 30 people could go to share a variety of documents ranging from large “les to
meeting notes and PowerPoint presentations.19 An added bene”t was that the wiki was encrypted, protected, and
could be used only with a virtual private network (VPN). The president recognized that the challenge for imple-
menting the wiki would be to change a culture in which e‐mail had long been the staple for communication. Conse-
quently, he decided to work closely with the leader of the business development group. This group handles inquiries
from customers and coordinates the work (i.e., marketing campaigns) internally. The group needed to hold many
meetings and share much work. He populated the wiki site with the documents that had formerly been traded over
e‐mail and asked the leader to encourage her group members to use the wikis. It took some effort, but eventually the
group learned to appreciate the bene”ts of the wiki for collaboration and to reduce members’ dependence on e‐mail.
Verifone’s company culture is one that encourages information sharing. A story is told of a new salesperson who
was trying to close a particularly big deal. He was about to get a customer signature on the contract when he was
asked about the competition’s system. Being new to the company, he did not have an answer, but he knew he could
FIGURE 4.2 Collaboration technologies matrix: Examples of key enabling technologies.
Source: Adapted from Geraldine DeSanctis and R. Brent Gallupe, “A Foundation for the Study of Group Decision Support
Systems,” Management Science 33, no. 5 (May 1987), 589–609.
Team Works at the Same Time Team Works at Different Time
Team Works in the Same Place Face‐to‐face meetings
Meeting room technologies
Document sharing systems (wikis)
Electronic bulletin boards
Document sharing systems (wikis)
Team Works in Different Places Video conferencing
Chat rooms
Texting (SMS) and instant messaging (IM)
Document sharing systems (wikis)
E‐mail
Microblogs (e.g., Twitter)
Texting (SMS) and instant messaging (IM)
Document sharing systems (wikis)
19 C. G. Lynch, “How a Marketing Firm Implemented an Enterprise Wiki,” http://www.cio.com/article/print/413063 (accessed July 9, 2008).
c04.indd 82 11/26/2015 7:16:44 PM
http://www.cio.com/article/print/413063
83How Information Technology Changes the Nature of Work
count on the company’s information network for help. He asked his customer for 24 hours to research the answer.
He then sent an e‐mail to everyone in the company asking the questions posed by the customer. The next morning,
he had several responses from others around the company. He went to his client with the answers and closed the
deal. What is interesting about this example is that others around the world treated the “new guy” as a colleague
even though they did not know him personally. He was also able to collaborate with them instantaneously. It was
standard procedure, not panic time, because of the culture of collaboration in this company. With increased use of
social networks and other social tools, instantaneous collaboration is commonplace.20
The Internet has greatly enhanced collaboration. Beyond sharing and conversing, teams can also use the Web
to create something together. An example of this is Wikipedia on which individuals who do not know each other
contribute to the information on a topic. At computer company Dell, a Web‐based site named IdeaStorm has
been used since 2008 for idea generation, discussion, and prioritization between and among individuals in the
Dell community, including staff, executives, customers, and potential customers. Recent statistics show that over
23,000 ideas have been submitted, over 747,000 votes for ideas have been recorded, and over 100,000 comments
have been posted about the ideas suggested. Dell’s management has implemented over 500 of the ideas. Ideas
can range from small incremental improvements such as adding a port to an existing product to large sweeping
changes such as creating a new product line. Some ideas, such as how to change the retail experience or support
activities, are process oriented. Some ideas are about education, the environment, and other topics related to Dell’s
business. The company has since implemented an internal version of this system, Employee Storm, only open to
internal staff. Employee Storm invites ideas on company bene”ts, innovations, ways to work better, and other
company‐focused issues. Many other companies have implemented similar platforms, including IBM’s Think-
Place, BestBuy’s BlueShirt Nation, and ESPN’s SportsNation.
Changing the Ways to Connect
Probably one of the biggest changes that people are experiencing as a result of new technologies is that they are
always connected. In fact, many feel tethered to their mobile phones, tablets, or laptops to such a large extent that
they must be available at all times so that they can respond to requests from their supervisors, colleagues, or cus-
tomers. As a result, the boundaries between work and play have become blurred, now causing people to struggle
even more with work–life balance.
Businesses are still trying to understand the technological advances that have become commonplace. Many in
the workforce “nd that their technology at home differs from that at work and prefer those at home. For example,
while although many use social media tools on their tablets, laptops, or smartphones during the weekend at home,
on Monday morning, they “nd themselves working on an older desktop system with slow access to the “les and
Web‐based systems they want to use for their work.21 They “nd this quite bothersome. In fact, a Cisco Systems
survey of young professionals and college students found that one in three believes the Internet is as important as
air, water, food, and shelter. Two people in “ve say they would accept a lower‐paying job that had more #exibility
with regard to device choice, social media access, and mobility over a higher‐paying job with less #exibility.22 In
commenting on the survey “ndings, Marie Hattar, vice president, Enterprise Marketing, Cisco, stated:
The results of the Cisco Connected World Technology Report should make businesses re‐examine how they need to
evolve in order to attract talent and shape their business models. Without a doubt, our world is changing to be much
more Internet‐focused, and becomes even more so with each new generation.
CIOs need to plan and scale their networks now to address the security and mobility demands that the next generation
workforce will put on their infrastructure, and they need to do this in conjunction with a proper assessment of corporate
policies.23
20 Hossam Galal, Donna Stoddard, Richard Nolan, and Jon Kao, “VeriFone: The Transaction Automation Company,” Harvard Business School Case
Study 195–088, July 1994.
21 Cognizant, “The Future of Work Has Arrived: Time to Re‐Focus IT” (February 2011), 1–15, http://www.cognizant.com/SiteDocuments/CBC_FoW_
Time_to_Refocus_IT (accessed August 25, 2015).
22 Cisco Connected World Technology Report, 2011 Findings, http://www.cisco.com/en/US/netsol/ns1120/index.html#~2011 (accessed August 25, 2015).
23 “Air, Food, Water, Internet—Cisco Study Reveals Just How Important Internet and Networks Have Become as Fundamental Resources in Daily Life,”
http://newsroom.cisco.com/press‐release‐content?type=webcontent&articleId=474852 (accessed August 25, 2015).
c04.indd 83 11/26/2015 7:16:44 PM
http://www.cognizant.com/SiteDocuments/CBC_FoW_Time_to_Refocus_IT
http://www.cisco.com/en/US/netsol/ns1120/index.html%23~2011
http://newsroom.cisco.com/press%E2%80%90release%E2%80%90content?type=webcontent&articleId=474852
84 Digital Systems and the Design of Work
Consider IBM ’ s SmallBlue—an opt‐in social network analysis tool that maps the knowledge and the connec-
tions of IBM employees. SmallBlue can be used to ” nd employees with speci” c knowledge or skills, display
employee networks on particular topics, validate a person ’ s expertise based on her or his corporate pro” le, and
display a visualization of an employees ’ personal social networks. IBM claims that SmallBlue has promoted inno-
vation, effectiveness, and ef” ciency. 24
The preceding examples show how technologies have become a key component in the design of work. IT has
greatly changed day‐to‐day tasks, which in turn has changed the skills needed by employees. The examples show
how adding IT to a work environment can change the way that work is done.
New Ways to Manage People
New working arrangements create new challenges in how employees are supervised, evaluated, compensated, and
even hired. When most work was performed individually in a central location, supervision and evaluation were
relatively easy. A manager could directly observe the employee who spent much of his or her day in an of” ce. It
was fairly simple to determine whether or not the employee was present and productive.
Modern organizations often face the challenge of managing a workforce that is spread across the world in iso-
lation from direct supervision and working mostly in teams. Sales work is one area in which we see this. Rather
than working in a central of” ce, external salespeople work remotely, relying on laptop computers, smart phones,
the Web and apps linking them to customers, of” ce colleagues, sales support information, and other databases.
The technical complexity of some products, such as enterprise software, necessitates a team‐based sales approach
combining the expertise of many individuals, and technologies connect the team together.
Modern organizations must also choose among three types of formal controls to ensure that work is done
properly. 25 Behavior controls involve direct monitoring and supervision of employee actions while the work is being
done. Vivid depictions of behavior controls are provided in road construction projects that have one employee dig-
ging and another watching, motionless with arms folded. On the other hand, outcome controls involve examining
work outcomes rather than work actions. Finally, personnel controls represent a proper ” t between the person and
the job, often involving picking the right person for the task.
Social Business Lens: Activity Streams
An activity stream is a list of activities on a Web site that brie$ y highlight what the individuals connected to that
stream are doing. Activity streams can include posts by individuals who share what they are doing or thinking and
posts directly by other programs, which deposit an update about what an individual is doing. By collecting all of
these posts in a single feed, the activity stream gives a reader a good sense of what is happening in a community.
Examples of activity streams are Facebook ’ s news feed and Salesforce.com ’ s Chatter. Companies that incor-
porate activity streams in their social business platform report that teams using that technology had fewer face‐to‐
face meetings, reduced e‐mail, faster information $ ows, better collaboration, and increased responsiveness. An
activity stream can keep staff updated on the happenings around an organization. For example, SAS , the interna-
tional statistics and analytics software company, implemented an activity stream for its employees. Staff were able
to keep track of what others were working on over an activity stream that mimicked the news feed that Facebook
users see on their home page. Staff could share, comment on, or “like” pages and documents they found in their
systems or on the Web and those entries would show up in the activity stream.
Source: David F. Carr , “ SAS Creates Internal Facebook with Socialcast ” (April 29, 2011 ), http://www.informationweek.com/
thebrainyard/news/social_networking_private_platforms/229402527/sas‐institute‐creates‐internal‐facebook‐with‐socialcast
(accessed on April 5, 2012) .
24 For additional information on SmallBlue, see http://www.watson.ibm.com/cambridge/Projects/project8.shtml (accessed May 31, 2015).
25 L. J. Kirsch , “ Portfolios of Control Modes and IS Project Management ,” Information Systems Research 8 , no. 3 ( 1997 ), 215 – 239 ; W. G. Ouchi , “ The
Transmission of Control through Organizational Hierarchy ,” Academy of Management Journal 21 , no. 2 ( 1978 ), 173 – 92 ; K. A. Merchant , Modern
Management Control Systems, Text and Cases ( Upper Saddle River, NJ : Prentice‐Hall , 1998 ).
c04.indd 84 11/26/2015 7:16:45 PM
http://www.informationweek.com/thebrainyard/news/social_networking_private_platforms/229402527/sas%E2%80%90institute%E2%80%90creates%E2%80%90internal%E2%80%90facebook%E2%80%90with%E2%80%90socialcast
http://www.watson.ibm.com/cambridge/Projects/project8.shtml
85How Information Technology Changes the Nature of Work
It is important for a “rm to choose the right type of control for each position being supervised. Behavior controls
make the most sense for physical labor in which incorrect particular body movements might be inef”cient or even
dangerous. Programmers would consider it quite insulting to have a supervisor exercise action control and watch
every keystroke whereas transcriptionists might understand the need to track each keystroke. Outcome controls
make more sense not only for programmers but also for many other personnel, such as engineers, sales managers,
and ad writers. However, personnel controls are more useful when it would take several years to evaluate the results
of work, which is often the case when goals are inde”nable, con#icting, or confusing and the stakes are high. For
instance, when Apple was having dif”culty de”ning a meaningful product line in the mid‐1990s, the “rm resorted
to personnel controls when it determined that the right way to rede”ne its mission was to bring back Steve Jobs.
After two decades, hindsight shows that Jobs was the right choice. Personnel controls are useful for situations in
which it is dif”cult not only when to expect results but also to de”ne what results should even be expected.
When the results of work are fairly well de”ned, technology can change dramatically how it is monitored. One
technological solution, electronic employee monitoring (introduced in Chapter 3), can replace direct supervision
and provide detailed behavior controls, automatically logging keystrokes, listing the Web sites visited, or even
recording the contents of an employee’s screen. Technology can also provide outcome controls by tracking the
number of calls processed, e‐mail messages sent, or time spent sur”ng the Web. When output is monitored digi-
tally, pay‐for‐performance compensation strategies reward employees for deliverables produced or targets met as
opposed to vague subjective factors such as “attitude” or “teamwork.” Further, supervisors can spend time coaching,
motivating, and planning rather than personally monitoring performance because they can utilize the information
gathered from electronic monitoring systems for that task. The introduction of BlueWork at American Express illus-
trates the need to change from an approach in which managers watch employees and count the hours they spend at
their desks to one that focuses instead on the work they actually do. These changes are summarized in Figure 4.3.
IT has also impacted the way employees are hired, becoming an essential part of that process for many “rms.
Open positions are posted on job Web sites, and applicants submit resumes over the Web, complete applications on
line, and refer potential employers to their personal Web sites. When researching candidates, companies often look
at their Facebook pages and do online searches of the candidates to see what pops up. Social networking provides
a forum for informal introductions and casual conversations in cyberspace. Interviews can be arranged in virtual
worlds or via teleconferencing to reduce travel costs. A face‐to‐face interview is usually eventually required, but
recruiters can signi”cantly and more effectively “lter the applicant pool, reducing the number of expensive site visits.
In addition, companies increasingly realize that hiring is changing and that recruiting efforts should re#ect
the new approaches people are using to look for jobs. Tech‐savvy job applicants are now using business‐oriented
social networks such as LinkedIn to seek contacts for jobs and online job search engines like Monster.com and
CareerBuilder.com to “nd job listings. A Facebook app, BeKnown, provides a pro”le detailing an individual’s work
experience, a news feed for contact updates and actions, a search tool to locate people and connect with them, and
FIGURE 4.3 Changes to supervision, evaluations, compensation, and hiring.
Traditional Approach: Subjective Observation Digital Approach: Objective Assessment
Supervision It is personal and informal. Manager is usually
present or relies on others to ensure that the
employee is present and productive.
It is electronic or assessed by deliverables. As
long as the employee is producing value, he or
she does not need direct formal supervision.
Evaluation Behavior controls are predominant. Focus
is on process through direct observation.
Manager sees how employee performs at
work. Subjective (personal) factors are very
important.
Outcome controls are predominant. Focus is on
output by deliverable (e.g., produce a report by
a certain date) or by target (e.g., meet a sales
quota). Fewer subjective measures are used.
Compensation
and Rewards
It is often individually based. It is often team based or contractually spelled out.
Hiring Hiring is done through meetings with HR
personnel with little concern for computer
skills.
It is often electronic with recruiting Web sites and
electronic testing for more information‐based
work that requires a higher level of IT skills.
c04.indd 85 11/26/2015 7:16:45 PM
86 Digital Systems and the Design of Work
a way to recommend other users or display badges earned for completing certain professional goals. The app also
is integrated with Monster.com’s job listings.26
Furthermore, the way an organization uses IT affects the array of technical and nontechnical skills needed in
its employees. For example many basic clerical tasks can be performed expeditiously with IT, so fewer employees
with those basic skills are required, making room for those with more targeted skills. Just to be sure employees are
IT savvy, too, the actual hiring process may require applicants to complete an assessment or perform other activities
online. In this way, hiring managers can raise the overall IT competency exhibited by employees in their businesses.
Employees who cannot keep pace with IT are increasingly unemployable.
The design of the work needed by an organization is a function of the skill mix required for its work processes
and of the #ow of those processes themselves. Thus, a company that infuses technology effectively and employs
a workforce with a high level of IT skills designs itself differently from a company that does not. The skill mix
required by an IT‐savvy “rm re#ects a high capacity for using the technology itself. For example, because many
clerical skills are now embedded in the technologies staff use, fewer clerical staff are needed and those who are
hired by the company often do specialized work that is not easily automated or subsumed by technology.
As workforce demographics shift, so do the IT needs and opportunities to change work. Digital natives—people
who have grown up using computers, social networking sites, texting, and the Web as a normal, integrated part of
their daily lives—are “nding new and innovative ways to do their work. There are widely varying impacts from
the skills these employees bring to their work, including how to do their work in a new, and often more ef”cient,
manner.
IT has drastically changed the landscape of work today. As a result of IT, many new jobs have been created. In
the next section, we examine how IT can change where work is done, when it is done, and who does it.
Where Work Is Done and Who Does It: Mobile and Virtual
Work Arrangements
This section examines another important effect of IT on work: the ability of some employees to work anywhere
at any time. With WiFi virtually ubiquitous, individual employees can connect to the Web from almost anywhere.
And with powerful technologies available in the consumer space, employees often “nd the tools and apps they
have at home function as well as, or even better than, their workplace technologies. Research also suggests that
employees—especially those younger employees who have never known a world without ubiquitous access to
personal smart devices and the Web—prefer to have the work–life #exibility that remote and mobile work arrange-
ments provide. At the group level, virtual teams have become standard operating mechanisms to bring the best
individuals available to work together on a task. We explore remote work from the perspective of both individuals
and teams in the next section.
Remote Work and Virtual Teams
Flexible work arrangements, although not the norm for many organizations, have been gaining support as
technologies enable employees to be “virtually present” for their employers. The terms telecommuting, mo-
bile worker, and remote worker are often used to describe #exible work arrangements. Telecommuting, some-
times called teleworking, refers to employees working from home, at a customer site, or from other convenient
locations instead of coming into the corporate of”ce. The word telecommute is derived from combining “tele-
communications” with “commuting,” indicating that these employees use telecommunications instead of driving,
or commuting, to the of”ce. Mobile workers are those who work from wherever they are. They are out”tted
with the technology necessary for access to co‐workers, company computers, intranets, and other information
sources. We use the term remote workers when we refer to both telecommuters and mobile workers.
26 Kristin Burnham, “Monster.com Brings Professional Social Networking to Facebook,” CIO.com (July 15, 2011), http://blogs.cio.com/print/16406
(accessed February 2, 2012).
c04.indd 86 11/26/2015 7:16:45 PM
http://blogs.cio.com/print/16406
87Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
Phase Preparation Launch Performance
Management
Team
Development
Disbanding
Key Activities Mission statement
Personnel selection
Task design
Rewards system
Technology
selection and
installment
Kick‐off meetings
Getting acquainted
Goal clari#cation
Norm development
Leadership
Communication
Con$ict resolution
Task accomplishment
Motivation
Knowledge
management
Norm enforcement
and shaping
Assessment of
needs/de#cits
Individual
and/or team
training
Evaluation of
training effects
Trust building
Recognition of
achievements
Re‐integration of
team members
Such employees work not only on a remotely independent basis but also with remote members on virtual teams.
Virtual teams are de”ned as two or more people who (1) work together interdependently with mutual accountability
for achieving common goals, (2) do not work in either the same place and/or at the same time, and (3) must use
electronic communication and other digital technologies to communicate, coordinate their activities, and complete
their team’s tasks. Initially, virtual teams were seen as an alternative to conventional teams that meet face‐to‐face.
However, it is simplistic to view teams as either meeting totally face‐to‐face or totally virtually. Rather, teams may
re#ect varying degrees of virtuality. Virtual team members may be in different locations, organizations, time zones,
or work shifts (day, evening, or overnight). Further, like most teams, virtual teams may have distinct, relatively
permanent membership, or they may be relatively #uid as they evolve to respond to changing task requirements and
as members leave and are replaced by new members.
Virtual teams are thought to have a life cycle like most teams.27 Their lifecycle, shown in Figure 4.4, is note-
worthy because it the important activities in team development: Teams are formed; their work is completed; and,
the team is disbanded.
Factors Driving Use of Remote Work and Virtual Teams
Remote working has been around since the 1970s, but it has steadily been gaining popularity since the late 1990s.
One poll of 11,300 employees in 22 countries found that one 1 of 6 telecommute worldwide.28 And as managers
move to build teams of the best talent available, they inevitably turn to virtual teams as the mechanism to bring
people together for a task. Several factors that drive these trends are shown in Figure 4.5.
The “rst factor is that work is increasingly knowledge based. The United States and many other world econ-
omies continue to shift from manufacturing to service industries. Equipped with the right IT, employees can create,
assimilate, and distribute knowledge as effectively from home as they can from an of”ce. The shift to knowledge‐
based work thus tends to minimize the need for a particular locus of activity.
The second factor is that remote workers and virtual team members often shift the time of their work to accom-
modate their lifestyles. For instance, parents modify their work schedules to allow time to take their children to
school and attend extracurricular activities. Telecommuting provides an attractive alternative for parents who might
otherwise decide to take leaves of absence from work for child rearing. Telecommuting also enables people who are
housebound by illness, disability, or the lack of access to transportation to join the workforce.
FIGURE 4.4 Key activities in the life cycle of teams.
27 G. Hertel, S. Geister, and U. Konradt, “Managing Virtual Teams: A Review of Current Empirical Research,” Human Resource Management Review
15, no. 1 (2005), 69–95.
28 The actual statistics for the number of telecommuters is hard to find. These figures were obtained from Smart Planet, http://www.smartplanet.com/blog/
business‐brains/one‐sixth‐of‐the‐worlds‐employees‐now‐telecommute‐survey/21616 (accessed June 19, 2015).
Source: Adapted from Guido Hertel, Susanne Geister, and Udo Konradt, “Managing Virtual Teams: A Review of Current Empirical
Research,” Human Resource Management Review 15, no. 1 (2005), 69–95.
c04.indd 87 11/26/2015 7:16:45 PM
http://www.smartplanet.com/blog/business%E2%80%90brains/one%E2%80%90sixth%E2%80%90of%E2%80%90the%E2%80%90worlds%E2%80%90employees%E2%80%90now%E2%80%90telecommute%E2%80%90survey/21616
88 Digital Systems and the Design of Work
Geographic Lens: How Do People Around the World Feel About Working Remotely?
A recent survey by Cisco found marked national differences about how professionals viewed their ability to be
productive when working remotely. On average, 39% of the 1,303 professionals in 13 countries surveyed answered
“yes” when asked whether it was necessary for them to be in the of# ce to make decisions more effectively and
ef# ciently (i.e., nothing replaces daily in‐person interaction), but only 7% answered “yes” in India whereas 56%
and 57% answered “yes” in Japan and Germany, respectively. That is, a large percentage of people in Japan and
Germany thought they had to come into the physical of# ce to be productive. This wasn ’ t the case at all in India.
A very small percentage of Indians felt they had to be tethered to a desk in a physical of# ce. They could do their
work by staying connected to their workplaces through a variety of devices including their laptops, tablets, and
smartphones.
Source: “ The Cisco Connected World Report ” (October 2010), http://newsroom.cisco.com/dlls/2010/ekits/ccwr_final (accessed
February 4, 2012).
FIGURE 4.5 Driving factors of remote work and virtual teams.
Driver Effect
Shift to knowledge‐based work Eliminates requirement that certain work be performed in a
speci# c place
Changing demographics and lifestyle preferences Provides workers geographic and time‐shifting $ exibility
New technologies with enhanced bandwidth Makes remotely performed work practical and cost effective
Reliance on Web Provides employees the ability to stay connected to
co‐workers and customers and to access work‐related apps,
even on a 24/7 basis
Energy concerns Reduces the cost of commuting (for telecommuters), energy
costs associated with real estate (for companies) and travel
costs (for companies and for people on virtual teams)
Remote work also provides employees and virtual team members enormous geographic # exibility. The freedom
to live where one wishes, even at a location remote from one ’ s corporate of” ce, can boost employee morale and
job satisfaction. As a workplace policy, it may also lead to improved employee retention. For example, American
Express employees use the BlueWork program as part of its recruiting pitch. Further, productivity and employee sat-
isfaction for those on the BlueWork program are markedly higher, and voluntary turnover is down. Many employees
can be more productive at home, and they actually work more hours than if they commuted to an of” ce. Further-
more, such impediments to productivity as traf” c delays, canceled # ights, bad weather, and mild illnesses become
less signi” cant. Companies enjoy this bene” t, too. Those who build in remote work as a standard work practice are
able to hire employees from a much larger talent pool than those companies that require geographical presence.
The third driving factor is that the new technologies, which make work in remote locations viable, are becoming
better, cheaper, and more widely available. Telecommunication and PC speeds are increasing exponentially at
the same time that their costs are plummeting. The oft‐cited time frame involved in this progression is a doubling
of computer capabilities (such as speed) every 18 months. 29 The drastic increase in capabilities of portable tech-
nologies makes small devices more powerful than the computers of yesterday, enabling effective and productive
mobile work. Applications also provide integration between applications. Virtual team members can use Skype,
Webex, Zoom, or any number of video and audio conferencing technologies to work together. Cloud computing
also has contributed to this trend because applications are moved from computers housed in company data centers
to Web‐based hosts such as Amazon Web Services (AWS), Rackspace, and other service providers.
29 Gordon Moore, head of Intel, observed that the capacity of microprocessors doubled roughly every 12 to 18 months. Even though this observation was
made in 1965, it still holds true. Eventually, it became known in the industry as Moore ’ s law.
c04.indd 88 11/26/2015 7:16:45 PM
http://newsroom.cisco.com/dlls/2010/ekits/ccwr_final
89Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
A fourth driving factor is the increasing reliance on Web‐based technologies by all generations, especially
younger generations, such as Generation Y and the Millennials. The younger generations are at ease with Web‐
based social relationships and are adept at using social networking tools to grow these relationships. Face‐to‐face
work arrangements are not necessary for these employees to build productive connections. Web‐based tools allow
them to stay connected with their co‐workers and customers. Further, as more and more organizations turn to
# exible working hours in programs such as BlueWork implemented by American Express and as 24/7 becomes
the norm in terms of service, the Web becomes the standard platform to allow employees to respond to work ’ s
increasing demands.
A ” fth factor is the increasing emphasis on energy conservation. As concerns about greenhouse gasses, carbon
footprints, and even potential future gasoline price increases, employees are looking for ways to be more respon-
sible and frugal at the same time. Telecommuting is quite appealing in such a scenario, especially when public
transportation is not readily available. Companies can also experience lower energy usage and costs from telecom-
muting. SAP reduced its global greenhouse footprint by encouraging employees to shift their commuting behavior.
As a result of these ongoing efforts, emissions from employees ’ commutes dropped. In addition to telecommuting
and encouraging the use of mass transit and carpooling, SAP also began providing employees information on their
carbon footprint from commuting through a new internal dashboard aimed at ensuring greater transparency and
accountability. 30
Many employees no longer need to be tied to of” cial desks. Thus, the real estate needs of their employers are
shrinking, and companies are saving costs by reducing the of” ce space they own or rent. This reduction lowers
their energy needs by no longer needing to heat, cool, or maintain these spaces. Companies are realizing that they
can comply with the Clean Air Act and be praised for their “green computing” practices at the same time they are
reaping considerable cost savings.
Advantages and Disadvantages of Remote Work
There are clearly advantages to remote work. Employees have greater # exibility in where they work. They can
work from home or from just about any location as long as they have a laptop and a WiFi connection. Employees
often ” nd that they are more productive because they can work in the environment of their choosing without the
distractions of the of” ce. Homebound individuals can work for a company that embraces remote work. Employees
also seem to have higher morale and lower absenteeism in part because they can work from wherever they are,
wearing whatever clothes they want. A remote employee who has a cold may not want to go into the of” ce and
risk spreading the germs to others but can work from home. Employers ” nd advantages of enabling remote work
compelling, too. They are able to hire employees who do not live in the geographic area of the of” ce. They don ’ t
have to monitor the employees the same way, freeing up their time to focus on exceptions and issues that require a
Geographic Lens: Who Telecommutes? A Look at Global Telecommuting Habits
Flexible work arrangements have been around for decades, but as technologies enable new capabilities for
work away from a traditional of# ce, telework has been gaining popularity. In 2015, advisory services # rm EY sur-
veyed about 9,700 employees in the eight top economies across the globe—the United States, United Kingdom,
India, Japan, China, Germany, Mexico, and Brazil. The # rm found $ exible work arrangements varied signi# cantly
by country. The report cited countries with the highest and lowest percentages of employees with $ exible work
schedules. Germany (70%), India (61%), and the United States (61%) had the highest percentage, and Japan (30%)
and China (22%) had the lowest.
Source: “EY Global Generations: A Global Study on Work‐Life Challenges Across Generations,” EY.com, http://www.ey.com/
Publication/vwLUAssets/EY‐global‐generations‐a‐global‐study‐on‐work‐life‐challenges‐across‐generations/$FILE/EY‐global‐
generations‐a‐global‐study‐on‐work‐life‐challenges‐across‐generations (accessed August 26, 2015), 6.
30 SAP Sustainability Report, Greenhouse Gas Footprint, http://www.sapsustainabilityreport.com/greenhouse‐gas‐footprint (accessed February 2, 2012).
c04.indd 89 11/26/2015 7:16:45 PM
http://www.ey.com/Publication/vwLUAssets/EY-global-generations-a-global-study-on-work-life-challenges-across-generations/$FILE/EY-globalgenerations-a-global-study-on-work-life-challenges-across-generations
http://www.sapsustainabilityreport.com/greenhouse%E2%80%90gas%E2%80%90footprint
90 Digital Systems and the Design of Work
supervisor. And employers often “nd that it is less expensive to provide a remote employee the tools needed than
to pay for the of”ce space to house the employee.
Remote employees sometimes report that work–life balance often suffers. Because work can be done anyplace
and anytime, they sometimes “nd the option attractive because of the ability to work around the schedules of chil-
dren or other family members. Paradoxically, it is often dif”cult for them to separate work from their home life.
Consequently, they may work many more hours than the standard nine‐to‐”ve employee or experience the stress
of trying to separate work from play.
Remote work challenges managers to address performance evaluation and compensation. Managers of remote
workers must evaluate employee performance in terms of results or deliverables. Virtual of”ces make it more dif-
“cult for managers to appreciate the skills of the people reporting to them, which in turn makes it more dif”cult to
evaluate their performance. Managers must rely heavily on the remote worker’s self‐discipline to ensure that work
is done. As a result, managers may feel they are losing control over their employees, and some remote employees
do, in fact, abuse their privileges. Managers accustomed to traditional work models in which they are able to exert
control more easily may strongly resist remote working. In fact, managers are often the biggest impediment to
implementing remote work programs.
Self‐discipline is a key concern for many remote workers. Workers who go to an of”ce or who must make
appearances at customer locations have a structure that gets them up and out of their home. But remote workers “nd
that working from home, in particular, is full of distractions such as personal phone calls, visitors, the television,
Facebook and other social networking sites, and inconvenient family disruptions. A remote worker must carefully
set up a home‐work environment and develop strategies to enable quality time for the work task.
Remote work also requires managers to undertake special planning and communicating activities. In terms of
planning, business and support tasks must be designed to support remote workers. Managers must also work to
coordinate schedules, ensure adequate communication among all workers, establish policies to support communi-
cations, and build business processes to support remote workers.
Working remotely can disconnect employees from their company’s culture and make them feel isolated. The
casual, face‐to‐face encounters that take place in of”ces transmit extensive cultural, political, and other organiza-
tional information. These encounters are lost to an employee who seldom, if ever, works at the of”ce. Consequently,
telecommuters need to undertake special efforts to stay connected. They must engage in forms of conversation to
replace “water cooler” talk. This could take the form of instant messaging or participating in telephone calls/con-
ferences, e‐mail, social networking, blogs, or even video conferencing. The most successful remote work arrange-
ments do include regular visits to the of”ce to solidify personal connections.
Not all jobs are suitable for remote work. Some jobs, such as server in a restaurant, a clerk in a grocery store,
and a facilities manager in a high‐rise building, require the employee to be at the work location. Further, new
employees who need to be socialized into the organization’s practices and culture are not good candidates for
remote work. Finally, some organizations’ culture does not support remote workers. Notably, when Marissa Meyer
took over as President of Yahoo, one of her “rst decisions was to eliminate remote work and bring everyone back
into the home of”ce. She felt that the culture had taken a wrong turn and the only way to “x it was to have everyone
in the same place.
Remote work also raises the specter of offshoring, or foreign outsourcing of jobs once performed internally in
the organization. Once a company establishes an infrastructure for remote work, it often can be performed abroad
as easily as domestically. U.S. immigration laws limit the number of foreigners who may work in the United States.
However, no such limitations exist on work performed outside this country by employees who transmit their work
to the United States electronically. Because such work is not subject to minimum wage controls, companies may
have a strong economic incentive to outsource work abroad. They “nd it particularly easy to outsource clerical work
related to electronic production, such as data processing and computer programming. Sourcing is further discussed
in Chapter 9. Bene”ts and potential problems associated with telecommuting are summarized in Figure 4.6.
Security is another issue for remote workers who might bring to the of”ce an infected computer and plug it into
the network, posing a threat to other of”ce computers. Further, as demonstrated by the Department of Veterans
Affairs (VA) employee whose laptop carrying unencrypted, sensitive personal information on more that 2.2 million
active‐duty military personnel was stolen from the employee’s home, remote workers can be the source of security
c04.indd 90 11/26/2015 7:16:45 PM
91Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
breaches.31 Organizational security mechanisms are continually increasing in effectiveness; however, it is impos-
sible for organizations to make remote workers totally secure. General managers need to get involved in assessing
the areas and severity of risk and take appropriate steps, via policies, education, and technology, to reduce the risks
and make remote workers as secure as possible. IS leaders are aware that even with the best policies and tools avail-
able, breaches occur. The IS organizations typically has many levels of security to sense and respond to threats. IT
security is discussed more fully in Chapter 7.
Advantages and Disadvantages of Virtual Teams
Virtual teams clearly offer advantages in terms of expanding the knowledge base through team membership. Thanks
to new and ever‐emerging communication and information technologies, managers can draw team members with
needed skills or expertise from around the globe without having to commit to huge travel expenses. Further, virtual
teams can bene”t from following the sun. One classic example of this can be found in software development.
London members of a virtual team of software developers at Tandem Services Corporation initially code a project
and transmit its code each evening to a U.S. team for testing. The U.S. team forwards the tested code to Tokyo for
debugging. London team members start their next day with the code debugged by the Japanese team, and another
cycle is initiated.32 Increasingly, growing pressure for faster turn around time for systems has resulted in systems
development by global virtual teams whose members are located around the world.
There are some clear disadvantages to virtual teams. For example, different time zones, although helpful when
following the sun, can work against virtual team members when they are forced to stay up late or work in the middle
of the night to communicate with team members in other time zones. There also are a considerable number of chal-
lenges that if not correctly managed could turn into disadvantages. A summary of these challenges in comparison
with more traditional teams can be found in Figure 4.7.
Managing Remote Workers and Virtual Teams
Managers cannot manage remote workers or virtual teams in the same way that they manage in‐of”ce workers or
traditional teams. The differences in management control activities are particularly pronounced because managers
cannot observe the actual behavior of remote workers or virtual team members. Thus, monitoring behavior is likely
to be more limited. As stated earlier, performance for both remote workers and virtual teams is more likely to be
evaluated through outcomes controls rather than behavior controls. Because team members and remote workers are
dispersed, providing feedback is especially important—not just at the end of a project, but throughout the workers’
employment and the team’s life.
FIGURE 4.6 Some advantages and disadvantages of remote work.
Advantages of Remote Working Potential Problems
Reduced stress due to increased ability to meet
schedules and to have fewer work‐related distractions
Increased stress from inability to separate work life from
home life
Higher morale; lower absenteeism Harder for managers to evaluate and communicate about
performance
Geographic $exibility for worker; capitalization on
distant expertise for organization
Employee may become disconnected from company culture
Higher personal productivity Lack of suitability for all jobs or employees
Inclusion of housebound individuals in the workforce Telecommuters more easily replaced by offshore workers
Very informal dress is acceptable Harder to achieve high security
31 Robert Lemos, “VA Data Theft Affects Most Soldiers” (June 7, 2006), http://www.securityfocus.com/brief/224 (accessed May 7, 2012).
32 Marie‐Claude Boudreau, Karen Loch, Daniel Robey, and Detmar Straub, “Going Global: Using Information Technology to Advance the Competitive-
ness of the Virtual Transnational Organization,” Academy of Management Executive 12, no. 4 (1998), 120–28.
c04.indd 91 11/26/2015 7:16:45 PM
http://www.securityfocus.com/brief/224
92 Digital Systems and the Design of Work
Compensation for virtual teams must be based heavily on the team’s performance and ability to reach its goal
rather than on individually measured performance. Compensating team members for individual performance may
result in “hot‐rodding” or lack of cooperation among team members. Organizational reward systems must be
aligned with the accomplishment of desired team goals. This alignment is especially dif”cult when virtual team
members belong to different organizations, each with her or his own unique reward and compensation system, each
of which may affect individual performance in a different way. Managers need to be aware of differences and dis-
cover ways to provide motivating rewards to all team members. Further, policies about the selection, evaluation,
and compensation of virtual team members may need to be enacted.
In addition to management control challenges, there are other challenges as included in Figure 4.7. The rest of
this section is devoted to managing the challenges.
Managing Communication Challenges
Because virtual teams and remote workers communicate differently than workers in the of”ce, managers must
make sure the communications policies and practices support these work arrangements. For example, holding a
team meeting in the of”ce and expecting remote members to listen in requires the manager to prepare differently
for the meeting. Any presentation slides to be used in the meeting must also be shared with the remote participants,
either over a video conference with meeting software or beforehand. When most of the co‐workers are in the of”ce
and only one or two are dialing in from other locations, the remote participants miss all the nonverbal communica-
tion that takes place in the meeting room. Soft‐spoken individuals are often dif”cult to hear. Managers must make
sure key messages are being conveyed to the remote participants or the results of the meeting are sub‐optimal.
Team leaders may decide to initiate or supplement a team’s virtual activity with a face‐to‐face meeting so that
the seeds of trust can be planted and team members feel as if they know one another on a more personal basis. Face‐
to-face meetings indeed appear to contribute to successful global virtual teams. An in‐depth study of three global
virtual teams found that the two effective teams created a rhythm organized around regularly scheduled face‐to‐face
meetings coupled with virtual meetings as needed. Before each face‐to‐face meeting, there was a #urry of com-
munication and activity as team members prepared for the meeting. After the meeting, there were many follow‐up
messages and tasks. The ineffective team did not demonstrate a similar pattern.33 Because not all teams can meet
face‐to‐face, well‐managed synchronous meetings using video teleconferencing or in a virtual world can activate
the rhythm and accelerate the work#ow.
FIGURE 4.7 Comparison of challenges facing virtual teams and traditional teams.
Challenges Virtual Teams (VT) Traditional Teams
Communication • Dif#culties in terms of scheduling meetings and interactions
• Increased inef#ciencies when passing work between time
zones
• Altered communication dynamics such as facial expressions,
vocal in$ections, verbal cues, and gestures
• Collocated in same time zone.
Scheduling is less dif#cult
• Use of richer communication
media, including face‐to‐face
discussions
Technology • Need for pro#ciency across wide range of technologies
• Automatic creation of electronic repository to build
organizational memory
• Need for ability to align group structure and technology
with the task environment
• Support for face-to-face
interaction without replacing it
• Electronic communication skills
not needed by team members
• Task technology #t less critical
Team Diversity • Harder to establish a group identity
• Require better communication skills
• More dif#cult to build trust, norms, and shared meanings
about roles because team members have fewer cues
about their teammates’ performance
• More likely to have different perceptions about time and
deadlines
• Group identity easier to create
• Easier communication among
members
33 M. L. Maznevski and K. Chudoba, “Bridging Space Over Time: Global Virtual Team Dynamics and Effectiveness,” Organization Science 11, no. 5
(2000), 373–92.
c04.indd 92 11/26/2015 7:16:45 PM
93Where Work Is Done and Who Does It: Mobile and Virtual Work Arrangements
Because team leaders cannot always see what their team members are doing or whether they are experiencing
any problems, frequent communications are important. If remote employee or team members are quiet, the team
leader must reach out to them to identify their participation and ensure that they feel their contributions are appre-
ciated. Further, team leaders can scrutinize the team’s asynchronous communications and its repository to evaluate
and give feedback about each team member’s contributions. Even when a majority of team members are in one
location, the team leader should rotate meeting times to alternate the convenience among team members. The rule
of thumb is that “more communication is better than less” because it is very dif”cult to “overcommunicate.” Man-
agers and team leaders with remote participants must make sure to think about how their remote colleagues are
receiving the information they need, not just how the managers are communicating it.
Managing Technology Challenges
Information and communication technologies are at the heart of the success of remote work and virtual team
accomplishments. However, managers must ensure that their remote colleagues have access to the technologies
and support they need. All team members must have the ability to connect to the information sources and com-
munications pathways used by the group. Well‐designed Web‐based conferencing applications make this easier
because any device connected to the Internet can access them. Managers must make sure meetings over video
or audio conference tools are well coordinated and all attendees have the right access codes and meeting times.
Time zone differences often confuse this issue, so it is critical to make sure everyone knows the right time for
a meeting.
Support processes for technologies must also be designed with remote employees in mind. If the only support
for them is in the of”ce, they will “nd it dif”cult if not impossible to access the help they need. Bringing a laptop to
the of”ce during normal business hours may not be possible if the remote worker is hundreds or thousands of miles
away. Processes must be designed to accommodate the remote employee or team member.
Managers must ensure that all employees and team members have the tools they need to do their jobs. That
might mean providing seamless telephone transfers, desktop support, network connectivity, and security support
to the remote workers. How and where information is stored must be considered because all workers must have
access to the “les and applications they need to do their work. And, of course, the importance of security for remote
work cannot be overstated. A good rule of thumb is to design work processes so they work for remote workers,
and consider the of”ce as just another location. If the process works for the remote workers, it most likely will
work for someone in the of”ce, but the converse is not necessarily true. Unforeseen problems can develop for those
remotely located.
Further, managers must also provide the framework for using the technology. Policies and norms or unwritten
rules about how all employees should use the technology to work with one another must be established.34 These
include norms about telephone, e‐mail, and videoconferencing etiquette (i.e., how often to check for messages, the
maximum time to wait to return e‐mails, and alerting team members about absences or national holidays), work to
be performed, and so on. Such norms are especially important when team members are not in the same of”ce and
cannot see when team members are unavailable. For example, leaving a paper note on someone’s desk works “ne if
that person is in the of”ce, but that option does not exist for remote participants. Leaving an e‐mail or sending texts
may be a better alternative because both work for everyone.
Managing Diversity Challenges
Managers may also seek to provide technologies to support diverse team member characteristics. For example,
team members from different parts of the globe may have different views of time. Team members from Anglo‐
American cultures (i.e., United States, United Kingdom, Canada, Australia, New Zealand) may view time as a
continuum from past to present and future. For such team members, each unit of time is the same. These team
members are likely to be concerned with deadlines and often prefer to complete one task before starting another
(i.e., are monochronic). For team members who are conscious of deadlines, planning and scheduling software may
34 C. Saunders, C. Slyke, and D. R. Vogel, “My Time or Yours? Managing Time Visions in Global Virtual Teams,” Academy of Management Executive
18, no. 1 (2004), 19–31.
c04.indd 93 11/26/2015 7:16:45 PM
94 Digital Systems and the Design of Work
be especially useful. In contrast, team members from India often have a cyclical view of time. They do not get
excited about deadlines and there is no hurry to make a decision because it is likely to cycle back—at which time
the team member may be in a better position to make the decision. Many people from India tend to be polychronic,
preferring to do several activities at one time. Team members who are polychronic may bene”t from having instant
messaging or instant video chats available to them so that they can communicate with their teammates and still
work on other tasks.35
In addition to providing the appropriate technologies, managers with team members who have different views
of time need to be aware of the differences and try to develop strategies to motivate those who are not concerned
with deadlines to deliver their assigned tasks on time. Or the managers may wish to assign these team members to
do tasks that are not sensitive to deadlines.
Of course, views of time are only one dimension of diversity. Although team diversity has been demonstrated
to lead to more creative solutions, it can also make it harder for team members to learn to communicate, to trust
one another, and to form a single group identity. Through open communications, managers may be able to uncover
and deal with other areas of diversity, such as culture, training, gender, personality, position, and language, that
positively or negatively affect the team.36 Managers may establish an expertise directory at the start of the team’s
life or encourage other ways of getting team members to know more about one another. The rule of thumb here is
to not assume a team will work just because it has been created by management. Speci”c thought must be giving
to helping the team members function together and embrace, rather than reject, the differences diversity brings to
the table.
Gaining Acceptance for IT‐Induced Change
The changes described in this chapter no doubt alter the frames of reference of organizational employees and may
be a major source of concern for them. Employees may resist the changes if they view the changes as negatively
affecting them. In the case of a new information system that they do not fully understand or are not prepared to
operate, they may resist in several ways:
• They may deny that the system is up and running.
• They may sabotage the system by distorting or otherwise altering inputs.
• They may try to convince themselves, and others, that the new system really will not change the status quo.
• They may refuse to use the new system when its usage is voluntary.
Managing Change
To help avoid these resistance behaviors, John Kotter37 builds upon Kurt Lewin’s38 change model of unfreezing,
changing, and refreezing. Kotter recommends eight speci”c steps to bring about change. Kotter’s steps are related
to Lewin’s changes and listed in Figure 4.8.
Managers can keep these eight steps in mind as they introduce change into their workplaces. It is important for
managers to make clear why the change is being made before it is implemented, and they must follow the change
with reinforcement behaviors such as rewarding those employees who have successfully adopted new desired
behaviors.
35 Ibid.
36 Terri R. Kurtzberg and Teresa M. Amabile, “From Guilford to Creative Synergy: Opening the Black Box of Team‐Level Creativity,” Creativity
Research Journal 13, no. 3–4 (2001), 285–94.
37 John Kotter, Leading Change (Boston, MA: Harvard Business School Press, 1996).
38 Kurt Lewin, “Frontiers in Group Dynamics II. Channels of Group Life; Social Planning and Action Research,” Human Relations 1, no. 22 (1947),
143–53.
c04.indd 94 11/26/2015 7:16:45 PM
95Gaining Acceptance for IT‐Induced Change
Technology Acceptance Model and Its Variants
To avoid the negative consequences of resistance to change, those implementing change must actively manage
the change process and gain acceptance for new IS. To help explain how to gain acceptance for a new technology,
Professor Fred Davis and his colleagues developed the Technology Acceptance Model (TAM). Many variations of
TAM exist, but its most basic form is displayed on the right‐hand side in Figure 4.9. TAM suggests that managers
FIGURE 4.8 Stages and steps in change management.
Source: Adapted from John Kotter, Leading change (Boston, MA: Harvard Business School Press, 1996).
Lewin’s Stage Unfreezing Changing Refreezing
De#nition Creating motivation to change Providing stakeholders with new
information, systems, products, or
services
Reinforcing change by
integrating stakeholders’
changed behaviors and
attitudes into new operations
resulting from change
Kotter’s Steps 1. Establish a sense of urgency:
Create a compelling reason
why change is needed.
2. Create the guiding coalition:
Select a team with enough
expertise and power to lead
the change.
3. Develop a vision and strategy:
Use the vision and strategic
plan to guide the change
process.
4. Communicate the change
vision: Devise and implement
a communication strategy to
consistently convey the vision.
5. Empower broad‐based
action: Encourage risk‐taking
and creative problem solving
to overcome barriers to
change.
6. Generate short‐term wins:
Celebrate short‐term
improvements and reward
contributions to change effort.
7. Consolidate gains and
produce more change: Use
credibility from short‐term
wins to promote more change
so that change cascades
throughout the organization.
8. Anchor new approaches
in the culture: Reinforce
change by highlighting
areas in which new
behaviors and processes
are linked to success.
Individual
Differences
Perceived
Usefulness
Social
Influence
Facilitating
Conditions
Perceived
Ease of Use
Technology Acceptance Model (TAM)
Behavioral
Intention
Use
Behavior
System
Characteristics
FIGURE 4.9 Simpli”ed technology acceptance model (TAM3).
Source: Viswanath Venkatesh and Hillol Bala, “Technology Acceptance Model 3 and a Research Agenda on Interventions,”
Decision Sciences 39, no. 2 (2008), 276.
c04.indd 95 11/26/2015 7:16:46 PM
96 Digital Systems and the Design of Work
cannot get employees to use a system until they want to use it. To convince employees to want to use the system,
managers may need to employ unfreezing tactics to change employee attitudes about the system. Attitudes may
change if employees believe that the system will allow them to do more or better work for the same amount of effort
(perceived usefulness), and that it is easy to use. Training, documentation, and user support consultants are external
variables that may help explain the usefulness of the system and make it easier to use.
The left‐hand side of Figure 4.9 provides four categories of determinants of perceived usefulness and perceived
ease of use from the point of view of organizational users. Speci”cally, they are individual differences (e.g., gender,
age), system characteristics (e.g., output quality and job relevance that help individuals develop favorable or unfa-
vorable views about the system), social in#uence (e.g., subjective norms), and facilitating conditions (e.g., top
management support). TAM assumes that system use is under the control of the individual users. When employees
are mandated to use the system, they may use it in the short run, but over the long run, negative consequences of
their resistance may surface. Thus, gaining acceptance of the system is important, even in those situations where
it is mandated.
S U M M A R Y
• The nature of work is changing, and IT supports, if not propels, these changes.
• Communication and collaboration are vital for today’s work. Technology to support communication includes e‐mail,
intranets, instant messaging (IM), video conferences, virtual private networks (VPN), and “le transfer software. Tech-
nology to support collaboration includes social networking sites, Web logs (blogs), virtual worlds, wikis, teleconference
systems, groupware, microblogs and Internet sharing sites.
• IT affects work by creating new work, creating new working arrangements, and presenting new managerial challenges
in employee supervision, evaluation, compensation, and hiring.
• Newer approaches to management re#ect increased use of computer and information technology in hiring and super-
vising employees, a more intense focus on output (compared to behavior), and an increased team orientation.
• The shift to knowledge‐based work, changing demographics and lifestyle preferences, new technologies, growing reli-
ance on the Web, and energy concerns contribute to the increase in remote work and virtual teams.
• Companies “nd that building telecommuting capabilities can be an important tool for attracting and retaining
employees, increasing their productivity, providing #exibility to otherwise overworked individuals, reducing of”ce
space and associated costs, responding to environmental concerns about energy consumption, and complying with the
Clean Air Act. Alternative work arrangements also promise employees potential bene”ts: schedule #exibility, higher
personal productivity, less commuting time and fewer expenses, and increased geographic #exibility.
• Disadvantages of remote work include increased stress from trying to maintain work–life balance; dif”culties in
planning, communicating, and evaluating performance; feelings of isolation among employees; easier displacement of
employees by offshoring; and limitations of jobs and employees in its application.
• Virtual teams can be de”ned as two or more people who (1) work together interdependently with mutual account-
ability for achieving common goals, (2) do not work in either the same place and/or at the same time, and (3) must use
electronic communication technology to communicate, coordinate their activities, and complete their team’s tasks. They
are an increasingly common organizational phenomenon and must be managed differently than more traditional teams.
• Managers of remote workers and virtual teams must focus on overcoming the challenges of communication, technology,
and diversity of team members.
• To gain acceptance of a new technology, potential users must exhibit a favorable attitude toward the technology. In the
case of information systems, the users’ beliefs about its perceived usefulness and perceived ease of use color their atti-
tudes about the system. Kotter provides some suggested steps for change management that are related to Lewin’s three
stages of change: unfreezing, change, and refreezing.
c04.indd 96 11/26/2015 7:16:46 PM
97Case Study
D I S C U S S I O N Q U E S T I O N S
1. Why might an employee resist the implementation of a new technology? What are some of the possible consequences of
asking an employee to use a computer or similar device in his or her job?
2. How can IT alter an individual ’ s work? How can a manager ensure that the impact is positive rather than negative?
3. What current technologies do you predict will show the most impact on the way work is done? Why?
4. Given the growth in telecommuting and other mobile work arrangements, how might offices physically change in the com-
ing years? Will offices as we think of them today exist by 2030? Why or why not?
5. How is working at an online retailer different from working at a brick‐and‐mortar retailer? What types of jobs are necessary
at each? What skills are important?
6. Paul Saffo, former director of the Institute for the Future, noted, “Telecommuting is a reality for many today, and will con-
tinue to be more so in the future. But beware, this doesn ’ t mean we will travel less. In fact, the more one uses electronics,
the more they are likely to travel.” 39 Do you agree with this statement? Why or why not?
7. The explosion of information‐driven self‐serve options in the consumer world is evident at the gas station where customers
pay, pump gas, and purchase a car wash without ever seeing an employee; in the retail store such as Walmart, Home Depot,
and the local grocery where self‐service checkout stands mean that customers can purchase a basket of items without ever
speaking to a sales agent; at the airport where customers make reservations and pay for and print tickets without the help of
an agent; and at the bank, where ATMs have long replaced tellers for most transactions. But a backlash is coming, experts
predict. Some say that people are more isolated than they used to be in the days of face‐to‐face service, and they question
how much time people are really saving if they have to continually learn new processes, operate new machines, and over-
come new glitches. Labor‐saving technologies were supposed to liberate people from mundane tasks, but it appears that
these technologies are actually shifting some tasks to the customer. On the other hand, many people like the convenience of
using these self‐service systems, especially because it means customers can visit a bank for cash or order books or gifts from
an online retailer 24 hours a day. Does this mean the end of “doing business the old‐fashioned way”? Will this put a burden
on the elderly or the poor when corporations begin charging for face‐to‐face services? 40
K E Y T E R M S
behavior controls (p. 84)
mobile workers (p. 86)
offshoring (p. 90)
outcome controls (p. 84)
personnel controls (p. 84)
remote workers (p. 86)
telecommuting (p. 86)
virtual teams (p. 87)
39 “Online Forum: Companies of the Future,” http://www.msnbc.com/news/738363.asp (accessed June 11, 2002).
40 Stevenson Swanson , “ Are Self‐Serve Options a Disservice? ” Chicago Tribune (May 8, 2005 ), Section H, 1d .
Martin Andersen is responsible for 143 of Trash and Waste Pickup Services, Inc. ’ s (TWPS ’ s) garbage trucks. TWPS is a
commercial and household trash hauler. When a caller recently complained to Andersen that a brown and green Trash and
Waste Pickup Services truck was speeding down Farm Route 2244, Andersen turned to the company ’ s information system.
He learned that the driver of a company front‐loader had been on that very road at 7:22 a.m., doing 51 miles per hour (mph)
in a 35 mph zone. The driver of that truck was in trouble!
The TWPS information system uses a global positioning system (GPS) not only to smooth its operations but also to
keep closer track of its employees, who may not always be doing what they are supposed to be doing during work hours.
Andersen pointed out, “If you ’ re not out there babysitting them, you don ’ t know how long it takes to do the route. The guy
could be driving around the world, he could be at his girlfriend ’ s house.”
■ CASE STUDY 4‐1 Trash and Waste Pickup Services, Inc.
c04.indd 97 11/26/2015 7:16:46 PM
http://www.msnbc.com/news/738363.asp
98 Digital Systems and the Design of Work
IBM ’ s award‐winning developerWorks site was established in 2000 as a technical resource repository for the company ’ s
global development community. Designed to share knowledge and skills related to IBM products and other key technol-
ogies, it has been a solid success. The site attracts about 4 million unique visitors a month—including students, profes-
sionals, and developers from almost all the world ’ s countries—who search its library of 30,000 articles, demos, podcasts,
and tutorials. developerWorks is available in eight languages, including Russian, Chinese, and Spanish, and about 70% of
its visitors come from outside IBM.
My developerWorks, a social networking function, was added to the repository platform in 2009 to allow developers to
connect, communicate, and collaborate on projects. Soon the network had added more than 600,000 user pro” les as well as
numerous blogs and forums. In addition to allowing established business, start‐ups, and partners to collaborate, it has also
helped users ” nd answers to support questions that would otherwise go to IBM ’ s call centers and help desks, thus saving
the company an estimated $100 million.
Alice Chou, Director of IBM developerWorks, carefully monitored the number of My developerWorks pro” les and the
volume of traf” c to the site. She looked at unique visitors, developer demographics, time spent on the site, and patterns of
page views. She created a reward and recognition framework so that when users contributed a highly regarded article or
blogpost to the site, “they got the kudos they deserve.”
Discussion Questions
1. How might My developerWorks leverage changes in the way people work?
2. Why do you think Alice Chou carefully monitors the My developerWorks site? What would be an example of an insight
she would gain from the data she ’ s collecting?
3. Why do you think Alice Chou thinks a rewards program is necessary for My developerWorks because so many profiles
have already been developed. Do you agree that a reward would be necessary?
Sources: IBM, www.ibm.com/developerworks (accessed April 17, 2012); Ellen Traudt and Richard Vancil , “ Becoming a Social Business: The
IBM Story ,” IDC White Paper #226706 (January 2011), 1–14 (quote on p. 6, developerWorks at http://www.ibm.com/developerworks/) .
■ CASE STUDY 4‐2 Social Networking: How Does IBM Do It?
Before TWPS installed the GPS system, the drivers of his 37 front‐loaders clocked in approximately 250 hours a week
of overtime at one and a half times pay. Once TWPS started monitoring the time they spent in the yard before and after
completing their routes and the time and location of stops that they made, the number of overtime hours plummeted to 70
per week. This translated to substantial savings for a company whose drivers earn about $20 an hour.
TWPS also installed GPS receivers in salesmen ’ s cars. Andersen was not surprised to learn that some of the company ’ s
salespeople frequented The Zone, a local bar, around 4 p.m . when they were supposed to be calling on customers. Andersen
decided to set digital boundaries around the bar.
Understandably, the drivers and salespeople aren ’ t entirely happy with the new GPS‐based system. Ron Simon, a TWPS
driver, admits: “It ’ s kind of like Big Brother is watching a little bit. But it ’ s where we ’ re heading in this society. . . . I get testy
in the deli when I ’ m waiting in line for coffee, because it ’ s like, hey, they ’ re (managers) watching. I ’ ve got to go.”
Andersen counters that employers have a right to know what their employees are up to: “If you come to work here, and
I pay you and you ’ re driving one of my vehicles, I should have the right to know what you ’ re doing.”
Discussion Questions
1. What are the positive and negative aspects of Andersen ’ s use of the GPS‐based system to monitor his drivers and sales-
people?
2. What advice do you have for Andersen about the use of the system for supervising, evaluating, and compensating his
drivers and salespeople?
3. As more and more companies turn to IS to help them monitor their employees, what do you anticipate the impact will
be on employee privacy? Can anything be done to ensure employee privacy?
Source: This is a # ctitious case. Any resemblance to an actual company is purely coincidental.
c04.indd 98 11/26/2015 7:16:46 PM
http://www.ibm.com/developerworks
http://www.ibm.com/developerworks
99
5
chapter
1 Adapted from S. Balaji , C. Ranganathan , and T. Coleman , “ IT‐Led Process Reengineering: How Sloan Valve Redesigned Its New
Product Development Process ,” MIS Quarterly Executive 10 , no. 2 ( June 2011 ), 81 – 92 .
Transformation requires discontinuous thinking—recognizing and shedding outdated rules
and fundamental assumptions that underlie operations. Business processes, the cross‐
functional sets of activities that turn inputs into outputs, are at the heart of how businesses
operate and how transformation takes place. This chapter discusses business processes
and the systems that support them. The chapter begins with a discussion of a functional (silo)
versus a process perspective of a # rm, including agile and dynamic business processes.
The chapter then focuses on the way managers change business processes, including
incremental and radical approaches. Information systems ( IS ) including work$ ow and
business process management systems and enterprise systems that support and automate
business processes follow. The chapter concludes by examining when IS drive business
transformations and the complexities that arise when companies integrate systems.
Information Systems and
Business Transformation
Business strategy at Sloan Valve Company , 1 a family‐owned global manufacturer of plumbing prod-
ucts, had executives launching a range of new products every year. The new product development
(NPD) process was both core and strategic for Sloan , but it was also complex and slow; over
16 functional units were involved, and it often took 18–24 months to bring a new product to
market. Sloan Valve ’ s process of initiating and screening new product ideas was broken. More
than 50% of the ideas that began the process didn ’ t make it through, resulting in wasted resources.
Further, no one was accountable for the process, making it dif” cult to get a handle on process
management and improvement. Information # ow was blocked in part because of the structure of
the organization.
Management initially invested in an enterprise system to automate the company ’ s internal
processes, believing that IS would provide a common language, database, and platform. Despite
successful implementation, the communication and coordination problems continued. Further, the
new system did not provide an NPD process. Upon deeper analysis by a new CIO brought in to “” x
things,” management realized that the enterprise system was working ” ne, but the underlying pro-
cess was broken. Top management decided to redesign the NPD process.
The NPD process redesign team was led by an IT manager with considerable process experience
and involved members from manufacturing, engineering, IT, ” nance, marketing, operations, and
quality assurance. The director of design engineering was made process owner to provide oversight
for all changes. The team spent nine months assessing the current way of working and proposed a
new end‐to‐end NPD process. The reengineered NPD process included six subprocesses: ideation,
business case development, project portfolio management, product development, product and pro-
cess validation, and launch. The underlying information system was the enterprise system upgraded
to include newer modules, which supported product life cycle management.
c05.indd 99 11/26/2015 6:25:53 PM
100 Information Systems and Business Transformation
The quality, timing, and output of NPD greatly improved. The new NPD process reduced time‐to‐market to less
than 12 months. New product ideas that were unlikely to work were “ltered out early, eliminating problems of wast-
ing resources. Synthesis of product and process information improved. Customer feedback was easier to access.
And accountability increased, smoothing out responsibilities and work#ow.
Not all IS enterprise system implementations are as successful as that at Sloan Valve. There are hundreds of
stories of companies that ran into signi”cant problems when automating and transforming their business processes,
especially when an information system is at the heart of the change. Overstock.com’s order tracking system failed
for a full week when it rolled out a new enterprise system. By rushing to implement the new system, a glitch put
the enterprise system out of sync with the accounting system, causing the company to have to restate more than “ve
years of earnings, which showed lower revenue and higher losses. Clothing manufacturer Levi Strauss had simi-
lar problems with its new enterprise system, causing shipping errors and issues with its “nancial control systems.
The latter was blamed for the company’s 98% decrease in net income for the second quarter in 2008. Avis Europe
attempted to implement an enterprise system, but project delays and cost overruns caused the company to cancel
the project and write off £28 million on its books. With so much at risk, general managers must be informed and
involved in these types of complex information systems that change business processes.2
IS can enable or impede business change. The right design coupled with the right technology can result in
changes such as those experienced by Sloan Valve. The wrong business process design or the wrong technology,
however, can force a company into operational, and sometimes “nancial, crisis as the Overstock.com, Levi Strauss,
and Avis Europe examples show.
To a manager in today’s business environment, an understanding of how IS enable business change is essential.
The terms management and change management are used almost synonymously in today’s business vocabulary:
To manage effectively means to manage change effectively. As IS become ever more prevalent and more power-
ful, the speed and magnitude of the changes that organizations must address to remain competitive continue to
increase. To be a successful manager, one must understand how IS enable change in a business; one must gain
a process perspective of business and must understand how to transform business processes effectively. This
chapter provides managers a view of business process change. It provides tools for analyzing how a company
currently does business and for thinking about how to effectively manage the inevitable changes that result from
competition and the availability of IS. This chapter also describes an IT‐based solution commonly known as
enterprise IS.
A brief word to the reader is needed. The term process is used extensively in this chapter. In some instances, it
is used to refer to the steps taken to change aspects of the business. At other times, it is used to refer to the part of
the business to be changed: the business process. The reader should be sensitive to the potentially confusing use of
the term process.
Silo Perspective versus Business Process Perspective
When effectively linked with improvements to business processes, advances in IS enable changes that make it pos-
sible to do business in a new way, one that is better and more competitive than before. On the other hand, IS can
also inhibit change, which occurs when managers fail to adapt business processes because they rely on in#exible
systems to support those processes. Finally, IS can also drive change for better or for worse. Examples abound of
industries that were fundamentally changed by advances in IS and of companies whose success or failure depended
on the ability of their managers to adapt. This chapter considers IS as an enabler of business transformation, a
partner in transforming business processes to achieve competitive advantages. We begin by comparing a process
view of the “rm with a functional view.
Transformation requires discontinuous thinking—recognizing and shedding outdated rules and fundamental
assumptions that underlie operations. “Unless we change these rules, we are merely rearranging the deck chairs
on the Titanic. We cannot achieve breakthroughs in performance by cutting fat or automating existing processes.
2 Adapted from http://www.baselinemag.com/c/a/ERP/Five‐ERP‐Disasters‐Explained‐878312/ (accessed February 24, 2012).
c05.indd 100 11/26/2015 6:25:53 PM
http://www.baselinemag.com/c/a/ERP/Five%E2%80%90ERP%E2%80%90Disasters%E2%80%90Explained%E2%80%90878312
101Silo Perspective versus Business Process Perspective
Rather, we must challenge old assumptions and shed the old rules that made the business under perform in the
“rst place.”3
Functional (Silo) Perspective
Many think of business by imagining a hierarchical structure (described in Chapter 3) organized around a set of
functions. Looking at a traditional organization chart allows an understanding of what the business does to achieve
its goals. A typical hierarchical structure, organized by function, results in disconnected silos that might look like
the one in Figure 5.1.
When an organization has silos, departments are organized on the basis of their core competencies. Specialized
silos allow them to focus on what they do best. For example, the operations department focuses on operations, the
marketing department focuses on marketing, and so on. Each major function within the organization usually forms
a separate department to ensure that work is done by groups of experts in that function. This functional structure
is widespread in today’s organizations and is reinforced by business education curricula, which generally follow
functional structures, that is, students take courses in functions (i.e., marketing, management, accounting) and
major in functions and then are predisposed to think in terms of these same functions.
Even when companies use the perspective of the value chain model (as discussed in Chapter 2), they still focus on
functions that deliver their portion of the process and “throwing it over the wall” to the next group on the value chain.
These silos become self‐contained functional units, which can be useful for several reasons. First, they allow an orga-
nization to optimize expertise and training. For example, all the marketing people can belong to the same department,
allowing them to informally network and learn from each other. Second, the silos allow the organization to avoid
redundancy in expertise by hiring one person who can be assigned to projects across functions on an as‐needed basis
instead of hiring an expert in each function. Third, with a silo organization, it is easier to benchmark outside organi-
zations, utilize bodies of knowledge created for each function, and easily understand the role of each silo.
On the other hand, silo organizations can experience signi”cant suboptimization. First, individual departments
often recreate information maintained by other departments. Second, communication gaps between departments
are often wide. Third, handoffs between silos are often a source of problems, such as “nger‐pointing and lost
information. Finally, silos tend to lose sight of the objective of the overall organization and operate in a way that
maximizes their local goals. The last point is illustrated by a production department that pushes the concept of a
small number of product sizes or options while the marketing department urges management to consider a larger
variety or highly customized products. Such con#icts do arise in many organizations, and it can be dif”cult to nego-
tiate to “nd a solution that is best, overall, for the “rm.
A “rm’s work changes over time. In a functionally organized silo business, each group is primarily concerned
with its own set of objectives. The executive of”cers jointly seek to ensure that these functions work together to
create value, but the task of providing the “big picture” to so many functionally oriented personnel can prove
extremely challenging. As time passes and business circumstances change, new work is created that relies on more
than one of the old functional departments. Departments that took different directions must now work together.
They negotiate the terms of any new work processes with their own functional interests in mind, and the “big
Typical Hierarchical Organization Structure
Operations Marketing Accounting Finance Administration
Executive Offices
CEO
President
FIGURE 5.1 Hierarchical structure.
3 Michael Hammer, “Reengineering Work: Don’t Automate, Obliterate” Harvard Business Review 68, no. 4 (July–August 1990), 104–12.
c05.indd 101 11/26/2015 6:25:54 PM
102 Information Systems and Business Transformation
picture” optimum gets scrapped in favor of suboptimal compromises among the silos. These compromises then
become repeated processes; they become standard operating procedures.
Losing the big picture means losing business effectiveness. After all, a business’s main objective is to create as
much value as possible for its shareholders and other stakeholders by satisfying its customers to stimulate repeat
sales and positive word of mouth. When functional groups duplicate work, fail to communicate with one another, or
lose the big picture and establish suboptimal processes, the customers and stakeholders are not being well served.
Business Process Perspective
A manager can avoid such suboptimization—or begin to “”x” it—by managing from a business process perspec-
tive. A business process perspective, or more simply a process perspective, keeps the big picture in view and
allows the manager to concentrate on the work that must be done to ensure the optimal creation of value. A process
perspective helps the manager avoid or reduce duplicate work, facilitate cross‐functional communication, optimize
business processes, and ultimately, best serve the customers and stakeholders.
In business, a process is de”ned as an interrelated, sequential set of activities and tasks that turns inputs into
outputs and includes the following:
• A beginning and an end
• Inputs and outputs
• A set of tasks (subprocesses or activities) that transform the inputs into outputs
• A set of metrics for measuring effectiveness
Metrics are important because they focus managers on the critical dimensions of the process. Metrics for a
business process are things like throughput, which is how many outputs can be produced per unit time, or cycle
time, which is how long it takes for an entire process to execute. Examples of process measures are the number of
handoffs in the process or actual work versus total cycle time. Other metrics are based on the outputs themselves,
such as customer satisfaction, revenue per output, pro”t per output, and quality of the output.
Examples of business processes include customer order ful”llment, manufacturing planning and execution,
payroll, “nancial reporting, and procurement. A procurement process might look like the sample in Figure 5.2.
The process has a beginning and an end, inputs (requirements for goods or services) and outputs (receipt of goods,
vendor payment), and subprocesses (“lling out a purchase order, verifying the invoice). Metrics of the success of
the process might include turnaround time and the number of paperwork errors.
The procurement process in Figure 5.2 cuts across the functional lines of a traditionally structured business.
For example, the requirements for goods might originate in the operations department based on guidelines from
the “nance department. Paperwork would likely #ow through the administration department, and the accounting
department would be responsible for paying the vendor.
Focusing on business processes ensures focusing on the business’s goals (the “big picture”) because each pro-
cess has an “endpoint” that is usually a deliverable to a customer, supplier, or other stakeholder. A business process
perspective recognizes that processes are often cross‐functional. In the diagram in Figure 5.3, the vertical bars
represent functional departments within a business. The horizontal bars represent processes that #ow across those
functional departments. A business process perspective requires an understanding that processes properly exist to
serve the larger goals of the business and that functional departments must work together to optimize processes in
regard to these goals.
Receive
Requirement
for Goods/
Services
Pay
Vendor
Verify
Invoice
Receive
Goods
Create and
Send
Purchase
Order
FIGURE 5.2 Sample procurement business process.
c05.indd 102 11/26/2015 6:25:54 PM
103Silo Perspective versus Business Process Perspective
For example, an order‐ful”llment process might include payment, order delivery, product implementation, and
after‐sales service tasks. This process would involve multiple functions, including operations, accounting, service,
and sales, making it a cross‐functional business process. The “sales order” would be the input for this process. A sat-
is”ed customer might be the output, and a number of metrics, such as a survey of the customer’s satisfaction, time to
complete the order ful”llment process, number of defects (or other quality measure), can be used to measure success.
When managers take a business process perspective, they are able to optimize the value that customers and
stakeholders receive by managing the #ow as well as the tasks. They begin to manage processes by:
• Identifying the customers of processes (who receives the output of the process?)
• Identifying these customers’ requirements (what are the criteria for successful implementation of the process?)
• Clarifying the value that each process adds to the overall goals of the organization
• Sharing their perspective with other organizational members until the organization itself becomes more pro-
cess focused
The differences between the silo and business process perspectives are summarized in Figure 5.4. A silo
perspective refers to self‐contained functional units such as marketing, operations, “nance, and so on. Unlike a
Functions
Sample
Business
Processes
Purchasing
Customer Support
O
P
E
R
A
T
I
O
N
S
M
A
R
K
E
T
I
N
G
A
C
C
O
U
N
T
I
N
G
F
I
N
A
N
C
E
A
D
M
I
N
I
S
T
R
A
T
I
O
N
FIGURE 5.3 Cross‐functional nature of business processes.
FIGURE 5.4 Comparison of silo perspective and business process perspective.
Silo Perspective Business Process Perspective
De#nition Self‐contained functional units such as
marketing, operations, #nance, and so on
Interrelated, sequential set of
activities and tasks that turns inputs into
outputs
Focus Function Cross‐function
Goal Accomplishment Goals optimized for the function, which
may be suboptimal for the organization
Goals optimized for the organization, or
the “big picture”
Bene#ts Core competencies highlighted and
developed; functional ef#ciencies
Avoidance of work duplication and
cross‐functional communication gaps;
organizational effectiveness
Problems Redundancy of information
throughout the organization;
cross‐functional inef#ciencies;
communication dif#culties
Dif#culty in #nding staff who can be
knowledgeable generalists; need for
sophisticated software
c05.indd 103 11/26/2015 6:25:54 PM
104 Information Systems and Business Transformation
silo perspective, a business process perspective recognizes that businesses operate as a set of processes that #ow
across functional departments. The business process perspective enables a manger to analyze the processes of the
business in regard to its larger goals in comparison to the functional orientation of the silo perspective. Finally, it
provides a manager with insights into how those processes might better serve these goals.
An example illustrates the problem. Using a silo perspective, a customer with a warranty issue would need to
explain a problem with a product to a customer service representative in the service department. If the problem is
technical, the call would be transferred to a technical support person (in a different department), and the customer
might need to explain the entire problem again. If the technical support representative determined that a part is
needed, the customer would be transferred to the sales department and would need to explain the issue yet another
time. Because the departments are not talking with one another, the customer might even need to provide proof of
purchase several times to avoid having to pay for a warranty problem.
In contrast, with a business process perspective, either one representative would work with the customer on all
problems or an enterprise system would enable the representative to transfer both the call and notes with the details
to any specialists who are needed along the way. Having one representative handle all problems is not always pos-
sible because it is often dif”cult to “nd staff able to handle an entire process for the same reasons that support the
functional hierarchical structure: People are normally trained in a function, such as marketing or accounting, not
in a process that requires many different skill sets. For example, individuals who excel at marketing may not also
possess the accounting skills needed to “x a billing problem.
Zara’s Cross‐Functional Business Processes
Consider Spanish clothing retailer Zara (introduced in Chapter 2). With over 1,600 stores in 78 countries around
the world and a well‐designed set of cross‐functional business processes, Zara often is able to design, produce, and
deliver a garment within 15 days. For this to happen, its managers must regularly create and rapidly replenish small
batches of goods all over the world. Zara’s organization, operational procedures, performance measures, and even
its of”ce layout are all designed to make information transfer easy.
Zara’s designers are colocated with the production team, including marketing, procurement, and production
planners. Prototypes are created nearby, facilitating easy discussion about the latest design. Large circular tables
in the middle of the production process encourage impromptu meetings where ideas are readily exchanged among
the designers, market specialists, and production planners. The speed and quality of the design process is greatly
enhanced by the colocation of the entire team because the designers can quickly check their ideas with others on
their cross‐functional teams. For example, the market specialists can quickly respond to designs in terms of the
style, color, and fabric whereas the procurement and production planners can update these specialists about manu-
facturing costs and available capacity.
Zara’s information technology provides a platform but does not preclude informal face‐to‐face conversations.
Retail store managers are linked to marketing specialists through customized handheld computers but sometimes
use the telephone to share order data, sales trends, and customer reactions to a new style. Zara’s cross‐functional
teams enable information sharing among everyone who “needs to know” and therefore creates the opportunity to
change directions quickly to respond to new market trends.
Building Agile and Dynamic Business Processes
To stay competitive and consistently meet changing customer demands, organizations build dynamic business
processes or agile business processes, processes that repeat through a constant renewal cycle of design, deliver,
evaluate, redesign, and so on. Agile business processes are designed to simplify redesign and recon”guration. They
are designed to be #exible and easily adaptable to changes in the business environment and can be incrementally
changed with little effort. Dynamic business processes, on the other hand, recon”gure themselves as they “learn”
and the business utilizes them.
c05.indd 104 11/26/2015 6:25:54 PM
105Changing Business Processes
To be agile or dynamic, a process necessitates a high degree of IT use. The more of the process that can be done
with software, the easier it is to change, and the more likely it can be designed to be agile or dynamic.
Examples of agile processes are often found in manufacturing operations, where production lines are recon”g-
ured regularly to accommodate new products and technologies. For example, automobile production lines produce
large numbers of vehicles, but very few are identical to the one made before or after it on the production line. Also,
vehicles are often built with space and wiring for options (such as a remote starter) that can be added by a dealer
quickly and with minimal labor. The design of the line is such that many changes in design, features, or options are
just incorporated into the assembly of the vehicle at hand.
Another common example is in software development. Agile software development methodologies underlie an
incremental and iterative development process that is often used to rapidly and collaboratively create working and
relevant software.
More recently, with the use of the Internet and social technologies, building agility into business processes is
increasingly common. Processes run entirely in the digital world. Some common examples are order management,
service/product provisioning, human resource support, and bill payment. The pervasiveness of the digital world has
necessitated rethinking many business processes; customers, employees, and other stakeholders expect to be able
to access processes on the Web and perform self‐service.
In fact, many processes have been designed as an app, as described in the Introduction. Consider smart phones
or tablets. Each app loaded on these devices is, in reality, an automated business process. And because it’s an app,
it’s relatively easy for the developer to upgrade, “x, and enhance. Apps are good examples of software that supports
agile processes.
An example of a dynamic process is a network with a changing #ow of data. The network could have sensors
built in to monitor the #ow, and when #ow is greater than the current network con”guration can handle, the net-
work automatically redistributes or requisitions more capacity to handle the additional data and recon”gures itself
to balance the #ow over the new channels. Another example, with a more physical con”guration, would be a call
center. Call center systems are designed to monitor the #ow of calls coming into a center and the time it takes for
agents to respond to them. These systems can automatically redistribute calls to or from other centers as volume
increases or decreases. The system might be suf”ciently sophisticated so that it can add additional agents to the
schedule or alert a supervisor of an increase and route calls to standby agents. Enabling the system to redistribute
incoming calls to respond to changes in the center is an important capability.
Dynamic IT applications, a component of software de”ned architecture, described more fully in Chapter 6,
are required for dynamic business processes. When the underlying IT is not designed with this goal in mind,
the business process itself cannot adapt as necessary to changing requirements of the business environment. The
bene”ts of agile and dynamic business processes are operational ef”ciency gained by the ease of incrementally
improving the process as necessary and the ability to create game‐changing innovative processes more quickly.
Sloan Valve’s NPD process is another example of a more #exible approach. Previously steeped in the old way of
doing things, and tied to legacy information systems, the redesigned NPD process was faster and enabled detection
of and reaction to customer feedback, process problems, and team misalignments.
Changing Business Processes
Sloan Valve decided to do a complete redesign of its NPD process. After trying to incrementally change it with a
new IS, and minor changes to the process, managers realized that a complete transformation was necessary.
Transforming a business today means redesigning business processes. Two techniques used to transform a static
business process are: (1) radical process redesign, which is sometimes called business process reengineering
(BPR) or simply reengineering and (2) incremental, continuous process improvement, which includes total quality
management (TQM) and Six Sigma. Radical and incremental improvement concepts are important; they continue
to be different tools a manager can use to effect change in the way his or her organization does business. The basis
of both approaches is viewing the business as a set of business processes rather than using a silo perspective.
c05.indd 105 11/26/2015 6:25:54 PM
106 Information Systems and Business Transformation
Incremental Change
At one end of the continuum, managers use incremental change approaches to improve business processes through
small, incremental changes. This improvement process generally involves the following activities:
• Choosing a business process to improve
• Choosing a metric by which to measure the business process
• Enabling personnel to “nd ways to improve the business process based on the metric
Personnel often react favorably to incremental change because it gives them control and ownership of improve-
ments and, therefore, renders change less threatening. The improvements grow from their grassroots efforts. TQM
is one such approach that incorporates methods of continuous process improvement. At the core of the TQM
method is W. Edwards Deming’s “14 Points,” or key principles to transform business processes. The principles
outline a set of activities for increasing quality and improving productivity.4 TQM has lost some of its luster in the
United States, but it continues to be very popular in Europe and Asia.
Six Sigma is an incremental and data‐driven quality management approach for eliminating defects from
a process. The term six sigma comes from the idea that if the quality of all output from a process were to be
mapped on a bell‐shaped curve, the tail of the curve, six sigma (standard deviations) from the mean, would
represent less than 3.4 defects per million. Such a low rate of defects would be close to perfect. The Six Sigma
methodology is carried out by experts known as Green Belts and more experienced experts known as Black
Belts, who have taken special Six Sigma training and worked on numerous Six Sigma projects. Motorola was
one of the “rst companies in the United States to use Six Sigma, but GE made the method a part of its business
culture driving signi”cant and continuous improvement throughout the corporation. The GE Web site states “Six
Sigma is a highly disciplined process that helps us focus on developing and delivering near‐perfect products
and services.”5
Radical Change
Incremental change approaches work well for tweaking existing processes. However, they tend to be less effec-
tive for addressing cross‐functional processes. Major changes usually associated with cross‐functional processes
require a different type of management tool. At the other end of the change continuum, radical change enables
the organization to attain aggressive improvement goals (again, as de”ned by a set of metrics). The goal of rad-
ical change is to make a rapid, breakthrough impact on key metrics. Some businesses even have made radical
process recon”guration a core competency so that they can better serve customers whose demands are constantly
changing.
Sloan Valve is an example of a company that set aggressive improvement goals and reached them with a rad-
ical change approach. The company set out to dramatically improve new products’ time to market and was able to
reduce it from 18–24 months to 12 months.
The difference in the incremental and radical approaches over time is illustrated by the graph in Figure 5.5. The
vertical axis measures, in one sense, how well a business process meets its goals. Improvements are made either
incrementally or radically. The horizontal axis measures time.
Not surprisingly, radical change typically faces greater internal resistance than does incremental change. There-
fore, radical change processes should be carefully planned and used only when major change is needed in a short
time. Some examples of situations requiring radical change are when the company is in trouble, when it imminently
4 For more information about TQM and Deming’s 14 Point approach to quality management, see the ASQ (Formerly known as the American Society
for Quality), a global community of experts on quality and the administrators of the Malcolm Baldrige National Quality Award program, http://asq.org/
learn‐about‐quality/total‐quality‐management/overview/overview.html (accessed August 26, 2015).
5 http://www.ge.com/en/company/companyinfo/quality/whatis.htm (accessed August 27, 2015).
c05.indd 106 11/26/2015 6:25:54 PM
http://asq.org/learn%E2%80%90about%E2%80%90quality/total%E2%80%90quality%E2%80%90management/overview/overview.html
http://www.ge.com/en/company/companyinfo/quality/whatis.htm
107Work#ow and Mapping Processes
faces a major change in the operating environment, or when it must change signi”cantly to outpace its competition.
Key aspects of radical change approaches include the following:
• Need for major change in a short amount of time
• Thinking from a cross‐functional process perspective
• Challenge to old assumptions
• Networked (cross‐functional) organization
• Empowerment of individuals in the process
• Measurement of success via metrics tied directly to business goals and the effectiveness of new processes
(e.g., production cost, cycle time, scrap and rework rates, customer satisfaction, revenues, and quality)
Work#ow and Mapping Processes
Work”ow in its most basic meaning is the series of connected tasks and activities performed by people and com-
puters that together form a business process. Consideration of work#ow is a way to assess a cross‐functional
process. But the term work#ow has come also to mean software products that document and automate processes.
Work#ow software facilitates the design of business processes and creates a digital work#ow diagram. work#ow
software lets the manager diagram answers to questions such as how a process will work, who will do what, what
the information system will do, and what decisions will be made and by whom. When combined with business pro-
cess management modules, processes can be managed, monitored, and modi”ed.
The tool used to understand a business process is a work”ow diagram, which shows a picture, or map, of the
sequence and detail of each process step. More than 200 products are available for helping managers diagram the
work#ow. The objective of process mapping is to understand and communicate the dimensions of the current pro-
cess. Typically, process engineers begin the process mapping procedure by de”ning the scope, mission, and bound-
aries of the business process. Next, engineers develop a high‐level overview #owchart of the process and a detailed
#ow diagram of everything that happens in the process. The diagram uses active verbs to describe activities and
identi”es all process actors, inputs, and outputs. The engineers verify the detailed diagram for accuracy with the
actors in the process and adjust it accordingly.
Business Process Management (BPM)
Thinking about the business as a set of processes has become more common, but managing the business as a set of
processes is another story. Some claim that to have truly dynamic or agile business processes requires a well‐de”ned
80
Ra
dic
al60
Time
P
er
ce
nt
Im
pr
ov
em
en
t
Incremental40
20
0
FIGURE 5.5 Comparison of radical and incremental improvement.
c05.indd 107 11/26/2015 6:25:54 PM
108 Information Systems and Business Transformation
and optimized set of IT processes, tools, and skills called business process management (BPM). In the 1990s,
a class of systems to help manage work#ows in the business emerged. The systems primarily helped track docu-
ment‐based processes where people executed the steps of the work#ow. BPM systems go way beyond document
management capabilities and include features that manage person‐to‐person process steps, system‐to‐system steps,
and those processes that include a combination of them. Systems include process modeling, simulation, code gener-
ation, process execution, monitoring, and integration capabilities for both company‐based and Web‐based systems.
The tools allow an organization to actively manage and improve its processes from beginning to end.
Enterprise Rent‐a‐Car, one of the largest car rental companies in the world with 7,000 locations and more than
65,000 employees worldwide, used BPM to model, manage, and streamline its IT‐based processes. It used BPM to
build Request Online, the system through which employees requested laptops, software and applications, system
access, reports, and other services available from the IS department. The prior system was mostly manual, not
scalable as volume increased, and not automatable. Not surprisingly, it was dif”cult to make improvements to that
system. Using a BPM system, the IT staff developed a model that copied the way service requests were already
handled so the experience would be familiar and added features slowly to enhance the experience. The result was a
BPM‐based system that provided better management capabilities and created a common platform for rapid change
and capacity for future growth. That proved critical when Enterprise acquired National Car Rental and Alamo Rent
A Car, creating much more demand for Request Online. Enterprise was able to shift development to less costly
IT staff who could make process modi”cations directly through the BPM. Finally, the usability of the system was
increased as the BPM facilitated the creation of customized interfaces based on characteristics of the speci”c users.6
BPM systems provide a way to build, execute, and monitor automated processes that may go across organiza-
tional boundaries. Some of the functionality of a BPM may be found in enterprise applications such as enterprise
resource planning (ERP), customer relationship management (CRM), and “nancial software because these systems
also manage processes within a corporation. But BPM systems go outside a speci”c application to help companies
manage across processes. Some BPM systems manage front of”ce applications that are often person‐to‐person
processes such as sales or ordering. These processes are people centric and incorporate social IT. Other BPM sys-
tems support back‐of”ce processes that often are more system‐to‐system oriented and possibly extend outside the
corporation to include Web‐based components. See Figure 5.6 for a representative illustration of the components
of a BPM system.
Enterprise’s Request Online used a BPM system by Appian, which includes components to help a company
design, manage, and optimize core business processes. Appian offers sophisticated features that combine social
Social ITProcess
P
ro
ce
ss
E
ng
in
e
B
us
in
es
s
R
ul
es
E
ve
nt
s
A
na
ly
tic
s
A
ct
iv
ity
M
on
ito
ri
ng
In
te
gr
at
io
n
C
on
te
nt
P
or
ta
l
C
ol
la
bo
ra
tio
n
Data
Web/Mobile/Cloud/Internal Data Center
Business Process Management (BPM) Platform
FIGURE 5.6 Sample BPM architecture.
Source: Adapted from www.appian.com (accessed May 1, 2012).
6 Adapted from http://www.appian.com/about/news‐item/enterprise‐rent‐car‐goes‐live‐appian‐enterprise/ (accessed August 27, 2015).
c05.indd 108 11/26/2015 6:25:55 PM
http://www.appian.com
http://www.appian.com/about/news%E2%80%90item/enterprise%E2%80%90rent%E2%80%90car%E2%80%90goes%E2%80%90live%E2%80%90appian%E2%80%90enterprise
109Work# ow and Mapping Processes
IT capabilities with process modeling, content management, data management, and integration with existing
enterprise systems. Microsoft ’ s SharePoint, one of the most popular collaboration environments, can be managed
through Appian ’ s suite, creating a one‐stop‐shop for managing business processes in an enterprise.
Two other common vendors for BPM are IBM and SoftwareAG ’ s ARIS, which stands for architecture of
integrated information systems. ARIS has also come to mean an entire modeling approach. ARIS structures four
views of the enterprise, including an organizational view, a data view, a functional view, and a control view.
Using ARIS, managers can model the business, including its processes, using a common language and set of
procedures.
Integration versus Standardization
Processes are the ways organizations deliver goods and services to customers. Designing, building, and execut-
ing processes is one of the roles of management. Dr. Jeanne Ross, Principal Research Scientist at MIT ’ s Center for
Information Research, suggested that the level of integration and standardization of business processes, another
management decision, determines the role of IS. Ross pointed out that “Companies make two important choices
in the design of their operations: (1) how standardized their business processes should be across operational
units (business units, region, function, market segment) and (2) how integrated their business processes should
be across those units.” The resulting model de# nes important IT and business capabilities (see the following # g-
ure). The level of process integration and standardization de# nes the necessary IS capabilities and ultimately the
investment the # rm will need to make in IS.
Process Integration versus Standardization
Business Process Standardization
Bu
si
ne
ss
P
ro
ce
ss
In
te
g
ra
tio
n
Low High
High The business is focused on process integration,
usually creating a single face to customers and
suppliers but does not usually impose process
standards on operating units.
The business has a centralized design with high
needs for reliability, predictability, and sharing
data across business units, creating a single view
of the process.
Low The business has a decentralized design with
which business units make local decisions on
processes to meet customer needs.
The business is focused on process standardiza-
tion in which tasks are done the same way with
the same systems across business units, but the
business units have little need to interact.
CEMEX , the multinational cement company based in Monterrey, Mexico, built a business high in process stan-
dardization and low in process integration. CEMEX standardized on eight information systems‐based business
processes to cover logistics, manufacturing, accounting, planning, operations, procurement, # nance, and HR. Each
operating unit uses the same processes and creates similar data, but each runs autonomously, rarely sharing data.
This approach provides a competitive advantage because it enables the company to grow quickly, easing the
assimilation of acquired companies.
Merrill Lynch ’ s Global Private Client business with high integration and low standardization provides a wide
range of # nancial services to clients across multiple channels such as # nancial advisory services, online services,
and help center support services. The key to the company ’ s success is integration across processes to provide
a single view of the customer, which can then be leveraged when new products and services are announced. At
the same time, the company does not expect standardization across processes; each operating unit can create
what it needs as long as it uses a standardized technology platform that supports the integrated design. That is,
the separate systems need to coordinate the various information resources among themselves.
Source: J. Ross , “ Forget Strategy: Focus IT on Your Operating Model ,” MIT Center for Information Research, Research Briefing
(December 2005 ), V(3C), http://cisr.mit.edu/blog/documents/2005/12/09/2005_12_3c_operatingmodels / (accessed May 23, 2015) .
c05.indd 109 11/26/2015 6:25:55 PM
http://cisr.mit.edu/blog/documents/2005/12/09/2005_12_3c_operatingmodels
110 Information Systems and Business Transformation
Enterprise Systems
Information technology is a critical component of almost every business process today because information #ow
is at its core. A class of IT applications called enterprise systems is a set of information systems tools that
many organizations use to enable this information #ow within and between processes across the organization.
These tools help ensure integration and coordination across functions such as accounting, production, customer
management, and supplier management. Some are designed to support a particular industry such as health care,
retail, and manufacturing.
Computer systems in the 1960s and early 1970s were typically designed around a speci”c application. These
early systems were often not connected with each other and often had their own version of data. One of the authors
moved to another home in 1980 and visited the bank to change his address. He had to “ll out a separate form for
his checking and savings account. It was lucky that the post of”ce forwarded mail for a year after the move; four
months after moving, the bank sent a year‐end auto loan summary document via his old address, requiring another
update of the address, and nearly a year later, the bank sent his safe deposit box renewal form via his old address
too, requiring yet another update. It was obvious that each system contained its own copy of redundant data and
existed in its own silo.
Organizational computing groups faced the challenge of linking and maintaining the patchwork of loosely over-
lapping, redundant systems. In the 1980s and 1990s, software companies in a number of countries, including the
United States, Germany, and the Netherlands, began developing integrated software packages that used a common
database and cut across organizational systems. Some of these packages were developed from administrative sys-
tems (e.g., “nance and human resources), and others evolved from materials resource planning (MRP) in manu-
facturing. These comprehensive software packages that incorporate all modules needed to run the operations of
a business are called enterprise information systems (EIS) or simply enterprise systems. Enterprise systems
include ERP, supply chain management (SCM), CRM, and product life cycle management (PLM) systems (see
Figure 5.7). Some companies develop proprietary enterprise systems to support mission‐critical processes when
they believe these processes give them an advantage and using a vendor‐supplied system would jeopardize that
advantage. Other enterprise systems may be developed speci”cally to integrate organizational processes. Figure 5.8
describes some examples of the processes supported by an enterprise system.
Two of the largest vendors of enterprise systems are German‐based SAP and California‐based Oracle. Initially,
SAP de”ned the ERP software space, and Oracle had the database system supporting it. But more recently, SAP
has moved to its own database system, and Oracle has acquired many other smaller vendors, creating their own
suite of enterprise software solutions.
Sloan Valve, the case introduced at the beginning of this chapter, used SAP. Initially, Sloan implemented the
ERP module, but as the design emerged for the NPD process, the PLM module was key. It enabled the process
owner to keep track of targets, look at ef”ciencies in the process, and understand process problems. It also helped
track and allocate resources for each new product idea and enabled coordination between all the cross‐functional
team members.
Enterprise Resource Planning (ERP)
Enterprise resource planning (ERP) was designed to help large companies manage the fragmentation of
information stored in hundreds of individual desktop, department, and business unit computers across the organi-
zation. These modules offered the IS department in many large organizations an option for switching from under-
performing, obsolete mainframe systems to client‐server environments designed to handle the changing business
demands of their operational counterparts. Many “rms moved from their troubled systems in the late 1990s to avoid
the year 2000 (Y2K) problem7 and to standardize processes across their businesses.
7 The Y2K problem was of great concern in the 1990s because many old systems used two digits instead of four digits to represent the year, making it
impossible to distinguish between years such as 2000 and 1900.
c05.indd 110 11/26/2015 6:25:55 PM
111Enterprise Systems
FIGURE 5.8 Enterprise systems and examples of processes they support.
Enterprise System Sample Processes
Enterprise resource
planning (ERP)
Financial management (accounting, #nancial close, invoice to pay process, receivable
management); human capital management (talent management, payrolls, succession
planning); operations management (procurement, logistics, requisition invoice payment,
parts inventory)
Customer relationship
management (CRM)
Marketing (brand management, campaign management); lead management; loyalty
program management; sales planning and forecasting; territory and account management;
customer service and support (claims, returns, warranties)
Supply chain
management (SCM)
Supply chain design; order ful#llment; warehouse management; demand planning,
forecasting; sales and operations planning; service parts planning; source‐to‐pay/
procurement process; supplier life cycle management; supply contract management
Product life cycle
management (PLM)
Innovation management (strategy and planning, idea capture and management, program/
project management); product development and management; product compliance
management
Implements functions of order
placement, order scheduling,
shipping and invoicing. Maximise cost savings with support
for the end-to-end procurement and
logistics processes.
Helps in planning and optimising
the manufacturing capacity and
material resources. It is evolved
from the MRP.
Control warehouse processes and
manage movements in the
warehouse and respond faster to
challenges and changes in
supply and demand.
Automate any financial operations
while ensuring regulatory compliance
and gaining real-time insight into overall
performance.
Maintain a complete employee
database and to optimally utilise of
all employees.
Aims to streamline and gain
greater control of the corporate
services.
Capture and maintain customer
relationships, facilitate the use of
customer experiences and evaluate
the knowledge management.
Analyse data and
convert to information. Focus on external strategies.
Efficiently and sustainably manage
the entire asset lifecycle, improve
asset usage and cut costs with
powerful analytics.
Customer services
(CRM)
Business Intelligence
Sales
Enterprise asset
management
e-Commerce
and others…
Procurement (SRM)
Production (PLM)
Distribution (SCM)
AccountingHuman Resource
Corporate performance
and governance
Traditional ERP modules ERP II modulesIII
I
I I
II
II
II
II
II
II
II
I
FIGURE 5.7 Enterprise systems and the processes they automate.
Source: Adapted from Shing Hin Yeung, http://commons.wikimedia.org/wiki/File:ERP_Modules (accessed August 27, 2015).
The next generation of enterprise system emerged: ERP II systems. Whereas an ERP makes company information
immediately available to all departments throughout the company, ERP II also makes company information
immediately available to external stakeholders, such as customers and partners. ERP II enables e‐business by inte-
grating business processes between an enterprise and its trading partners. More recently, a move to better manage
information systems using the cloud has again called into question the design of some business processes.
c05.indd 111 11/26/2015 6:25:55 PM
http://commons.wikimedia.org/wiki/File:ERP_Modules
112 Information Systems and Business Transformation
Today, ERP systems include all of the ERP II functionality plus social and collaboration features. A good example
is Chatter from Salesforce.com,8 which includes an activity stream interface (similar to Facebook) for employees
with easy connections to the “rm’s information in its ERP. SAP’s ERP solution includes SAP ERP Financials, SAP
ERP Human Capital Management, and SAP ERP Operations. Oracle’s ERP solution, EnterpriseOne, offers these
same functions. Both vendors have integrated their ERP solutions with their supply chain/logistics solutions, their
CRM solutions, and several other modules that make them a one‐stop shop for software that provides the backbone
of an enterprise.
Characteristics of ERP Systems
ERP systems have several characteristics:9
• Integration. ERP systems are designed to seamlessly integrate information #ows throughout the company.
ERP systems are con”gured by installing various modules, such as:
• Manufacturing (materials management, inventory, plant maintenance, production planning, routing,
shipping, purchasing, etc.)
• Accounting (general ledger, accounts payable, accounts receivable, cash management, forecasting, cost
accounting, pro”tability analysis, etc.)
• Human resources (employee data, position management, skills inventory, time accounting, payroll, travel
expenses, etc.)
• Sales (order entry, order management, delivery support, sales planning, pricing, etc.)
• Packages. ERP systems are usually commercial packages purchased from software vendors. Unlike many
packages, ERP systems usually require long‐term relationships with software vendors because the complex
systems must typically be modi”ed on a continuing basis to meet the organization’s needs.
• Best practices. ERP systems re#ect industry best (or at least “very good”) practices for generic business
processes. To implement them, businesses often have to change their processes in some way to accommo-
date the software.
• Some assembly required. The ERP system is software that needs to be integrated with the organization’s
hardware, operating systems, databases, and network. Further, ERP systems often need to be integrated with
proprietary legacy systems. It often requires that middleware (software used to connect processes running in
one or more computers across a network) or “bolt‐on” systems be used to make all the components opera-
tional. Vendor‐supplied ERP systems have a number of con”gurable components, too, which need to be set
up to best “t with the organization. Rarely does an organization use an ERP system directly “out of the box”
without con”guration.
• Evolving. ERP systems were designed “rst for mainframe systems, then for client‐server architectures, and
now for Web‐enabled or cloud‐based delivery.
Integrating ERP packages with other software in a “rm is often a major challenge. For example, integrating
internal ERP applications with supply chain management software seems to create issues. Making sure the link-
ages between the systems happen seamlessly is a challenge. One important problem in meeting this challenge is to
allow companies to be more #exible in sourcing from multiple (or alternative) suppliers while also increasing the
transparency in tightly coupled supply chains. A second problem is to integrate ERP’s transaction‐driven focus into
a “rm’s work#ow.10
8 See http://www.salesforce.com/chatter/overview/ (accessed August 27, 2015).
9 M. Lynne Markus and Cornelis Tanis, “The Enterprise System Experience—From Adoption to Success,” Framing the Domains of IT Management:
Projecting the Future Through the Past, ed. R. Zmud (Cincinnati, OH: Pinaflex Educational Resources, 2000), 176–79.
10 Amit Basu and Akhil Kumar, “Research Commentary: Workflow Management Issues in e‐Business,” Information Systems Research 13, no. 1 (March
2002), 1–14.
c05.indd 112 11/26/2015 6:25:55 PM
http://www.salesforce.com/chatter/overview
113Enterprise Systems
Managing Customer Relationships
A type of software package that is increasingly considered an enterprise system is customer relationship management
systems. Customer relationship management (CRM) is a set of software programs that supports management
activities performed to obtain, enhance relationships with, and retain customers. They include sales, support, and
service processes. Today, CRM has come to mean the enterprise systems that support these processes, and the term
is used interchangeably with the set of activities.
CRM processes create ways to learn more about customers ’ needs and behaviors with the objective of developing
stronger relationships. CRM systems consist of technological components as well as many pieces of information
about customers, sales, marketing effectiveness, responsiveness, and market trends. Optimized CRM processes and
systems can lead to better customer service, more ef” cient call centers, product cross‐selling, simpli” ed sales and
marketing efforts, more ef” cient sales transactions, and increased customer revenues. The goal of CRM is to pro-
vide more effective interaction with customers and bring together all information the company has on a customer.
The top‐selling CRM systems are from Salesforce.com, SAP, Oracle, and Microsoft Dynamics . 11 Oracle and
SAP have CRM systems that integrate with their other enterprise systems. Oracle ’ s CRM system includes mod-
ules for pricing, sales force automation, sales order management, support activities, customer self‐service, and
11 Louis Columbus , “ Gartner CRM Market Share Update: 41% Of CRM Systems Are SaaS‐based, Salesforce Dominating Market Growth ,” Forbes ,
May 6, 2014 , http://www.forbes.com/sites/louiscolumbus/2014/05/06/gartners‐crm‐market‐share‐update‐shows‐41‐of‐crm‐systems‐are‐saas‐based‐with‐
salesforce‐dominating‐market‐growth/ (accessed August 27, 2015) .
Geographic Lens: Global vs. Local ERPs
ERP systems are usually designed around best practices—but whose best practices? SAP and Oracle , the leading
vendors of ERP systems, have a Western bias. More speci# cally, best practices at the heart of their systems are
based upon business processes that are found in successful companies in Germany and North America. How-
ever, when these systems are transplanted into Asian companies, problematic “mis# ts” have been found to occur.
An example is the use of ERP systems designed for hospitals. Western health care models are decidedly dif-
ferent from those used in Singapore. In Western countries, insurance enables patients to pay a fraction of their
medical expenses themselves, and the government or private insurance covers the rest. Singapore has a com-
pletely different model. In Singapore, health care expenses are covered primarily by the individual. Government
subsidies and other community support is minimal.
How does this affect processes embedded in ERP systems in hospitals? When ERP systems are designed for
Western hospitals, they include modules that help manage the complexity of billing and collections that result
from claims submissions and insurance veri# cation. When the primary payment is from individuals paying at the
time of service or in installments, the collections process is signi# cantly different. Further, “bed class” is important
in Singapore where patients in public hospitals can choose from a variety of plans ranging from one bed to six or
more per room. The Western model is simpler because single‐bed rooms are more common.
Because of differences and “mis# ts,” businesses in many non‐Western companies are turning to local vendors that
have developed systems re$ ecting local best practices. For example, local ERP vendors in Taiwan have developed
ERP systems to support the majority of # rms in the market space—small‐ to medium‐sized Taiwanese companies with
sophisticated, adaptive logistic networks. The local ERP vendors have adopted a strategy of customization and are
more willing to modify their systems to satisfy local needs than are their large global competitors.
These examples suggest that another factor needs to be considered when designing and implementing and
ERP: It should not be implemented if the system is based on a cultural model that con$ icts with the local customs
and that cannot easily be accommodated.
Sources: C. Soh , S. K. Sia , and J. Tay‐Yap , “ Cultural Fits and Misfits: Is ERP a Universal Solution ,” Communications of the ACM 43 ,
no. 4 ( 2000 ), 47 – 51 ; E. T. G. Wang , G. Kleing , and J. J. Jiang , “ ERP Misfit: Country of Origin and Organizational Factors ,” Journal
of Management Information Systems 23 , no. 1 ( 2006 ), 263 – 92 .
c05.indd 113 11/26/2015 6:25:55 PM
http://www.forbes.com/sites/louiscolumbus/2014/05/06/gartners%E2%80%90crm%E2%80%90market%E2%80%90share%E2%80%90update%E2%80%90shows%E2%80%9041%E2%80%90of%E2%80%90crm%E2%80%90systems%E2%80%90are%E2%80%90saas%E2%80%90based%E2%80%90with%E2%80%90salesforce%E2%80%90do
http://www.forbes.com/sites/louiscolumbus/2014/05/06/gartners%E2%80%90crm%E2%80%90market%E2%80%90share%E2%80%90update%E2%80%90shows%E2%80%9041%E2%80%90of%E2%80%90crm%E2%80%90systems%E2%80%90are%E2%80%90saas%E2%80%90based%E2%80%90with%E2%80%90salesforce%E2%80%90do
http://www.forbes.com/sites/louiscolumbus/2014/05/06/gartners%E2%80%90crm%E2%80%90market%E2%80%90share%E2%80%90update%E2%80%90shows%E2%80%9041%E2%80%90of%E2%80%90crm%E2%80%90systems%E2%80%90are%E2%80%90saas%E2%80%90based%E2%80%90with%E2%80%90salesforce%E2%80%90do
114 Information Systems and Business Transformation
service management. SAP’s CRM system has similar modules plus marketing support such as resource and brand
management, campaign management, real‐time offer management, loyalty management, and e‐marketing. There
is also an e‐commerce module that facilitates personalized interface and self‐service applications for customers.
Salesforce.com is a different type of CRM. Whereas Oracle and SAP came from the enterprise systems space and
then created a CRM module, Salesforce.com started with a CRM solution. In addition, the products by Oracle
and SAP grew from on‐premise enterprise systems, and each company eventually built Web‐based versions of its
products, but Salesforce.com started as a Web‐based cloud system. Managers who seek a CRM system for their
organizations should compare the features and delivery systems of these and other solutions provided by niche ven-
dors who specialize in systems optimized for speci”c industry applications.
Social IT is increasingly integrated into CRM solutions. Providing software or Web applications that extend
the brand, engage customers, allow customers to interact with each other and with employees, and provide ser-
vice options generates additional “touches” with customers. CRM systems record these touches. The information
becomes an additional channel of data useful for building customer relationships. Salesforce.com teamed with Dun
& Bradstreet to use Data.com, a cloud‐based storehouse of company and customer contact information for use in
CRM systems. Data.com uses a crowd‐sourcing model to collect up‐to‐date information with users of the server
contributing data and helping to keep that data accurate.
In Chapter 1, we described the Ritz‐Carlton’s CRM, Class, which captures information about guest pref-
erences and enables the chain to provide enhanced, customized service during future visits. Web sites collect
information from customers who visit, make purchases, or request information. That information is stored in the
company’s CRM and used in many ways to better meet customer needs and enhance the customer experience.
For example, movie site Net#ix stores all the purchases and product reviews a customer makes in its CRM. Using
that information, the site recommends additional “lms the customer might enjoy based on analysis of the data
in the CRM.
Managing Supply Chains
Another type of enterprise system in common use is a supply chain management (SCM) system, which manages
the integrated supply chain. Business processes are not just internal to a company. With the help of information
technologies, many processes are linked across companies with a companion process at a customer or supplier,
creating an integrated supply chain. Technology, especially Web‐based technology, allows the supply chains of a
company’s customers and suppliers to be linked through a single network that optimizes costs and opportunities
for all companies in the supply chain. By sharing information across the network, guesswork about order quan-
tities for raw materials and products can be reduced, and suppliers can make sure they have enough on hand if
demand for their products unexpectedly rises.
The supply chain of a business is the process that begins with raw materials and ends with a product or service
ready to be delivered (or in some cases actually delivered) to a customer. It typically includes the procurement
of materials or components, the activities to turn these materials into larger subsystems or “nal products, and
the distribution of these “nal products to warehouses or customers. But with the increase in information systems
use, the supply chain may also include product design, product planning, contract management, logistics, and
sourcing. Globalization of business and ubiquity of communication networks and information technology have
enabled businesses to use suppliers from almost anywhere in the world. At the same time, this has created an
additional level of complexity for managing the supply chain. Supply chain integration is the approach of tech-
nically linking supply chains of vendors and customers to streamline the process and to increase ef”ciency and
accuracy.
Without such linking, a temporary increase in demand from a retailer might become interpreted by its suppliers
as permanent, and the changes can become magni”ed by each supplier up the chain when each supplier attempts to
add another percent or two just to be “safe.” Those erratic and wild changes are called the bullwhip effect. Linking
synchronizes all suppliers to the same demand increase up and down the chain and prevents that effect.
c05.indd 114 11/26/2015 6:25:55 PM
115Enterprise Systems
Integrated supply chains have several challenges, primarily resulting from different degrees of integration and
coordination among supply chain members.12 At the most basic level, there is the issue of information integration.
Partners must agree on the type of information to share, the format of that information, the technological stan-
dards they both use to share it, and the security they use to ensure that only authorized partners access it. Trust
must be established so the partners can solve higher‐level issues that may arise. At the next level is the issue of
synchronized planning. At this level, the partners must agree on a joint system of planning, forecasting, and replen-
ishment. The partners, having already agreed on what information to share, now have to agree on what to do with
it. The third level can be described as work#ow coordination—the coordination, integration, and automation of
critical business processes between partners. For some supply chains, this might mean simply using a third party
to link the procurement process to the preferred vendors or to communities of vendors who compete virtually for
the business. For others, it might be a more complex process of integrating order processing and payment systems.
Ultimately, supply chain integration leads to new business models as varied as the visionaries who think them up.
These business models are based on new ideas of coordination and integration made possible by the Internet and
information‐based supply chains. In some cases, new services have been designed by the partnership between
supplier and customer, such as new “nancial services offered when banks link up electronically with businesses
to accept online payments for goods and services purchased by the businesses’ customers. In other cases, a new
business model for sourcing has resulted, such as one in which companies list their supply needs and vendors elec-
tronically bid to be the supplier for that business.
Demand‐driven supply networks are the next step for companies with highly evolved supply chain capabilities.
Kimberly Clark, the 135‐year‐old consumer products company, is one such example. Its vision is for a highly
integrated suite of supply chain systems that provide end‐to‐end visibility of the supply processes in real time.
Key processes in the company’s demand‐driven supply network are forecast to stock and order to cash. Using an
integrated suite of systems allows the “rm’s users to share the same information as close to real time as possible and
to use the data in their systems for continually updating their supply chain, category management, and consumer
insight processes. IS have allowed managers to reduce the problems of handing off data from one system or process
to another (because now everything is in one system), having employees work from different databases (because it’s
now one database), and working with old data (because it’s as real time as possible). This has improved managers’
ability to see what’s going on in the marketplace and evaluate the impact of promotions, production, and inventory
much more quickly.
Integrated supply chains are truly global in nature. Thomas Friedman, in his book The World is Flat, describes
how the Dell computer that he had ordered for writing his book was developed from the contributions of an
integrated supply chain that involved about four hundred companies in North America, Europe, and, primarily,
Asia. However, the globalization of integrated supply chains faces a growing challenge from skyrocketing trans-
portation costs. For example, Tesla Motors, a pioneer in electric‐power cars, had originally planned the production
of a luxury roadster for the U.S. market based on an integrated global supply chain. The 1,000‐pound battery packs
for the cars were to be manufactured in Thailand, shipped to Britain for installation, and then shipped to the United
States where they would be assembled into cars. However, because of the extensive costs associated with shipping
the batteries more than 5,000 miles, Tesla decided to make the batteries and assemble the cars near its headquarters
in California. Darryl Siry, Tesla’s Senior Vice President of Global Sales, Marketing, and Service explains: “It was
kind of a no‐brain decision for us. A major reason was to avoid the transportation costs, which are terrible.” Econ-
omists warn managers to expect the “neighborhood effect” in which factories may be built closer to component
suppliers and consumers to reduce transportation costs. This effect may apply not only to cars and steel but also to
chickens and avocados and a wide range of other items.13
12 Hau Lee and Seungjin Whang, “E‐Business and Supply Chain Integration,” Stanford University Global Supply Chain Management Forum (November
2001).
13 Larry Rohter, “Shipping Costs Start to Crimp Globalization” The New York Times, 1, 10, http://www.nytimes.com/2008/08/03/business/worldbusiness/
03global.html (accessed August 27, 2015).
c05.indd 115 11/26/2015 6:25:56 PM
http://www.nytimes.com/2008/08/03/business/worldbusiness/03global.html
116 Information Systems and Business Transformation
Dell continues to be not only a great example of an integrated supply chain but also of the neighborhood
effect. Its “build‐to‐order” strategy of building computers as they are ordered rather than to mass‐produce them for
inventory requires an integrated supply chain. One of the authors of this textbook visited a Dell plant in Malaysia
with several dozen students. An of”cial there described how the plant’s zero inventory goal was accomplished by
ordering components only when computers were ordered, to arrive on the day of assembly. Also, suppliers were
strategically located in adjacent buildings surrounding the plant with an airport practically in walking distance. In
this way, suppliers are closely linked with the actual production process.
Product Life Cycle Management (PLM)
A less well-known type of enterprise system is a product life cycle management (PLM) system. PLM systems
automate the steps that take ideas for products and turn them into actual products. PLM refers to the process that
starts with the idea for a product and ends with the “end of life” of a product. It includes the innovation activities,
new product development, and management, design, and product compliance (if necessary). PLM systems con-
tain all the information about a product such as design, production, maintenance, components, vendors, customer
feedback, and marketing.
Advantages and Disadvantages of Enterprise Systems
One major bene”t of enterprise systems is that they represent a set of industry best practices. One con”dential
story relayed to the authors described a large university that had suffered for years with inconsistent, incomplete,
and immature processes. The university’s leader announced in advance that rather than customize a new ERP
to “t those processes, the directive was to replace completely those poor processes provided by the ERP. As a
result, the ERP’s best practices dramatically improved the university’s ability to provide information services to
faculty, staff, and students and also to track the entire “life cycle” of people from initial inquiry to graduation
and beyond.
Another major bene”t of an enterprise system is that all modules of the information system easily communi-
cate with each other, offering enormous ef”ciencies over stand‐alone systems. In business, information from one
functional area is often needed by another area. For example, an inventory system stores information about vendors
who supply speci”c parts. This same information is required by the accounts payable system, which pays vendors
for their goods. It makes sense to integrate these two systems to have a single accurate record of vendors and to use
an enterprise system to facilitate that integration.
Because of the focus on integration, enterprise systems are useful tools for an organization seeking to centralize
operations and decision making. As described earlier in the Integration versus Standardization box about the Ross
framework, high integration allows units to coordinate easily and unify their data for global access. Redundant data
entry and duplicate data may be eliminated; standards for numbering, naming, and coding may be enforced; and
data and records can be cleaned up through standardization. Further, the enterprise system can reinforce the use of
standard procedures across different locations.
The obvious bene”ts notwithstanding, implementing an enterprise system represents an enormous amount of
work. For example, if an organization has allowed both the manufacturing and the accounting departments to keep
their own records of vendors, then most likely these records are kept in somewhat different forms (one department
may enter the vendor name as IBM, the other as International Business Machines or even IBM Corp., all of which
make it dif”cult to integrate the databases). Making matters worse, a simple data item’s name itself might be stored
differently in different systems. In one system, it might be named Phone_No, but in another, it might be simply
Phone. Such inconsistencies in data items and values must be recognized and “xed so that the enterprise system
can provide optimal advantage.
Moreover, even though enterprise systems are #exible and customizable to a point, most also require business
processes to be redesigned to achieve optimal performance of the integrated modules. It is rare that an off‐the‐
shelf system is perfectly harmonious with an existing business process; the software usually requires signi”cant
modi”cation or customization to “t with the existing processes, or the processes must change to “t the software.
c05.indd 116 11/26/2015 6:25:56 PM
117Enterprise Systems
In most installations of enterprise systems, both take place. The system is usually customized when it is installed
in a business by setting a number of parameters. Many ERP projects are massive undertakings, requiring formal,
structured project management tools (as discussed in Chapter 11).
All systems make assumptions about how the business processes work, and at some level, customization is not
possible. For example, one major Fortune 500 company refused to implement a vendor’s enterprise system because
the company manufactured products in lots of “one,” and the vendor’s system would not handle the volume this
company generated. If the company had decided to use the ERP, a complete overhaul of its manufacturing process
in a way that executives were unwilling to do would have been necessary.
Implementing enterprise systems requires organizations to make changes beyond just the processes, but also in
their organization structure. Recall from Chapter 1 that the Information Systems Strategy Triangle suggests that
implementing an information system must be accompanied with appropriate organizational changes to be effective.
Implementing an enterprise system is no different; a 2014 Panorama report stated directly that only “rms that allo-
cate enough of the project budget to organizational change management will achieve the best results.14 For example,
who will now be responsible for entering the vendor information that was formerly kept in two locations? How
will that information be entered into the enterprise system? The answer to such simple operational questions often
requires managers minimally to modify business processes and more likely to redesign them completely to accom-
modate the information system.
Enterprise systems are also risky. The number of enterprise system horror stories demonstrates this risk. For
example, Kmart wrote off its $130 million ERP investment. American LaFrance (ALF), the manufacturer of highly
customized emergency vehicles, declared bankruptcy, blaming its IT vendor and its ERP implementation. The
problems with the implementation kept ALF from being able to manufacture many preordered vehicles.15 Two
months after the installation of a new ERP system, the Fort Worth Police Of”cers Association complained that pay-
checks were not being received correctly or on a timely basis by of”cers. Some of”cers had not been paid since the
installation, and others were shortchanged in their paychecks because the new system was not able to handle odd
hours and shift work.
Furthermore, enterprise systems and the organizational changes they induce tend to come with a hefty price tag.
In a study of the initial acquisition and implementation costs of ERP systems in primarily midsize companies (with
$100 million to $1 billion in annual revenues), half of the responding 157 chief “nancial of”cers (CFOs) admitted
spending more than $1 million for the license, service, and “rst year’s maintenance on their current ERP systems.
Nine of 10 respondents said they spent a minimum of $250,000. Unreported were additional hidden costs in the
form of technical and business changes, likely to be necessary when implementing an enterprise system. These
include project management, user training, and IT support costs.16 Some surveys uncover negative impacts on
performance. For instance, in 2014, overruns in costs were found to plague 54% of ERP projects, and 72% of the
“rms reporting encountered implementation delays. Perhaps more important were disruptions in service such as
dif”culties in shipping products, experienced by 51% of the “rms surveyed.17
One of the reasons that ERP systems are so expensive is that they are sold as a suite, such as “nancials or manu-
facturing, and not as individual modules. Because buying modules separately is dif”cult, companies implementing
ERP software often “nd the price of modules they won’t use hidden in the cost of the suite.
Seventy percent of survey respondents report that they are satis”ed with their ERP systems in spite of the large
expense, overruns, delays, and disruptions experienced, largely due to the capabilities of ERP systems. However,
only 63% considered the project a “success,” perhaps due to overruns.18 A set of advantages and disadvantages of
enterprise systems is provided in Figure 5.9.
14 Panorama Consulting, “Organizational Issues Number One Reason for Extended Durations,” http://panorama‐consulting.com/company/press‐releases/
panorama‐consulting‐solutions‐releases‐2014‐erp‐report/ (accessed February 26, 2015).
15 For additional examples of IT failures in general and enterprise systems failures in particular, please visit the blog written by Michael Krigsman, http://
blogs.zdnet.com/projectfailures/.
16 T. Wailgum, “Why CEOs and CFOs Hate It: ERP” (April 8, 2009), http://advice.cio.com/thomas_wailgum/why_cfos_and_ceos_hate_it_erp (accessed
February 14, 2012).
17 Panorama Consulting 2014 Report.
18 Ibid.
c05.indd 117 11/26/2015 6:25:56 PM
http://panorama%E2%80%90consulting.com/company/press%E2%80%90releasespanorama%E2%80%90consulting%E2%80%90solutions%E2%80%90releases%E2%80%902014%E2%80%90erp%E2%80%90report/%20
http://blogs.zdnet.com/projectfailures
http://blogs.zdnet.com/projectfailures
http://advice.cio.com/thomas_wailgum/why_cfos_and_ceos_hate_it_erp
118 Information Systems and Business Transformation
When the System Drives the Transformation
When is it appropriate to use the enterprise system to drive transformation and business process redesign, and when
is it appropriate to redesign the process ” rst and then implement an enterprise system? Although it may seem like
the process should be redesigned ” rst and then the information system aligned to the new design, there are times
when it is appropriate to let the enterprise system drive business process redesign. First, when an organization is just
starting out and processes do not yet exist, it is appropriate to begin with an enterprise system as a way to structure
operational business processes. After all, most processes embedded in the “plain vanilla” enterprise system from
a top vendor are based on the best practices of corporations that have been in business for years. Second, when an
organization does not rely on its operational business processes as a source of competitive advantage, then using an
enterprise system to redesign these processes is appropriate. Third, it is reasonable when the current systems are in
Social Business Lens: Crowdsourcing Changes Innovation Processes
One business process that has been radically changed by the use of social IT is the way innovation is managed
using crowdsourcing. Enterprises have found ways to use a social IT platform to solicit, discuss, and prioritize new
ideas. Anyone in the community can add an idea, and then the entire community can discuss, comment on, and
rate the idea. Managers then have a wealth of ideas along with community input to use as input into the innova-
tion process.
One of the original examples of this is Dell ’ s Ideastorm. Anyone in the community can access Ideastorm to
view ideas posted by the community, post an idea for Dell products or services, vote on the ideas presented,
and see what Dell managers have decided to do with the ideas presented. Ideas presented by the community
range from suggestions for new features on existing systems to new products and services Dell might offer. By
allowing the community to comment and vote on ideas, managers get a sense of the importance and viability of
implementing the innovation.
Similar social platforms have been implemented by numerous other companies including Starbucks ’ mystar-
bucksidea.com and Best Buy ’ s IdeaX. Companies have also taken this idea inside the corporation to solicit ideas
and innovations about processes, products, and other enterprise issues. Dell ’ s EmployeeStorm and the City of
New York ’ s Simplicity are two social IT examples of soliciting ideas to improve processes and ef# ciencies from
employees.
Companies have also embraced the crowd for individual projects; Sam Adams , the beer company, used a
Facebook application for crowdsourcing the next $ avor of beer. The application let fans select the color, clar-
ity, body, malt, hops, and yeast components of a recipe. For each component, the crowdsourcing application
educated fans about the contribution each component made to the resulting beer. The company collected the
crowd ’ s preferences, sharing them along the way for comment and discussion. The results not only gave Sam
Adams managers information about preferences of their fans but also prioritized ideas about the next product to
create with a high probability that it will have a large fan base to get it started.
Sources: https://gigaom.com/2011/01/19/new‐york‐city‐crowdsourcing/ (accessed August 27, 2015) ; http://www.facebook.com/
SamuelAdams?sk=app_299970113373932 (accessed January 19, 2012); http://www.ideastorm.com (accessed on August 30, 2015).
FIGURE 5.9 Advantages and disadvantages of enterprise systems.
Advantages Disadvantages
• Represent “best practices”
• Allow modules throughout the organization to
communicate with each other
• Enable centralized decision making
• Eliminate redundant data entry
• Enable standardized procedures in different locations
• Require enormous amount of work
• Require redesign of business practices for maximum
bene# t
• Have very high cost
• Are sold as a suite, not individual modules
• Require organizational changes
• Have high risk of failure
c05.indd 118 11/26/2015 6:25:56 PM
https://gigaom.com/2011/01/19/new%E2%80%90york%E2%80%90city%E2%80%90crowdsourcing
http://www.facebook.com/SamuelAdams?sk=app_299970113373932
http://www.ideastorm.com
119Summary
crisis and there is not enough time, resources, or knowledge in the “rm to “x them. Even though it is not an optimal
situation, managers must make tough decisions about how to “x the problems. A business must have working oper-
ational processes; therefore, using an enterprise system as the basis for process design may be the only workable
plan. It was precisely this situation that many companies faced with Y2K.
Likewise, it is sometimes inappropriate to let an enterprise system drive business process change. When an
organization derives a strategic advantage through its operational business processes, it is usually not advisable
for it to buy a vendor’s enterprise system. Using a standard, publicly available information system that both the
company and its competitors can buy from a vendor may mean that any system‐related competitive advantage is
lost. For example, consider a major computer manufacturer that relied on its ability to process orders faster than
its competitors to gain strategic advantage. Adopting an enterprise system’s approach would result in a loss of that
advantage. Furthermore, the manufacturer might “nd that relying on a third party as the provider of such a strategic
system would be a mistake in the long run because any problems with the system due to bugs or changed business
needs would require negotiating with the ERP vendor for the needed changes. With a system designed in house, the
manufacturer was able to ensure complete control over the IS that drives its critical processes.
Another situation in which it would be inappropriate to let an enterprise system drive business process change
is when the features of available packages and the needs of the business do not “t. An organization may use spe-
cialized processes that cannot be accommodated by the available enterprise systems. For example, many ERPs
were developed for discrete part manufacturing and do not support some processes in paper, food, or other process
industries.19
A third situation would result from lack of top management support, company growth, a desire for strategic #ex-
ibility, or decentralized decision making that render the enterprise system inappropriate. For example, Dell stopped
the full implementation of SAP R/3 after only the human resources module had been installed because the CIO did
not think that the software would be able to keep pace with Dell’s extraordinary growth. Enterprise systems were
also viewed as culturally inappropriate at the highly decentralized Kraft Foods.
Challenges for Integrating Enterprise Systems Between Companies
With the widespread use of enterprise systems, the issue of linking supplier and customer systems to the business’s
systems brings many challenges. As with integrated supply chains, there are issues of deciding what to share, how
to share it, and what to do with it when the sharing takes place. There are also issues of security and agreement on
encryption or other measures to protect data integrity as well as to ensure that only authorized parties have access.
Some companies have tried to reduce the complexity of this integration by insisting on standards either at the
industry level or at the system level. An example of an industry‐level standard is the bar coding used by all who do
business in the consumer products industry. An example of a system‐level standard is the use of SAP or Oracle to
provide the ERP system used by both supplier and customer. And the increasing use of cloud‐based systems with
standard interfaces makes the integration easier.
S U M M A R Y
• Most business processes today have a signi”cant information systems component to them. Either the process is com-
pletely executed through software or an important information component complements the physical execution of the
process. Transforming business, therefore, involves rethinking the information systems that support business processes.
• IS can enable or impede business process change. IS enables change by providing both the tools to implement the
change and the tools on which the change is based. IS can impede change, particularly when the process #ow is mis-
matched with the capabilities of the IS.
• To understand the role IS plays in business transformation, one must take a business process rather than a functional
(silo) perspective. Business processes are well‐de”ned, ordered sets of tasks characterized by a beginning and an end,
19 Markus and Tanis, “The Enterprise System Experience,” 176–79.
c05.indd 119 11/26/2015 6:25:56 PM
120 Information Systems and Business Transformation
sets of associated metrics, and cross‐functional boundaries. Most businesses operate business processes even if their
organization charts are structured by functions rather than by processes.
• Agile business processes are processes that are designed to be easily recon”gurable. Dynamic processes are designed
to automatically update themselves as conditions change. Both types of processes require a high degree of information
systems, which makes the task of changing the process a software activity rather than a physical activity.
• Making changes in business processes typically involves either incremental or radical change. Incremental change with TQM
and Six Sigma implies an evolutionary approach. Radical change with a BPR approach, on the other hand, is more sudden.
Either approach can be disruptive to the normal #ow of the business; hence, strong project management skills are needed.
• BPM systems are used to help managers design, control, and document business processes and ultimately the work#ow
in an organization.
• An enterprise system is a large information system that provides the core functionality needed to run a business.
These systems are typically implemented to help organizations share data between divisions. However, in some cases,
enterprise systems are used to effect organizational transformation by imposing a set of assumptions on the business
processes they manage.
• An ERP system is a type of enterprise system used to manage resources including “nancial, human resources, and
operations.
• A CRM system is a type of enterprise system used to manage the processes related to customers and the relationships
developed with customers.
• An integrated supply chain is often managed using an SCM system, an enterprise system that crosses company bound-
aries and connects vendors and suppliers with organizations to synchronize and streamline planning and deliver products
to all members of the supply chain.
• A PLM system is a type of enterprise system support product development from its “rst idea up through its end.
• Information systems are useful as tools to both enable and manage business transformation. The general manager must
take care to ensure that consequences of the tools themselves are well understood and well managed.
D I S C U S S I O N Q U E S T I O N S
1. Why was radical design of business processes embraced so quickly and so deeply by senior managers of so many com-
panies? In your opinion, and using hindsight, was its popularity a benefit for businesses? Why or why not?
2. Off‐the‐shelf enterprise IS often forces an organization to redesign its business processes. What are the critical success
factors to make sure the implementation of an enterprise system is successful?
3. ERP systems are usually designed around best practices. But whose best practices are the right ones? A Western bias is
common; practices found in North America or Europe are often the foundation. When transferred to Asia, however, the
K E Y T E R M S
agile business processes (p. 104)
business process management
(BPM) (p. 107)
business process
perspective (p. 102)
business process reengineering
(BPR) (p. 105)
customer relationship management
(CRM) (p. 113)
cycle time (p. 102)
dynamic business processes (p. 104)
Enterprise Information Systems
(EIS) (p. 110)
enterprise resource planning
(ERP) (p. 110)
enterprise systems (p. 110)
middleware (p. 112)
process (p. 102)
process perspective (p. 102)
product life cycle management
(PLM) (p. 116)
silo perspective (p.103)
Six Sigma (p. 105)
supply chain management
(SCM) (p. 114)
throughput (p. 102)
total quality management
(TQM) (p. 105)
work#ow (p. 107)
work#ow diagram (p. 107)
c05.indd 120 11/26/2015 6:25:56 PM
121Case Study
Bicycle enthusiasts not only love the ride their bikes provide but also are often willing to pay for newer technology, espe-
cially when it will increase their speed or comfort. Innovating new technologies for bikes is only half the battle for bike
manufacturers. Designing the process to manufacture the bikes is often the more daunting challenge.
Consider the case of Santa Cruz Bicycles . It digitally designs and builds mountain bikes and tests them under the most
extreme conditions to bring the best possible product to its customers. A few years back, the company designed and patented
the Virtual Pivot Point (VPP) suspension system, a means to absorb the shocks that mountain bikers encounter when on the
rough terrain of the off‐road ride. One feature of the new design allowed the rear wheel to bounce 10 inches without hitting
the frame or seat, providing shock absorption without feeling like the rider was sitting on a coiled spring.
The ” rst few prototypes did not work well; in one case, the VPP joint ’ s upper link snapped after a quick jump. The expe-
rience was motivation for a complete overhaul of the design and engineering process to ” nd a way to go from design to
prototype faster. The 25‐person company adopted a similar system used by large, global manufacturers: product life cycle
management (PLM) software.
The research and development team had been using computer‐aided‐design (CAD) software, but it took seven months to
develop a new design, and if the design failed, starting over would be the only solution. This design approach was a drain
not only on the company ’ s time but also on its ” nances. The design team found a PLM system that helped members analyze
and model capabilities in a much more robust manner. The team used simulation capabilities to watch the impact of the
new designs on rough mountain terrain. The software tracks all the variables the designers and engineers need so they can
quickly and easily make adjustments to the design. The new system allows the team to run a simulation in a few minutes,
representing a very large improvement over their previous design software, which took seven hours to run a simulation.
The software was just one component of the new process design. The company also hired a new master frame builder to
build and test prototypes in house and invested in a van‐size machine that can fabricate intricate parts for the prototypes, a
process the company previously outsourced. The result was a signi” cant decrease in its design‐to‐prototype process. What
once averaged about 28 months from start of design to shipping of the new bike now takes 12 to 14 months.
■ CASE STUDY 5‐1 Santa Cruz Bicycles
resulting systems may be problematic. Why do you think this is the case? What might be different in the way different coun-
tries use processes (besides the standard “language” difference)?
4. Have you been involved with a company doing a redesign of its business processes? If so, what were the key things that went
right? What went wrong? What could have been done better to minimize the risk of failure?
5. What do you think the former CIO of Dell , Jerry Gregoire, meant when he said, “Don ’ t automate broken business
processes”? 20
6. What might an integrated supply chain look like for a financial services company such as an insurance provider or a bank?
What are the components of the process? What would the customer relationship management process look like for this
same firm?
7. Tesco , the U.K. retail grocery chain, used its CRM system to generate annual incremental sales of £100 million. Using a fre-
quent shopper card, a customer got discounts at the time of purchase, and the company got information about the customer ’ s
purchases, creating a detailed database of customer preferences. Tesco then categorized customers and customized dis-
counts and mailings, generating increased sales and identifying new products to expand the organization ’ s offerings. At the
individual stores, data showed which products must be priced below competitors, which products had fewer price‐sensitive
customers, and which products must have regular low prices to be successful. In some cases, prices were store specific,
based on the customer information. The information system has enabled Tesco to expand beyond groceries to books, DVDs,
consumer electronics, flowers, and wine. The chain also offers services such as loans, credit cards, savings accounts, and
travel planning. What can Tesco management do now that the company has a CRM that it could not do prior to the CRM
implementation? How does this system enable Tesco to increase the value provided to customers?
20 “Technology: How Much? How Fast? How Revolutionary? How Expensive?” Fast Company 56, no. 62, http://www.fastcompany.com/online/56/
fasttalk.html (accessed May 30, 2002).
c05.indd 121 11/26/2015 6:25:56 PM
http://www.fastcompany.com/online/56
122 Information Systems and Business Transformation
The ” rst Boeing 787 Dreamliner was delivered to Japan ’ s ANA in the third quarter of 2011, more than three years after the
initial planned delivery date. Its complicated, unique design (including a one‐piece fuselage that eliminated the need for
1,500 aluminum sheets and 50,000 fasteners and reduced the resulting weight of the plane proportionally) promised both
a reduction in out‐of‐service maintenance time and a 20% increase in fuel economy, but problems with early testing of
the new design contributed to the giant project ’ s troubles. Even after those delays, the 787 was grounded in January 2013
because the main battery had problems of overheating and subsequently burning. The problems were ” nally reported solved
in December 2014.
Delivery of Boeing ’ s 787 Dreamliner project was delayed, in part, because of the company ’ s global supply chain net-
work, which was touted to reduce cost and development time. In reality, the network turned out to be a major cause for
problems. Boeing decided to change the rules of the way large passenger aircraft were developed through its Dreamliner
program; rather than simply relying on technological know‐how, it decided to use collaboration as a competitive tool embed-
ded in a new global supply chain process.
With the Dreamliner project, Boeing not only attempted to create a new aircraft through the innovative design and
new material but also radically changed the production process. It built an incredibly complex supply chain involving
over 50 partners scattered in 103 locations all over the world. The goal was to reduce both the ” nancial risks involved in a
$10 billion‐plus project for designing and developing a new aircraft and the new product development cycle time. Boeing
tapped the expertise of various ” rms in different areas such as composite materials , aerodynamics, and IT infrastructure to
create a network in which partners ’ skills complement each other. This changed the basis of competition to skill set rather
than the traditional basis of low cost. In addition, this was the ” rst time Boeing had outsourced the production on the two
most critical parts of the plane—the wings and the fuselage.
The ” rst sign of problems showed up just six months into the trial production. Engineers discovered unexpected bubbles
in the skin of the fuselage during baking of the composite material. This delayed the project a month. Boeing of” cials in-
sisted that they could make up the time and all things were under control. But next to fail was the test version of the nose
section. This time, a problem was found in the software programs, which were designed by various manufacturers. They
failed to communicate with each other, leading to a breakdown in the integrated supply chain. Then problems popped up in
the integration of electronics. The Dreamliner program entered the danger zone when Boeing declared that it was having
trouble getting enough permanent titanium fasteners to hold together various parts of the aircraft. The global supply network
did not integrate well for Boeing and left it highly dependent on a few suppliers.
The battery problems involved lithium‐ion batteries that could not recover from a situation involving a rare but serious
internal short circuit that would cause # ames to spread from one cell to another. Lithium‐ion batteries had not previously
been used in an airplane and had not been tested under an assumption of a short circuit.
This case clearly underscores the hazards in relying on an extensive supply chain, failing to expect the worst case with
critical new parts, and encountering information exchange problems that caused long delays and seriously compromised a
company ’ s ability to carry out business as planned. Creating a radically different process can mean encountering unexpected
problems. In some cases, it would put a company so far behind its competition that it was doomed to fail. However, in this
case, the major competitor to the Dreamliner, the Airbus 380 program, was also using a global supply chain model, and its
program was delayed by a couple of years. The result for Boeing was a much‐anticipated plane with fuel economy and out-
standing design that made the wait worth it. However, because of compromises in design, the Dreamliner holds only up to
250 passengers, compared to the A380, which has a seating capacity between 525 and 853.
■ CASE STUDY 5‐2 Boeing 787 Dreamliner
Discussion Questions
1. Would you consider this transformation to be incremental or radical? Why?
2. What, in your opinion, was the key factor in Santa Cruz Bicycles ’ successful process redesign? Why was that factor
the key?
3. What outside factors had to come together for Santa Cruz Bicycles to be able to make the changes it did?
4. Why is this story more about change management than software implementation?
Source: Adapted from Mel Duvall, “Santa Cruz Bicycles,” www.baselinemag.com (accessed February 24, 2008).
c05.indd 122 11/26/2015 6:25:56 PM
123Case Study
Discussion Questions
1. Why did Boeing adopt the radical change approach for designing and developing the 787 Dreamliner? What were the
risks? In your opinion, was it a good move? Defend your choice.
2. Using the silo perspective versus business process perspective, analyze the Dreamliner program.
3. What are your conclusions about the design of the integrated supply chain? Give some specific ideas about what could
have been done to integrate it better.
4. If you were the program manager, what would you have done differently to avoid the problems faced by the Dreamliner
program?
Sources: Adapted from J. Lynn Lunsford , “ Boeing Scrambles to Repair Problems with New Plane ,” The Wall Street Journal (December 7,
2007 ), A1, 13 ; Stanley Holmes , “ The 787 Encounters Turbulence ,” Businessweek ( June 19 , 2006 ), 38 – 40 ; Zach Honig , “ Boeing 787 Review:
ANA ’ s Dreamliner Flies Across Japan, We Join for the Ride ” (December 16, 2011 ), http://www.engadget.com/2011/12/16/boeing‐787‐
review‐anas‐dreamliner‐$ ies‐across‐japan‐we‐join/ (accessed August 27, 2015) ; J. Mouawad , “ Report on Boeing 787 Dreamliner Battery
Flaws Finds Lapses at Multiple Points ,” The New York Times (December 1, 2014 ), http://www.nytimes.com/2014/12/02/business/report‐
on‐boeing‐787‐dreamliner‐batteries‐assigns‐some‐blame‐for‐$ aws.html?
c05.indd 123 11/26/2015 6:25:56 PM
http://www.engadget.com/2011/12/16/boeing%E2%80%90787%E2%80%90review%E2%80%90anas%E2%80%90dreamliner%E2%80%90flies%E2%80%90across%E2%80%90japan%E2%80%90we%E2%80%90join/
http://www.engadget.com/2011/12/16/boeing%E2%80%90787%E2%80%90review%E2%80%90anas%E2%80%90dreamliner%E2%80%90flies%E2%80%90across%E2%80%90japan%E2%80%90we%E2%80%90join/
http://www.nytimes.com/2014/12/02/business/report%E2%80%90on%E2%80%90boeing%E2%80%90787%E2%80%90dreamliner%E2%80%90batteries%E2%80%90assigns%E2%80%90some%E2%80%90blame%E2%80%90for%E2%80%90fl
http://www.nytimes.com/2014/12/02/business/report%E2%80%90on%E2%80%90boeing%E2%80%90787%E2%80%90dreamliner%E2%80%90batteries%E2%80%90assigns%E2%80%90some%E2%80%90blame%E2%80%90for%E2%80%90fl
http://www.nytimes.com/2014/12/02/business/report%E2%80%90on%E2%80%90boeing%E2%80%90787%E2%80%90dreamliner%E2%80%90batteries%E2%80%90assigns%E2%80%90some%E2%80%90blame%E2%80%90for%E2%80%90fl
124
6
chapter
Mohawk , 1 a paper mill in upstate New York, was established in 1931. Contrary to a common assump-
tion that information technology is not critical to old technology industry players facing a declining
market, the ” rm has not only embraced cloud computing but also has been able to transform its
business because of the cloud in three ways: (1) moving from manufacturing as its primary focus to
providing service, (2) shifting from a self‐suf” cient model to one of collaboration with a network
of partners, and (3) ensuring that the partner network is # exible and its capabilities are integrated
with those of Mohawk . Mohawk accomplished this # exibility by using service‐oriented architecture
(SOA) tools, which enable a ” rm to scale technology services (and expenses) up and down instanta-
neously according to its needs. 2 Also, applications under SOA can be added or subtracted as needed.
Mohawk ’ s new envelope manufacturing facility serves as a vivid example to illustrate the ben-
e” ts of # exibility. Along the way, the company learned of the anticipated bankruptcy of the largest
envelope manufacturing ” rm in the United States and developed a list of six outsourced ” rms to
turn its premium papers into envelopes. After six months of using those suppliers and investing
in building its own in‐house envelope manufacturing capabilities, Mohawk was able to shift to an
insourcing model for 90% of its volume. The cloud services approach avoided the information sys-
tems dif” culties usually inherent in such a transformation.
There are also bene” ts to internal # exibility as well. As processing volumes increase and decrease,
sometimes on a seasonal basis and sometimes due to new or discontinued lines of business, Mohawk
experiences corresponding increases and decreases in its requirements for space, servers, and
processing. Its cloud approach allows the company to set up or dismantle servers quickly.
This chapter provides managers with an overview of IT architecture and infrastructure
issues and designs. It begins by translating a business into IT architecture and then from the
architecture into infrastructure. The manager ’ s role is then discussed, and an example of a # cti-
tious company, GiantCo.com, is used to show how strategy leads to infrastructure. The frame-
work used to describe the basic components of architecture and infrastructure, introduced in
Chapter 1 , is revisited here, providing a language and structure for describing hardware, soft-
ware, network, and data considerations. Common architectures are then presented, including
centralized, decentralized and Web‐based service‐oriented architecture (SOA). Architectural
principles are covered, followed by a discussion of enterprise architecture. Virtualization and
cloud computing, two current architectural considerations, are reviewed. The chapter con-
cludes with a discussion of managerial considerations that apply to any architecture.
Architecture and Infrastructure
1 Adapted from Paul J. Stamas , Michelle L. Kaarst‐Brown , and Scott A. Bernard , “ The Business Transformation Payoffs of Cloud
Services at Mohawk ,” MIS Quarterly Executive 13 , no. 4 ( 2014 ) .
2 Christopher Hale : “ Liaison Technologies to Deliver SOA‐in‐the‐Cloud Services to Mohawk Papers ,” Business Wire (February
24, 2010 ), http://www.businesswire.com/news/home/20100224006065/en/Liaison‐Technologies‐Deliver‐SOA‐in‐the‐Cloud‐ Services‐
Mohawk‐Papers#.VYFh_0ZZWjs (accessed June 17, 2015) .
c06.indd 124 11/26/2015 7:23:18 PM
http://www.businesswire.com/news/home/20100224006065/en/Liaison%E2%80%90Technologies%E2%80%90Deliver%E2%80%90SOA%E2%80%90in%E2%80%90the%E2%80%90Cloud%E2%80%90Services%E2%80%90Mohawk%E2%80%90Papers%23.VYFh_0ZZWjs
http://www.businesswire.com/news/home/20100224006065/en/Liaison%E2%80%90Technologies%E2%80%90Deliver%E2%80%90SOA%E2%80%90in%E2%80%90the%E2%80%90Cloud%E2%80%90Services%E2%80%90Mohawk%E2%80%90Papers%23.VYFh_0ZZWjs
125From Vision to Implementation
Mohawk’s experience shows that cloud computing is not just a mechanism to avoid or reduce costs or to gain
operational bene”ts. The cloud can enable transformation of the business itself. Mohawk’s mission changed from
“making paper” to “making connections,” which involves being able to sell directly to consumers “ve times the
number of products than in the pre‐2011 period when it mainly sold a few lines of paper to 10–15 large distributors.
Partners now offer many of those products, and the system provides the capabilities to sell from Mohawk’s own
inventory or from the partners in a seamless way directly to many thousands of small businesses and consumers
via its Web site.
Mohawk was able to make the changes it believed were necessary by shifting from an electronic data interchange
(EDI) approach to a simpler, more interchangeable format using XML and other tools. Liaison Technologies, its
integration consulting “rm, enabled these changes by “rst developing what it calls a cloud integration platform and
building upon that platform in several stages to ultimately arrive at an enhanced Web services platform that enabled
other organizations and customers to request information, inquire about freight charges and pricing, place orders,
and pay for their orders through connections with banks. The platform enables designers to “mash up” (combine)
applications as needed on Web sites that can be built rather quickly. Each feature “plugs in” using tools that make
it easy to connect the Web sites to existing databases.
Payoffs to Mohawk included:
• Shaking the precloud annual earnings decreases of 2%–5% per year to tripling its earnings in two years
• Automating its transaction processes, saving $1 million to $2 million annually in staff costs
• Increasing its product variety “vefold
• Increasing its customer base from 10–15 distributors to 100 business partners and many thousands of direct
customers
Not all “rms can base their entire operations on a cloud platform that permits integration with other organiza-
tions. Mohawk’s experiences can be considered to be “cutting edge,” and integration consulting is a rather new
phenomenon. Further, even if “rms use a cloud approach, they will need to estimate the extent of services they
will need to purchase up front. The Mohawk story illustrates how infrastructure can enable the strategic objectives
of a “rm. However, building such an infrastructure cannot come “rst. Firms must begin by determining a strate-
gic vision, determining the IS architecture needed to ful”ll that vision, and then making it all tangible by putting
together an IS infrastructure.
This chapter examines the mechanisms by which business strategy is transformed into tangible IS architecture
and infrastructure. The terms architecture and infrastructure are often used interchangeably in the context of IS.
This chapter discusses how the two differ and the important role each plays in realizing a business strategy. Then
this chapter examines some common architectural components for IS today.
From Vision to Implementation
As shown in Figure 6.1, architecture translates strategy into infrastructure. Building a house is similar: The owner
has a vision of how the “nal product should look and function. The owner must decide on a strategy about where to
live—in an apartment or in a house. The owner’s strategy also includes deciding how to live in the house in terms of
taking advantage of a beautiful view, having an open #oor plan, or planning for special interests by designing such
special areas as a game room, study, music room, or other amenities. The architect develops plans based on this vision.
These plans, or blueprints, provide a guide—unchangeable in some areas but subject to interpretation in others—for
the carpenters, plumbers, and electricians who actually construct the house. Guided by past experience and by industry
standards, these builders select the materials and construction techniques best suited to the plan. The plan helps them
determine where to put the plumbing and wiring, important parts of the home’s infrastructure. When the process works,
the completed house ful”lls its owner’s vision, even though he or she did not participate in the actual construction.
An IT architecture provides a blueprint for translating business strategy into a plan for IS. An IT infrastructure
is everything that supports the #ow and processing of information in an organization, including hardware, software,
data, and network components. It consists of components, chosen and assembled in a manner that best suits the
c06.indd 125 11/26/2015 7:23:18 PM
126 Architecture and Infrastructure
plan and therefore best enables the overarching business strategy.3 Infrastructure in an organization is similar to the
beams, plumbing, and wiring in a house; it’s the actual hardware, software, network, and data used to create the
information system.
The Manager’s Role
Even though he or she is not drawing up plans or pounding nails, the homeowner in this example needs to know
what to reasonably expect from the architect and builders. The homeowner must know enough about architecture,
speci”cally about styling and layout, to work effectively with the architect who draws up the plans. Similarly, the
homeowner must know enough about construction details such as the bene”ts of various types of siding, windows,
and insulation to set reasonable expectations for the builders.
Like the homeowner, managers must understand what to expect from IT architecture and infrastructure to be
able to make full and realistic use of them. The manager must effectively communicate his or her business vision
to IT architects and implementers and, if necessary, modify the plans if IT cannot realistically create or support
those plans. Without the involvement of the manager, IT architects could inadvertently make decisions that limit
the manager’s business options in the future.
For example, a sales manager for a large distribution company did not want to partake in discussions about
providing sales force automation systems for his group. He felt that a standard package offered by a well‐known
vendor would work “ne. After all, it worked for many other companies, he rationalized, so it would be “ne for
his company. No architecture was designed, and no long‐range thought was given to how the application might
support or inhibit the sales group. After implementation, it became clear that the application had limitations and
did not support the type of sales process in use at this company. He approached the IT department for help, and in
the discussions that ensued, he learned that earlier infrastructure decisions now made it prohibitively expensive to
implement the capability he wanted. Involvement with earlier decisions and the ability to convey his vision of what
the sales group wanted to do might have resulted in an IT infrastructure that provided a platform for the changes the
manager now wanted to make. Instead, the infrastructure lacked an architecture that met the business objectives of
the sales and marketing departments.
The Leap from Strategy to Architecture to Infrastructure
The huge number of IT choices available coupled with the incredible speed of technology advances makes the
manager’s task of designing an IT infrastructure seem nearly impossible. However, in this chapter, the task is bro-
ken down into two major steps: “rst, translating strategy into architecture and second, translating architecture into
Owner’s
Vision
Architect’s
Plans
Builder’s
Implementation
Strategy Architecture Infrastructure
Abstract Concrete
Building
Information
Technology
FIGURE 6.1 From the abstract to the concrete—building versus IT.
3 Gordon Hay and Rick Muñoz, “Establishing an IT Architecture Strategy,” Information Systems Management 14, no. 3 (Summer 1997), 67–69.
c06.indd 126 11/26/2015 7:23:18 PM
127The Leap from Strategy to Architecture to Infrastructure
infrastructure. This chapter describes a simple framework to help managers sort through IT issues. This framework
stresses the need to consider business strategy when de”ning an organization’s IT building blocks. Although this
framework may not cover every possible architectural issue, it does highlight major issues associated with effec-
tively de”ning IT architecture and infrastructure.
From Strategy to Architecture
The manager must start out with a strategy and then use the strategy to develop more speci”c goals as shown in
Figure 6.2. Then detailed business requirements are derived from each goal. In the Mohawk case, the business
strategy was to integrate its own product offerings with those from partners and to present the larger product line
directly to a large number of customers as well as an expanded list of wholesalers. The business requirements
were to integrate the disparate functionality into a modular, #exible system. By outlining the overarching business
strategy and then #eshing out the business requirements associated with each goal, the manager can provide the
architect with a clear picture of what IS must accomplish and the governance arrangements needed to ensure their
smooth development, implementation, and use. The governance arrangements specify who in the company retains
control of and responsibility for the IS. Preferably this is somebody in upper management.
Of course, the manager’s job is not “nished here. Continuing with Figure 6.2, the manager must work with the
IT architect to translate these business requirements into a more detailed view of the systems requirements, stan-
dards, and processes that shape an IT architecture. This more detailed view, the architectural requirements, includes
consideration of such things as data and process demands as well as security objectives. These are the architectural
requirements. The IT architect takes the architectural requirements and designs the IT architecture.
From Architecture to Infrastructure
Mohawk’s decision to use a service‐oriented architecture led to the design of a number of services and composite
applications. This illustrates the next step, translating the architecture into infrastructure. This task entails add-
ing yet more detail to the architectural plan that emerged in the previous phase. Now the detail comprises actual
hardware, data, networking, and software. Details extend to location of data and access procedures, location of
“rewalls, link speci”cations, interconnection design, and so on. This phase is also illustrated in Figure 6.2 where
the architecture is translated into functional speci”cations. The functional speci”cations can be broken down into
hardware speci”cations, software speci”cations, storage speci”cations, interface speci”cations, network speci”ca-
tions, and so on. Then decisions are made about how to implement these speci”cations: what hardware, software,
storage, interface, network, and so forth to use in the infrastructure.
When we speak about infrastructure, we are referring to more than the components. Plumbing, electrical wiring,
walls, and a roof do not make a house. Rather, these components must be assembled according to the blueprint to
create a structure in which people can live. Similarly, hardware, software, data, and networks must be combined
in a coherent pattern to have a viable infrastructure. This infrastructure can be considered at several levels. At the
most global level, the term may be focused on the enterprise and refer to the infrastructure for the entire organi-
zation. The term may also focus on the interorganizational level by laying the foundation for communicating with
customers, suppliers, or other stakeholders across organizational boundaries. Sometimes infrastructure refers to
those components needed for an individual application. When considering the structure of a particular application,
it is important to consider databases and program components, as well as the devices and operating environments
on which they run.
Often when referring to an infrastructure, the underlying computer system is called the platform. The term has
been used in a variety of ways: to identify the hardware and operating system of a computer, such as Microsoft Win-
dows, Apple OSX, or Linux, or smartphone and tablet operating systems, such as Android and iOS. Vendors need to
provide an entirely separate version of their software on each chosen platform, and they often have tools that allow
their programs to produce, nearly automatically, versions that run on multiple platforms.
A platform can also refer to a “rm’s collection of cloud‐based, modular tools as the example from Mohawk
illustrated. Such platforms use open standards for easy “plugging‐in” of components, enabling “mashing‐up” of a
c06.indd 127 11/26/2015 7:23:18 PM
128
c06.indd 128 11/26/2015 7:23:19 PM
Functional
Spec
Functional
Spec
Architectural
Requirement
Architectural
Requirement
Business
Requirement
Business
Requirement
Goal
Interface
Spec Infrastructure
Data
Protocol
SWb
Spec
HWa
Spec
Architecture
Strategy Goal
Goal
a Hardware.
b Software.
FIGURE 6.2 From strategy to architecture to infrastructure.
129The Leap from Strategy to Architecture to Infrastructure
variety of resources at once. Google Maps is an excellent example of a standardized resource that can be accessed
by any platform that provides the proper requests.
Framework for the Infrastructure and Architecture Analysis
When developing a framework for transforming business strategy into architecture and then into infrastructure,
these basic components should be considered:
• Hardware: The physical components that handle computation, storage, or transmission of data (e.g., personal
computers, servers, mainframes, hard drives, RAM, “ber‐optic cabling, modems, and telephone lines).
• Software: The programs that run on the hardware to enable work to be performed (e.g., operating systems,
databases, accounting packages, word processors, sales force automation, and enterprise resource planning
systems). Software is usually divided into two groups: system software, such as Microsoft Windows, Apple
OSX, and Linux, and applications, such as word processors, spreadsheets, and digital photo editors. Sys-
tem software is often referred to as a platform because application software runs upon it, sometimes only
on a particular version.
• Network: Software and hardware components for local or long‐distance networking. Local networking com-
ponents include switches, hubs, and routers; long‐distance networking components include cable, “ber, and
microwave paths for communication and data sharing. All work according to a common protocol, most often
Internet protocol (IP). Some networks are private, requiring credentials to connect. Others, like the Internet,
are public.
• Data: The electronic representation of the numbers and text. Here, the main concern is the quantity and
format of data and how often it must be transferred from one piece of hardware to another or translated from
one format to another.
The framework that guides the analysis of these components was introduced in the “rst chapter in Figure 1.6
This framework is simpli”ed to make the point that initially understanding an organization’s infrastructure is not
dif”cult. Understanding the technology behind each component of the infrastructure and the technical requirements
of the architecture is a much more complex task. The main point is that the general manager must begin with an
overview that is complete and that delivers a big picture.
This framework asks three types of questions that must be answered for each infrastructure component: what,
who, and where. The “what” questions are those most commonly asked and that identify the speci”c type of tech-
nology. The “who” questions seek to understand what individuals, groups, and departments are involved. In most
cases, the individual user is not the owner of the system or even the person who maintains it. In many cases, the
systems are leased, not owned, by the company, making the owner a party completely outside the organization. In
understanding the infrastructure, it is important to get a picture of the people involved. The third set of questions
addresses “where” issues. With the proliferation of networks, many IS are designed and built with components in
multiple locations, often even crossing oceans. Learning about infrastructure means understanding where every-
thing is located.
We can expand the use of this framework to also understand architecture. To illustrate the connections between
strategy and systems, the table in Figure 6.3 has been populated with questions that typify those asked in addressing
architecture and infrastructure issues associated with each component.
The questions shown in Figure 6.3 are only representative of many that would need to be addressed; the speci”c
questions depend on the business strategy the organizations are following. However, this framework can help IT
staff ask managers to provide further information as they seek to translate business strategy into architecture and ul-
timately into infrastructure in their organizations. The answers derived with IT architects and implementers should
provide a robust picture of the IT environment. That means that the IT architecture includes plans for the data and
information, the technology (the standards to be followed and the infrastructure that provides the foundation), and
the applications to be accessed via the company’s IT system.
c06.indd 129 11/26/2015 7:23:19 PM
130 Architecture and Infrastructure
FIGURE 6.3 Infrastructure and architecture analysis framework with sample questions.
Component What Who Where
Architecture Infrastructure Architecture Infrastructure Architecture Infrastructure
Hardware What type
of personal
device will our
users use?
What size hard
drives do we
equip our
laptops with?
Who knows
the most about
servers in our
organization?
Who will
operate the
server?
Does our
architecture
require
centralized
or distributed
servers?
What speci#c
computers will we
put in our Tokyo
data center?
Software Does ful#llment
of our strategy
require ERP
software?
Shall we go
with SAP or
Oracle
applications?
Who is affected
by a move to
SAP?
Who will need
SAP training?
Does our
geographical
organization
require
multiple
database
instances?
Can we use a
cloud instance
of Oracle for our
database?
Network How should
the network be
structured to
ful#ll our
strategy?
Will a particular
Cisco switch be
fast enough for
what we need?
Who needs a
connection to
the network?
Who provides
our wireless
network?
Will we let each
user’s phone be
a hotspot?
Shall we lease
a cable or use
satellite?
Data What data
do we need
for our sales
management
system?
What format
will we store
our data in?
Who needs
access to
sensitive data?
How will
authorized
users identify
themselves?
Will backups be
stored on‐site or
off‐site?
Will data be in the
cloud or in our
data center?
Traditionally, there are three common con”gurations of IT architecture as shown in Figure 6.4. Enterprises
sometimes like the idea of a centralized architecture with everything purchased, supported, and managed cen-
trally, usually in a data center, to eliminate the dif”culties that come with managing a distributed infrastructure.
In addition, almost every sizable enterprise has a large data center with servers and/or large mainframe computers
that support many simultaneous users. Because of that history, there are a signi”cant number of legacy mainframe
environments still in operation today. However, one large computer at the center of the IT architecture is not used
as regularly today as it was in the past. Instead, many smaller computers are linked together to form a centralized
IT core that operates very much like the mainframe, providing the bulk of IT services necessary for the business.
A more common con”guration is a decentralized architecture. The hardware, software, networking, and data
are arranged in a way that distributes the processing and functionality between multiple small computers, servers,
and devices, and they rely heavily on a network to connect them together. Typically, a decentralized architecture
uses numerous servers, often located in different physical locations, at the backbone of the infrastructure, called a
server‐based architecture.
A third increasingly common con”guration is service‐oriented architecture (SOA), the architecture that
Mohawk, in this chapter’s opening case, decided to use. An example of a service is an online employment form that,
when completed, generates a “le with the data for use in another service. Another example is a ticket‐processing
service that identi”es available concert seats and allocates them. These relatively small chunks of functionality are
available for many applications through reuse. The type of software used in an SOA architecture is often referred
to as software‐as‐a‐service, or SaaS. Another term for these applications when delivered over the Internet is Web
services.
A cutting‐edge type of con”guration is one that can allocate or remove resources by itself, referred to as a
software‐de#ned architecture.4 Two illustrations can provide an idea of this trend. The “rst is a true story of a
4 See K. Pearlson, “Software Defined Future: Instant Provisioning of IT Services,” Connect-Converge (Fall 2014), http://connect‐converge.com/
issues/2014_fall/A1767E8395A03D54262BE6F0B892F986/Converge%20C2‐2014‐Fall (accessed August 27, 2015).
c06.indd 130 11/26/2015 7:23:20 PM
http://connect%E2%80%90converge.com/issues/2014_fall/A1767E8395A03D54262BE6F0B892F986/Converge%20C2%E2%80%902014%E2%80%90Fall
131The Leap from Strategy to Architecture to Infrastructure
FIGURE 6.4 Common architectures.
Architecture Description Other Terms When to Use?
Centralized
Architecture
• A large central computer
system runs all applications
and stores all data.
• Typically, the computer is
housed in a data center and
managed directly by the IT
department.
• Networking allows users to
access remotely.
Mainframe
architecture
• To make it easier to manage—
all functionality is located in
one place
• When the business is highly
centralized
Decentralized
Architecture
• Computing power is spread
out among a number of
devices in different locations.
• Servers in different locations,
personal computers, laptops,
smartphones, and tablets are
also included.
• The “client” devices can
perform many of the services
needed with only occasional
requests to central servers for
data and services.
Server‐based
architecture
• To modularize and address
concerns about scalability
• When the business is primarily
decentralized
Service‐Oriented
Architecture (SOA)
• Software is broken down into
services “orchestrated” and
connected to each other.
• Together those services form
an application for an entire
business process.
• The services are often offered
from multiple vendors on the
Internet and are combined to
form applications.
Cloud‐based
architecture
• To be agile—reusability and
componentization can create
new apps
• When the business is new and
rapid app design is important
Software‐De#ned
Architecture
• Infrastructure recon#gures
based on load or time of day.
• Infrastructure can be
recon#gured autonomously
based on rules.
Software‐de#ned
network, network
virtualization
• When resources need to be
$exible and recon#gured often
• When usage varies
dramatically depending
on time of day
company selling 10 bird baths per month. It had a Web site for its small family business. For a while, the site was
adequate for its needs. However, when Oprah Winfrey featured the company’s high‐quality designs on her show, the
number of monthly orders jumped to 80,000. Fortunately, the “rm’s IT consultants were able to create a software‐
de”ned network that adapted to the increase in orders. It was able to sense a change in the volume of orders and
allocate additional resources such as storage and processing power to keep the Web site working. A typical hosting
provider would have treated a monthly 8,000‐fold volume increase as an attack and would shut down the site to
protect it. Also, a typical provider would not have enough storage allocated for the orders. The software‐de”ned
network saved thousands of sales (and hundreds of thousands of dollars) from being lost.
Sometimes software‐de”ned networks can even change the architecture on the #y. For example, many fast‐food
restaurants and coffee shops offer free WiFi to customers. This capability requires more than one connection to the
Internet in very busy locations, and the shop itself needs its own secure, dedicated connection to record sales trans-
actions and inventory updates from individual restaurant and shop operations. If that operation connection fails, a
software‐de”ned network could automatically recon”gure to switch one of the customer connections to become
a substitute operations connection. Customers might “nd their WiFi connections to be a little slower until the
situation returns to normal, but the automatic recon”guration prevents the restaurant or shop from having to close
c06.indd 131 11/26/2015 7:23:20 PM
132 Architecture and Infrastructure
or revert to a very clumsy manual system. Even without a catastrophe, customer traf”c on the WiFi system and the
need for operations capacity can #uctuate as well. After closing, the WiFi system for customers is not needed, but
during busy times, it might be saturated. When software updates are performed or large volumes of transactions are
transmitted, the operations connection might be overwhelmed. Shifting resources automatically from one separate
architectural component to another is a powerful way to reduce costs.
A manager must be aware of the trade‐offs when considering architectural decisions. For example, decentralized
architectures are more modular than centralized architectures, allowing other servers to be added with relative ease
and provide increased #exibility for adding clients with speci”c functionality for speci”c users. Decentralized orga-
nizational governance, such as that associated with the networked organization structure (discussed in Chapter 3), is
consistent with decentralized architectures. In contrast, a centralized architecture is easier to manage in some ways
because all functionality is centralized in the main computer instead of distributed throughout all the devices and
servers. A centralized architecture tends to be a better match in companies with highly centralized governance, for
example, those with hierarchical organization structures. SOA is increasingly popular because the design enables
large units of functionality to be built almost entirely from existing software service components. SOA is useful
for building applications quickly because it offers managers a modular and componentized design and, therefore, a
more easily modi”able approach to building applications. Software‐de#ned architectures are even easier to man-
age because they self‐manage many of their features. However, each self‐managing feature must be imagined and
de”ned; the systems are not autonomous beyond those features.
An example of an organization making these trade‐offs is the Veterans Health Administration (VHA), a part of
the Department of Veterans Affairs of the U.S. federal government.5 The organization included 14 different business
units that served various administrative and organizational needs. The primary objective of the organization was to
provide health care for veterans and their families. In addition, the VHA was a major contributor to medical research,
allowing medical students to train at VHA hospitals. The medical centers operated independently and sometimes
competed against each other. When the U.S. Congress passed an act that enabled the VHA to restructure itself from
a system of hospitals to a single health care system, the IT architecture was recon”gured from a very centralized
design, which enabled the Of”ce of Data Management and Telecommunications to retain control, to a decentral-
ized hospital‐based architecture that gave local physicians and administrators the opportunity to deploy applications
addressing local needs while ensuring that standards were developed across the different locations. The VA then
introduced the “One‐VA” architecture to unify the decentralized systems and “to provide an accessible source of con-
sistent, reliable, accurate, useful, and secure information and knowledge to veterans and their families. . . .”6 Efforts
were made to encrypt, secure, and account for every piece of computer hardware in the system, and a national and
regional data warehouse initiative was launched to standardize business data storage and management.
Technological advances such as peer‐to‐peer architecture and wireless or mobile infrastructure make possible
a wide variety of options. These designs can either augment a “rm’s existing way of operating or become its main
focus. For example, a peer‐to‐peer architecture allows networked computers to share resources without needing a
central server to play a dominant role. ThePirateBay.org, the Web site for sharing music, movies, games, and more,
and Skype, a site for teleconferencing, texting, and telephoning, are examples of businesses that use a peer‐to‐peer
architecture. Wireless (mobile) infrastructures allow communication from remote locations using a variety of
wireless technologies (e.g., “xed microwave links; wireless LANs; data over cellular networks; wireless WANs;
satellite links; digital dispatch networks; one‐way and two‐way paging networks; diffuse infrared, laser‐based com-
munications; keyless car entry; and global positioning systems).
Web‐based and cloud architectures locate signi”cant hardware, software, and possibly even data elements on
the Internet. Web‐based architectures offers greater #exibility when used as a source for capacity‐on‐demand, or
the availability of additional processing capability for a fee. IT managers like the concept of capacity on demand to
help manage peak processing periods when additional capacity is needed. It allows them to use the Web‐available
capacity as needed, rather than purchasing additional computers to handle the larger loads.
5 Adapted from V. Venkatesh, H. Bala, S. Venkatraman, and J. Bates, “Enterprise Architecture Maturity: The Story of the Veterans Health Administration,”
MIS Quarterly Executive 6, no. 2 (June 2007),79–90; and J. Walters, “IBM Transformation Series, 2009,” http://www.businessofgovernment.org/report/
transforming‐information‐technology‐department‐veterans‐affairs (accessed August 27, 2015).
6 Venkatesh, Venkatraman, and Bates, “Enterprise Architecture Maturity,” p. 86.
c06.indd 132 11/26/2015 7:23:20 PM
http://www.businessofgovernment.org/report/transforming%E2%80%90information%E2%80%90technology%E2%80%90department%E2%80%90veterans%E2%80%90affairs
133From Strategy to Architecture to Infrastructure: An Example
With the proliferation of smartphones and tablets, enterprises increasingly have employees who want to bring
their own devices and connect to enterprise systems. Some call this Bring Your Own Device (BYOD), and it
raises some important managerial considerations. When employees connect their own devices to the corporate
network, issues such as capacity, security, and compatibility arise. For example, many corporate applications are
not designed to function on the small screen of a smartphone. Redesigning them for personal devices may require
signi”cant investment to accommodate the smartphone platform. And not all smartphone platforms are the same.
Designing for an iPhone is different than for an Android phone. Even if a system were redesigned for these two
platforms, the resources required to maintain the system increase because each platform evolves at a different rate
and the applications need to appear similar on each device. In some circles, the drive to port applications to personal
devices and the ensuing issues to make them work is referred to as the consumerization of IT.
Consumerization of IT is a growing phenomenon. Not only do employees want to use their own devices to
access corporate systems but also customers increasingly expect to access company systems from their mobile
devices. Making applications robust yet simple enough for customers to use from virtually any mobile device over
the Web is a challenge for many information systems departments. Companies such as Good Technology have been
created to provide services that allow enterprise employees to connect, communicate, and collaborate using their
own devices, supplementing the IT organization’s ability to meet this new demand. Websites are designed with the
philosophy of “responsive design,” permitting them to adapt to screens of any size.
From Strategy to Architecture to Infrastructure: An Example
This section7 considers a simple example to illustrate the process of converting strategy to architecture to infra-
structure: We introduce GiantCo.com, a “ctitious competitor of Amazon and Wal‐Mart, which sells a wide variety
of products online.
De”ne the Strategic Goals
The managers at GiantCo.com recognize that they have a large amount of competition, so they have decided to try
to provide outstanding customer service. In fact, their strategy is to become highly customer focused. Among their
immediate strategic goals are the following:
• To increase the period of a money‐back guarantee from one week to a month
• To provide cross‐selling opportunities by temporarily discounting accessories or items that complement
those purchased within the previous year
• To provide a return shipping label with every purchase
• To decrease out‐of‐stock occurrences by 20%
• To answer emails within 24 hours
Translate Strategic Goals to Business Requirements
To keep things simple, consider more closely only the “rst two of GiantCo.com’s strategic goals: to increase the
period of a money‐back guarantee from one week to a month and to suggest goods that complement all those sold
to a customer in the past year. How can GiantCo.com’s architecture enable this goal? Its goal must be translated into
business requirements. A few of the business requirements that address these two goals are to track
• At least a year’s worth of sales for all customers
• All refunds provided to customers
7 Only a few questions raised from the framework are provided; a comprehensive, detailed treatment of this situation would require more information
than provided in this simple example.
c06.indd 133 11/26/2015 7:23:20 PM
134 Architecture and Infrastructure
• Return patterns by customer to detect excesses
• Sales of complementary goods to provide advice for future potential purchasers
Translate Business Requirements into Architecture
To support the business requirements, architectural requirements are speci”ed that dictate the architecture to be
established. One major component of the architecture deals with how to obtain, store, and use data to support the
business requirements.
The database needs to store the sales data for all customers for more than an entire year. The data can be used for
many purposes, including summarizing for an annual report and identifying whether customers who wish to return
goods are within the 30‐day period. It also provides the foundation for suggesting complementary goods when cou-
pled with data pinpointing goods that are related. As customers use the Web site, the sales data can be very useful
for their own decision making.
Translate Architecture to Infrastructure
With the architecture goals in hand, the framework presented in Figure 6.2 outlines how to build the infrastructure.
The architecture outlines the functions needed by the infrastructure, enabling a functional speci”cation to be cre-
ated. Those specs are then translated into hardware, software, data protocols, interface designs, and other compo-
nents that will make up the infrastructure. For GiantCo.com’s database, the functional speci”cation would include
details such as how big it should be, how fast data access should be, what the format of the data will be, and more.
These functional speci”cations then help narrow the technical speci”cations, which answer these questions. For
example, after considering the current customer base and forecasts for growth, GiantCo.com’s database might need
the following:
• Sample functional speci”cations for a year’s worth of activity
• Space to fit transaction data for 22,500 customers who purchase 25 items a year on average with 30 facts
(date, price, quantity, item number, customer number, address shipped, credit card billed, and so on)
recorded for each. On average, each fact occupies 10 characters of storage.
• Ability to insert 1,070 records per minute. One server can handle one update per second, or 60 per min-
ute, suggesting the need for 18 servers to handle online sales. Accounting information will be placed on
its own server. That totals 168,750,000,000 characters of storage for the year, indicating that 200 giga-
bytes will be needed for this information alone. An analysis of vendors’ products and pricing indicates
that one terabyte is considered more than adequate for each server given that 18 will be purchased.
• Software to do the required tracking for suggesting complementary goods because the current system
does not have that functionality.
• Hardware speci”cations
• One terabyte RAID (redundant array) level 3 hard drive space.
• Nineteen 3‐gigahertz Core 2 duo servers.
• Software speci”cations
• Apache operating system.
• My SQL database.
c06.indd 134 11/26/2015 7:23:20 PM
135Architectural Principles
Additional technical speci”cations would be created until the entire infrastructure is designed. Then GiantCo.
com’s IT department is ready to pick speci”c hardware, software, network, data, etc., to put into its infrastructure.
Figure 6.5 lists possible infrastructure components needed by GiantCo.com.
Architectural Principles
Any good architecture is based on a set of principles, or fundamental beliefs about how the architecture should
function. Architectural principles must be consistent with both the values of the enterprise as well as with the
technology used in the infrastructure. The principles are designed by considering the key objectives of the orga-
nization and then translated into principles to apply to the design of the IT architecture. The number of principles
vary widely, and there is no set list of what must be included in a set of architectural principles. However, a guide-
line for developing architectural principles is to make sure they are directly related to the operating model of the
enterprise and IS organization. Principles should de”ne the desirable behaviors of the IT systems and the role of the
organization(s) that support it. A sample of architectural principles is shown in Figure 6.6.
FIGURE 6.5 GiantCo.com’s infrastructure components.
Hardware Software Network Data
19 servers:
• 18 for sales
• 1 for accounting
LaCie 10‐GB Thunderbolt
RAID hard drive storage
system
ERP system with modules for
• Sales
• Accounting
• Inventory
Enterprise application
integration (EAI) software
Apache operating system
MySQL database software
• Cable modem to ISP
• Dial‐up lines for backup
• Cicso routers, hubs, and
switches
• Firewalls from CheckPoint
Database
• Sales
• Inventory
• Accounting
• Complementary items
FIGURE 6.6 Sample architectural principles.
Source: Adapted from examples of IT architecture from IBM, The Open Group Architecture Framework, the U.S. Government,
and the State of Wisconsin.
Principle Description of What the Architecture Should Promote
Ease of use Ease of use in building and supporting the architecture and solutions based on the
architecture
Single point of view A consistent, integrated view of the business regardless of how it is accessed
Buy rather than build Purchase of applications, components, and enabling frameworks unless there is a
competitive reason to develop them internally
Speed and quality Acceleration of time to market for solutions while still maintaining required quality
levels
Flexibility and agility Flexibility to support changing business needs while enabling evolution of the
architecture and the solutions built on it
Innovation Incorporation of new technologies, facilitating innovation
Data security Data protection from unauthorized use and disclosure
Common data vocabulary Consistent de#nitions of data throughout the enterprise, which are understandable and
available to all users
Data quality Accountability of each data element through a trustee responsible for data quality
Data asset Management of data like other valuable assets
c06.indd 135 11/26/2015 7:23:20 PM
136 Architecture and Infrastructure
Enterprise Architecture
Many companies apply even more complex and comprehensive frameworks than those described earlier for devel-
oping an IT architecture and infrastructure than those described earlier. They employ an enterprise architecture
(EA), or the “blueprint” for all IS and their interrelationships in the “rm. EA is the term used for the organizing
logic for the entire organization. It often speci”es how information technologies support business processes. EA
differs from an IT architecture in its level of analysis, although it shares some design principles of the lower‐level
architectures. It identi”es the core processes of the company and how they will work together, how the IT sys-
tems will support the processes, the standard technical capabilities and activities for all parts of the enterprise, and
guidelines for making choices. As experts Jeanne Ross, Peter Weill, and David Robertson describe in their book,
Enterprise Architecture as Strategy,
Top‐performing companies de#ne how they will do business (an operating model) and design the processes and infra-
structure critical to their current and future operations (enterprise architecture). . . . Then these smart companies exploit
their foundation, embedding new initiatives and using it as a competitive weapon to seize new business opportunities.8
The components of an enterprise architecture typically include four key elements:
• Core business processes: The key enterprise processes that create the capabilities the company uses to exe-
cute its operating model and create market opportunities
• Shared data: The data that drive the core processes
• Linking and automation technologies: The software, hardware, and networking technologies that provide
the links between applications (applications themselves are part of the IT architecture, but the way applica-
tions link together is part of the bigger picture of the enterprise architecture)
• Customer groups: Key customers to be served by the architecture9
One example of an enterprise architecture framework is the TOGAF (The Open Group Architecture Frame-
work).10 TOGAF includes a methodology and set of resources for developing an enterprise architecture. It is based
on the idea of an open architecture, one whose speci”cations are public (as compared to a proprietary architecture
whose speci”cations are not made public). It is based on the U.S. Department of Defense frameworks and has
been developing and continuously evolving since the mid‐1990s. It provides a practical, standardized methodology
(called Architecture Development Methodology) to successfully implement an enterprise architecture for an organi-
zation. Although there is no well‐accepted standard for enterprise architecture, architects who understand and use
TOGAF speak a common language and use the same basic framework and processes to build their company’s IS
architecture. TOGAF is designed to translate strategy into architecture and then into a detailed infrastructure; how-
ever, it supports a much higher level of architecture that includes more components of the enterprise.11
Another example of enterprise architecture frameworks is the Zachman framework, which determines archi-
tectural requirements by providing a broad view that helps guide the analysis of the detailed view. This framework’s
perspectives range from the company’s scope, to its critical models and, “nally, to very detailed representations of
the data, programs, networks, security, and so on. The models it uses are the conceptual business model, the logical
system model, and the physical technical model.12
Enterprise architectures mature as “rms invest resources in technologies that support their strategy. Jeanne
Ross13 theorized that enterprise architecture moves from compartmentalized “silos” to standardized technologies to
enterprisewide software to business modularity. A recent study14 shows a dramatic increase in perceived IT effec-
tiveness as the architecture matures through those four stages.
8 Jeanne W. Ross, Peter Weill, and David C. Robertson, Enterprise Architecture as Strategy (Boston, MA: Harvard Business School Press, 2006), viii–ix.
9 Ibid., 50–52.
10 The Open Group, http://www.opengroup.org.
11 For more information on the TOGAF framework, visit the Open Group’s Web site at www.opengroup.org/togaf/.
12 For more information on the Zachman framework, visit Zachman International’s Web site at www.zachman.com.
13 J. W. Ross, “Creating a Strategic IT Architecture Competency: Learning in Stages,” MIS Quarterly Executive 2, no. 1 (2003), 31–43.
14 Randy V.Bradley, Renée M. E. Pratt, Terry Anthony Byrd, and Lakisha L. Simmons, “The Role of Enterprise Architecture in the Quest for IT Value,”
MIS Quarterly Executive 10, no. 2 (2011), 19–27.
c06.indd 136 11/26/2015 7:23:20 PM
http://www.opengroup.org
http://www.opengroup.org/togaf
http://www.zachman.com
http://www.opengroup.org/togaf
137Virtualization and Cloud Computing
Because enterprise architecture is more about how the company operates than how the technology is designed,
building an EA is a joint exercise to be done with business leaders and IT leaders. IT leaders cannot and should
not do this alone. Because virtually all business processes today involve some component of IT, the idea of trying
to align IT with business processes would merely automate or update processes already in place. Instead, business
processes are designed concurrently with IT systems. The Mohawk case at the beginning of this chapter illustrates
this very well; if Mohawk had simply continued its existing business processes or had made them faster with newer
technology, its pro”tability would have merely continued to decline. They company was able to reverse this trend
only by redesigning or redirecting its business processes, an effort that was enabled by IT.
As Mohawk found, building an enterprise architecture is more than just linking the business processes to IT.
It starts with organizational clarity of vision and strategy and places a high value on consistency in approach as a
means of optimal effectiveness. The consistency manifests itself as some level of standardization—standardization
of processes, deliverables, roles, and/or data. Every EA has elements of all these types of standardization; however,
the degree and proportion of each vary with organizational needs, making it dynamic. A good enterprise architect
understands this and looks for the right blend for each activity the business undertakes. That means that because
organizational groups and individuals are resources for business processes, the organizational design decisions
should be part of the enterprise architecture. However, this is a sophisticated approach, and new enterprise archi-
tects often seek to put more rigid standards in place and do not attempt to tackle the more complex organizational
design issues.
Barclay’s Bank,15 which services more than 48 million customers worldwide, had an IT architecture that
included more than 2,000 applications and spent in excess of £1 billion annually on IT. The resulting complexity
was managed with an EA that speci”ed frameworks, tools, and processes that created a common language and for-
mat. The EA governance model dictated that both business and technology executives sign off on projects to ensure
accountability and ownership. Roadmaps helped clarify the enterprise architecture design and direction, which
informed planning and portfolio management and created a common vision and a repeatable mechanism for future
investments. The EA ensured appropriate linkages between IT investment and business needs.
Virtualization and Cloud Computing
Physical corporate data centers are rapidly being replaced by virtual infrastructure called virtualization. Virtual
infrastructure originally meant one in which software replaced hardware in a way that a “virtual machine” or a
“virtual desktop system” was accessible to provide computing power. Typically, computing capabilities, storage,
and networking are provided by a third party or group of vendors, usually over the Internet or through a private
network. In most virtual architectures, the “ve core components available virtually are servers, storage, backup,
network, and disaster recovery. Virtualizing the desktop is a common virtualization application. In a virtual-
ized desktop, the user’s device locally accesses desktop software on a remote server, essentially separating the
operating system from the applications. Virtualization is a useful way to design architecture because it enables
resources to be shared and allocated as needed by the user and makes maintenance easier because resources are
centralized.
Cloud computing is another term used to describe an architecture based on services provided over the Internet.
It is based on the concept of a virtual infrastructure. Entire computing infrastructures are available “in the cloud.”
Using the cloud to provide infrastructure means that the cloud is essentially a large cluster of virtual servers or
storage devices. This is called infrastructure as a service (IaaS).
In addition to IaaS, software as a service (Saas) and platform as a service (PaaS) are typical services found in
cloud computing. These are described more fully in Chapter 10. Using the cloud for a platform means that the man-
ager will use an environment with the basic software available, such as Web software, applications, database, and
collaboration tools. Using the cloud for an entire application generally means that the software is custom designed
or custom con”gured for the business but resides in the cloud.
15 Adapted from Phil LeClare and Eric Knorr, “The 2010 Enterprise Architecture Awards” (September 10, 2010), http://www.infoworld.com/d/
architecture/the‐2010‐enterprise‐architecture‐awards‐823 (accessed August 27, 2015).
c06.indd 137 11/26/2015 7:23:20 PM
http://www.infoworld.com/d/architecture/the%E2%80%902010%E2%80%90enterprise%E2%80%90architecture%E2%80%90awards%E2%80%90823
138 Architecture and Infrastructure
Consumers of cloud computing purchase capacity on demand and are not generally concerned with the under-
lying technologies. It’s the next step in utility computing, or purchasing any part of the consumers’ storage or
processing infrastructure they need when they need it. Much like the distribution of electricity, the vision of utility
computing is that computing infrastructure would be available when needed in as much quantity as needed. When
the lights and appliances are turned off in a home, the electricity is not consumed. Ultimately, the customer is
billed only for what is used. In utility computing, a company uses a third‐party infrastructure to do their processing
or transactions and pay only for what they use. And as in the case of the electrical utility, the economies of scale
enjoyed by the computing utility enable very attractive “nancial models for their customers. As the cost of connec-
tivity falls, models of cloud computing emerge.
Salesforce.com, Facebook, Gmail, Windows Azure, Apple iTunes, and LinkedIn are examples of applications
in the cloud. Users access LinkedIn through the Web and build networks of business professionals on the site. But
LinkedIn provides additional services, such as linking a user’s blog to her or his pro”le, sharing and storing doc-
uments among group’s members, and accessing applications such as GoodReads to see what network peers are
reading and Tripit to learn about their travel plans.
Bene”ts of virtualization and cloud computing are many. Businesses that embrace a virtual infrastructure can
consolidate physical servers and possibly eliminate many of them, greatly reducing the physical costs of the data
center. Fees can be based on transaction volumes rather than large up‐front investments. There is no separate cost
for upgrade, maintenance, and electricity. Nor is there a need to devote physical space or to guess how many storage
servers are required. Typically, the network is much simpler, too, because the virtual infrastructure mainly requires
Internet connections for all applications and devices.
But the biggest bene”t of virtualization and cloud computing is the speed at which additional capacity, or pro-
visioning, can be done. In a traditional data center, additional capacity is often a matter of purchasing additional
hardware, waiting for its delivery, physically installing it, and ensuring its compatibility with the existing systems.
It can take weeks. In a virtual infrastructure, the nature of the architecture is dynamic by design, making adding
capacity relatively easy and quick.
For example, The New York Times decided to make all public domain articles from 1851 to 1922 available on
the Internet. To do that, the company decided to create PDF “les of all the articles from the original papers in its
archives. This required scanning each column of the story, creating a series of graphic pictures of the scanned
image, and then cobbling them together to create the single PDF for each story. This was a lot of work and required
signi”cant computing power. Once this batch of articles was converted and added to the company’s existing library,
the 11 million New York Times stories from 1851 to 1989 were accessible on the Internet.
The manager of this project had an idea to use the cloud. He selected a service offered by Amazon.com, Amazon
EC2, wrote some code to do the project he envisioned, and tested it on the Amazon servers. He used his credit card
to charge the $240 it cost him to do this conversion. He calculated it would have taken him at least a month to do
the conversion if he used only the few servers available to him in The New York Times network. However, using the
Amazon cloud services, he was able to use a virtual server cluster of 100 servers, and it took just under 24 hours to
process the entire 11 million articles.16
But managers considering virtualization and cloud computing must also understand the risks. First is the
dependence on the third‐party supplier. Building applications that work in the cloud may mean retooling exist-
ing applications for the cloud’s infrastructure. The dominant vendor, as of the writing of this text, is VMware, a
company that offers software for workstations, virtual desktop infrastructures, and servers. However, because there
are no standards for virtual infrastructure, applications running on one vendor’s infrastructure may not port easily
to another vendor’s environment.
Architectures are increasingly providing cloud computing and virtualization as alternatives to in‐house infra-
structures. As coordination costs drop and new platforms in the cloud are introduced, cloud computing utilization
will increase.
16 Galen Gruman, “Early Experiments in Cloud Computing,” InfoWorld (April 7, 2008), http://www.infoworld.com/article/2649759/operating‐systems/
early‐experiments‐in‐cloud‐computing.html (accessed July 28, 2015); Derek Gottfrid, “Self‐Service, Prorated Supercomputing Fun!” (November 1,
2007), http://open.blogs.nytimes.com/2007/11/01/self‐service‐prorated‐super‐computing‐fun/ (accessed July 28, 2015).
c06.indd 138 11/26/2015 7:23:20 PM
http://www.infoworld.com/article/2649759/operating%E2%80%90systems-early%E2%80%90experiments%E2%80%90in%E2%80%90cloud%E2%80%90computing.html
http://open.blogs.nytimes.com/2007/11/01/self%E2%80%90service%E2%80%90prorated%E2%80%90super%E2%80%90computing%E2%80%90fun
139Other Managerial Considerations
Other Managerial Considerations
The infrastructure and architecture framework shown in Figure 6.3 guides the manager toward the design and
implementation of an appropriate infrastructure. De”ning an IT architecture that ful”lls an organization’s needs
today is relatively simple; the problem is that by the time it is installed, those needs can change. The primary rea-
son to base an architecture on an organization’s strategic goals is to allow for inevitable future changes—changes
in the business environment, organization, IT requirements, and technology itself. Considering future impacts
should include analyzing the existing architecture, the strategic time frame, technological advances, and “nancial
constraints.
Understanding Existing Architecture
At the beginning of any project, the “rst step is to assess the current situation. Understanding existing IT architecture
allows the manager to evaluate the IT requirements of an evolving business strategy against current IT capacity. The
architecture, rather than the infrastructure, is the basis for this evaluation because the speci”c technologies used to
build the infrastructure are chosen based on the overall plan, or architecture. As previously discussed, these archi-
tectural plans support the business strategy. Assuming that some overlap is found, the manager can then evaluate
the associated infrastructure and the degree to which it can be utilized going forward.
Relevant questions for managers to ask include the following:
• What IT architecture is already in place?
• Is the company developing the IT architecture from scratch?
• Is the company replacing an existing architecture?
• Does the company need to work within the con”nes of an existing architecture?
• Is the company expanding an existing architecture?
Starting from scratch allows the most #exibility in determining how architecture can enable a new business strat-
egy, and a clean architectural slate generally translates into a clean infrastructure slate. However, planning effec-
tively even when starting from scratch can be a challenge. For example, in a resource‐starved start‐up environment,
it is far too easy to let effective IT planning fall by the wayside. Sometimes the problem is less a shortcoming in IT
management and more one of poorly devised business strategy. A strong business strategy is a prerequisite for IT
architecture design, which is in turn a prerequisite for infrastructure design.
Of course, managers seldom enjoy the relative luxury of starting with a clean IT slate. More often, they must
deal in some way with an existing architecture, infrastructure, and legacy systems already in place. In this case,
they encounter both opportunity—to leverage the existing architecture and infrastructure and their attendant human
resource experience pool—and the challenge of overcoming or working within the old system’s shortcomings. By
implementing the following steps, managers can derive the most value and suffer the least pain when working with
legacy architectures and infrastructures.
1. Objectively analyze the existing architecture and infrastructure: Remember that architecture and infrastruc-
ture are separate entities; managers must assess the capability, capacity, reliability, and expandability of
each.
2. Objectively analyze the strategy served by the existing architecture: What were the strategic goals it was
designed to attain? To what extent do those goals align with current strategic goals?
3. Objectively analyze the ability of the existing architecture and infrastructure to further the current strategic
goals: In what areas is alignment present? What parts of the existing architecture or infrastructure must be
modi”ed? Replaced?
c06.indd 139 11/26/2015 7:23:20 PM
140 Architecture and Infrastructure
Whether managers are facing a fresh start or an existing architecture, they must ensure that the architecture will
satisfy their strategic requirements and that the associated infrastructure is modern and ef”cient. The following
sections describe evaluation criteria including strategic time frame, technical issues (adaptability, scalability, stan-
dardization, maintainability), and “nancial issues.
Assessing Strategic Timeframe
Understanding the life span of an IT infrastructure and architecture is critical. How far into the future does the strat-
egy extend? How long can the architecture and its associated infrastructure ful”ll strategic goals? What issues could
arise and change these assumptions?
Answers to these questions vary widely from industry to industry. Strategic time frames depend on indus-
try‐wide factors such as level of commitment to “xed resources, maturity of the industry, cyclicality, and barriers
to entry. The competitive environment has increased the pace of change to the point that requires any strategic
decision be viewed as temporary.
Architectural longevity depends not only on the strategic planning horizon, but also on the nature of a man-
ager’s reliance on IT and on the speci”c rate of advances affecting the information technologies on which he or
she depends. Today’s architectures must be designed with maximum #exibility and scalability to ensure they can
handle imminent business changes. Imagine the planning horizon for a dot‐com company in an industry in which
Internet technologies and applications are changing daily, if not more often. You might remember the importance
of #exibility and agility to Mohawk’s new business strategy and that the “rm’s IT architecture was created to
support it.
Assessing Technical Issues: Adaptability
With the rapid pace of business, it is no longer possible to build a static information system to support businesses.
Instead, adaptability is a core design principle of every IT architecture and one reason why cloud computing and
virtualization are increasingly popular. A manager may think of technological advances as primarily affecting IT
infrastructure, but the architecture must be able to support any such advance. Can the architecture adapt to emerg-
ing technologies? Can a manager delay the implementation of certain components until he or she can evaluate the
potential of new technologies?
At a minimum, the architecture should be able to handle expected technological advances, such as innovations in
storage capacity and computing power. An exceptional architecture also has the capacity to absorb unexpected tech-
nological leaps. Both hardware and software should be considered when promoting adaptability. For example, new
Web‐based applications that may bene”t the corporation emerge daily. The architecture must be able to integrate
these new technologies without violating the architecture principles or signi”cantly disrupting business operations.
The following are guidelines for planning adaptable IT architecture and infrastructure. At this point, these two
terms are used together because in most IT planning, they are discussed together. These guidelines are derived from
work by Meta Group.17
• Plan for applications and systems that are independent and loosely coupled rather than monolithic: This
approach allows managers to modify or replace only those applications affected by a change in the state of
technology.
• Set clear boundaries between infrastructure components: If one component changes, others are minimally
affected, or if effects are unavoidable, the impact is easily identi”able and quanti”able.
• When designing a network architecture, provide access to all users when it makes sense to do so (i.e., when
security concerns allow it): A robust and consistent network architecture simpli”es training and knowledge
17 Larry R. DeBoever and Richard D. Buchanan, “Three Architectural Sins,” CIO (May 1, 1997), 124, 126.
c06.indd 140 11/26/2015 7:23:20 PM
141Other Managerial Considerations
sharing and provides some resource redundancy. An example is an architecture that allows employees to use
a different server or printer if their local one goes down.
Note that requirements concerning reliability may con#ict with the need for technological adaptability under
certain circumstances. If the architecture requires high reliability, a manager seldom is tempted by bleeding‐edge
technologies. The competitive advantage offered by bleeding‐edge technologies is often eroded by downtime and
problems resulting from pioneering efforts with the technology.
Assessing Technical Issues: Scalability
A large number of other technical issues should also be considered when selecting an architecture or infrastructure.
A frequently used criterion is scalability. To be scalable refers to how well an infrastructure component can adapt
to increased, or in some cases decreased, demands. A scalable network system, for instance, could start with just a
few nodes but could easily be expanded to include thousands of nodes. Scalability is an important technical feature
because it means that an investment can be made in an infrastructure or architecture with con”dence that the “rm
will not outgrow it.
What is the company’s projected growth? What must the architecture do to support it? How will it respond if the
company greatly exceeds its growth goals? What if the projected growth never materializes? These questions help
de”ne scalability needs.
Consider a case in which capacity requirements were poorly anticipated. In early 2007, an ice storm on the
East Coast of the United States forced JetBlue Airlines to scramble to take care of stranded customers, grounded
planes, checked luggage, and canceled #ights. In the aftermath, executives told investors that the computers didn’t
fail. Indeed, they did not fail, but the system failed to scale as needed. The system was set up to accommodate
650 agents and was able to be increased to 950 but no more.18 It is unlikely that JetBlue or its software provider
would have had to do any serious systems redesign to respond to the increase in demand; it simply needed to
increase its infrastructure capacity. Ultimately, recovery from this planning failure cost JetBlue millions and even
more in defending its image, which suffered severe negative word of mouth from the poor service that resulted.
The company subsequently contracted with Verizon to manage its infrastructure as a way of responding to the scal-
ability issue. JetBlue’s plight underscores the importance of analyzing the impact of strategic business decisions
on IT architecture and infrastructure and at least ensuring that a contingency plan exists for potential unexpected
effects of a strategy change.
Assessing Technical Issues: Standardization
Another important feature deals with commonly used standards. Hardware and software that use a common stan-
dard as opposed to a proprietary approach are easier to plug into an existing or future infrastructure or architecture
because interfaces often accompany the standard. For example, many companies use Microsoft Of”ce software,
making it an almost de facto standard. Therefore, a number of additional packages come with translators to the sys-
tems in the Of”ce suite to make it easy to move data between systems.
Assessing Technical Issues: Maintainability
How easy is the infrastructure to maintain? Are replacement parts available? Is service available? Maintainability
is a key technical consideration because the complexity of these systems increases the number of things that can go
wrong, need “xing, or simply need replacing. In addition to availability of parts and service people, maintenance
considerations include issues such as the length of time the system might be out of commission for maintenance,
18 Mel Duvall, “What Really Happened to JetBlue,” http://www.cioinsight.com/c/a/Past‐News/What‐Really‐Happened‐At‐JetBlue www.cioinsight.com
(April 5, 2007) (accessed August 27, 2015).
c06.indd 141 11/26/2015 7:23:20 PM
http://www.cioinsight.com/c/a/Past%E2%80%90News/What%E2%80%90Really%E2%80%90Happened%E2%80%90At%E2%80%90JetBlue
142 Architecture and Infrastructure
how expensive and how local the parts are, and obsolescence. Should a technology become obsolete, costs for parts
and expertise skyrocket. Architectures have different inherent security pro”les.
Assessing Technical Issues: Security
Securing assets in a highly centralized, mainframe architecture means building protection around the centralized
core. Because data and software are stored and executed on the mainframe computer, methods of protecting these
assets revolve around protecting the mainframe itself. Decentralized, server‐based architecture is more dif”cult to
secure due to the dispersion of servers. Security is a matter of protecting every server instead of one centralized
system. A Web‐based SOA architecture that utilizes SaaS and capacity on demand raises a whole new set of secu-
rity issues. The data and applications not only reside on servers in the various vendor systems around the Web, but
also the linking mechanism, the network that ties the Web together, introduces another level of security concerns.
Security is discussed in more detail in Chapter 7.
Assessing Financial and Managerial Issues
Like any business investment, IT infrastructure components should be evaluated based on their expected “nan-
cial value. Unfortunately, payback from IT investments is often dif”cult to quantify; it can come in the form of
increased productivity, increased interoperability with business partners, improved service for customers, or yet
more abstract improvements. This suggests focusing on how IT investments enable business objectives rather than
on their quantitative returns.
Still, some effort can and should be made to quantify the return on infrastructure investments. This effort can be
simpli”ed if a manager works through the following steps with the IT staff.
1. Quantify costs: The easy part is costing out the proposed infrastructure components and estimating the total
investment necessary. Work with the IT staff to identify cost trends in the equipment the company proposes
to acquire. Don’t forget to include installation and training costs in the total.
2. Determine the anticipated life cycles of system components: Experienced IT staff or consultants can
help establish life cycle trends for both a company and an industry to estimate the useful life of various
systems.
3. Quantify bene!ts: The hard part is getting input from all affected user groups as well as the IT group, which
presumably knows most about the equipment’s capabilities. If possible, form a team with representatives
from each of these groups and work together to identify all potential areas in which the new IT system may
bring value.
4. Quantify risks: Assess any risk that might be attributable to delaying acquisition as opposed to paying more
to get the latest technology now.
5. Consider ongoing dollar costs and bene!ts: Examine how the new equipment affects maintenance and
upgrade costs associated with the current infrastructure.
Once this analysis is complete, the manager can calculate the company’s preferred discounted cash #ow (i.e., net
present value or internal rate of return computation) and the payback period. Approaches to evaluating IT invest-
ments are discussed in greater detail in Chapter 8.
Applying these considerations to the “ctitious GiantCo.com company, the last task is to weigh the managerial
considerations against the architectural goals that were used to determine infrastructure requirements. Figure 6.7
shows how these considerations could apply to GiantCo.com’s situation.
Again, note that the criteria evaluated in Figure 6.7 do not address every possible issue for GiantCo.com, but this
example shows a broad sample of the issues that will arise.
c06.indd 142 11/26/2015 7:23:20 PM
143Other Managerial Considerations
FIGURE 6.7 GiantCo.com ’ s managerial considerations.
Criteria Architecture Infrastructure
Strategic time frame Inde# nite: GiantCo.com ’ s strategic goal is to
be able to respond to customer needs.
NA
Technology advances Database technology is fairly stable, but
transaction capacity needs to be assessed
and links with smaller suppliers and
customers veri# ed.
NA
Financial Issues
NPV of investment NA GiantCo.com will analyze NPV of various
hardware and software solutions and
ongoing costs before investing.
Payback analysis GiantCo.com expects the new architecture
to pay for itself within three years.
Speci# c options will be evaluated using
conservative sales growth projections to
see how they match the three‐year goal.
Incidental investments The new architecture represents a moderate
shift in the way GiantCo.com does business
and will require some training and workforce
adjustment.
Training costs for each option will be
analyzed. Redeployment costs for
employees displaced by any outsourcing
must also be considered.
Growth requirements/
scalability
Outsourcing could provide more scalability
than GiantCo.com ’ s current model, which is
constrained by IT capacity. New innovations
will be identi# ed to provide scalability of
volume.
The scalability required of various new
hardware and software components is not
signi# cant, but options will be evaluated
based on their ability to meet scalability
requirements.
Standardization NA GiantCo.com will adopt the MySQL
standard and make it a requirement of all
developers for consistency.
Maintainability The new architecture raises some
maintenance issues, and new product
introductions will mandate constant updates
to the rules of complementary goods.
Various options will be evaluated for their
maintenance and repair costs.
Staff experience The new model will require new skills and
expertise.
Current staff is not familiar with MySQL.
Training and workforce adjustment will be
needed. Some new staff will be hired.
Security GiantCo.com will lock down resources for
traveling personnel.
GiantCo.com will adopt a Pulse Secure VPN
for securely connecting traveling personnel
with network resources.
Social Business Lens: Building Social Mobile Applications
As companies adopt social IT, they are # nding that it is closely intertwined with mobile platforms. Employees want,
and in some cases expect, to be able to access their social IT from their smartphones, tablets, and more. As com-
panies look globally, in some countries the mobile screen is the only screen used.
In 2011, more than one‐third of the U.S. population used the mobile Internet. In 2014, that number grew to such
an extent that 52% of device owners consider smartphones and tablets the most important devices for Internet
access, while only 46% consider desktops and laptops the most important devices. Tablets have surpassed all
other devices in importance.
Social business requires that companies extend their architecture to include mobile functions, called social
mobile . Social mobile functions began to take off with the widespread adoption of smartphones. The # rst devices
combined features of a personal digital assistant with a mobile phone, giving developers the opportunity to link
applications to the Web instantly. RIM ’ s BlackBerry was one of the # rst to give users mobile access to communication
c06.indd 143 11/26/2015 7:23:20 PM
144 Architecture and Infrastructure
tools such as their e‐mail. More recent devices, such as Apple’s iOS, Google’s Android, Microsoft’s Windows Phone,
Nokia’s Symbian, and RIM’s BlackBerry OS, use a mobile operating system.
Initial social mobile apps were social networks either ported to the mobile platform, like LinkedIn and
Facebook, or designed just for the mobile platform, like Foursquare and Gowalla, social network sites linking
community members who “check in” at physical locations and sometimes earn virtual rewards for doing so.
Social mobile applications have extended to many other types of applications as software designers realize the
large market available to them if their applications run on mobile platforms and as device users demand increas-
ing functionality for their mobile devices.
Source: Amy Gahran, “Survey: U.S. Mobile Web Access Growing Fast” (July 8, 2010), http://articles.cnn.com/2010‐07‐08/tech/
mobile.internet.access.pew_1_cell‐phone‐users‐feature‐phones‐mobile‐internet (accessed August 27, 2015); Danyl Bosomworth,
“Mobile Marketing Statistics 2015,” Smart Insights (July 22, 2015), http://www.smartinsights.com/mobile‐marketing/mobile‐
marketing‐analytics/mobile‐marketing‐statistics/ (accessed August 27, 2015).
S U M M A R Y
• Strategy drives architecture, which drives infrastructure. Strategic business goals dictate IT architecture requirements.
These requirements provide an extensible blueprint suggesting which infrastructure components will best facilitate the
realization of the strategic goals.
• Enterprise architecture is the broad design that includes both the information systems architecture and the interrelation-
ships in the enterprise. Often this plan speci”es the logic for the entire organization. It identi”es core processes, how they
work together, how IT systems will support them, and the capabilities necessary to create, execute, and manage them.
• Four con”gurations for IT architecture are centralized, decentralized, SOA (or Web‐based), and software‐de”ned archi-
tectures. Applications are increasingly being offered as services, reducing the cost and maintenance requirements for
clients. Virtualization and cloud computing provide architectures for Web‐based delivery of services.
• The manager’s role is to understand how to plan IT to realize business goals. With this knowledge, he or she can facilitate the
process of translating business goals to IT architecture and then modify the selection of infrastructure components as necessary.
• Frameworks guide the translation from business strategy to IS design. This translation can be simpli”ed by categorizing
components into broad classes (hardware, software, network, data), which make up both IT architecture and infrastructure.
• Enterprise leaders increasingly have requests for new devices that employees want to connect to the corporate network.
The consumerization of IT describes the trend to redesign corporate systems for smartphones, tablets, and other consumer‐
oriented devices.
• While translating strategy into architecture and then infrastructure, it is important to know the state of any existing
architecture and infrastructure, to weigh current against future architectural requirements and strategic time frame, and
to analyze the “nancial consequences of the various systems options under consideration. Systems performance should
be monitored on an ongoing basis.
K E Y T E R M S
applications (p. 129)
architecture (p. 125)
bring‐your‐own‐device
(BYOD) (p. 133)
capacity‐on‐demand (p. 132)
centralized architecture (p. 130)
cloud architecture (p. 132)
cloud computing (p. 137)
consumerization of IT (p. 133)
data center (p. 130)
decentralized architecture (p. 130)
enterprise architecture (p. 136)
infrastructure (p. 125)
mainframe (p. 130)
peer‐to‐peer (p. 132)
platform (p. 129)
reuse (p. 130)
scalable (p. 141)
server‐based architecture (p. 130)
service‐oriented architecture
(SOA) (p. 130)
software‐as‐a‐service (p. 130)
software‐de”ned architecture (p. 130)
standards (p. 141)
system software (p. 129)
TOGAF (p. 136)
utility computing (p. 138)
virtualization (p. 137)
Web‐based architectures (p. 132)
Web services (p. 130)
wireless (mobile)
infrastructures (p. 132)
infrastructures (p. 125)
Zachman framework (p. 136)
c06.indd 144 11/26/2015 7:23:21 PM
http://articles.cnn.com/2010%E2%80%9007%E2%80%9008/tech/mobile.internet.access.pew_1_cell%E2%80%90phone%E2%80%90users%E2%80%90feature%E2%80%90phones%E2%80%90mobile%E2%80%90internet
http://www.smartinsights.com/mobile%E2%80%90marketing/mobile%E2%80%90marketing%E2%80%90analytics/mobile%E2%80%90marketing%E2%80%90statistics
http://www.smartinsights.com/mobile%E2%80%90marketing/mobile%E2%80%90marketing%E2%80%90analytics/mobile%E2%80%90marketing%E2%80%90statistics
http://www.smartinsights.com/mobile%E2%80%90marketing/mobile%E2%80%90marketing%E2%80%90analytics/mobile%E2%80%90marketing%E2%80%90statistics
145Case Study
Enterprise architecture (EA) at American Express was the framework the organization used to align IT and the business. EA
provided a common language for leaders to use to collaborate and transform the business. At American Express , enterprise
architects were the change agents who streamlined processes and designed ways to more effectively do business using IT
resources. In 2011, American Express was named an InfoWorld/Forrester Enterprise Architecture Award recipient for its EA
practices. As American Express leaders considered new payment methods using mobile devices, the EA guided their progress.
Mobile payments were forcing the payments industry to review their practices and signi” cantly transform the way
business was done. The new business environment introduced additional complexity with the addition of new delivery chan-
nels and the need for shorter time‐to‐market of payment products and services. American Express ’ s business strategy for its
payments products focused on delivering a “consistent, global, integrated customer experience based on services running
on a common application platform.”
To achieve this goal, the EA team created reference architectures and road maps for standardized applications across the
” rm. This team then worked with multiple business solution delivery teams to create and manage the common application
architecture and create strategies that facilitated each business ’ s objectives. Each strategy included a road map of initiatives
that included a set of actions, the metrics to evaluate the success of these actions, and the commitments IT and the businesses
made to make it happen. The road map was American Express ’ s way to standardize language, tools, life cycle management
of the applications, and architecture and governance processes. The elements of the road map included technology, reference
architecture, and capabilities for the business.
The next steps for American Express were to extend the road maps to cover the maturing of SOA and to develop new
reference architectures and a new taxonomy to increasingly align IT with the needs of the business. As new technologies
emerged and new ways of doing business over social tools created opportunities for new payment products and services,
American Express expected to continually evolve its EA.
Discussion Questions
1. What are the key components of the architecture American Express has created?
2. Why was it important to standardize so much of the architecture? What are the advantages and disadvantages of a stan-
dard EA for American Express ?
■ CASE STUDY 6‐1 Enterprise Architecture at American Express
D I S C U S S I O N Q U E S T I O N S
1. Think about a company you know well. What would be an example of IT architecture at that company? An example of the
IT infrastructure?
2. What, in your opinion, is the difference between a decentralized architecture and a centralized architecture? What is an
example of a business decision that would be affected by the choice of the architecture?
3. From your personal experience, what is an example of software as a service? Of BYOD?
4. Each of the following companies would benefit from either software‐defined architecture or conventional, owned hardware
and software. State which you would advise each of the following fictitious firms (plus the IRS) to adopt and explain why.
a. StableCo is a firm that sells industrial paper shredders. Its business has remained steady for two decades and it has a
strong and diverse customer base.
b. DynamicCo is a fast‐growing six‐year old firm that has relied on three to five key wholesale customers for its entire
existence. However, the list of key customers changes every year, and during two of the years, sales declined sharply.
c. Plastics3000 is an old, stable plastics manufacturing firm that has kept its sales steady in the face of competitors as
the result of an active research and development team that uses advanced software to analyze large amounts of data to
develop new compounds. Once or twice a week, office personnel complain of the network becoming very slow.
d. A downtown Las Vegas casino monitors each slot machine continuously for early detection of malfunctions such as win-
nings or losses trending beyond their threshold limits.
e. CallPerfect provides call center services to pharmacies. Phone calls are routed to the company after hours and messages
are delivered to the pharmacy manager the next morning.
f. At the IRS, tax forms are available online for citizens to complete and file with the IRS electronically by April 15. A call
center routes calls to agents who answer taxpayers ’ questions.
g. At LittlePeople, Inc., a day care center, parents are called using software on the administrator ’ s computer when there is a
weather emergency. The school has averaged 120 families for many years.
c06.indd 145 11/26/2015 7:23:21 PM
146 Architecture and Infrastructure
3. Describe how the new architecture supports the goals and strategy of American Express.
4. What types of future payment products and services should be anticipated and prepared for by the EA group? What is
your vision of how payments might work? If you were advising the CIO of American Express , what would you suggest
his group prepare for?
Source: Adapted from Phil LeClare and Eric Knorr , “ The 2011 Enterprise Architecture Awards ” (September 19, 2011 ), http://www.
infoworld.com/d/enterprise‐architecture/the‐2011‐enterprise‐architecture‐awards‐173372 (accessed August 27, 2015) .
Scientists doing research often need serious computing capability to run simulations and crunch data. Often that meant
working for a large company that could provide the signi” cant investment in information systems infrastructure. But cloud
computing changed all that. Consider the case of biologist Dr. Eric Schadt, a researcher who claims that approaches to
studying the complexity of living systems have failed. Studying one gene at a time doesn ’ t explain what causes diseases,
making it impossible to ” nd the cures sought by the scienti” c and pharmacology communities. Dr. Schadt ’ s vision is to
manage this area of research, and the large amount of data generated, which appears to be too much for any one individual
or company to manage, by creating a human social network. He believes that this organization re# ects the complexity of the
living systems he studies and therefore it ’ s necessary to understand it.
Dr. Schadt cofounded a nonpro” t organization dedicated to biological research using an open‐source sharing of data,
Sage Bionetworks . He deeply believes that sharing is the key to ” nding cures and creating drugs that will combat diseases.
And his company has millions of dollars worth of data from some of the major pharmaceutical companies to use to begin the
research. But by day, he ’ s the Chief Scienti” c Of” cer of a start‐up, Paci” c Biosciences (PacBio), whose technology helps
biologists look at individual molecules of DNA in real time. His job is to work on how to use this technology for PacBio and
to collaborate with others who want to use it for their research. So he travels a lot. But to do his research, he needs access to
the capacity of a supercomputer because the amount of data he needs to use for his research is very large.
With the use of the Web, Dr. Schadt is able to do his work anyplace. Planes are especially favored because he has
signi” cant uninterrupted time. According to one article about him,
He has the same access to supercomputers that every other American with an Internet connection and a credit card has. He
waits till the plane climbs to a cruising altitude, then when allowed to use electronic devices, he uses the plane ’ s WiFi to
get on Amazon .
Dr. Schadt is able to initiate a complex analysis of his data using Amazon ’ s services, which crunch the data while he # ies
across the country. When he lands, the analysis is done and he has the results. This would be equivalent to the computing
power of a scientist working on his company ’ s multimillion‐dollar supercomputer, but in this case, the cost is just a few
hundred dollars.
Companies like Amazon .com have become vendors of extreme computing power. Some have compared the amount of
computing power Dr. Schadt uses while # ying on an airplane to the amount of computing power available to a scientist at
major pharmaceutical companies that have multimillion‐dollar supercomputers. With services like the computing power
available in the cloud, Dr. Schadt may even have more power available to him than that scientist.
Discussion Questions
1. How would you describe the architecture Dr. Schadt uses to do his research?
2. What are the risks Dr. Schadt faces by using Amazon for his supercomputing? What are the benefits?
3. If you were advising a company trying to make a decision about using cloud computing for key business applications,
what would you advise and why?
Source: Adapted from Tom Junod , “ Adventures in Extreme Science ” (March 22, 2011 ), http://www.esquire.com/features/eric‐schadt‐
pro# le‐0411‐4 (accessed August 27, 2015) .
■ CASE STUDY 6‐2 The Case of Extreme Scientists
c06.indd 146 11/26/2015 7:23:21 PM
http://www.infoworld.com/d/enterprise%E2%80%90architecture/the%E2%80%902011%E2%80%90enterprise%E2%80%90architecture%E2%80%90awards%E2%80%90173372
http://www.esquire.com/features/eric%E2%80%90schadt%E2%80%90profile%E2%80%900411%E2%80%904
http://www.esquire.com/features/eric%E2%80%90schadt%E2%80%90profile%E2%80%900411%E2%80%904
http://www.esquire.com/features/eric%E2%80%90schadt%E2%80%90profile%E2%80%900411%E2%80%904
147
7
chapter
I nformation technology (IT) security is one of the top issues of concern to businesses—
hacked systems or stolen data can put a company out of business. General managers must
understand the basics to ensure continuance of operations. This chapter explores managing
security in # ve areas: strategy, infrastructure, policies, training, and investments. Lessons
from some of the largest and most well‐known breaches are covered as well as how they
occurred according to security experts. The chapter also discusses common tools that aim
to secure access, data storage, and data transmission to prevent these breaches and their
advantages and disadvantages. Policies general managers can implement to decrease risk
of security issues and economic damage are presented followed by a discussion of edu-
cation, training, and awareness issues.
Security
During lunchtime on June 6, 2015, a white van pulled in front of the U.S. Of” ce of Personnel
Management in Washington, D.C. A team of three expert hackers entered the front door, displaying
the credentials of three janitors who were bound and gagged back at their of” ce. As the hackers
stood at a supply room door next to a highly secure server room, the target of their attack, one
feigned having to crouch to tie his shoe, the other two stood in the way of the security cameras,
and the crouching bandit used a lock‐picking tool to gain access to the supply room. They ” gured
they had only a few minutes to clip a monitoring device to the network wires that led to the servers
containing security clearance information for millions of employees and past employees. The device
monitored electrical activity right through the insulation and transmitted it to the van.
The hackers closed and relocked the supply room door, exited the building, and re‐entered the
van just as the clock struck 1 p.m . The tallest of the three declared “right on schedule!” and set a
timer for 10 minutes. He tuned his laptop into the monitoring device and the other two did the same.
They watched communications to and from the server, waiting for an employee, any employee,
returning from lunch to log‐in. Monitoring was risky due to random sweeps for rogue wireless con-
nections, so after 10 minutes they would abort the mission.
The three typed frantically at their keyboards but nothing seemed to work for several agonizing
minutes. Ten seconds before their time was up, one of the perpetrators hastily wrote some computer
code and then smiled. He was just in time to reveal a log‐in conversation complete with password.
The hackers set the timer for another 10 minutes, which they had budgeted for the next phase.
The hackers searched frantically for large ” les that might contain the security clearance
information they were hired to obtain. One of them found a large ” le called “SecurClearRecs,” and
the three cursed when they saw that the ” le was larger than anticipated. They immediately typed
commands to upload the ” le through the Internet to a server in Shanghai, China. They kept one
eye on the building and the other eye on the red “progress bar” that indicated “5% complete” for
20 full seconds before it changed to “10% complete.” The time required for each 5% seemed to vary
widely; moving from 15% to 20% took almost an entire minute. They realized it would take the
entire 10 minutes they had allocated or more. They could almost hear their own pulses pounding as
c07.indd 147 11/26/2015 7:31:38 PM
148 Security
they anticipated the million dollar reward that awaited them if they were successful but also dreaded the fact that
their overall budgeted 20 minutes might not be quite enough. Maybe they could chance it and go just a little longer.
A few terror‐”lled minutes past the budgeted 20 minutes, at 90% complete, they saw a guard step outside of the
building and point at the van. Another of”cer joined him, and the pair started walking cautiously toward the van,
trying to talk into his radio. The hackers had wisely jammed police channel communications and #attened the patrol
cars’ tires, but they wanted to avoid physical contact as much as possible. Trouble was certain to loom ahead; one
of the of”cers turned to run back to the building. The tallest hacker jumped into the driver’s seat and started the van.
The hackers looked down at the progress bar, which said “99% complete,” just as an alarm sounded. The remaining
guard began running to the van. Four #at tires would mean a 10‐minute delay waiting for another of”cer from the
security “rm’s headquarters. The hackers waited 5 more seconds for “100% complete” and then screeched away to
a secluded clearing a one‐half mile away in the woods where a blue turbocharged Hyundai Sonata awaited them.
They pushed a red “self‐destruct” button in the van to start a timer, jumped in the Hyundai, and sped down back
roads as distant sirens blared and the van exploded. Two weeks later, on June 20, 2015, an article in Computerworld
stated that “The U.S. government still isn’t saying how much data it fears was stolen.”1
This story is notable for two reasons: (1) It is exactly the type of story that we would all imagine when hearing
about data breaches, largely thanks to big‐budget Hollywood movies. However, (2) the story is almost completely
false; the only true parts are that a large number of private security clearance “les were indeed stolen from the
Of”ce of Personnel Management, and the June 20 article in Computerworld did display the preceding quote.
If managers expect only such “urgent and frantic” physical attacks, they will focus their attention on the wrong
threats. It is important to learn the true story of this very real breach.
Governmental of”cials learned in May 2015 that at least 4 million records likely had been stolen several months
earlier. Subsequent estimates placed the number at 14 million records.2 The records contained much more than
names, addresses, and social security numbers of current and former employees, possibly as far back as the 1980s.
The 127‐page dossier for each person also included information on alcohol and drug use, “nancial, psychological,
employment, and criminal history as well as sensitive personal information about contacts and relatives. There
were even comments from acquaintances, which could include neighbors, enemies, and potential enemies of each
person.3 In short, according to the International Business Times, the stolen information was “invasive enough
to ruin potentially millions of American lives.”4 As a consequence, the Chairman of the U.S. House Oversight
Committee asked for the resignation of the person in charge, the Director of the Of”ce of Personnel Management.5
In reality, the following important issues are true for this case as well as many others:
1. The hackers were far away and did not need any physical contact or any escape plan.
2. They were able to spend an extended period of time—possibly over a year—to carry out their attack.6
3. It took the victim organization months to discover the breach, which enabled the hackers to cover their
tracks. In fact, a 2015 report from consulting “rm Mandiant revealed that the median time that it took in
2014 for “rms to detect a threat group’s presence was 205 days, and the maximum was a whopping 2,982
days (11 years).7
4. The hackers exploited a stolen password, likely obtained by various means described later in this chapter.
1 O’Connor, Fred, “Hackers Had Access to Security Clearance Data for a Year,” Computerworld (June 20, 2015), http://www.computerworld.com/
article/2938654/cybercrime‐hacking/hackers‐had‐access‐to‐security‐clearance‐data‐for‐a‐year.html (last accessed June 22, 2015).
2 Kim Zetter and Andy Greenberg, “Why the OPM Breach Is Such a Security and Privacy Debacle,” Wired (June 11, 2015), http://www.wired.
com/2015/06/opm‐breach‐security‐privacy‐debacle/ (accessed June 22, 2015).
3 Ibid.
4 Jeff Stone “Hacked US Security Clearances Are Giving Beijing Insanely Personal Information about American Citizens” (June 12, 2015), http://www.
ibtimes.com/hacked‐us‐security‐clearances‐are‐giving‐beijing‐insanely‐personal‐information‐about‐1964882 (last accessed August 25, 2015).
5 Erin Kelly, “House Oversight to OPM Chief: ‘Time for You to Go,’” In Brief (June 26, 2015), 2A.
6 “Blackmail Looms after Government Cyber Breaches,” WND.com (June 13, 2015). http://www.wnd.com/2015/06/blackmail‐looms‐after‐government‐
cyber‐breaches/ (accessed June 22, 2015).
7 “M‐Trends: A View from the Front Lines,” Fireeye.com, https://www2.fireeye.com/rs/fireye/images/rpt‐m‐trends‐2015 (last accessed June 24, 2015).
c07.indd 148 11/26/2015 7:31:39 PM
http://www.computerworld.com/article/2938654/cybercrime%E2%80%90hacking/hackers%E2%80%90had%E2%80%90access%E2%80%90to%E2%80%90security%E2%80%90clearance%E2%80%90data%E2%80%90for%E2%80%90a%E2%80%90year.html
http://www.wired.com/2015/06/opm%E2%80%90breach%E2%80%90security%E2%80%90privacy%E2%80%90debacle/%20
http://www.ibtimes.com/hacked%E2%80%90us%E2%80%90security%E2%80%90clearances%E2%80%90are%E2%80%90giving%E2%80%90beijing%E2%80%90insanely%E2%80%90personal%E2%80%90information%E2%80%90about%E2%80%901964882
http://www.wnd.com/2015/06/blackmail%E2%80%90looms%E2%80%90after%E2%80%90government%E2%80%90cyber%E2%80%90breaches
http://www.wnd.com/2015/06/blackmail%E2%80%90looms%E2%80%90after%E2%80%90government%E2%80%90cyber%E2%80%90breaches
http://www.wnd.com/2015/06/blackmail%E2%80%90looms%E2%80%90after%E2%80%90government%E2%80%90cyber%E2%80%90breaches
https://www2.fireeye.com/rs/fireye/images/rpt%E2%80%90m%E2%80%90trends%E2%80%902015
149IT Security Decision Framework
Many other “rms have been victimized, and hundreds of millions of records “lled with personal information
have been stolen just over the last two years. Security consulting “rm FireEye estimates that 97% of all “rms have
been breached.8 Managers must understand how large breaches occur to clarify the picture of what is going on out
in the wild frontier and to protect their own company from similar fates. Only when threats are more fully under-
stood can management begin to formulate and implement effective security plans.
IT Security Decision Framework
The “rst step on the road to an effective security plan is for management to adopt a broad view of security. This
can be done by establishing an information security strategy and then putting the infrastructure (tools) and policies
(tactics) in place that can help the organization realize its strategy. To round out the picture, users need to become
familiar with security, and investments need to be made. The whole security picture can be re#ected in “ve key
information security decisions. Understanding these decisions and who is responsible for them (that is, who has
the decision rights for them) is presented in Figure 7.1. We introduced decision rights in Chapter 3, and we use
the concept to illustrate appropriate roles of business and IT managers in making a company’s security decisions.
FIGURE 7.1 Key information security decisions.
Sources: Adapted from Yu Wu, “What Color is Your Archetype? Governance Patterns for Information Security,” (Ph.D. Dissertation,
University of Central Florida, 2007); Yu Wu and Carol Saunders, “Governing Information Security: Governance Domains and
Decision Rights Allocation Patterns,” Information Resources Management Journal 24, no. 1 (January–March 2011), 28–45.
Information
Security Decision
Who Is
Responsible
Rationale Major Symptoms of Improper
Decision Rights Allocation
Security Strategy Business leaders Business leaders have the knowledge
of the company’s strategies on which
security strategy should be based.
No detailed technical knowledge is
required.
Security is an afterthought and
patched on to processes and
products.
Infrastructure IT leaders (CISO) In‐depth technical knowledge and
expertise are needed.
There is a misspeci#cation of
security and network typologies or
a miscon#guration of infrastructure.
Technical security control is
ineffective.
Security Policy Shared: IT and
business leaders
Technical and security implications
of behaviors and processes need to
be analyzed, and trade‐offs between
security and productivity need to be
made. The particulars of a company’s IT
infrastructure need to be known.
Security policies are written based
on theory and generic templates.
They are unenforceable due to a
mis#t with the company’s speci#c IT
and users.
Security Education,
Training, and
Awareness
Shared: IT and
business leaders
Business buy in and understanding are
needed to design programs. Technical
expertise and knowledge of critical
security issues are needed to build them.
Users are insuf#ciently trained,
bypass security measures, or do
not know how to react properly
when security breaches occur.
Investments Shared: IT and
business leaders
They require #nancial (quantitative)
and qualitative evaluation of business
impacts of security investments.
A business case has to be presented for
rivaling projects. Infrastructure impacts of
funding decisions need to be evaluated.
Under‐ or overinvestment in
information security occurs.
The human or technical security
resources are insuf#cient or
wasted.
8 Bill Whitaker, “What Happens When You Swipe Your Card?” 60 Minutes (November 30, 2014), transcript, http://www.cbsnews.com/news/swiping‐
your‐credit‐card‐and‐hacking‐and‐cybercrime/ (accessed June 24, 2015).
c07.indd 149 11/26/2015 7:31:39 PM
http://www.cbsnews.com/news/swiping%E2%80%90your%E2%80%90credit%E2%80%90card%E2%80%90and%E2%80%90hacking%E2%80%90and%E2%80%90cybercrime
http://www.cbsnews.com/news/swiping%E2%80%90your%E2%80%90credit%E2%80%90card%E2%80%90and%E2%80%90hacking%E2%80%90and%E2%80%90cybercrime
http://www.cbsnews.com/news/swiping%E2%80%90your%E2%80%90credit%E2%80%90card%E2%80%90and%E2%80%90hacking%E2%80%90and%E2%80%90cybercrime
150 Security
1. Information security strategy: A company’s information security strategy is based on such IT principles as
protecting the con”dentiality of customer information, strict compliance with regulations, and maintain-
ing a security baseline that is above the industry benchmark. Security strategy is not a technical decision.
Rather, it should re#ect the company’s mission, overall strategy, business model, and business environment.
Deciding on the security strategy requires decision makers who are knowledgeable about the company’s
strategy and management systems. An organization’s information systems (IS) likely need to provide the
required technical input for supporting the decision.
2. Information security infrastructure: Information security infrastructure decisions involve selecting and
con”guring the right tools. Common objectives are to achieve consistency in protection, economies of
scale, and synergy among the components. Top business executives typically lack the experience or exper-
tise to make these decisions. For these reasons, corporate IT typically is responsible for managing the
dedicated security mechanisms and general IT infrastructure, such as enterprise network devices. Thus,
corporate IT should take the lead and make sure that the technology tools in the infrastructure are correctly
speci”ed and con”gured.
3. Information security policy: Security policies encourage standardization and integration. Following best
practices, they broadly de”ne the scope of and overall expectations for the company’s information security
program. From these security policies, lower‐level tactics are developed to control speci”c security areas
(e.g., Internet use, access control) and/or individual applications (e.g., payroll systems, telecom systems).
Policies must re#ect the delicate balance between the enhanced information security gained from follow-
ing them versus productivity losses and user inconvenience. As security attacks become more sophisti-
cated, obeying security measures to de#ect those attacks places cognitive demands on users. For example,
they may need a different password for every account, and these passwords must often be long and hard to
remember because they must have special characters. Productivity of users is often sacri”ced when they
have to come up with new passwords every month or when they have to spend time judging the legitimacy
of dozens of e‐mails each day. Not surprisingly, both IT and business perspectives are important in setting
policies. Business users must be able to say what they want from the information security program and
how they expect the security function to support their business activities. On the other hand, IT leaders
should be consulted for two reasons: (1) their judgment prevents unrealistic goals for standardization and
integration and (2) policy decisions require the ability to analyze the technical and security implications of
user behaviors and business processes. If either users or IT leaders are not consulted, unenforceable pol-
icies will probably result.
4. Information security education, training, and awareness (SETA): It is very important to make business
users aware of security policies and practices and to provide information security education, training,
and awareness (SETA). Training and awareness programs build a security‐conscious culture. To promote
effectiveness and post‐training retention, training and awareness programs must be linked to the unique
requirements of individual business processes. Business user participation in planning and implementing
training and awareness programs helps gain acceptance of security initiatives. However, IT security person-
nel are in the best position to know critical issues. Thus, both IT security managers and business users must
be actively involved in planning SETA activities.
5. Information security investments: The fear, uncertainty, and doubt (“FUD”) factor once was all that was
needed to get top management to invest in information security. As information security becomes a routine
concern in daily operations, security managers increasingly must justify their budget requests “nancially.
But it is dif”cult to show how important security is until there has been a breach—and even then it is hard to
put a dollar amount on the value of security. As when determining business needs, different units within the
company may have rival or con#icting “wish lists” for information security‐related purchases that bene”t
their unique needs. The IS organization also should have a signi”cant say in these decisions because it is in
the best position to assess whether and how the investments may “t with the company’s current IT infra-
structure and application portfolio. Thus, both IT and business leaders should participate in investment and
prioritization decisions. One way to ensure this joint participation is to use executive committees/councils
c07.indd 150 11/26/2015 7:31:39 PM
151Breaches and How They Occurred
composed of business and IT executives, such as the IT steering committee and budget committee, with the
CIO having overlapping memberships in both. These committees are where IT and business leaders make
business cases for their proposed investments and debate the merit and priorities of the investments. These
decisions about the appropriate level of investment are made with the company’s best interests in mind.
Breaches and How They Occurred
In 2013 and 2014, before the Of”ce of Personnel Management’s attack, the most famous breaches in”ltrated the
systems at EBay (twice), Target, Home Depot, and Anthem Blue Cross. See Figure 7.2 for the magnitude and cause
of each breach.
Password Breaches
It is important to emphasize the damage that can be done by password breaches. As the following descriptions
indicate, trusting and trustworthy users might have no idea they are opening a security hole by clicking on an
attachment, using public WiFi, or following a link to an authentic‐looking site. Executives should not believe that
employees who use their personal laptops away from the of”ce are harmless to the “rm. When employees whose
systems are infected log onto work e‐mail systems or intranets, a hacker can gain access to the “rm.
60 Minutes reported in 2015 that 80% of breaches are conducted by stealing a password.9 There are many ways
to steal a person’s password. One common method is to conduct a successful phishing attack,10 which sends
a person a counterfeit e‐mail that purports to be from a known entity. The e‐mail includes either a virus‐laden
FIGURE 7.2 Well‐known breaches, what was stolen, and how.
Date Detected Company What Was Stolen How
November 2013 Target 40 million debit and credit card account
numbersa
Contractor’s opening of an
e-mail attachment containing a
virus, revealing a passwordb
May 2014 EBay #1 145 million user names, e‐mails, physical
addresses, phone numbers, birth dates,
encrypted passwordsc
Obtaining an employee’s
passwordd
September 2014 EBay #2 Small but unknown Cross‐site scripting
September 2014 Home Depot 56 million credit card numbers
53 million e-mail addresses
Obtaining a vendor’s password
and exploiting an operating
system’s vulnerabilitye
January 2015 Anthem Blue Cross 80 million names, birthdays, e‐mails,
social security numbers, addresses, and
employment data (including income)f
Obtaining passwords of at least
#ve high‐level employeesg
a Brian Krebs, “Target Hackers Broke in Via HVAC Company,” Krebs on Security (February 14, 2014), http://krebsonsecurity.com/2014/02/target‐hackers‐broke‐in‐
via‐hvac‐company/ (accessed June 22, 2015).
b Brian Krebs, “Home Depot: Hackers Stole 53M Email Addresses,” Krebs on Security (November 14, 2014), http://krebsonsecurity.com/2014/11/home‐depot‐
hackers‐stole‐53m‐email‐addreses/ (accessed June 28, 2015).
c Andy Greenberg, “EBay Demonstrates How Not to Respond to a Huge Data Breach, Wired (May 23, 2014), http://www.wired.com/2014/05/ebay‐demonstrates‐
how‐not‐to‐respond‐to‐a‐huge‐data‐breach/(accessed June 22, 2015).
d Bill Whitaker, “What Happens When You Swipe Your Card?” 60 Minutes (November 30, 2014), transcript, http://www.cbsnews.com/news/swiping‐your‐credit‐
card‐and‐hacking‐and‐cybercrime/ (accessed June 24, 2015).
e Ashley Carman, “Windows Vulnerability Identi#ed as Root Cause in Home Depot breach,” SC Magazine (November 10, 2014), http://www.scmagazine.com/
home‐depot‐breach‐caused‐by‐windows‐vulnerability/article/382450/ (accessed June 28, 2015).
f Michael Hiltzik, “Anthem Is Warning Consumers about Its Huge Data Breach. Here’s a Translation,” LA Times (March 6, 2015), http://www.latimes.com/business/
hiltzik/la‐#‐mh‐anthem‐is‐warning‐consumers‐20150306‐column.html#page=1 (accessed June 28, 2015).
g Ibid.
9 Ibid.
10 Brian Honan, “Reactions to the EBay Breach,” http://www.net‐security.org/secworld.php?id=16905 (accessed June 22, 2015).
c07.indd 151 11/26/2015 7:31:39 PM
http://krebsonsecurity.com/2014/02/target%E2%80%90hackers%E2%80%90broke%E2%80%90in%E2%80%90via%E2%80%90hvac%E2%80%90company
http://krebsonsecurity.com/2014/02/target%E2%80%90hackers%E2%80%90broke%E2%80%90in%E2%80%90via%E2%80%90hvac%E2%80%90company
http://krebsonsecurity.com/2014/02/target%E2%80%90hackers%E2%80%90broke%E2%80%90in%E2%80%90via%E2%80%90hvac%E2%80%90company
http://krebsonsecurity.com/2014/11/home%E2%80%90depot%E2%80%90hackers%E2%80%90stole%E2%80%9053m%E2%80%90email%E2%80%90addreses
http://krebsonsecurity.com/2014/11/home%E2%80%90depot%E2%80%90hackers%E2%80%90stole%E2%80%9053m%E2%80%90email%E2%80%90addreses
http://krebsonsecurity.com/2014/11/home%E2%80%90depot%E2%80%90hackers%E2%80%90stole%E2%80%9053m%E2%80%90email%E2%80%90addreses
http://www.wired.com/2014/05/ebay%E2%80%90demonstrates%E2%80%90how%E2%80%90not%E2%80%90to%E2%80%90respond%E2%80%90to%E2%80%90a%E2%80%90huge%E2%80%90data%E2%80%90breach%00%00
http://www.wired.com/2014/05/ebay%E2%80%90demonstrates%E2%80%90how%E2%80%90not%E2%80%90to%E2%80%90respond%E2%80%90to%E2%80%90a%E2%80%90huge%E2%80%90data%E2%80%90breach%00%00
http://www.wired.com/2014/05/ebay%E2%80%90demonstrates%E2%80%90how%E2%80%90not%E2%80%90to%E2%80%90respond%E2%80%90to%E2%80%90a%E2%80%90huge%E2%80%90data%E2%80%90breach%00%00
http://www.cbsnews.com/news/swiping%E2%80%90your%E2%80%90credit%E2%80%90card%E2%80%90and%E2%80%90hacking%E2%80%90and%E2%80%90cybercrime
http://www.cbsnews.com/news/swiping%E2%80%90your%E2%80%90credit%E2%80%90card%E2%80%90and%E2%80%90hacking%E2%80%90and%E2%80%90cybercrime
http://www.cbsnews.com/news/swiping%E2%80%90your%E2%80%90credit%E2%80%90card%E2%80%90and%E2%80%90hacking%E2%80%90and%E2%80%90cybercrime
http://www.scmagazine.com
http://www.latimes.com/business/hiltzik/la%E2%80%90fi%E2%80%90mh%E2%80%90anthem%E2%80%90is%E2%80%90warning%E2%80%90consumers%E2%80%9020150306%E2%80%90column.html%23page=1
http://www.net%E2%80%90security.org/secworld.php?id=16905
152 Security
attachment or a link that invites the user to click and visit a page to either solve a problem or accomplish a task (as
described in detail at the end of this chapter).
The only limit is the phisher’s imagination to create a scenario that would motivate a user to click on a link. The
attachment or link in a phishing message often initiates a key logger, or software that traps keystrokes and stores
them for hackers to inspect later. A key logger can even be hidden on a thumb drive plugged into a public computer
in a hotel’s business center. A key logger might also be triggered by visiting an unfamiliar Web site. Just by click-
ing on a search result, a user might inadvertently download and install the key logging software. Asking the user to
log‐in will reveal his or her user name and password, opening a world of opportunity for the hacker.
Another way to obtain a password is simply to guess it. Experts warn that large breaches can be caused by using
a weak password, such as “123456,” which, incredibly, won again as the most common password of all in 2014.11
Passwords can be troublesome. Creating a strong password that cannot be guessed results in a hard‐to‐remember
string of nonsense characters. The name of a hometown, a team, an employer, or a family member would be among
the “rst guesses of a hacker. Also, even if it is dif”cult to guess, many people use the same password for multiple
purposes, and if one account is breached, all of their other accounts are then wide open. It is challenging to keep
track of dif”cult passwords that are different for every account. Tools such as LastPass, Dashlane, and Sticky
Password allow access with one password to a set of highly complex and impossible‐to‐remember passwords
synchronized across Windows and Mac computers as well as Android and iOS smartphones.12
Yet another way to open a “rm to a large breach is for employees to use an unsecured network at a coffee shop,
hotel, or airport.13 Many users do not realize that, even if the network’s name matches the coffee shop’s name,
someone in the shop might have set up a so‐called evil twin connection WiFi connection and that all incoming
and outgoing Internet traf”c becomes routed through the perpetrator’s system. Without the proper tools or training,
most users can’t validate a public WiFi connection. Once connected, the unwitting users’ keystrokes, including
their user names and passwords, are captured as they shop online, do Internet banking, or log into their company’s
intranet site.14 The only solution might be for companies to establish policies forbidding their employees to use
public WiFi and use their smartphones as their PC’s sole Internet connection even when tempted by free WiFi in
public places.
Other Attack Approaches
Cross‐Site Scripting
As shown in Figure 7.2, a second EBay breach is another important attack for management to understand. It was
discovered in September 2014 by an astute user who nagged EBay to “x the problem for over a year.15 He even
created a surprising YouTube video to show how it worked.16 The damage is unclear, affecting only the users who
clicked on one particular search result that was eventually removed. However, the cause is clear in this case:17
cross‐site scripting (XSS), which involves booby traps that appear to lead users to their goal, but in reality, they
lead to a fraudulent site that requires a log‐in. EBay permits users to install some computer code in their listings to
make their items in EBay search results grab shoppers’ attention. It is intended to allow animation in listings, but
malicious code was inserted instead, designed for a nefarious purpose: to alter the listing’s address to point to a
bogus log‐in screen. Users assumed they needed to log‐in once again for security purposes, but in reality everyone
who “logged‐in” that second time provided the crooks with user names and passwords.
11 Jamie Condliff, “The 25 Most Popular Passwords of 2014: We’re All Doomed,” Gizmodo (January 20, 2015), http://gizmodo.com/the‐25‐most‐
popular‐passwords‐of‐2014‐were‐all‐doomed‐1680596951 (accessed June 22, 2015).
12 Neil J. Rubenking. “The Best Password Managers for 2015,” PC Magazine (June 2, 2015), http://www.pcmag.com/article2/0,2817,2407168,00.asp
(accessed June 25, 2015).
13 Sergio Galindo. “Reactions to the EBay breach,” http://www.net‐security.org/secworld.php?id=16905 (accessed June 22, 2015).
14 Andrew Smith, “Strange Wi‐Fi Spots May Harbor Hackers: ID Thieves May Lurk Behind a Hot Spot with a Friendly Name,” Dallas Morning News
(May 9, 2007), http://cloud‐computing.tmcnet.com/news/2007/05/09/2597106.htm (accessed August 25, 2015).
15 Chris Brook, “A Year Later, XSS Vulnerability Still Exists in EBay,” Threatpost (April 29, 2015), https://threatpost.com/a‐year‐later‐xss‐vulnerability‐
still‐exists‐in‐ebay/112493 (accessed August 27, 2015).
16 Paul Kerr, “Ebay Hacked Proof!” (September 16, 2014), https://www.youtube.com/watch?v=WT5TG_LvZz4&feature=youtu.be (accessed June 22, 2015).
17 Phil Muncaster, “EBay Under Fire After Cross‐Site Scripting Attack,” Infosecurity (undated), http://www.infosecurity‐magazine.com/news/ebay‐
under‐fire‐after‐cross‐site/ (accessed June 22, 2015).
c07.indd 152 11/26/2015 7:31:39 PM
http://gizmodo.com/the%E2%80%9025%E2%80%90most%E2%80%90popular%E2%80%90passwords%E2%80%90of%E2%80%902014%E2%80%90were%E2%80%90all%E2%80%90doomed%E2%80%901680596951
http://gizmodo.com/the%E2%80%9025%E2%80%90most%E2%80%90popular%E2%80%90passwords%E2%80%90of%E2%80%902014%E2%80%90were%E2%80%90all%E2%80%90doomed%E2%80%901680596951
http://gizmodo.com/the%E2%80%9025%E2%80%90most%E2%80%90popular%E2%80%90passwords%E2%80%90of%E2%80%902014%E2%80%90were%E2%80%90all%E2%80%90doomed%E2%80%901680596951
http://www.pcmag.com/article2/0,2817,2407168,00.asp
http://www.net%E2%80%90security.org/secworld.php?id=16905
http://cloud%E2%80%90computing.tmcnet.com/news/2007/05/09/2597106.htm
https://threatpost.com/a%E2%80%90year%E2%80%90later%E2%80%90xss%E2%80%90vulnerability%E2%80%90still%E2%80%90exists%E2%80%90in%E2%80%90ebay/112493
https://threatpost.com/a%E2%80%90year%E2%80%90later%E2%80%90xss%E2%80%90vulnerability%E2%80%90still%E2%80%90exists%E2%80%90in%E2%80%90ebay/112493
https://threatpost.com/a%E2%80%90year%E2%80%90later%E2%80%90xss%E2%80%90vulnerability%E2%80%90still%E2%80%90exists%E2%80%90in%E2%80%90ebay/112493
http://www.infosecurity%E2%80%90magazine.com/news/ebay%E2%80%90under%E2%80%90fire%E2%80%90after%E2%80%90cross%E2%80%90site
http://www.infosecurity%E2%80%90magazine.com/news/ebay%E2%80%90under%E2%80%90fire%E2%80%90after%E2%80%90cross%E2%80%90site
http://www.infosecurity%E2%80%90magazine.com/news/ebay%E2%80%90under%E2%80%90fire%E2%80%90after%E2%80%90cross%E2%80%90site
153Breaches and How They Occurred
Third Parties
Several breaches have involved third parties. The Target attackers broke into the network using credentials stolen
from a heating, ventilation, and air conditioning (HVAC) contractor and installed malware on the retail sales
system. The malware captured and copied the magnetic stripe card data right from the computer’s memory before
the system could encrypt and store it. Why would an HVAC contractor have access? Security expert and blog-
ger Brian Krebs reports that it is common for large retailers to install on their systems temperature and energy‐
monitoring software provided by contractors. HVAC companies need to update and maintain their software, and
are given access to their main systems so they don’t have to endure delays in those updates. Access to the retailing
system enabled the malware to spread to a majority of Target’s cash registers, collecting information from debit and
credit cards and sending it to various drop points in Miami and Brazil to be picked up later by hackers in Eastern
Europe and Russia.18
Home Depot’s story echoed that of Target from a year earlier. Logon credentials were stolen from a vendor
that had access to Home Depot’s system, and the same malware was unleashed to cash registers. Target’s story
motivated Home Depot to update its system but the attack occurred before the company could complete all of the
improvements.19
The attack at Anthem Blue Cross demonstrates that stealing high‐level user names and passwords can pro-
vide quick access to large and important “les. Target and Home Depot hackers had to wait until transactions were
recorded to gain valuable information, which takes several days. But at Anthem, being able to download important
employment and identity information from 80 million people at one pass was easy with the high‐level passwords.
Log‐in credentials of lower‐level employees would involve transaction‐by‐transaction data collection. Therefore,
log‐in accounts of executives need special attention, and their activities should be monitored regularly.
System Logs and Alerts
Early news reports of Target’s hack outraged customers when it was revealed that the newly installed, state‐of‐the‐
art $1.6 million security system detected what was going on. It sent several warnings to the IT department, even
before the “rst “les were transferred, but those alerts were unheeded.20 However, some security experts explain that
there are perhaps hundreds of generic alerts each day, and it is dif”cult to follow up on every one. One expert was
quoted aptly: “it is completely understandable how this happened.”21
The Cost of Breaches
A Ponemon study places the cost of a data breach in 2015 to be at an all‐time high, between $145 and $154 per each
lost or stolen record containing sensitive information.22 If a breach exposes 100 million records, the costs could
escalate to about $15 billion. Many “rms facing such costs would be put in serious jeopardy. The Target breach cost
$61 million in just two months,23 $162 million a year later,24 and potentially billions of dollars in damage control
over the long run.25 The CIO resigned, fourth quarter pro”t fell 46%, and revenue declined 5.3%.26 The Home Depot
18 Brian Krebs, “Target Hackers Broke in Via HVAC Company,” Krebs on Security (February 14, 2014), http://krebsonsecurity.com/2014/02/target‐
hackers‐broke‐in‐via‐hvac‐company/ (accessed June 22, 2015).
19 Shelly Banjo, “Home Depot Hackers Exposed 53 Million Email Addresses,” The Wall Street Journal (November 6, 2014), http://www.wsj.com/
articles/home‐depot‐hackers‐used‐password‐stolen‐from‐vendor‐1415309282 (accessed June 22, 2015).
20 Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew
It,” Bloomberg Business (March 13, 2014), http://www.bloomberg.com/bw/articles/2014‐03‐13/target‐missed‐alarms‐in‐epic‐hack‐of‐credit‐card‐data
(accessed August 25, 2015).
21 Joel Christie, “Target Ignored High‐Tech Security Sirens Warning Them of a Data Hack Operation BEFORE Cyber‐Criminals in Russia Made Off
with 40 Million Stolen Credit Cards,” http://www.dailymail.co.uk/news/article‐2581314/Target‐ignored‐high‐tech‐security‐sirens‐warning‐data‐hack‐
operation‐BEFORE‐cyber‐criminals‐Russia‐40‐million‐stolen‐credit‐cards.html (last accessed June 24, 2015).
22 Ponemon Institute, “2015 Cost of Data Breach Study,” IBM, http://www‐03.ibm.com/security/data‐breach/ (accessed June 23, 2015).
23 Riley, Elgin, Lawrence, and Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers.”
24 PYMNTS@pymnts, “How Much Did the Target, Home Depot Breaches Really Cost?” PYMNTS.com (February 26, 2015), http://www.pymnts.com/
news/2015/target‐home‐depot‐reveal‐full‐breach‐costs/#.VYr_6EZZV34 (accessed June 24, 2015).
25 Christie, “Target Ignored High‐Tech Security Sirens.”
26 Associated Press. “Target’s Tech Boss Resigns as Retailer Overhauls Security in Wake of Massive Payment Card Breach,” Financial Post (March 5,
2014), http://business.financialpost.com/fp‐tech‐desk/cio/target‐cio‐resigns?__lsa=011c‐8001 (accessed August 27, 2015).
c07.indd 153 11/26/2015 7:31:39 PM
http://krebsonsecurity.com/2014/02/target%E2%80%90hackers%E2%80%90broke%E2%80%90in%E2%80%90via%E2%80%90hvac%E2%80%90company
http://krebsonsecurity.com/2014/02/target%E2%80%90hackers%E2%80%90broke%E2%80%90in%E2%80%90via%E2%80%90hvac%E2%80%90company
http://krebsonsecurity.com/2014/02/target%E2%80%90hackers%E2%80%90broke%E2%80%90in%E2%80%90via%E2%80%90hvac%E2%80%90company
http://www.wsj.com
http://www.bloomberg.com/bw/articles/2014%E2%80%9003%E2%80%9013/target%E2%80%90missed%E2%80%90alarms%E2%80%90in%E2%80%90epic%E2%80%90hack%E2%80%90of%E2%80%90credit%E2%80%90card%E2%80%90data
http://www.dailymail.co.uk/news/article%E2%80%902581314/Target%E2%80%90ignored%E2%80%90high%E2%80%90tech%E2%80%90security%E2%80%90sirens%E2%80%90warning%E2%80%90data%E2%80%90hack%E2%80%90operation%E2%80%90BEFORE%E2%80%90cyber%E2%80%90criminals%E2%80%90Rus
http://www.dailymail.co.uk/news/article%E2%80%902581314/Target%E2%80%90ignored%E2%80%90high%E2%80%90tech%E2%80%90security%E2%80%90sirens%E2%80%90warning%E2%80%90data%E2%80%90hack%E2%80%90operation%E2%80%90BEFORE%E2%80%90cyber%E2%80%90criminals%E2%80%90Rus
http://www.dailymail.co.uk/news/article%E2%80%902581314/Target%E2%80%90ignored%E2%80%90high%E2%80%90tech%E2%80%90security%E2%80%90sirens%E2%80%90warning%E2%80%90data%E2%80%90hack%E2%80%90operation%E2%80%90BEFORE%E2%80%90cyber%E2%80%90criminals%E2%80%90Rus
http://www%E2%80%9003.ibm.com/security/data%E2%80%90breach
http://www.pymnts.comnews/2015/target%E2%80%90home%E2%80%90depot%E2%80%90reveal%E2%80%90full%E2%80%90breach%E2%80%90costs/%23.VYr_6EZZV34%20
http://business.financialpost.com/fp%E2%80%90tech%E2%80%90desk/cio/target%E2%80%90cio%E2%80%90resigns?__lsa=011c%E2%80%908001
154 Security
breach cost $33 million (after insurance proceeds of $30 million reduced the initial outlays of $63 million),27 and
the company’s stock price fell 2.1% the day after the breach was announced.28 Sales were not affected, however,
which might indicate that customers have become numb to these announcements.29
The Impossibility of 100% Security
To obtain 100% security for an organization, a “rst step would be to list all of the potential threats, and the second
step would be to obtain tools that would guard against them. However, as in our personal lives, the challenge would
be overwhelming and the solution untenable. To keep ourselves completely safe and injury free, we would need
thick steel walls and air bags around us not only when we drive but also when we run, walk, and even just sit at
home. We would avoid germs by spraying disinfectants on all surfaces, including our own skin before touching
anything. But paradoxes exist that make it impossible to be completely safe: We would want to be high on a hill to
avoid #oods but low in a valley to avoid lightning strikes—an impossible paradox. We learn quickly that it is per-
haps impossible to be 100% safe, 24/7.
Likewise, data stored in a “rm would be easier to protect if they would just “stay still” as well and not be
connected to the Internet. Although some paradoxes exist in locating the data, the security closest to 100% would
be to place them in a remote area, removed from Internet access, and under several locks without any keys at all. In
short, the closest we can get to perfect safety is to make data inaccessible. But this is not feasible.
Just as we accept some degree of risk to our safety even when we move from the living room to the kitchen,
management must accept some level of risk as well when it makes any part of its treasure trove of data accessible
to even a single person inside or outside an organization. Wider data accessibility entails great risk.
Back in 1995, the late L. Dain Gary, former manager of the U.S. Computer Emergency Response Team (CERT)
in Pittsburgh appeared on an episode of 60 Minutes and let the public in on a unpleasant fact with a sobering state-
ment: “You cannot make a computer secure. You can reduce the risk, but you can’t guarantee security.”30 Because of
the futility of seeking 100% security, many companies take out insurance policies to mitigate the “nancial impacts
of a breach. It is important to also consider the so‐called “Poulsen’s law” that states that information is secure when
it costs more to get it than it’s worth.31 This is a good rule to remember, and the role of management is to work with
the IT function to make it harder to break in than it is worth.
And stolen information is worth a lot. A security expert reported that in 2014, stolen credit cards sold for bet-
ween $1 and $50 each, depending on the type of card (e.g., platinum, silver, suggesting its credit limit) and expira-
tion date. Of the 40 million Target credit card numbers stolen, about 2 million (5%) were sold at an average price
of $20, yielding $4 million to the hackers. A member of a street gang who bought one of those credit cards for $20
was likely to yield $400 in purchases of gift cards and electronics.32
Further, a complete identity‐theft “kit” containing not only a card but social security number and medical
information is worth far more—between $100 and $1,000 each on the black market.33 The value is high because
identity‐theft information can be used to open new credit cards again and again, generating quite a bit of revenue.
The hackers do not keep stolen credit cards or identity theft information for their own use, given the stagger-
ing volume they acquire. They quickly sell them online to others all over the world who use them before they are
27 PYMNTS@pymnts, “How Much Did the Target, Home Depot Breaches Really Cost?”
28 Hiroko Tabuchi, “Home Depot Posts a Strong 3rd Quarter Despite a Data Breach Disclosure,” The New York Times (November 18, 2014), http://www.
nytimes.com/2014/11/19/business/home‐depot‐reports‐strong‐third‐quarter‐growth‐despite‐data‐breach‐disclosure.html (accessed June 23, 2015).
29 Anne D’Innocenzio, “4 Reasons Shoppers Will Shrug Off Home Depot Hack,” USA Today (September 11, 2014), http://www.usatoday.com/story/
money/business/2014/09/11/4‐reasons‐shoppers‐will‐shrug‐off‐home‐depot‐hack/15460461/ (accessed June 23, 2015).
30 60 Minutes, “E‐Systems” (February 26, 1995).
31 “Anything Made by a Man Can Be Hacked,” DSL Reports (March 6, 2006), http://www.dslreports.com/forum/remark,15623829 (accessed September
15, 2015).
32 Whitaker, “What Happens When You Swipe Your Card?”
33 Tim Greene, “Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers,” Networkworld (February 6, 2015), http://www.
networkworld.com/article/2880366/security0/anthem‐hack‐personal‐data‐stolen‐sells‐for‐10x‐price‐of‐stolen‐credit‐card‐numbers.html (accessed June
24, 2015).
c07.indd 154 11/26/2015 7:31:39 PM
http://www.nytimes.com/2014/11/19/business/home%E2%80%90depot%E2%80%90reports%E2%80%90strong%E2%80%90third%E2%80%90quarter%E2%80%90growth%E2%80%90despite%E2%80%90data%E2%80%90breach%E2%80%90disclosure.html%20
http://www.usatoday.com/story/money/business/2014/09/11/4%E2%80%90reasons%E2%80%90shoppers%E2%80%90will%E2%80%90shrug%E2%80%90off%E2%80%90home%E2%80%90depot%E2%80%90hack/15460461
http://www.dslreports.com/forum/remark
http://www.networkworld.com/article/2880366/security0/anthem%E2%80%90hack%E2%80%90personal%E2%80%90data%E2%80%90stolen%E2%80%90sells%E2%80%90for%E2%80%9010x%E2%80%90price%E2%80%90of%E2%80%90stolen%E2%80%90credit%E2%80%90card%E2%80%90numbers.html
155What Should Management Do?
reported as stolen. Those cards even come with a return policy in case they are declined, because the black market
shops need to maintain their reputations. However, the guarantees come with a warning that they run out after only
a few hours.34
One “nal discouraging word is important. A study by the Software Engineering Institute in 2002 revealed that
over time, the knowledge needed by an intruder for an attack reached an all‐time low whereas the potential impact
of the intruders’ attack reached an all‐time high.35 The intruders’ tools have not only become more sophisticated
but also have actually become user friendly. Automated tools can be purchased on the Deep Web, which is a part
of the Internet that is reputed to be 400 times larger than the public Web. The Deep Web includes unindexed Web
sites that are accessible only by a browser named “Tor,” which guarantees anonymity and provides access to sites
offering both legal and illegal items. Examples of illegal items offered are passports, citizenship, and even murders
for hire.36 Also for sale are tools that can scan for vulnerable systems, exploit the weaknesses found, and even gen-
erate viruses. Payment could reach hundreds of thousands of dollars, usually made through Bitcoin, an electronic
currency that is dif”cult to track.
The outlook is certainly grim, but some of the clues in the stories told here can provide some prescriptions for
management.
What Should Management Do?
Five critical elements to build security described earlier include security strategy, infrastructure, policies, training,
and investments. Security strategy needs to come “rst, and top management must determine the general strategy as
well as investments that are needed. Infrastructure, policy, and training decisions have to be made in more detail,
and these three areas will now be discussed. Fortunately, general managers can easily understand key issues for
each of these elements and participate fully in design and implementation of the resulting security plans.
Infrastructure
Hackers have signi”cant tools to breach security barriers as previously described. In this rapidly escalating cyber
war, management must use its own set of technologies and specialists to reduce risk and increase security. Many
“rms employ a chief information security of”cer (CISO), described in Chapter 8, to keep abreast of new threats that
emerge and manage the policies and education necessary to reduce risk. In other “rms, this responsibility falls to
the CIO or simply the facilities security staff. Even with specialists, managers need to have a broad understanding
of these tools to communicate effectively with them.
Tools can be divided into two categories: those that provide protection from access by undesired intruders and
those that provide protection for storage and transmission. See Figure 7.3 for a list of common system tools to pre-
vent access and their advantages and disadvantages and Figure 7.4 for a list of common storage and transmission
tools and their advantages and disadvantages.
Passwords are by far the most popular security tool even though they have proven to be the cause of most
breaches. Some security specialists claim that passwords are obsolete and should be discontinued.37 Also, all access
protection tools have the disadvantage of requiring an additional access method if it fails. For instance, because
users often forget a password, “rms need to make additional investments to create an automated resetting mecha-
nism through an alternate method, such as an e‐mail to a known address or a text message to a mobile phone.
34 Aaron Sankin, “Inside the Black Markets for Your Stolen Credit Cards,” The Kernel (September 28, 2014), http://kernelmag.dailydot.com/issue‐
sections/features‐issue‐sections/10362/inside‐the‐black‐markets‐for‐your‐stolen‐credit‐cards/ (accessed August 27, 2015).
35 Howard F. Lipson, “Tracking and Tracing Cyber‐Attacks: Technical Challenges and Global Policy Issues,” Special Report CMU/SEI‐2002‐SR‐009,
http://www.sei.cmu.edu/reports/02sr009 (accessed August 27, 2015).
36 Nyshka Chandran, “From Drugs to Killers: Exploring the Deep Web,” CNBC Technology (June, 2015), http://www.cnbc.com/id/102782903 (accessed
June 25, 2015).
37 Justin Balthrop, “Passwords Are Obsolete,” Medium.com (April 12, 2014), https://medium.com/@ninjudd/passwords‐are‐obsolete‐9ed56d483eb
(accessed June 24, 2015).
c07.indd 155 11/26/2015 7:31:39 PM
http://kernelmag.dailydot.com/issue%E2%80%90sections/features%E2%80%90issue%E2%80%90sections/10362/inside%E2%80%90the%E2%80%90black%E2%80%90markets%E2%80%90for%E2%80%90your%E2%80%90stolen%E2%80%90credit%E2%80%90cards
http://kernelmag.dailydot.com/issue%E2%80%90sections/features%E2%80%90issue%E2%80%90sections/10362/inside%E2%80%90the%E2%80%90black%E2%80%90markets%E2%80%90for%E2%80%90your%E2%80%90stolen%E2%80%90credit%E2%80%90cards
http://kernelmag.dailydot.com/issue%E2%80%90sections/features%E2%80%90issue%E2%80%90sections/10362/inside%E2%80%90the%E2%80%90black%E2%80%90markets%E2%80%90for%E2%80%90your%E2%80%90stolen%E2%80%90credit%E2%80%90cards
http://www.sei.cmu.edu/reports/02sr009
http://www.cnbc.com/id/102782903
https://medium.com/@ninjudd/passwords%E2%80%90are%E2%80%90obsolete%E2%80%909ed56d483eb
156 Security
FIGURE 7.3 Common system access security tools and their advantages and disadvantages.
Access Tool Concept Ubiquity Notable Advantages Notable Disadvantages
Physical locks Physically protect
computing
resources
Very high • They are excellent as
long as the lock is highly
secure and guarded
• Few criminals can access
physical devices
• Many popular locks can be
picked with tools sold online
• Most information resources do
not require physical access
• Users often lose keys or
combinations
Passwords Invent a set of
characters known
only by the user
Very high • They have very high
acceptance and
familiarity
• They are easy to use
unless forgotten
• Mature best practices
replace forgotten
passwords (no longer a
need to call the help line
to reset)
• They prove to be poor by
themselves
• They are sometimes forgotten
• They are sometimes derived
from key loggers or social
engineering
• They can be guessed by “brute
force” software
Biometrics Scan a body
characteristic, such
as #ngerprint,
voice, iris, head, or
hand geometry
Medium
overall;
popularized
by iPhone
• It is somewhat better than
passwords
• It can be very reliable
(e.g., iris scanning)
• It cannot be forgotten
• It cannot be derived from
key loggers or social
engineering
• It can be quite
inexpensive (e.g.,
voice, #ngerprint)
• It can present false positives
and false negatives (e.g., voice;
facial recognition)
• It can be relatively expensive
and intrusive techniques (e.g.,
iris scanning)
• It is possible to change
characteristics over time,
such as voice
• It can result in lost limbs
• It can create “loopholes” such
as using a photo of a face or
#ngerprint on paper
Challenge
questions
Prompt with a
follow‐up question
such as “model of
#rst car?”
Medium
overall;
very high in
banking
• The answers are usually
not forgotten
• Shuf$ing through several
different questions can
enhance security
• Some answers can be derived
from social network sites
• Some answers can be derived
by those who know the user
• Spelling inconsistencies can be
a nuisance
Token Use small
electronic
device that
generates a new
supplementary
passkey at
frequent intervals
Low overall;
very high in
highly secure
environments
• Even if passkey is stolen,
the system is still secure
when the passkey
changes
• Access requires physical
possession of token device
• If the device is lost, access is
lost until a new one is obtained
• Alternative access control (e.g.,
password) is essential if token
device is stolen
Text message Send a text
message with a
passkey
Medium • Even if a password is
stolen, the system is still
secure
• Mobile phone saturation
is very high; no additional
equipment is needed
• It is very useful when
password is forgotten
• It requires mobile phone from
all users
• Home phone option requires
text to speech hardware/
software
• Alternative access control (e.g.,
password) is essential if mobile
device is stolen
c07.indd 156 11/26/2015 7:31:39 PM
157What Should Management Do?
FIGURE 7.4 Common storage and transmission security tools.
FIGURE 7.3 (Continued)
Access Tool Concept Ubiquity Notable Advantages Notable Disadvantages
Multifactor
authentication
Couple two or
more access
techniques, for
instance
• Passwords and
tokens
• Biometrics
and follow‐up
questions
• Passwords and
text messaging
Medium
overall;
very high
in banking
and other
high‐security
environments
• It enhances security
greatly
• Even if a password is
stolen, the system is still
secure
• It requires an additional access
authentication technique if one
or more of the techniques fails
• Users might be tempted to
use an easy password, which
removes the advantage of a
second factor
Storage and/or
Transmission Tool
Concept Ubiquity Notable Advantages Notable Disadvantages
Antivirus/
antispyware
Software scans incoming
data and evaluates the
periodic state of the
whole system to detect
threats of secret software
that can either destroy
data or inform a server
of your activity
Very high • Products block known
threats very effectively
• Products have a large
database and can detect
hundreds of thousands
of patterns that reveal a
virus
• Some products reveal a
limited set of zero‐day
threats (brand‐new
outbreaks) by tracking
suspicious behavior
• Products sometimes
slow down the device
• Products are not as
effective for a clever
zero-day threat
(brand‐new outbreak)
Firewall Software and sometimes
hardware‐based #lter
prevent or allow outside
traf#c from accessing the
network
High • Is $exible and can
prevent traf#c from a
particular user, device,
method, or geography
• It can #lter only known
threats
• It can have well‐known
“holes”
System logs They keep track of
system activity, such as
successful or failed login
attempts, #le alterations,
#le copying, #le deletion,
or software installation
Very high • If an irregularity occurs,
the IP address of the
attacker could be
discovered
• The extent of the
irregularity can be
estimated
• Some anonymizing
software can hide the
true IP address of the
attacker
• Some attackers erase
or disable the logs
• Logs can be huge
and dif#cult to wade
through
• Some #rms fail to
inspect logs regularly
System alerts System detects unusual
activity, such as scores
of unsuccessful log‐in
attempts, log‐ins from
countries without any
branches, alterations of
#les, or copying of #les
High • They can aid in combing
through logs more
quickly
• Administrators can be
alerted to an irregularity
while it is occurring
• Many breaches can be
detected this waya (high
sensitivity)
• Many #rms receive
hundreds of alerts each
day
• It is dif#cult to discern
real attacks from false
alarms (low selectivity)
c07.indd 157 11/26/2015 7:31:40 PM
158 Security
A study in the United Kingdom found that 39% of IT professionals admit that passwords are the only IT security
measure in their “rms, and one‐third believes that biometrics are likely to be used in “ve years.38 There is a general
trend toward multifactor authentication, or the use of two or more authorization methods to gain access. Exam-
ples are use of a password followed by a passkey sent to a mobile phone as a text message or a password followed
by a challenge question. Between 2013 and 2014, the organizations around the world using multifactor authenti-
cation increased from 30% to 37%, and this number continues to increase rapidly.39
Fears of making passwords intrusive or lowering convenience are likely to factor into IT’s reluctance to adopt
multifactor authentication. For instance, in Apple’s “I’m a Mac” campaign in 2008, Apple poked fun at Micro-
soft Vista’s “Cancel or Allow” messages,40 emphasizing the diminished convenience caused by security warnings.
Security and convenience are indeed generally at odds with each other,41 but our current state of convenience is
untenable over the long run, and the days of single‐factor authentication using a password are undoubtedly going
to become a distant memory.
Not only access controls are important, but also the way that information is stored and transmitted requires
security tools. Figure 7.4 provides a representative list of those tools. Although these tools are likely to help limit
security problems, managers also need to provide a strong security policy as described in the next section.
Storage and/or
Transmission Tool
Concept Ubiquity Notable Advantages Notable Disadvantages
Encryption System follows a
complex formula, using
a unique key (set of
characters) to convert
plain text into what
looks like unreadable
nonsense and then to
decode back to plain
text when presented
with the decoding key
Very high • It is very dif#cult to use or
read a stolen computer
#le without the key
• Long and complex keys
would take years of
computer time to break
• The key can be
unnecessary if access
password is known
• If the key is not strong,
hackers can uncover it
by trial and error
WEP/WPA
(wired equivalent
privacy and
wireless protected
access)
Encryption is used in a
wireless network
Very high • It is same as encryption
• Nearly all modern user
devices have capabilities
• It provides a secure
connection between the
user’s device and the
WiFi router
• It is same as encryption
• Some older devices
might not be able to
be connected
• WEP is not secure yet
is still provided for
compatibility
Virtual private
network
Software provides
a trusted, encrypted
connection between
your site and a particular
server
Medium • Trusted connection works
as if you are connected
at your of#ce; it is useful
for mobile workers
• Eavesdroppers cannot
easily decrypt VPN
communications
• If the device is stolen
while connected, the
hacker has access to all
resources
• It sometimes slows
the connection or
complicates use
a Vinod Khosia, “Behavioral Analysis Could Have Prevented the Anthem Breach,” Forbes.com (February 24, 2015), http://www.
forbes.com/sites/frontline/2015/02/24/behavioral‐analysis‐could‐have‐prevented‐the‐anthem‐breach/ (accessed June 28, 2015).
FIGURE 7.4 (Continued)
38 SecureAuth, “The Password’s Pulse Beats On. Hackers Still One Step away from Your Information,” SecureAuth.com (March 18, 2015), https://www.
secureauth.com/Company/News/March‐2015/The‐Password%E2%80%99s‐Pulse‐Beats‐On‐Hackers‐Still‐One‐St.aspx (accessed June 24, 2015).
39 SafeNet, “More Enterprises Plan to Strengthen Access Security with Multi‐Factor Authentication,” SafeNet Survey Report (May 21, 2014), http://
www.safenet‐inc.com/news/2014/authentication‐survey‐2014‐reveals‐more‐enterprises‐adopting‐multi‐factor‐authentication/ (accessed June 24, 2015).
40 Renee Quinn, “Comparative Advertising: Mac vs. PC,” IP Watchdog (November 16, 2008), http://www.ipwatchdog.com/2008/11/16/comparative‐
advertising‐mac‐vs‐pc/id=268/ (accessed June 24, 2015).
41 David Jeffers, “Why Convenience Is the Enemy of Security,” PC World (June 18, 2012), http://www.pcworld.com/article/257793/why_convenience_
is_the_enemy_of_security.html (accessed June 25, 2015).
c07.indd 158 11/26/2015 7:31:40 PM
http://www.forbes.com/sites/frontline/2015/02/24/behavioral%E2%80%90analysis%E2%80%90could%E2%80%90have%E2%80%90prevented%E2%80%90the%E2%80%90anthem%E2%80%90breach/
https://www.secureauth.com/Company/News/March%E2%80%902015/The%E2%80%90Password%E2%80%99s%E2%80%90Pulse%E2%80%90Beats%E2%80%90On%E2%80%90Hackers%E2%80%90Still%E2%80%90One%E2%80%90St.aspx%20
http://www.safenet%E2%80%90inc.com/news/2014/authentication%E2%80%90survey%E2%80%902014%E2%80%90reveals%E2%80%90more%E2%80%90enterprises%E2%80%90adopting%E2%80%90multi%E2%80%90factor%E2%80%90authentication
http://www.safenet%E2%80%90inc.com/news/2014/authentication%E2%80%90survey%E2%80%902014%E2%80%90reveals%E2%80%90more%E2%80%90enterprises%E2%80%90adopting%E2%80%90multi%E2%80%90factor%E2%80%90authentication
http://www.ipwatchdog.com/2008/11/16/comparative%E2%80%90advertising%E2%80%90mac%E2%80%90vs%E2%80%90pc/id=268
http://www.ipwatchdog.com/2008/11/16/comparative%E2%80%90advertising%E2%80%90mac%E2%80%90vs%E2%80%90pc/id=268
http://www.ipwatchdog.com/2008/11/16/comparative%E2%80%90advertising%E2%80%90mac%E2%80%90vs%E2%80%90pc/id=268
http://www.pcworld.com/article/257793/why_convenience_s_the_enemy_of_security.html
159What Should Management Do?
Security Policy
Management needs to approach security in a way that expresses its importance and instructs users on what they
need to do to achieve safety. Without sound management policy, access and storage technologies will be useless. If
employees write their passwords on sticky notes and put them near their workstations, passwords will be ineffective
from the start. Figure 7.5 provides a list of management policy tactics to prevent security weaknesses.
Several of these policy areas are quite interesting. For instance, some managed security services provider (MSSP)
“rms offer the services of white hat hackers who break into a “rm’s systems to help it uncover weaknesses. White
hat hackers lie in sharp contrast to black hat hackers, who break in for their own gain or to wreak havoc on a “rm.
Grey hat hackers test organizational systems without any authorization and notify a company when they “nd a
weakness. Although they can be helpful, what they do is nevertheless illegal.
Another interesting area is that of social media. We are still in the early stages of understanding the impacts of
being on social media for employees and “rms themselves. Companies continue to set up policies about accept-
able behavior on social media including the appropriateness of sharing company secrets, security procedures, and
FIGURE 7.5 Commonly used management security policies.
Policy Concept Notable Advantages Notable Disadvantages
Perform security
updates promptly
Make sure all security
updates are applied as
soon as possible
• Most operating systems
have automatic updates
• Sometimes the added
security causes some older
applications to “break”
• There is an option to prevent
automatic updates
Separate unrelated
networks
Disconnect distinct and
unrelated parts of the
network. For instance,
Target’s HVAC system
should have been
disconnected from the
#nancial system
• Protect one part of the
system when the other
part is attacked
• Sometimes there are
connections that are
unknown or unexpected
• Each requires different log‐in
credentials, complicating its
usage
Keep passwords secret Forbid users from sharing
passwords
• If everyone complies,
any activities on the site
will be traceable to one
user’s access
• It will be harder if the user
is on the road and needs
an assistant to help with
something
Perform mobile device
management
Provide a BYOD (bring
your own device) policy
on permitted products
and required connection
methods
• It will prevent, or at least
allow IT to trace, potential
security problems
• It will restrict users to apps
they might not wish to use
• It might restrict users to
certain devices they might
not desire to use
Data policies Require disposal of e-mails
and other documents of a
certain age
• Data that are not owned
cannot be stolen
• Legal liability is
dramatically reduced by
destroying memos and
e-mails that can be taken
out of context
• Workers might be unable
to refer back to the details
of a previous successful
assignment for guidance
Social media
management
Provide rules about what
can be disclosed on social
media, who can Tweet, and
how employees can identify
themselves
• It will prevent
misrepresentation and
confusion
• It will limit liability by
avoiding errors
• It might appear restrictive to
workers
• It might appear to be
meddling in workers’
personal use of social media
Managed security
services providers
(MSSP)
Consultants who bring their
expertise and checklists,
most often to medium and
large enterprises
• It can help build a
comprehensive
security plan
• It can be too expensive for a
very small company
• It can provide a bewildering
set of options
c07.indd 159 11/26/2015 7:31:40 PM
160 Security
personal information that could be linked back to a company. Given the large size of some “rms, it is dif”cult to
control personal behavior. But lacking policy, devastating impacts of uncontrolled behavior can be high.
Education, Training, and Awareness
Users’ behavior cannot be expected to change unless they are aware of security policy and tools, understand them,
and know what to do. Merely dictating rules to employees and providing the required tools will not guarantee
compliance. Security education, training, and awareness (SETA) can provide well‐rounded preparation to users.
Because 50%–75% of security incidents originate from within an organization, researchers have found that SETA
was effective in reducing IS misuse and that severity of punishment was more potent than certainty of punishment if
users were caught. As one might expect, the researchers also found that monitoring behavior was quite important.42
Each component of SETA is discussed next.
Awareness
Although awareness comes at the end of the SETA acronym, it is an important “rst step merely to let users know
that security is a complex but important issue and that there are consequences when policies are not followed. Users
must see the importance of the security policies and the need to use the appropriate tools. Awareness includes an
explanation of what might occur if users are relaxed about security, such as in the cases discussed in this chapter.
Awareness creates attitudes, and researchers note that attitudes are important in predicting compliance. Impor-
tantly, users’ feelings of ef”cacy (ability to comply) and normative beliefs (social pressure to comply) are both
important for forming favorable attitudes toward compliance,43 suggesting that the awareness stage is crucial for
security success. Managers should be cautious not to overwhelm users all at once; this is where education programs
can help.
Education and Training
Education provides frameworks, reveals concepts, and builds understanding. Training usually provides procedures
to follow and practice in following them. For example, 69% of company breaches have been discovered by out-
siders, not insiders.44 In some cases, customers complain of irregularities in their accounts, such as unauthorized
charges. However, it takes time for that information to reach the breached “rm, if ever, as the unsettling recent
60 Minutes interview revealed; after hacking, Visa and MasterCard do not reveal which retailer was involved.
Further, in the case of Home Depot, it took Brian Krebs to notify the “rm after seeing credit cards for sale on Deep
Web sites. He says he did some “detective work” and tracked the stolen cards to Home Depot.45
Apparently, insiders do not always notice signals that might indicate a problem. Some of that can be alleviated
through education. Users need to be educated about the potential for different types of suspicious activities, such
as strange cars parked with the motor running, which might indicate tapping into a company’s WiFi, or strangers
standing near active equipment, which might indicate surveillance or potential invasive action. Employees must be
trained to make sure active equipment is watched and suspicious activity reported. Training also instructs on power-
ing down equipment, logging users out of systems, closing browser windows, and frequently updating passwords.
In a recent alarming situation, a security researcher claimed on Twitter to have tapped into the avionics system
through the entertainment system on an airplane, causing the plane to go into a brief, unscheduled climb. While
on the plane, the person bent over and wiggled and squeezed the under‐seat electronic box’s cover to pry it off.46
The person then attached a modi”ed Ethernet cable to an open port in the entertainment equipment below two
passenger seats. Although pilots were able to quickly take over in this situation, the FBI took his Tweet seriously.
42 John D’Arcy, Anat Hovav, and Dennis Galletta, “Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence
Approach,” Information Systems Research 20, no. 1 (March 2009), 79–98.
43 Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat, “Information Security Policy Compliance: An Empirical Study of Rationality‐Based Beliefs
and Information Security Awareness,” MIS Quarterly 34, no. 3 (2010), 523–48.
44 Mandiant, “M‐Trends 2015: A View from the Front Lines,” https://www2.fireeye.com/rs/fireye/images/rpt‐m‐trends‐2015 (accessed June 24,
2015).
45 Whitaker, “What Happens When You Swipe Your Card?”
46 Kim Zetter, “Is It Possible for Passengers to Hack Commercial Aircraft?” Wired (May 26, 2015), http://www.wired.com/2015/05/possible‐passengers‐
hack‐commercial‐aircraft/ (accessed June 25, 2015).
c07.indd 160 11/26/2015 7:31:40 PM
https://www2.fireeye.com/rs/fireye/images/rpt%E2%80%90m%E2%80%90trends%E2%80%902015
http://www.wired.com/2015/05/possible%E2%80%90passengers%E2%80%90hack%E2%80%90commercial%E2%80%90aircraft
http://www.wired.com/2015/05/possible%E2%80%90passengers%E2%80%90hack%E2%80%90commercial%E2%80%90aircraft
http://www.wired.com/2015/05/possible%E2%80%90passengers%E2%80%90hack%E2%80%90commercial%E2%80%90aircraft
161What Should Management Do?
Agents seized the plane’s equipment to investigate his claims and found evidence that boxes under his seat and
under the seat in front of him on one of his #ights had indeed been tampered with.47 Had #ight attendants been edu-
cated that this was the possible action of a hacker and been trained to notice passengers preoccupied with something
below the seat, the hack might have been stopped earlier. See Figure 7.6 for a list of areas for education and training
along with possible activities for each.
New employee onboarding processes include education in security policies including vulnerabilities and the
tools and practices used to avoid problems. Types and levels of passwords or other access tools should be described
to employees. “Dos” and “Don’ts” of social media should be presented in a well‐organized manner so they are
understood. And these policies must be reinforced at regular intervals to ensure compliance.
The goal of education is to avoid the consequences of phishing by helping individuals identify ways to recognize
these scams. There are certain “classic” signs of a phishing message:
• An e‐mail or bank account is closed, and the user needs to click to log‐in and reactivate it.
• An e‐mail inbox is too full, and the user is asked to click to increase storage.
• The user just won a contest or lottery and is asked to click to claim the prize.
• A user just inherited a fortune or will receive a commission to administer an inheritance after clicking to
claim it.
• A product delivery failed, and the user needs to click to retry.
• An odd or unexpected Web address shows up when hovering a mouse pointer over a link in an e‐mail.
• A familiar name in the “from” box is followed by an odd e‐mail address.
• Poor grammar and spelling are in a note that purports to be from a large company.
• Goods or services are offered at an impossibly low price.
• An attachment is executable, often with an extension such of ZIP, EXE, or BAT.
FIGURE 7.6 Major areas for education and training, with examples.
Subject Sample Educational Activities Sample Training Activities
Access tools Advantages and limitations of passwords
Why passwords should be complex and long
How often passwords should be changed
Strengths of multifactor authentication
How to choose a password
How to change your password
How to use multifactor authentication
How to use a password manager
Bringing your own
devices (BYOD)
Why there are rules
What the rules are
How to follow the rules
What to do if something goes wrong
Social media Why there are rules
Examples of issues that have occurred in the past
How those issues could have been avoided
What to do in particular situations on
social media
What to do if you need help or
clari#cation on an issue
Vigilance What signals you might see under certain situations
(warning messages; phishing e‐mails; customer
complaints)
What physical intrusions look like
What the signals mean
Which pieces of equipment have ports (USB, ethernet)
Where and how to look for warning
signs
What to do when you see the various
signals (for instance, a number to call
or way to shut down)
How to protect your laptop when
traveling
47 Even Perez, “FBI: Hacker Claimed to Have Taken Over Flight’s Engine Controls,” CNN.com (May 18, 2015), http://www.cnn.com/2015/05/17/us/
fbi‐hacker‐flight‐computer‐systems/ (accessed June 25, 2015).
c07.indd 161 11/26/2015 7:31:40 PM
http://www.cnn.com/2015/05/17/us/fbi%E2%80%90hacker%E2%80%90flight%E2%80%90computer%E2%80%90systems/
162 Security
Even if the signals are not present, security experts recommend not to click on any link or open any attachment
in an e‐mail unless it was requested and expected from a known source. Unexpected e‐mail, even from a known
source could breed viruses because of any one of the following: (1) The e‐mail might not really be from the known
source, and someone is spoo#ng (counterfeiting) the address, (2) the e‐mail might be from a known source’s com-
puter but the e‐mail had a virus, which will infect the recipient’s computer, or (3) the e‐mail might have been sent
from a familiar person who doesn’t know that a virus is attached. Opening the attachment or clicking the link would
likely infect the recipient’s computer and continue the spread of the virus to her or his contacts.
An actual phishing message received by one of the authors of this text on November 21, 2014, had the subject
header of “PAYMENT OF A CONTRACT/INHERITANCE FUNDS” (all caps in the original), and the “rst sen-
tence was “We have expected receiving you in the of!ce, but no one has ever head from you” (italics added to high-
light errors). Another recent phishing message (Figure 7.7) was more believable, but had some minor grammatical
issues. Some messages are nearly #awless, looking identical to genuine ones from the named company, and making
it critical to suspect every link or attachment in any e‐mail.
Education programs describe phishing and spoo”ng and how to guard against clicking on dangerous links.
Users must understand that opening a virus‐laden Web page or “le leads to “catching” the virus. Education pro-
grams might also include the different types of threats and include training on how to avoid scams, the loading of
key‐logging software on unsuspecting users’ systems, and the breach of security measures already put in place.
Training would demonstrate how to examine a link, what cues to evaluate, and what to do if a site is suspicious.
S U M M A R Y
• Five key IT security decisions focus on security strategy, infrastructure, policies, training, and investments.
• Perpetrators (hackers) most often work from a great distance, over long periods of time, and not by accessing data center
buildings in person.
• Of breaches, 80% are enabled by stolen passwords. Those passwords are obtained from phishing messages, cross‐site
scripting, weak passwords, key loggers, and evil‐twin connections.
• The statistics are staggering: It takes 205 days for the average breach to be detected, and the longest breach recorded
took 11 years to detect. The message is that hackers have plenty of time to “gure out how to steal “les. Also, 97% of all
“rms have been hacked, and the average cost of a data breach is estimated to range from $145–$154 per stolen record
containing sensitive information. Many breaches involve tens of millions of records.
Paypal customer View online
We Need Your Help
Dear Customer,
We need your help resolving an issue with your account. To give us time to work together on
this, we’ve temporarily Iimited what you can do with your account until the issue is resolved.
We understand it may be frustrating not to have full access to your PayPaI account. We want
to work with you to get your account back to normal as quickly as possible.
Why my PayPaI™ account is Iimited?
We recently noticed a pattern of account activity that, in our experience, is usually high risk.
For more information, see Restricted Activities identified in our User Agreement.
What can I do to resolve the problem?
It’s usually pretty easy to take care of things like this. Most of the time, we just need you to
verify your account. Click the link below
Please mark this email as “Not Spam” to enable link, if this email appears in your spam or junk mail .
Verify your Account
FIGURE 7.7 Actual phishing message received February 21, 2015.
c07.indd 162 11/26/2015 7:31:40 PM
163Case Study
• Perfect security of data and digital assets is not possible. However, there are best practices for reducing risks by using
tools, implementing tactics (policies) and providing training (and education).
• Infrastructure technologies can limit access to authorized people and protect data storage and transmission.
• Policies need to be created to cover the need to install updates, separate unrelated networks, keep passwords secret, manage
mobile devices, destroy data at the proper time, manage social media, and properly use managed security services providers.
• SETA refers to security education, training, and awareness, each of which has a specialized purpose.
On June 22, 2015, LOT , the state‐owned Polish airline had to ground at least 10 national and international # ights because
hackers breached the network at Warsaw ’ s Chopin airport and intercepted the # ight plans that pilots need before taking off.
The grounding affected about 1,400 passengers and lasted over ” ve hours before the problem was solved. A month earlier,
United Airlines was reported to have experienced the same problem in the United States, and pilots reported bogus # ight
plans repeatedly popping up on the system.
A consultant explained that the radio network that carried # ight plans did not need authentication and was designed to
trust the communications. A committee was then set up to develop a proposed standard for # ight plan security.
Fortunately, the # ight plan did not control the plane, and a pilot had to accept and enter the plan. A strange result, such as
heading to a distant city in the wrong direction, would not be entered or accepted. Even if the bogus plan were entered and
accepted by the pilot, there was no danger of collision or crash because of the fraudulent plans.
Any changes received to the plan while in # ight had to be con” rmed with air traf” c controllers, who analyzed the new
plan for safety. Alarms would also indicate a possible collision.
■ CASE STUDY 7-1 The Aircraft Communications Addressing and Reporting System (ACARS)
K E Y T E R M S
antivirus/antispyware (p. 157)
biometrics (p. 156)
black hat hacker (p. 159)
challenge question (p. 158)
cross‐site scripting ( XSS ) (p. 152)
deep Web (p. 155)
encryption (p. 158)
evil twin connection (p. 152)
” rewall (p. 157)
grey hat hacker (p. 159)
key logger (p. 152)
mobile device management (p. 159)
multifactor authentication (p. 158)
phishing attack (p. 151)
security education training and
awareness ( SETA ) (p. 150)
social media management (p. 159)
spoo” ng (p. 162)
token (p. 156)
weak password (p. 152)
white hat hacker (p. 159)
zero‐day threat (p. 157)
D I S C U S S I O N Q U E S T I O N S
1. Did you change your shopping habits after hearing of the widespread breaches at Target , Home Depot , and dozens of other
stores during 2013–2015? Why or why not?
2. Evaluate your password habits and describe a plan for new ones. Explain why you chose the new habits and how they reduce
the risk of compromising your system ’ s security.
3. Across all access tools listed in Figure 7.3 which have the most compelling advantages? What are the most concerning
weaknesses? Provide support for your choices.
4. What is the likely future of access tools? Will they continue to be useful security measures? In your discussion, predict what
you believe is the future of passwords.
5. What is an evil twin WiFi connection? What should you do to increase your security in a coffee shop the next time you want
to connect?
6. Name three commonly used management security policy areas and describe an example policy for each area.
7. Create an outline for a training session to help your team avoid phishing. What would you include in that training session?
What are some typical signs that an e‐mail might be fraudulent?
c07.indd 163 11/26/2015 7:31:40 PM
164 Security
The Tech section in Forbes magazine reported that the “criminals won” in the Sony pictures breach. An anonymous threat
posted on an obscure site warned that people who watch the to‐be‐released movie The Interview would be “doomed” to a
“bitter fate” and recalled the tragic events of September 11. The threat said that the movie inappropriately made light of
North Korean of” cials.
As a result of the threat, ” ve large theater chains in the United States and Canada canceled plans to include the ” lm on
their screens. Ultimately, Sony had no choice but to cancel the theater release of the ” lm for reasons that are both economic
and legal. The former was due to a lack of revenue given the small number of remaining theaters that might go ahead and
run the ” lm. The latter was driven by what would happen if an attack was carried out. A Steve Carell project that featured
North Korea was also canceled.
The Guardian reported that a group named the Guardians of Peace retaliated against Sony . They hacked into Sony ’ s
systems and stole over 100 terabytes of ” les, including unreleased movies, social security numbers for thousands of Sony
employees, and internal e‐mails, some of which show embarrassing conversations between Sony employees. The hackers
began distributing the ” les in various locations online, making them free for the taking.
The of” cials of that government denied any involvement in the hack but said that it might have been a “righteous deed”
of those who support the government.
North Korean of” cials demanded some changes to the movie, including taming down a death scene of its leader. Sony
initially refused but then decided to go ahead and edit the scene. The movie eventually opened without incident on a limited
basis in some cinemas on Christmas Day and then was made available via online rental.
According to the Mirror in the United Kingdom, neither the Department of Homeland Security nor the FBI could ” nd
evidence that the violence was a credible threat, but the FBI believed North Korea was behind the hacking. In turn, North
Korea claimed that the U.S. government was responsible for creation of the movie.
Discussion Questions
1. Setting aside the political issues between North Korea and the United States, is there a reasonable way to respond to an
anonymous threat found on the Internet somewhere? What elements would you require before canceling the film if you
were CEO of Sony ? If you were CEO of a chain of theaters?
2. What access and data protection controls would you recommend Sony use to provide better security for unreleased
digital films and e‐mails?
3. If you were a hacker, what approach would you have used to break into Sony ’ s system? What do you think the most
important SETA elements would be to prevent future hacker attacks against Sony or other media firms?
Sources: Dave Lewis , “ Sony Pictures: The Data Breach and How the Criminals Won ,” Forbes Tech (December 17, 2014 ), http://www.
forbes.com/sites/davelewis/2014/12/17/sony‐pictures‐how‐the‐criminal‐hackers‐won/ (accessed June 25, 2015) ; Oliver Laughland , “ The
Interview: Film at Center of Shocking Data Breach Scandal Opens in LA ,” The Guardian (December 12, 2014 ) http://www.theguardian.
com/# lm/2014/dec/12/the‐interview‐sony‐data‐hack (accessed June 25, 2015) ; and Anthony Bond , “ Sony Hack: The Interview WILL Be
Released Despite Huge Cyber Attack Against Film Maker ,” Mirror (December 23, 2014 ), http://www.mirror.co.uk/news/world‐news/
sony‐hack‐interview‐released‐despite‐4868965 (accessed June 25, 2015) .
■ CASE STUDY 7-2 Sony Pictures: The Criminals Won
Discussion Questions
1. Which of the two aircraft breaches is more serious: the breach described here or the breach created by the hacker
(described earlier in the chapter) who took control of a plane ’ s throttle briefly through the entertainment system and
then tweeted about it? Why?
2. Which of the access controls and storage/transmission controls would be most helpful for the ACARS problem? The
entertainment system problem? Why?
3. If password control is used to solve the ACARS weakness, what might hackers do next?
Sources: Kim Zetter , “ All Airlines Have The Security Hole That Grounded Polish Planes ,” Wired (June 22, 2015 ), http://www.wired.
com/2015/06/airlines‐security‐hole‐grounded‐polish‐planes/ (accessed August 25, 2015) ; and “ Hackers Ground 1,400 Passengers at
Warsaw in Attack on Airline ’ s Computers ,” The Guardian (June 21, 2015 ), http://www.theguardian.com/business/2015/jun/21/hackers‐
1400‐passengers‐warsaw‐lot (accessed June 26, 2015) .
c07.indd 164 11/26/2015 7:31:41 PM
http://www.wired.com/2015/06/airlines%E2%80%90security%E2%80%90hole%E2%80%90grounded%E2%80%90polish%E2%80%90planes/
http://www.theguardian.com/business/2015/jun/21/hackers%E2%80%901400%E2%80%90passengers%E2%80%90warsaw%E2%80%90lot
http://www.theguardian.com/business/2015/jun/21/hackers%E2%80%901400%E2%80%90passengers%E2%80%90warsaw%E2%80%90lot
http://www.forbes.com/sites/davelewis/2014/12/17/sony%E2%80%90pictures%E2%80%90how%E2%80%90the%E2%80%90criminal%E2%80%90hackers%E2%80%90won
http://www.theguardian.com/fi%20lm/2014/dec/12/the%E2%80%90interview%E2%80%90sony%E2%80%90data%E2%80%90hack
http://www.mirror.co.uk/news/world%E2%80%90newssony%E2%80%90hack%E2%80%90interview%E2%80%90released%E2%80%90despite%E2%80%904868965
165
8
chapter
This chapter explores the business of information technology (IT) and the customers it
serves. Beginning with the introduction of a maturity model to understand the balancing
act between the supply and business demand for information systems (IS), the chapter
describes key IT organization activities and relates them to one of three maturity levels. The
chapter continues with a discussion about the work done by the IT organization and how
the leadership within the IT organization ensures that activities are conducted ef# ciently and
effectively, both domestically and globally. We then examine business processes within the
IT department, including building a business case, managing the IT portfolio, and valuing
and monitoring IT investments. The remainder of the chapter focuses on funding models
and total cost of ownership.
The Business of
Information Technology
After several months in the job of chief information of” cer (CIO) of Alcoa ’ s Industrial Chemicals
Business, Kevin Horner received a wake‐up call from the president of the business: 1
We chose you because you were the best of the IT group, and you are doing a great job complet-
ing IT projects and managing the IT organization. But I am afraid that you don ’ t know the business of
your business. You haven ’ t thoroughly answered my repeated questions about how much IT costs the
business! Furthermore, you can ’ t communicate with the people running the business in words they
understand!
As a high‐achieving math major in college with minors in computer science and business, Horner
was quite savvy about his craft and did not expect to hear these remarks. When he protested that
the structure of the ” nancial information in European and Asian subsidiaries made it really dif” cult
to ” nd the answer, his boss ’ s response surprised him: “If it wasn ’ t a hard problem, I wouldn ’ t need
you here!”
Interpreting this unpleasant meeting as his being “under review” for possible ouster, Horner
saw this as a wake‐up call to the true meaning of being a C‐level executive. He had found some
answers about cost issues, but many of the ” nancial numbers were “buried”—inextricably inter-
twined in general categories of ” nancial statements in Europe and Asia. He had some early results,
but managing the IT group took most of his time and effort.
Further, his early presentations were heavy with technical details and were often met with glazed
eyes and yawns. Horner reported that he began to realize that this audience did not want to hear
about the technology. “They certainly wanted me to handle technology issues, but they wanted me
to communicate with them in words they understood . . . people, time, money and the possibilities
technology created for them in their businesses. Most importantly they wanted me to help them to
use IT to grow the business at either the top line (sales) or bottom line (net income).”
1 This story and all the quotes are based on a personal interview with Kevin Horner and one of our authors, March 23, 2015.
c08.indd 165 11/26/2015 6:27:59 PM
166 The Business of Information Technology
Horner embarked on a re‐energized mission to answer all of the president’s concerns in a more complete way,
and that mission ultimately paid handsome dividends both to him and Alcoa. If success can be measured by promo-
tions, he went far beyond redeeming himself. After “ve years as CIO of Alcoa Chemical, he had many promotions
until he ultimately became CIO of Alcoa Global. In 2011, he took an opportunity to become chief executive of”cer
(CEO) of Mastech, a $100 million publicly traded IT staf”ng “rm where he remains.
How did he achieve such resounding success? The “rst thing he did was to partner with the CFO to understand
the “nancials of the business. The CFO was able to determine how to peel back the layers of accounting numbers
and truly wrestle the IT costs from the general accounting categorizations where they comfortably hid. Within
60 days, the president and his management team had their answers.
But Horner did not stop at a good, solid set of internal cost numbers, a remarkable achievement in and of itself.
Rather than only gaze inside the “rm, he found it most helpful to use the Hackett Group, an external benchmarking
consulting “rm, to compare his costs against those of similar “rms. This analysis was most helpful for the lead-
ership of the business because after “nding that the company was high on some key IT costs, the leaders all saw
the writing on the wall for the next mission: Find ways to reduce costs but continue to provide improved services.
Two key examples of how Horner addressed those needs will help explain his early success. He accompa-
nied salespeople on actual sales calls to see exactly how the overall supply chain process worked. Then with that
information as a base, he was able to have the business provide reliable product information to customers, acceler-
ating delivery of the products customers needed without creating excessive inventory buffers.
Horner also worked with procurement of”cials to renegotiate contracts for the highest‐cost elements within the
company’s IT spending. For example, two very costly areas included telecommunications costs (including cell
phones) and PCs. He found two important cost‐savings opportunities: eliminate unnecessary services and nego-
tiate many small separate contracts as a larger unit, raising the business’s bargaining power. As contracts would
come up for renewal, a joint team from IT and procurement spearheaded an intense process to streamline costs,
focusing on the highest cost elements “rst. These contract negotiations led to another bene”t: standardization,
which enabled further savings by simplifying items such as interconnectivity between segments of the business,
and PC and mobile phone support.
The lessons learned in Horner’s initial CIO role in the chemicals business transferred naturally into his next role
as CIO of Alcoa Europe, which was a collection of historical Alcoa businesses and locations along with several
newly acquired companies representing what Horner called “kind of a $3B ‘start‐up’ company.” He knew immedi-
ately that he had to get a clear picture of the IT business in Europe from several perspectives—technology, applica-
tions, people, vendors, cost, and “quick wins,” which solved problems for his business leadership colleagues. This
time Horner didn’t need the questions from the business president to guide him: He had to quickly assess talent
in his team, determine total IT cost in the business, assist the management team to move to Europe from a struc-
ture focusing on legal entity driven reporting and reporting “nances in a new structure that aligned with corporate
Alcoa and uni”ed pan‐European business units. As a result of his business‐focused thrusts, within 24 months, the
entire uni”ed structure was created and implemented; legal entity “scal reporting was maintained; a shared service
function for “nance, accounting, HR, and procurement plus the technology to operate it was implemented; Y2K
remediation was completed; and European IT costs were reduced by 25%.
What does this experience demonstrate? It shows that there are common denominators that every business leader
understands: people, time, and money. When a business leader wants to invest capital to produce more product or
a new product, that investment is scrutinized for cost and bene”t. Horner says that a CIO should make sure IT is
not the exception to that rule. “Don’t talk about ERP or mobile apps, talk about what is going to happen to the
business . . . [and] to people, time, and money when you have the ERP or the mobile app,” he says. “Getting the
cost side of the IT organization in order represents table stakes for the CIO,” implying that you would wear out
your welcome by focusing inward. Rather than focusing only on managing the technologies and IT people and
describing new investments and initiatives by using “techy” jargon, a CIO should take a business viewpoint. If you
follow that advice, you will not only be welcome at the table but also will thrive. This demonstrates the Business of
Information Technology, the title of this chapter.
In this chapter, issues related to the business side of IT are explored. We begin by looking at key activities
managers can expect of their IT organization and, probably just as importantly, what the IT organization does not
c08.indd 166 11/26/2015 6:27:59 PM
167Organizing to Respond to Business: A Maturity Model
provide. The chapter continues with a discussion of key business processes within the IT organization, such as
building a business case, managing an IT portfolio, and valuing and monitoring IT investments. This is followed
by a discussion of ways of funding the IT department and an exploration of several ways to calculate the cost of
IT investments, including total cost of ownership and activity‐based costing. These topics are critical for the IT
manager to understand, but a general manager must also understand how the business of IT works to successfully
propose, plan, manage, and use information systems.
Organizing to Respond to Business: A Maturity Model
The Alcoa situation just discussed reveals that IT leaders must make sure they have the right resources and organi-
zation to respond to business needs. It is not enough to focus inward on managing personnel, software, and equip-
ment, which can seem like a full‐time responsibility. IT managers must go beyond internal matters and partner
with their business colleagues. Responding to business demands adds substantially to IT managers’ responsibilities
because it requires them not only to manage the complexity within the IT function, but also to go well beyond what
seem to be the boundaries of IT and understand intricacies of their business partners.
Merlyn’s business‐IT maturity model in Figure 8.1 provides characteristics of how engaged the IT function
can be with the rest of the organization at three unique levels of maturity. At Level 1, representing an immature IT
organization, IT managers maintain an inward focus. They merely react to speci”c needs that are brought to their
attention, often in an environment that emphasizes cost reduction. As the IT organization matures to Level 2, the
focus shifts to business processes, and IT personnel search for solutions to business problems. Level 3 represents
IT managers as business partners who search for ideas that provide value to the organization and value relationships
both inside and outside not only the IT organization but also the “rm. They seek ideas that provide not only new
revenue but also help identify new opportunities that rede”ne the business.
This model illustrates that for IT to provide the most value to the business, IT managers and business managers
must recognize their mutual dependency and ensure that business capability has the technology support needed
for success. This model does not comment on the type of technology used but on the way the business organi-
zation approaches its use of IT. For example, in Level 3, business leaders see IT’s role as a business partner that
they can include in high‐level meetings that explore new lines of business. Compare this approach with lower
levels of maturity. At Level 2, the focus would instead be on creating an effective business process, which has a
much more limited scope and impact. At Level 1, where the business demand for IT is primarily all about cost
FIGURE 8.1 Business‐IT maturity model.
Source: Adapted from Vaughan Merlyn, http://vaughanmerlyn.com/2014/04/01/the‐disciplines‐of‐business‐it‐engagement/
(accessed April 22, 2015).
Maturity Level Nature of the Level Engagement Characteristics
Level 3 IT as business partner • Proactive
• Outside‐in
• Relationship centric
• Focused on business growth
• Framed on a context of business
value
Level 2 IT as solutions provider • Active
• Process centric
• Focused on solutions
• Framed in a context of projects
Level 1 IT as order taker • Reactive
• Inside‐out
• Technology centric
• Framed in a context of cost
c08.indd 167 11/26/2015 6:27:59 PM
http://vaughanmerlyn.com/2014/04/01/the%E2%80%90disciplines%E2%80%90of%E2%80%90business%E2%80%90it%E2%80%90engagement
168 The Business of Information Technology
savings and foundation systems, the IT function might be seen more as a necessary evil that needs to be pushed
into a corner rather than expanded to #ex organizational muscles. When the maturity of the IT organization rises
to Level 3, it is able not only to keep up with business demands but also to enhance the business in ways that were
not envisioned before.
This chapter describes the complex, multifaceted tasks for which an IT organization takes responsibility and
how IT is organized. The chapter describes both the internal and external issues that must be handled by IT leaders
and the personnel responsible for them. The description is presented in a context of how the IT organization must
make it a priority to partner with business leaders. Because running the business of IT requires funding, we also
explore how to fund IT projects to support business and how to cover the operational costs.
Understanding the IT Organization
Consider the analogy of a ship to help explain the purpose of an IT organization and how it functions. A ship trans-
ports people and cargo to a particular destination in much the same way that an IT organization directs itself toward
the strategic goals set by the larger enterprise. All ships navigate waters, but different ships have different structures,
giving them unique capabilities such as transporting people versus cargo. Even among similar categories, ships
have different features, such as those con”gured to transport a cargo of “nished products versus one con”gured to
transport a cargo of oil. All IT organizations provide services to their businesses, but based on the skills and capa-
bilities of their people, the organizational focus of their management, and their state of maturity, they, too, differ
in what they can do and how they work with the businesses. Sometimes the IT organization must navigate peril-
ous waters or storms to reach port. For both the IT organization and the ship, the key is to perform more capably
than any competitors. It means doing the right things at the right time and in the right way to propel the enterprise
through the rough waters of business.
Different “rms need to do different things when it comes to IT. Because “rms have different goals, they need to
act in different ways and as a result, there are differences in the IT activities that are provided. But even if two “rms
have similar goals, the “rms’ size, organization structure, and level of maturity might affect what the IT organiza-
tion in each “rm is expected to do.
What a Manager Can Expect from the IT Organization
We look at the IT organization from the perspective of the customer of the IT organization, the general manager, or
“user,” of the systems. What can a manager expect from the IT organization? Just as IT leaders bene”t from under-
standing their business partners, a general manager bene”ts from understanding what the IT organization does.
Managers must learn what to expect from the IT organization so they can plan and implement business strategy
accordingly. Although the nature of the activities may vary in each IT organization depending upon its overall goal, a
manager typically can expect some level of support in 14 core activities: (1) developing and maintaining information
systems, (2) managing supplier relationships, (3) managing data, information, and knowledge, (4) managing Internet
and network services, (5) managing human resources, (6) operating the data center, (7) providing general support,
(8) planning for business discontinuities, (9) innovating current processes, (10) establishing architecture platforms
and standards, (11) promoting enterprise security, (12) anticipating new technologies, (13) participating in setting
and implementing strategic goals, and (14) integrating social IT.2 These activities are brie#y described in Figure 8.2.
Although the activities could be found at any maturity level, we indicate in Figure 8.2 the level where they are
especially important. Recall that Level 1 focuses on cost savings and ef”ciency of business operations; Level 2
takes a process view, provides services of an integrated nature across the organization, and supports decision mak-
ing to maximize business effectiveness; and Level 3 focuses on innovation and support of business strategy. This
progression implies that the scope of activities in the IT organization expands with increased IT maturity.
2 Eight activities are described by John F. Rockart, Michael J. Earl, and Jeanne W. Ross, “Eight Imperatives for the New IT Organization,” Sloan
Management Review (Fall 1996), 52–53. Six activities have been added to their eight imperatives.
c08.indd 168 11/26/2015 6:27:59 PM
169What a Manager Can Expect from the IT Organization
FIGURE 8.2 IT organization activities and related level of maturity.
Activity Description Maturity Level
Developing and
maintaining systems
• Together with business users, analyze needs, design, write, and test the
software
• Identify, acquire, and install outside software packages to #ll business
needs
• Correct system errors or enhance the system to respond to changing
business and legal environments
1
Managing supplier
relationships
• Maximize the bene#t of supplier relationships to the enterprise and
pre‐empt problems that might occur
1
Managing data,
information, and
knowledge
• Collect and store data created and captured by the enterprise (Level 1)
• Manage enterprise information and knowledge (Level 2)
1, 2
Managing Internet and
network systems
• Develop and maintain Internet access and capabilities
• Manage private networks, telephone systems, and wireless
technologies
• Design, build, and maintain the network architecture and infrastructure
1, 2 (depending
on nature of
network)
Managing human
resources
• Hire, train, and maintain good staff performers; #re poor performers
• Work with enterprise HR personnel to learn up‐to‐date regulations and
practices
1
Operating the data
center
• Operate and maintain large mainframe computers, rows of servers, or
other hardware on which the company’s systems are built
• Provide connections between the #rm’s systems and cloud services
1
Providing general
support
• Manage diverse help desk activities
• Collect and record support information
• Assign appropriate personnel to support cases
• Follow up with vendors as needed
• Follow up with business contacts with updates or solutions
1
Planning for business
discontinuities
• Develop and implement business continuity plan
• Make preparations to counter physical or electronic attacks, hacking
attempts, weather disasters, and other events that could cripple the
enterprise
1
Innovating current
processes
• Work with managers to innovate processes that can bene#t from
technological solutions
• Explore modi#cations that can reduce costs, improve service, or
connect with customers
• Design systems that facilitate new ways of doing business
2
Establishing architecture
platforms and standards
• Develop, maintain, and communicate standards
• Maintain consistency and integrity of the #rm’s data
2
Promoting enterprise
security
• Maintain the integrity of the enterprise infrastructure
• Develop and implement enterprise information security policies,
strategy, and controls
• Identify, prioritize, and guard against threats to the enterprise’s
information assets
• Work with business units to enhance security of operational practices
• Train employees to raise awareness, importance, and understanding of
security risks
• Participate in discussions about security investments
2
Anticipating new
technologies
• Scout new technology trends and help the business integrate them
into planning and operations
• Assess the costs and bene#ts of new technologies for the enterprise
• With business partners, prioritize the most promising opportunities on
strategic and operational grounds, and schedule their implementation
• Limit investments in technologies that are incompatible with current or
planned systems or that quickly become obsolete
3
c08.indd 169 11/26/2015 6:27:59 PM
170 The Business of Information Technology
The IT organization can be expected to be responsible for most, if not all, of the activities listed in Figure 8.2.
However, instead of actually performing the activities, the IT organization increasingly identi”es and then works
with vendors who provide them. More traditional activities such as data center operations, network management,
and system development and maintenance (including application design, development, and maintenance) have
been outsourced to vendors for decades. More recently, enterprises are outsourcing providers to perform more
newly acquired IT activities such as process management (alternatively called business process outsourcing). In our
increasingly #at world, many companies are successfully drawing from labor supplies in other parts of the world
to meet the business demand that they can’t handle internally in their own IT organization. Managing the sourcing
relationships and global labor supply is so important that a whole chapter (i.e., Chapter 10) is devoted to discussing
these sourcing issues in greater depth.
What the IT Organization Does Not Do
This chapter presents core activities for which the IT organization is typically responsible. It is enlightening to
examine tasks that should not be performed by the organization. Clear examples include core business functions,
such as selling, manufacturing, and accounting, and few functional managers would attempt to delegate these tasks
to IT professionals. However, some functional managers inadvertently delegate key operational decisions to the IT
organization. For example, when general managers ask the IT professional to build an information system for their
organization and do not become active partners in the design of that system, they are in effect turning over control
of their business operations. Likewise, asking an IT professional to implement a software package or app without
partnering with that professional to ensure that the package meets both current and future needs is ceding control.
Partnerships between the general managers and IT professionals are also important for a number of other
decisions. For instance, IT professionals should not have the sole responsibility for deciding which business pro-
jects receive IT dollars. Giving carte blanche to the IT professional would mean that the IT organization decides
what is important to the business units. If IT professionals try to respond to every request from their business
counterparts, they would likely face a backlog of delayed initiatives and become overwhelmed. Business partners
participate in prioritizing IT projects to ensure that resources are applied appropriately. Similarly, IT professionals
should not solely decide the acceptable level of IT services or security. Because senior managers run the business,
they are the ones who must decide on the level of service and security that should be delivered by the IT organiza-
tion.3 These are examples of decisions that should be made jointly with business counterparts. Perfection comes at a
price that many business leaders may be unwilling to pay. Not every system needs to have gold‐plated functionality,
and not every system needs to be forti”ed from every conceivable danger.
Activity Description Maturity Level
Participating in setting
and implementing
strategic goals
• Enable business managers to achieve strategic goals by acting as
educators or consultants
• Advise managers on best practices within IT
• Work with managers to develop IT‐enhanced solutions to business
problems
• Serve as partners in moving the enterprise forward
3
Integrating the use of
social IT
• Leverage the use of social IT to transform the business
• Adapt social IT from personal to business use
• Encourage engagement, collaboration, and innovation in customer‐,
supplier‐, and employee‐directed applications
• Manage the data resulting from social IT to provide business insights
3
FIGURE 8.2 (Continued)
3 J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review 80, no. 11 (November 2002), 84–95. (2002), 1–8.
c08.indd 170 11/26/2015 6:27:59 PM
171Chief Information Of”cer
As discussed in Chapter 2, the senior management team, including the CIO, sets business strategy. However, in
many organizations, the general manager delegates critical technology decisions to the IT professional alone, and
this can lead to technology decisions that might hinder business opportunities. The strategy formulation process is
a joint process including business and IT professionals. The role for the IT professional in the discussion of strategy
includes such things as suggesting technologies and applications that enable it, identifying limits to the technol-
ogies and applications under consideration, reporting on best practices and new technologies that might enhance
opportunities of the “rm, and consulting all those involved with setting the strategic direction to make sure they
properly consider the role and impact of IT on the decisions they make. The IT organization does not set business
strategy. It does, however, participate in the discussions and partner with the business to ensure that IT can provide
the infrastructure, applications, and support necessary for the successful implementation of the business strategy.
The IT organization can also provide ideas of new business capabilities afforded by new technologies. In that sense,
IT leaders must be part of key business strategy discussions.
Chief Information Of”cer
If an IT organization is like a ship, the chief information of”cer is like the captain. The chief information of#cer
(CIO) is the most senior executive in the enterprise responsible for technology vision and leadership for designing,
developing, implementing, and managing IT initiatives for the enterprise to operate effectively in a constantly
changing and intensely competitive marketplace. The CIO is an executive who manages IT resources to implement
enterprise strategy and who works with the executive team in strategy formulation processes.
CIOs are a unique breed. They have a strong understanding of the business and of the technology. In many organi-
zations, they take on roles that span both of these areas. One recently coined term is business technology strategist,
the strategic business leader who uses technology as the core tool in creating competitive advantage and aligning
business and IT strategies.4 The CIO, as the most senior IT professional in the corporate hierarchy, must champion the
IT organization by promoting IT as a strategic tool for growth and innovation. The title CIO signals to both the orga-
nization and to outside observers that this executive is a strategic IT thinker and is responsible for linking IS strategy
with the business strategy. In other words, CIOs must know the business vision and understand how the IT function
contributes to making this vision happen. This means that CIOs must work effectively not only in the technical arena
but also in the overall business management arena. They need the technical ability to plan, conceive, build, and
implement multiple IT projects on time and within budget. However, their technical skills must be balanced against
business skills such as the ability to realize the bene”ts and manage the costs and risks associated with IT, to articulate
and advocate for a management vision of IT, and to mesh well with the existing management structure.
Just as the chief “nancial of”cer (CFO) is somewhat involved in operational management of the “nancial activ-
ities of the organization, the CIO is involved with operational issues related to IT. More often than not, CIOs are
asked to perform strategic tasks at some part of their day and operational tasks at other times. Some of their oper-
ational activities include identifying and managing the introduction of new technologies into the “rm, negotiating
partnership relationships with key suppliers, setting purchasing and supplier policies, and managing the overall
IT budget. Actual day‐to‐day management of the data center, IT infrastructure, application development projects,
vendor portfolio, and other operational issues are typically not handled directly by the CIO but by one of the man-
agers in the IT organization. Ultimately, whether they directly function as operational managers or as leaders with
oversight of other operational managers, the CIO must assume responsibility for all the activities described in
Figure 8.2 that the IT organization is charged to perform.
Where the CIO “ts within an enterprise is often a source of controversy. In the early days of the CIO position,
when it was predominantly responsible for controlling costs (Level 1), the position reported to the CFO. Because
the CIO was rarely involved in enterprise governance or in discussions of business strategy, this reporting struc-
ture worked. However, as IT became a source for competitive advantage in the marketplace, reporting to the CFO
proved too limiting. Con#icts arose because the CFO misunderstood the vision for IT or saw only the costs of
technology. They also arose because management still saw the CIO’s primary responsibility as providing services
4 M. Carter, V. Grover, and J. B. Thatcher, “The Emerging CIO Role of Business Technology Strategist,” MIS Quarterly Executive 10, no. 1 (2011), 19–29.
c08.indd 171 11/26/2015 6:28:00 PM
172 The Business of Information Technology
whose costs had to be controlled. More recently, CIOs often report directly to the CEO, president, or other execu-
tive manager. This elevated reporting relationship not only signals that the role of IT is critical to the enterprise and
indicates Level 3 maturity but also makes it easier to implement strategic IT initiatives.
Some organizations choose not to have a CIO. These organizations do not believe that a CIO is necessary, in
part because technology is highly integrated into virtually every aspect of the business and no single of”cer need
provide oversight. These “rms typically hire an individual to be responsible for running the computer systems and
possibly to manage many of the activities described later in this chapter. But they signal that this person is not a
strategist by giving him or her the title of data processing manager, director of information systems, or some other
name that clearly differentiates this person from other top of”cers in the company. Using the words chief and of!cer
usually implies a strategic focus, and some organizations that do not see the value of having an IT person on their
executive team choose not to use these words.
Although the CIO’s role is to guide the enterprise toward the future, this responsibility is frequently too great
to accomplish alone. Many organizations recognize that certain strategic areas of the IT organization require more
focused guidance. This recognition led to the creation of new positions, such as the chief knowledge of”cer (CKO),
chief technology of”cer (CTO), chief telecommunications of”cer (also CTO), chief network of”cer (CNO), chief
information security of”cer (CISO), chief privacy of”cer (CPO), chief resource of”cer (CRO), chief mobility
of”cer (CMO), and chief social media of”cer (CSMO). See Figure 8.3 for a list of the different responsibilities for
each position that, with the occasional exception of the CTO, typically is subordinate to the CIO. Together, these
of”cers form a management team that leads the IT organization.
Many large corporations take the concept of CIO one step further and identify the CIO of a business unit. This
is someone who has responsibilities similar to those of a corporate CIO, but the scope is the business unit and there
is not as much concern about de”ning corporate standards and policies to ensure consistency across the business
units. The business unit CIO is responsible for aligning the IT investment portfolio with the business unit’s strategy.
Typically, the business unit CIO has dual reporting responsibility to both the corporate CIO and the president of the
business unit. At IBM, the CIO is a manager from a business unit who serves a two‐ to three‐year term.5
FIGURE 8.3 The CIO’s lieutenants.
Title Responsibility
Chief technology of#cer (CTO) Track emerging technologies; advise on technology adoption; design
and manage IT architecture
Chief knowledge of#cer (CKO) Create knowledge management infrastructure; build a knowledge
culture; make corporate knowledge payoff
Chief data of#cer (CDO) Create and maintain the de#nition, storage, and retirement of data in the
#rm; streamline access to the data; reduce data redundancy
Chief analytics of#cer (CAO) Take advantage of data analysis opportunities, often used for
understanding customers, transactions, markets, or trends
Chief telecommunications of#cer (CTO) Manage phones, networks, and other communications technology
across the entire enterprise
Chief network of#cer (CNO) Build and maintain internal and external networks
Chief resource of#cer (CRO) Manage outsourcing relationships
Chief information security of#cer (CISO) Ensure that information management practices are consistent with
security requirements
Chief privacy of#cer (CPO) Establish and enforce processes and practices to meet privacy concerns
of customers, employees, and vendors
Chief mobility of#cer (CMO) Oversee and ensure the viable use of mobile platforms and apps
Chief social media of#cer (CSMO) Maintain a social IT perspective that results in effectively implementing
social media
5 Ann Majchrzak, Luba Cherbakov, and Blake Ives, “Harnessing the Power of the Crowds with Corporate Social Networking Tools: How IBM Does It,”
MIS Quarterly Executive 8, no. 2 (2009), 103–8.
c08.indd 172 11/26/2015 6:28:00 PM
173Building a Business Case
Building a Business Case
In order to meet demand, the IT organization is often charged with providing solutions. Businesses managers often
turn to IT for good solutions, but IT projects end up competing with those of other managers in tight economic
times when there clearly aren’t enough budget resources to cover them all. After all, there is often no shortage of
other business investments such as new production machinery for higher product quality and lower costs or funding
for product research and development on product innovations. Thus, managers need to show that the solution they
want would be not only a good IT investment but also a good business investment.
To gain support and a “go‐ahead” decision, every manager must often create a business case. Similar to a legal
case, a business case is a structured document that lays out all the relevant information needed to make a go/no‐go
decision. The business case for an IT project is also a way to establish priorities for investing in different projects,
an opportunity to identify how IT and the business can deliver new bene”ts, gain commitment from business man-
agers, and create a basis for monitoring the investment.6
The components of a business case vary from corporation to corporation, depending on the priorities and
decision‐making environment. However, there are several primary elements of any business case (see Figure 8.4).
Critical to the business case is the identi”cation of both costs and bene”ts, both in “nancial and non”nancial terms.
In building, it is particularly important for the business case to describe the bene”ts to be gained with the
acceptance of the project the case is selling. Ward, Daniel, and Peppard7 suggested a framework for identifying and
describing both “nancial and non”nancial bene”ts (Figure 8.5). The “rst step in this framework is to identify each
bene”t as innovation (allowing the organization to do new things), improvement (allowing the organization to do
FIGURE 8.4 Components of a business case.
Section or Component Description
Executive summary One‐ or two‐page description of the overall business case document
summarizing key points
Overview and introduction Brief business background, the current business situation, a clear statement of
the business problem or opportunity, and a recommended solution at a high
level
Assumptions and rationale Issues driving the proposal (e.g., operational, human resources, environmental,
competitive, industry or market trends, or #nancial)
Project summary High‐level and detailed descriptions of the project: scope, objectives, contacts,
resource plan, key metrics, implementation plan, and key success factors
Financial discussion and analysis Overall summary followed by projected costs/revenues/bene#ts, #nancial
metrics, #nancial model, cash $ow statement, underlying assumptions, and total
cost of ownership (TCO) analysis
Bene#ts and business impacts Summary of business impacts followed by details on non#nancial matters
such as new business, transformation, innovations, competitive responses,
organizational, supply chain, and human resource impacts
Schedule and milestones Entire schedule for the project with milestones and expected metrics at each
stage; if appropriate, can include a marketing plan and schedule
Risk and contingency analysis Analysis of risks and ways to manage those risks, sensitivity analysis of
scenarios, and interdependencies and the impact they will have on potential
outcomes
Conclusion and recommendation Primary recommendation and conclusions
Appendices Backup materials not directly provided in the body of the document, such as
detailed #nancial investment analysis, marketing materials, and competitors’
literature.
6 John Ward, Elizabeth Daniel, and Joe Peppard, “Building Better Business Cases for IT Investments,” MIS Quarterly Executive 7, no. 1 (March 2008),
1–15.
7 Ibid.
c08.indd 173 11/26/2015 6:28:00 PM
174 The Business of Information Technology
things better), or cessation (stopping things). Then the bene”ts can be classi”ed by degree of explicitness or the
ability to assign a value to the bene”t. As shown in Figure 8.6, bene”ts fall into one of these categories:
• Financial: There is a way to express the bene”t in “nancial terms. These are the metrics that are most easily
used to judge the go/no‐go decision because “nancial terms are universal across all business decisions. An
example is improvement in pro”t.
• Quanti!able: There is a way to measure the size or magnitude of the bene”t, but “nancial bene”ts are not
directly determinable. For example, a “rm might expect a 20% increase in customer retention, but to deter-
mine the “nancial bene”t of resulting increased sales, it would require an analysis of what items they would
buy. Most business cases revolve around quanti”able bene”ts, so it is important to ensure the collection of a
comprehensive list of quanti”able bene”ts and any associated costs.
• Measurable: There is a way to measure the bene”t, but it is not necessarily connectable to any organiza-
tional outcome. Management must ensure alignment with the business strategy. For example, many organi-
zations collect satisfaction or web engagement data and are able to detect improvements.
• Observable: They can be detected only by opinion or judgment. These are the subjective, intangible, soft,
or qualitative bene”ts. Things seem better but no measures are available. For example, customers might be
expected to be happier or less argumentative.
Type of Business Change
Innovation
(do new things)
High
Degree of
Explicitness
Low
Financial benefits Financial value can be calculated by applying a cost/price
or other valid financial formula to a quantifiable benefit.
Improvement
(do things better)
Cessation
(stop doing things)
Quantifiable benefits There is sufficient evidence to forecast how much
improvement/benefit should result from the changes.
Measurable benefits Although this aspect of performance is currently measured
or an approximate measure could be implemented, it is not
possible to estimate how much performance will improve
when changes are implemented.
Observable benefits By using agreed criteria, specific individuals or groups will
use their experience or judgment to decide the extent the
benefit will be realized.
FIGURE 8.5 Classi”cation framework for bene”ts in a business case.
Source: Adapted from John Ward, Elizabeth Daniel, and Joe Peppard, “Building Better Business Cases for IT Investments,”
MIS Quarterly Executive 7, no. 1 (March 2008), 1–15.
FIGURE 8.6 Bene”t examples for a business case.
Bene#ts Innovation: Chat Function and
Customer Support Forum
Improvement: Remodeled
Facebook Page
Cessation: Reduce Phone
Support by 90%
Financial Fewer returns; higher sales Sales from redemption of
special coupons by new
customers
Overall costs reduced
Quanti#able Shorter customer wait time Number of new customers Wait time for phone lines
Measurable Higher customer satisfaction scores Number of “shares” by new
customers
Overall customer service
satisfaction scores
Observable Fewer complaints Supportive comments on the
page
Decrease in verbal
complaints by phone‐in
customers
c08.indd 174 11/26/2015 6:28:00 PM
175IT Portfolio Management
Consider the example of a small manufacturing “rm that hopes to differentiate itself with excellent customer
service but that has customers who are confused from time to time, an expanding customer support department,
long customer wait time, and growing dissatisfaction. The “rm identi”ed a potential three‐pronged social network
project that included a remodeled Facebook page, a new chat function, and a new customer support forum. The
project would be funded from reducing the phone support department by 90%. See Figure 8.6 for examples from a
potential bene”t analysis for the social network project.
Of course, the bene”t analysis is only part of the story because costs and risks need to be considered as well.
Projected costs would include purchase of hardware and software, consulting help, internal costs, training costs,
and other new expenditures. There would also be technical risks, “nancial risks, and organizational risks. Technical
risks could include complexity in usage of the new chat and customer support forum and incomplete statistics from
the Facebook page. Examples of “nancial risks would be a lack of accuracy in estimating costs, overestimates
of usage, and overly optimistic call center reduction. Organizational risks would include inadequate monitoring
of the new functionality or inability to recruit knowledgeable monitors for the chat function, support forum, and
Facebook page.
IT Portfolio Management
Managing the set of systems and programs in an IT organization is similar to managing resources in a “nancial
organization. There are different types of IT investments or projects, and together they form the business’s IT port-
folio. IT portfolio management refers to “evaluating new and existing applications collectively on an ongoing
basis to determine which applications provide value to the business in order to support decisions to replace, retire,
or further invest in applications across the enterprise.”8 This process requires thinking about IT systems as a cohe-
sive set of core assets, not as a discontinuous stream of one‐off (one‐time only), targeted investments as often has
been the case in the past. IT portfolio management involves continually deciding on the right mix of investments
from funding, management, and staf”ng perspectives. The overall goal of IT portfolio management is for the
company to fund and invest in the most valuable initiatives that, taken together as a whole, generate maximum
bene”ts for it.
Professor Peter Weill and colleagues at MIT’s Center for Information Systems Research (CISR) describe four
asset classes of IT investments that typically make up the company’s IT portfolio:9
• Transactional systems: Streamline or cut costs on the way business is done (equivalent to Level 1 in the
Business Maturity Model)
• Infrastructure systems: Provide the base foundation of shared IT services used for multiple applications
such as servers, networks, tablets, or smartphones (equivalent to Level 2 in the Business Maturity Model)
• Informational systems: Provide information used to control, manage, communicate, analyze, or collaborate
(equivalent to Level 2 in the Business Maturity Model)
• Strategic systems: Gain competitive advantage in the marketplace (equivalent to Level 3 in the Business
Maturity Model)
In analyzing the composition of any single company’s IT portfolio, one can “nd a pro”le of the relative investment
made in each IT asset class. Weill’s study found that the average “rm allocates 46% of its total IT investment each
year to infrastructure and only 25% of its total IT investment in transactional systems. Weill also found that “rms
in diverse industries allocate their IT resources differently.10
8 James D. McKeen and Heather A. Smith, “Developments in Practice XXXIV: Application Portfolio Management,” Communications of the Association
for Information Systems 26, no. 9 (2010), http://aisel.aisnet.org/cais/vol26/iss1/9 (accessed September 4, 2015).
9 Peter Weill and Marianne Broadbent, Leveraging the New Infrastructure: How Market Leaders Capitalize on Information Technology (Cambridge,
MA: Harvard Business School Press, June 1998). © MIT Sloan Center for Information Systems Research 2005–12. Used with permission. For more
information, see http://cisr.mit.edu.
10 Ibid.
c08.indd 175 11/26/2015 6:28:00 PM
http://aisel.aisnet.org/cais/vol26/iss1/9
http://cisr.mit.edu
176 The Business of Information Technology
Weill’s work also suggests that a different balance between IT investments is needed for a cost‐focused strategy
compared to an agility‐focused strategy. A company with a cost‐focused strategy would seek an IT portfolio that
helps lower costs as the primary business objective. In that case, Weill’s work suggests that on average, 27% of the
IT investments are made in transactional investments, suggesting higher use of applications that automate processes
and typically lower operational costs.11 On the other hand, a company with an agility focus would be more likely to
invest a higher percent of its IT portfolio in infrastructure (e.g., 51% on average) and less in transactional systems
(e.g., 24% on average). The infrastructure investment would create a platform that would likely be used to more
quickly and nimbly create solutions needed by the business whereas the transactional systems might lock in the
current processes and take more effort and time to change.
From the portfolio management perspective, potential new systems are evaluated on their own merits and com-
pared against other systems in the prospective portfolio. Often applications can’t stand alone and require integration
with other applications, some of which would need to be acquired or developed. A complete picture is required for
a fair comparison of portfolio alternatives. Portfolio management helps prioritize IT investments across multiple
decision criteria, including value to the business, urgency, and “nancial return. Just like an individual or company’s
investment portfolio is aligned with its objectives, the IT portfolio must be aligned with the business strategy.
Valuing IT Investments
New IT investments are often justi”ed by the business managers proposing them in terms of monetary costs and
bene”ts. The monetary costs and bene”ts are important but are not the only considerations in making IT investments.
Soft bene”ts, such as the ability to make future decisions, are often part of the business case for IT investments, mak-
ing the measurement of the investment’s payback (length of time to recoup the cost) dif”cult.
Several unique factors of the IT organization make it very challenging to determine the value from IT invest-
ments. First, the systems are complex, and calculating the costs is an art, not a science. Second, because many IT
investments are for infrastructure, calculating a payback period may be more complex than other types of capital
investments. Third, many times the payback cannot be calculated because the investment is a necessity rather than
a choice without any tangible payback. For example, upgrading to a newer version of software may be required
because the older version simply is no longer supported. Many managers do not want to have to upgrade just
because the vendor insists that an upgrade is necessary. Instead, managers may resist IT spending on the grounds
that the investment adds no incremental value. These factors and more fuel a long‐running debate about the value
of IT investments. IT managers need to learn to express bene”ts in a businesslike manner such as return on
investment (ROI) or increased customer satisfaction.
IT managers, like the business managers who propose IT projects, are expected to understand and even try to
calculate the true return on these projects. Measuring this return is dif”cult, however. To illustrate, consider the
relative ease with which a manager might analyze whether the enterprise should build a new plant. The “rst step
would be to estimate the costs of construction. The plant capacity dictates project production levels. Demand var-
ies, and construction costs frequently overrun, but the manager can “nd suf”cient information to make a decision
about whether to build. Most of the time, the bene”ts of investing in IT are less tangible than those of building
a plant because the IT cannot be felt and touched like a physical building can be. Such bene”ts might include
tighter systems integration, faster response time, more accurate data, and more leverage to adopt future tech-
nologies, among others. How can a manager quantify these intangibles? He or she should also consider many
indirect, or downstream, bene”ts and costs, such as changes in how people behave, where staff report, and how
tasks are assigned. In fact, it may be impossible to pinpoint who will bene”t from an IT investment when making
the decision.12
Despite the dif”culty, the task of evaluating IT investments is necessary. Knowing which approaches to use
and when to use them are important “rst steps. A number of “nancial valuation approaches are summarized in
Figure 8.7. Managers should choose based on the attributes of the project. For example, ROI or payback analysis
11 Ibid.
12 John C. Ford, “Evaluating Investment in IT,” Australian Accountant (December 1994), 3.
c08.indd 176 11/26/2015 6:28:00 PM
177Monitoring IT Investments
can be used when detailed analysis is not required, as when a project is short lived and its costs and bene”ts are clear.
When the project lasts long enough that the time value of money becomes a factor, net present value (NPV) and
economic value added (EVA) are better approaches. EVA is particularly appropriate for capital‐intensive projects.
Both IT and business managers may encounter a number of pitfalls when analyzing return on investment. First,
some situations are heavy in soft bene”ts and light in projected “nancial bene”ts. That is, increased customer sat-
isfaction might not result in actual “nancial in#ows.
Second, it is dif”cult to reconcile projects of diverse size, bene”ts, and timing in light of a “xed budget avail-
able for new projects. The budget might contain enough funding for only one large project with moderate but quick
return, and then there is no room for other smaller projects with higher but slower return.
Third, circumstances may alter the way managers make estimates. For instance, in a software implementation,
if experience shows that it usually takes 20% longer than budgeted to build a system, managers might begin to rou-
tinely add 20% to future estimates when preparing schedules and budgets to account for the uncertainty.
Fourth, managers can fall into “analysis paralysis.” Reaching a precise valuation may take longer than is rea-
sonable to make an investment decision. Because a single right valuation may not exist, “close enough” usually
suf”ces. Experience and an eye to the risks of an incorrect valuation help decide when to stop analyzing.
Finally, even when the numbers say a project is not worthwhile, the investment may be necessary to remain
competitive. For example, UPS faced little choice but to invest heavily in IT. At the time, FedEx had made IT a
competitive advantage and was winning the overnight delivery war. More recently, companies are “nding that they
must re‐invest in their applications in order to make them work on mobile devices.
Monitoring IT Investments
An old adage says: “If you can’t measure it, you can’t manage it.” Management’s role is to ensure that the money
spent on IT results in value for the organization. Therefore, a common, accepted set of metrics must be created, and
those metrics must be monitored and communicated to senior management and customers of the IT department.
These metrics are often “nancial in nature (i.e., ROI, NPV). But “nancial measurement is only one category of
measures used to manage IT investments. Other IT metrics include logs of errors encountered by users, end‐user
surveys, user turnaround time, logs of computer and communication up‐/downtime, system response time, and
percentage of projects completed on time and/or within budget. An example of a business‐focused method is the
extent to which the technology innovation improves the number of contacts with external customers, increases sales
revenue, and generates new business leads.
FIGURE 8.7 Financial valuation methods.
Valuation Method Description
Return on investment (ROI) Excess of return over the investment is calculated as ROI = (Revenue − Investment)/
Investment.
Net present value (NPV) Accounting for the time value of money, the NPV discounts cash $ows from future
periods as being worth less than immediate cash $ows. Discounting is performed
by using a present value factor, which is 1/(1 + Discount rate).years
Economic value added (EVA) The amount of bene#t of an investment that exceeds the costs of the capital used
for investments. It is sometimes implemented #rmwide as net operating pro#t after
taxes (Capital × Cost of capital).
Payback period This is a simple and popular method that, assuming there are regular or irregular
#nancial bene#ts of an investment, computes how long a #rm estimates it must wait
until it breaks even on the investment (all costs are #nally recouped).
Internal rate of return (IRR) Like an interest rate, IRR represents the rate that is earned on an investment. The rate
is compared to a target that is determined by corporate policy.
Weighted scoring methods Costs and revenues are weighted based on their strategic importance, level of
accuracy or con#dence, and comparable investment opportunities.
c08.indd 177 11/26/2015 6:28:00 PM
178 The Business of Information Technology
The Balanced Scorecard
Deciding on appropriate measures is half of the equation for effective IT organizations. The other half of the
equation is ensuring that those measures are accurately communicated to the business. Two methods for communi-
cating these metrics are scorecards and dashboards.
Financial measures may be the language of stockholders, but managers understand that such measures can
be misleading if used as the sole means of making management decisions. One methodology used to solve this
problem, created by Robert Kaplan and David Norton and “rst described in the Harvard Business Review in 1992,
is the balanced scorecard, which focuses attention on the organization’s value drivers (which include, but are not
limited to, “nancial performance).13 Companies use this scorecard to assess the full impact of their corporate strat-
egies on their customers and work force as well as their “nancial performance.
The balanced scorecard methodology allows managers to look at the business from four perspectives: customer,
internal business, innovation/learning, and “nancial. For each perspective, the goals and measures are designed to
answer these basic questions:
• How do customers see us? (customer perspective)
• At what must we excel? (internal business perspective)
• Can we continue to improve and create value? (innovation and learning perspective)
• How do we look to shareholders? (“nancial perspective)
Figure 8.8 graphically shows the relationship of these perspectives.
Financial Perspective
Goals Measures
Goals Measures
Goals Measures
Goals Measures
Customer Perspective
Learning Perspective
Internal Perspective
FIGURE 8.8 The balanced scorecard perspectives.
Source: Based on R. Kaplan and D. Norton, “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business
Review (January–February 1992), 72.
13 For more detail, see R. Kaplan and D. Norton, “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review 70, no. 1,
(January–February 1992), 71–79.
c08.indd 178 11/26/2015 6:28:00 PM
179Monitoring IT Investments
Since the introduction of the balanced scorecard, many people have modi”ed it or adapted it to apply to their
particular organization. Managers of information technology “nd the concept of a scorecard useful in managing
and communicating the value of the IT department.
Applying the categories of the balanced scorecard to IT might mean interpreting them more broadly than origi-
nally conceived by Kaplan and Norton. For example, the original scorecard speaks of the customer perspective, but
for the IT scorecard, the customer might be a user within the company, not an external customer of the company.
The questions asked when using this methodology within the IT department are summarized in Figure 8.9.
David Norton comments, “[D]on’t start with an emphasis on metrics—start with your strategy and use metrics
to make it understandable and measurable (that is, to communicate it to those expected to make it happen and to
manage it).”14 He “nds the balanced scorecard to be the most effective management framework for achieving orga-
nizational alignment and strategic success.
FirstEnergy, a multibillion‐dollar utility company, is a good example of how the IS scorecard can be used. One
of its strategic, albeit non”nancial, goals was to create “raving fans” among its customers. The MIS group inter-
preted “raving fans” to mean satis”ed internal customers. It used three metrics to measure the performance toward
this goal:15
• Percentage of projects completed on time and on budget
• Percentage of projects released to the customer by agreed‐on delivery date
• End‐of‐project customer satisfaction survey results
A scorecard used within the IT organization helps senior IT managers understand their organization’s performance
and measure it in a way that supports its business strategy. The IT scorecard is linked to the corporate scorecard
and ensures that the measures used by IT are those that support the corporate goals. At DuPont Engineering, the
balanced scorecard methodology forces every action to be linked to a corporate goal, which helps promote align-
ment and eliminate projects with little potential impact. The conversations between IT and the business focus on
strategic goals, the merits of the project at hand, and the actual impact rather than on technology and capabilities.16
FIGURE 8.9 Balanced scorecard applied to IT departments.
Source: Adapted from R. Kaplan and D. Norton, “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business
Review (January–February 1992), 72.
Dimension Description Example of IT Measures
Customer perspective How do customers see us?
Measures that re$ect factors that really
matter to customers
Impact of IT projects on users, impact
of IT’s reputation among users, and
user‐de#ned operational metrics
Internal business perspective What must we excel at?
Measures of what the company must do
internally to meet customer expectations
IT process metrics, project comple-
tion rates, and system operational
performance metrics
Learning perspective Can we continue to improve and create
value?
Measures of the company’s ability to inno-
vative, improve, and learn
IT R&D, new technology introduction
success rate, training metrics
Financial perspective How do we look to shareholders?
Measures to indicate contribution of activ-
ities to the bottom line
IT project ROI, NPV, IRR, cost/bene#t,
TCO, ABC
14 “Ask the Source: Interview with David Norton,” cio.com (July 25, 2002) (accessed February 22, 2003).
15 Adapted from Eric Berkman, “How to Use the Balanced Scorecard,” CIO Magazine 15, no. 15 (May 15, 2002), 1–4.
16 Ibid; also Hall of Fame Organizations: Dupont, http://www.thepalladiumgroup.com/about/hof/Pages/HofViewer.aspx?MID=27 (accessed February 19,
2012).
c08.indd 179 11/26/2015 6:28:00 PM
http://www.thepalladiumgroup.com/about/hof/Pages/HofViewer.aspx?MID=27
180 The Business of Information Technology
IT Dashboards
Scorecards provide summary information gathered over a period of time. Another common IT management mon-
itoring tool is the IT dashboard, which provides a snapshot of metrics at any given point in time. Much like the
dashboard of an automobile or airplane, the IT dashboard summarizes key metrics for senior managers in a manner
that provides quick identi”cation of the status of the organization. Like scorecards, dashboards are useful outside
the IT department and are often found in executive of”ces as a tool for keeping current on critical measures of the
organization. This section focuses on the use of these tools within the IT department. The contents of a dashboard
depend on what is important to management, but in most cases graphical representations provide quick, at‐a‐glance
results. Dashboards are often quite colorful, but as Figure 8.10 illustrates, they can be very useful even without
using color.
IT dashboards are also used in an IT department, which provide frequently updated information on areas of
interest such as the status of projects of various sizes or operational systems of various types. For example, a dash-
board used by General Motors (GM) North America’s IT leadership team monitors project status.17 Because senior
managers question the overall health of a project rather than the details, the dashboard they designed provides red,
yellow, or green highlights for rapid comprehension. A green highlight means that the project is progressing as
planned and performance is within acceptable limits. A yellow highlight means at least one key target has been
missed. A red highlight means the project is signi”cantly behind and needs some attention or resources to get back
on track.
CURRENT INVENTORY
30%
Widgets
Items
23%
Stuff
6%
Parts
22%
Objects
19%
WEBSITE E-COMMERCE
PURCHASES 6,200
7,800
900
0% 100%
MARKET SHARE
BY COMPETITOR
Brand W
Brand X
Brand Y
Brand Z
55%
24%
17%
4%
COMPETITOR SPEND
Brand
W
Brand
X
Brand
Y
Brand
Z
$122
$6
$150
$24
$37
$2
$34
$17
$5$8$3
PROFIT BY CHANNEL
Affiliates
Email
Website
In-Store
Social
55%
20%
13%
10%
2%
REVENUE PER PRODUCT
ALL
VIC
NSW
QLD Widgets
Items
Parts
Widgets
Items
Parts
Widgets
Items
Parts
Widgets
Items
Parts
BRAND AWARENESS
Brisbane
Cairns
0.7
Sydney
Melbourne
Perth
Darwin
ADVERTISING SPEND BY
CHANNEL THIS MONTH
COMPANY TOP-LINE REVENUE
$23,044,000
$23,044,000
$25,220,000
$21,998,000
NOV
2012
APR
2013
SEP
2013
FIGURE 8.10 Example of an executive dashboard.
Source: http://www.datalabs.com.au/business‐intelligence‐dashboards/.
17 Adapted from Tracy Mayor, “Red Light, Green Light,” CIO Magazine 15, no. 1 (October 1, 2001), 108.
c08.indd 180 11/26/2015 6:28:01 PM
http://www.datalabs.com.au/business%E2%80%90intelligence%E2%80%90dashboards%00%00
181Monitoring IT Investments
At GM, each project is tracked and rated monthly. GM uses four dashboard criteria: (1) performance to
budget, (2) performance to schedule, (3) delivery of business results, and (4) risk. At the beginning of a project,
these metrics are de”ned and acceptable levels set. The project manager assigns a color status monthly based
on the de”ned criteria, and the results are reported in a spreadsheet. When managers look at the dashboard, they
can immediately tell whether projects are on schedule based on the amount of green, yellow, or red highlights
on the dashboard. They can then drill down into yellow or red metrics to get the projects back on track. The
dashboard provides an easy way to identify where their attention should be focused. The director of IT opera-
tions explains, “Red means I need more money, people or better business buy‐in. . . . The dashboard provides an
early warning system that allows IT managers to identify and correct problems before they become big enough
to derail a project.”18
There are really four types of IT dashboards.19 Portfolio dashboards like GM’s help senior IT leaders manage
IT projects. These dashboards show senior IT leaders the status, problems, milestones, progress, expenses, and
other metrics related to speci”c projects. Business‐IT dashboards show relevant business metrics and link them to
the IT systems that support them. The metrics on the balanced scorecard provide a sample of the type of metrics
followed by this dashboard. A service dashboard is geared toward the internal IS department, showing important
metrics about the IS such as up time, throughput, service tickets, progress on bug “xes, help desk satisfaction, and
so on. The fourth type is an improvement dashboard, which monitors the three to “ve key improvement goals for
the IT group. Like the portfolio dashboard, the metrics to be monitored are based on the projects undertaken, but
unlike the other dashboards, this one is geared toward monitoring progress toward important goals of the IT orga-
nization itself.
In order to increase its transparency, the U.S. government created an IT dashboard Web site20 in 2009. This
Web site, which was built in six weeks, displays the status of each IT project (termed an “investment”) currently
under development within the U.S. government. This dashboard provides status information by project and agency
and offers the ability to drill down for details. For each project, it provides color‐coded (i.e., green, yellow, and
red) performance metrics for cost, schedule, and CIO evaluation along with a project history. For each agency,
it provides an agency rating and count of projects in each color grouping. For example, in September 2015, one
could click the “Portfolio” button for a list of departments and their overall ratings.21 Across all projects, pie charts
revealed green, yellow, and red counts of 575, 129, and 34, respectively. The Department of Homeland Security
(DHS) had average project rating of 3.9 out of 5 over 89 projects.
Clicking on the DHS name allowed drilling down for detail about its projects, and clicking on each project
provided 2015 spending along with ratings and commentary.22 For instance, the $163.5 million “FEMA—Infra-
structure” project had a very low rating of 2.0 out of 5. A narrative and graphical rating history23 allows the user to
understand the problems and when they occurred. The FEMA—Infrastructure evaluation score fell in April 2013,
largely because the project was over budget and behind schedule. It is apparent that the increased transparency pro-
vides increased accountability for managing the investments.24
Dashboards are built on the information contained in the other applications, databases, and analytical systems
of the organization (see Chapter 12 for a more complete discussion of business intelligence and business ana-
lytics). Refer to Figure 8.11 for the architecture of a sample dashboard for Western Digital, a $3‐billion global
designer and manufacturer of high‐performance hard drives for PCs, networks, storage devices, and entertainment
systems.25
18 Ibid.
19 Adapted from Chris Curran, “The 4 Types of CIO Dashboards,” CIO.com (June 15, 2009), http://www.ciodashboard.com/metrics‐and‐measurement/
the‐4‐types‐of‐cio‐dashboards/ (accessed April 9, 2012).
20 See https://itdashboard.gov/ (accessed September 4, 2015).
21 http://www.itdashboard.gov/portfolios (accessed September 4, 2015).
22 https://itdashboard.gov/portfolios/agency=024 (accessed September 4, 2015).
23 https://itdashboard.gov/investment?buscid=163 (accessed September 4, 2015).
24 U.S. government IT Dashboards, http://www.itdashboard.gov/portfolios (accessed on accessed April 23, 2015).
25 Robert Houghton, O. A. El Sawy, P. Gray, C. Donegan, and A. Joshi, “Vigilant Information Systems for Managing Enterprises in Dynamic Supply
Chains: Real‐Time Dashboards at Western Digital,” MISQE 3, no. 1 (March 2004), 19–35.
c08.indd 181 11/26/2015 6:28:01 PM
http://www.ciodashboard.com/metrics%E2%80%90and%E2%80%90measurement/the%E2%80%904%E2%80%90types%E2%80%90of%E2%80%90cio%E2%80%90dashboards/
https://itdashboard.gov
http://www.itdashboard.gov/portfolios
https://itdashboard.gov/portfolios/agency=024
https://itdashboard.gov/investment?buscid=163
http://www.itdashboard.gov/portfolios
182 The Business of Information Technology
Funding IT Resources
Who pays for IT? The users? The IT organization? Headquarters? Certain costs are associated with designing,
developing, delivering, and maintaining the IT systems. How are these costs recovered? The three main funding
methods are chargeback, allocation, and corporate budget. Both chargeback and allocation methods distribute the
costs back to the businesses, departments, or individuals within the company. This distribution of costs is used so
that managers can understand the costs associated with running their organization or for tax reasons when the costs
associated with each business must be paid for by the appropriate business unit. Corporate budgeting, on the other
hand, is a completely different funding method in which IT costs are not linked directly with any speci”c user or
business unit; costs are recovered using corporate coffers.
Chargeback
With a chargeback funding method, IT costs are recovered by charging individuals, departments, or business
units based on actual usage and cost. The IT organization collects usage data on each system it runs. Rates for
usage are calculated based on the actual cost to the IT group to run the system and billed out on a regular basis.
For example, a PC might be billed at $100/month, which includes the cost of maintaining the system, any soft-
ware license fees for the standard con”guration, e‐mail, network access, a usage fee for the help desk, and other
related services. Each department receives a monthly bill showing the number of units it has, such as PCs, printers,
or servers, multiplied by the charge for each unit. Services such as mainframe processing time and special project
consulting help can also be included. When the IT organization wants to recover administrative and overhead costs
using a chargeback system, these costs are built into rates charged for each service.
Corporate Dashboards
Planning/Forecasting
Revenue Positions
Inventory Positions
BMIS
(financial
performance)
ERP Logistics
Point of
Sale
Supplier
Quality
System
Raw Data
Drive Cost, Customer Order, Customer Payment, Test Data, Build Data, etc…..
Mfg.
Execution
System
Marginal
Monitoring
System
Failure
Analysis
System
QIS
(product
performance)
Mitec Reporting
(factory performance)
Factory Dashboard
Component Inventory
Line Utilization
Yield
Dashboards
Highly Summarized
Key Metric Driven
Visualization and Alertness
Business Intelligence
Cross Application Query/Data Mining
Statistical Analysis
Functional Applications
Transaction Based
Standard Reporting
Highly Focused
Raw Data
Feeds Transaction System
FIGURE 8.11 Example architecture of a dashboard.
Source: Robert Houghton, O. A. El Sawy, P. Gray, C. Donegan, and A. Joshi, “Vigilant Information Systems for Managing Enter-
prises in Dynamic Supply Chains: Real‐Time Dashboards at Western Digital,” MIS Quarterly Executive 3, no. 1 (March 2004).
c08.indd 182 11/26/2015 6:28:02 PM
183Funding IT Resources
Chargeback systems are popular because they are viewed as the most equitable way to recover IT costs. Costs
are distributed based on usage or consumption of resources, ensuring that the largest portion of the costs is paid
for by the group or individual who consumes the most. Chargeback systems can also provide managers a “menu”
of options for managing and controlling their IT costs. For example, a manager may decide to select tablets rather
than laptops because the unit charge is less expensive. The chargeback system gives managers the details they need
to understand both what IT resources they use and how to account for IT consumption in the cost of their products
and services. Because the departments get a regular bill, they know exactly what their costs are.
Creating and managing a chargeback system, however, is a costly endeavor itself. IT organizations must build
systems to collect details that might not be needed for anything other than the bills they generate. For example, if
PCs are the basis for charging for network time, the network connect time per PC must be collected, stored, and
analyzed each billing cycle. The data collection quickly becomes large and complex, which often results in com-
plicated, dif”cult‐to‐understand bills. In addition, picking the charging criteria is challenging. For example, it is
relatively easy to count the number of PCs located in a particular business unit, but is that number a good measure
of the network resources used? It might be more accurate to charge based on units of network time used, but how
would that be captured and calculated? Chargeback methods are most appropriate when there is a wide variation in
usage among users or when actual costs need to be accounted for by the business units.
Allocation
To simplify the cost recovery process, an allocation system can be used. An allocation funding method recovers
costs based on something other than usage, such as revenues, log‐in accounts, or head count (number of employees)
in each business unit or department. For example, suppose the total spending for IT for a year is $1 million for a
company with 10,000 employees. A business unit with 1,000 employees might be responsible for 10%, or $100,000,
of the total IT costs. Of course, with this type of allocation system, it does not matter whether these employees even
use the IT; the department is still charged the same amount.
The allocation mechanism is simpler than the chargeback method to implement and apply each month. Actual
usage does not need to be captured. The rate charged is often “xed at the beginning of the year. Allocation offers
two main advantages. First, the level of detail required to calculate the allocations is much less, which reduces
record keeping expenses. Second, the charges from the IT organization are predictable. Unlike the chargeback
mechanism, where each bill opens up an opportunity for discussion about the charges incurred, the allocation
mechanism seems to generate far less frequent arguments from the business units. Often, quite a bit of discussion
takes place at the beginning of the year when rates and allocation bases are set, but less discussion occurs each
month because the managers understand and expect the bill.
Two major complaints are made about allocation systems. First is the free‐rider problem: A large user of IT ser-
vices pays the same amount as a small user when the charges are not based on usage. Second, deciding the basis for
allocating the costs is an issue. Choosing the number of employees over the number of desktops or other basis is
a management decision, and whichever basis is chosen, someone will likely pay more than his or her actual usage
would imply. Allocation mechanisms work well when a corporate directive requires the use of this method and
when the units agree on the basis for dividing the costs.
Often when an allocation process is used, a follow‐up process is needed at the end of the “scal year to compare
the total IT expenses against the total IT funds recovered from the business units, and any extra funds are given back
to the business. Sometimes this process is called a “true‐up” process because true expenses are balanced against
payments made. In some cases, additional funds are needed; however, IT managers try to avoid asking for funds
to make up for shortfalls in their budget. The true‐up process is needed because the actual cost of the information
system is dif”cult to predict at the beginning of the year. Cost changes over the year because hardware, software,
or support costs #uctuate in the marketplace and because IT managers, like all managers, work constantly on
improving ef”ciency and productivity, resulting in lower costs. In an allocation process that charges a “xed rate for
each service for the year, a true‐up process allows IT managers to pass along any additional savings to their business
counterparts. Business managers often prefer the predictability of their monthly IT bills along with a true‐up pro-
cess over the relative unpredictability of being charged actual costs each month.
c08.indd 183 11/26/2015 6:28:02 PM
184 The Business of Information Technology
Corporate Budget
An entirely different way to pay for IT costs is to simply consider them all to be corporate overhead and pay for
them directly out of the corporate budget. With the corporate budget funding method, the costs fall to the corpo-
rate bottom line, rather than levying charges on speci”c users or business units.
Corporate budgeting is a relatively simple method for funding IT costs. It requires no calculation of prices of the IT
systems. And because bills are not generated on a regular cycle to the businesses, concerns are raised less often by the
business managers. IT managers control the entire budget, giving them control of the use of those funds and, ultimately,
more input into what systems are created, how they are managed, and when they are retired. This funding method also
encourages the use of new technologies because learners are not charged for exploration and inef”cient system use.
As with the other methods, certain drawbacks come with using the corporate budget. First, all IT expenditures
are subjected to the same process as all other corporate expenditures, namely, the budgeting process. In many com-
panies, this process is one of the most stressful events of the year: Everyone has projects to be done, and everyone
is competing for scarce funds. If the business units are not billed in some way for their usage, many companies
“nd that the units do not control their usage. Getting a bill for services motivates the individual business manager
to reconsider his or her usage of those services. Finally, if the business units are not footing the bill, the IT group
may feel less accountable to them, which may result in an IT organization that is less end‐user or customer oriented.
Figure 8.12 summarizes the advantages and disadvantages of these methods.
How Much Does IT Cost?
The three major IT funding approaches in the preceding discussion are designed to recover the costs of building
and maintaining the information systems in an enterprise. The goal is to simply cover the costs, not to generate a
pro”t (although some IT organizations are actually pro”t centers for their corporation). The most basic method for
calculating the costs of a system is to add the costs of all the components, including hardware, software, network,
and the people involved. IT organizations calculate the initial costs and ongoing maintenance costs in just this way.
Activity‐Based Costing
Another method for calculating costs is known as activity‐based costing (ABC). Traditional accounting methods
account for direct and indirect costs. Direct costs are those that can be clearly linked to a particular process or
product, such as the components used to manufacture the product and the assembler’s wages for time spent building
FIGURE 8.12 Comparison of IT funding methods.
Funding Method Description Why Do It? Why Not Do It?
Chargeback Charges are calculated based
on actual usage.
It is the fairest method for
recovering costs based on
actual usage. IT users can
see exactly what their usage
costs are.
IT department must collect
details on usage, which can
be expensive and dif#cult.
IT must be prepared to
defend the charges, which
takes time and resources.
Allocation Total expected IT expen ditures
are divided by agreed upon
basis such as number of login
IDs, number of employees, or
number of workstations.
It requires less bookkeeping
for IT because rate is set once
per #scal year, and basis is
well understood. Monthly
costs for the business units
are predictable.
IT department must
defend allocation rates; it
may charge a low‐usage
department more than its
usage would indicate is fair.
Corporate Budget Corporate allocates
funds to IT at annual
budget session.
There is no billing to the
business units. IT exercises more
control over what projects are
done. It is good for encouraging
the use of new technologies.
It competes with all other
budgeted items for funds;
users might draw on
excessive resources, lacking
any incentive to economize.
c08.indd 184 11/26/2015 6:28:02 PM
185How Much Does IT Cost?
the product. Indirect costs are the overhead costs, which include everything from the electric bill, the salary of
administrative managers, and the expenses of the administrative function to the wages of the supervisor over-
seeing the assembler, the cost of running the factory, and the maintenance of machinery used for multiple products.
Further, depending on the funding method used by the enterprise, indirect costs are allocated or absorbed elsewhere
in the pricing model. The allocation process can be cumbersome and complex and often is a source of trouble for
many organizations. The alternative to the traditional approach is ABC.
Activity‐based costing calculates costs by counting the actual activities that go into making a speci”c product
or delivering a speci”c service. Activities are processes, functions, or tasks that occur over time and produce recog-
nized results. They consume assigned resources to produce products and services. Activities are useful in costing
because they are the common denominator between business process improvement and information improvement
across departments.
Rather than allocate the total indirect cost of a system across a range of services according to an allocation for-
mula, ABC calculates the amount of time that system supported a particular activity and allocates only that cost to
that activity. For example, an accountant would look at the enterprise resource planning (ERP) system and divide
its cost over the activities it supports by calculating how much of the system is used by each activity. Product A
might take up one‐twelfth of an ERP system’s capacity to control the manufacturing activities needed to make it,
so it would be allocated one‐twelfth of the system’s costs. The help desk might take up a whole server, so the entire
server’s cost would be allocated to that activity. In the end, the costs are put in buckets that re#ect the products and
services of the business rather than the organization structure or the processes of any given department. In effect,
ABC is the process of charging all costs to “pro”t centers” instead of to “cost centers.”
Jonathan Bush, CEO of management services company Athenahealth, did activity‐based costing for Children’s
Hospital in Boston. When he found that it cost the hospital about $120 to admit a patient, he recommended a solu-
tion of using the information received from the primary care doctor. He argues, “Your primary‐care doctor has
already created 90% of that information to see you for your regular visit. Why wouldn’t the hospital give the doctor
$100 if it was costing them $120 to do it themselves?”26 The ABC approach allowed the hospital to realize the cost
of running the hospital systems to perform the activity and to compare it with the cost of an alternative source that
turned out to be cheaper. But until the thorny issues of electronic medical records are sorted out, the doctors and the
hospitals will likely continue to create their own records.
Total Cost of Ownership
When a system is proposed and a business case is created to justify the investment, summing up the initial outlay
and the maintenance cost does not provide an entirely accurate total system cost. In fact, if only the initial and main-
tenance costs are considered, the decision is often made on incomplete information. Other costs are involved, and
a time value of money affects the total cost. One technique used to calculate a more accurate cost that includes all
associated costs is total cost of ownership (TCO). It has become the industry standard. Gartner Group introduced
TCO in the late 1980s when PC‐based IT infrastructures began gaining popularity.27 Other IT experts have since
modi”ed the concept, and this section synthesizes the latest and best thinking about TCO.
TCO looks beyond initial capital investments to include costs associated with technical support, administration,
training, and system retirement. Often, the initial cost is an inadequate predictor of the additional costs necessary
to successfully implement the system. TCO techniques estimate annual costs per user for each potential infrastruc-
ture choice; these costs are then totaled. Careful estimates of TCO provide the best investment numbers to compare
with “nancial return numbers when analyzing the net returns on various IT options. The alternative, an analysis
without TCO, can result in an “apples and oranges” comparison. Consider a decision about printers. The initial cost
of a laser printer may be much less than an inkjet printer, but when considering the cost of toner and ink over the
expected lifetime of the printers, the total cost of ownership of the laser printer is much lower. A similar analysis of
a larger IT system clari”es similar alternatives and comparisons.
26 David Lidsky, “#43 Athenahealth,” fastcompany.com (February 17, 2010), http://www.fastcompany.com/mic/2010/profile/athenahealth (accessed
January 30, 2012).
27 M. Gartenberg, “Beyond the Numbers: Common TCO Myths Revealed,” Gartner Group Research Note: Technology (March 2, 1998).
c08.indd 185 11/26/2015 6:28:02 PM
http://www.fastcompany.com/mic/2010/profile/athenahealth
186 The Business of Information Technology
A major IT investment is for infrastructure. The hardware, software, network, and data framework can be used
to organize the TCO components the manager needs to evaluate each infrastructure option. Hardware, software,
and networking units can include the obvious equipment and packages but also “invisible” signi”cant items such
as technical support, administration, training, and disposal costs can easily be overlooked. “Soft” data costs can
include removable media such as thumb drives or portable hard drives, as well as on‐site and off‐site storage.
Even if managers can’t get a completely accurate “gure of costs, they can be more aware of areas where costs
can be cut. More or less detail can be used in each area as needed by the business environment. The manager can
adapt this framework for use with varying IT infrastructures.
TCO Component Breakdown
TCO is sometimes dif”cult for managers to fully comprehend. To clarify how the TCO framework is used, this
section examines the hardware category in more detail. For shared components, such as servers and printers, TCO
estimates should be computed per component and then divided among all users who access them.
For more complex situations, such as when only certain groups of users possess certain components, it is wise to
segment the hardware analysis by platform. For example, in an organization in which every employee possesses a
desktop computer that accesses a server and half the employees also possess stand‐alone laptops that do not access
a server, one TCO table could be built for desktop and server hardware and another for laptop hardware. Each table
would include software, network, and data costs associated only with its speci”c platforms.
Soft costs, such as technical support, administration, and training, are easier to estimate than they may “rst appear.
For example, as Figure 8.13 depicts, technical support costs include areas such as phone support, troubleshooting, hot
swaps, and repairs. These and all other costs are summed and divided by the number of devices to derive an amount
per unit, which is when added to the initial cost of a device, and re#ects a truer sense of cost of ownership, or TCO.
The “nal soft cost, informal support, may be harder to determine, but it is important nonetheless. Informal
support comprises the sometimes highly complex networks that develop among co‐workers through which many
problems are “xed and much training takes place without the involvement of any of”cial support staff. In many
circumstances, these activities can prove more ef”cient and effective than working through of”cial channels. Still,
managers want to analyze the costs of informal support for two reasons:
1. The costs—both in salary and in opportunity—of a nonsupport employee providing informal support
may prove signi”cantly higher than analogous costs for a formal support employee. For example, it costs
much more in both dollars per hour and forgone management activity for a midlevel manager to help a line
employee troubleshoot an e‐mail problem than it would for a formal support employee to provide the same
service.
2. The quantity of informal support activity in an organization provides an indirect measure of the ef”ciency
of its IT support organization. The formal support organization should respond with suf”cient promptness
and thoroughness to discourage all but the briefest informal support transactions.
Various IT infrastructure options affect informal support activities differently. For example, a more user‐friendly
systems interface may alleviate the need for much informal support, justifying a slightly higher software expendi-
ture. Similarly, an investment in support management software may be justi”ed if it reduces the need for informal
support. Web‐based applications change the equation even further. Those companies that use a vendor‐supplied
Web‐based application may “nd that support activities are provided by the vendor or the applications are written in
such a way as to minimize or eliminate support entirely.
TCO as a Management Tool
This discussion focused on TCO as a tool for evaluating which infrastructure components to choose, but TCO
also can help managers understand how infrastructure costs break down. Research has consistently shown that the
labor costs associated with an IT infrastructure far outweigh the actual capital investment costs. TCO provides the
c08.indd 186 11/26/2015 6:28:02 PM
187Summary
fullest picture of where managers spend their IT dollars. Like other benchmarks, TCO results can be evaluated
over time against industry standards (much TCO target data for various IT infrastructure choices are available
from industry research “rms). Even without comparison data, the numbers that emerge from TCO studies assist in
making decisions about budgeting, resource allocation, and organizational structure.
However, like the ABC approach, the cost of implementing TCO can be a detriment to the program’s overall suc-
cess. Both ABC and TCO are complex approaches that may require signi”cant effort to determine the costs to use
in the calculations. Managers must weigh the bene”ts of using these approaches with the costs of obtaining reliable
data necessary to make their use successful.
S U M M A R Y
• IT organizations can be expected to anticipate new technologies, participate in setting and implementing strategic
goals, innovate current processes, develop and maintain information systems, manage supplier relationships, estab-
lish architecture platforms and standards, promote enterprise security, plan for business discontinuities, manage data/
information/knowledge, manage Internet and network services, manage human resources, operate the data center, pro-
vide general support, and integrate social IT.
• IT activities can reveal the group’s level of maturity. The most mature IT organizations are proactive and partner with
business executives.
• The chief information of”cer (CIO) is a high‐level IS of”cer who oversees many important organizational activities. The
CIO must display both technical and business skills. The role requires both strategic and operational skills.
• A business case is a tool used to support a decision or a proposal of a new investment. It is a document containing a
project description, “nancial analysis, marketing analysis, and all other relevant documentation to assist managers in
making a go/no‐go decision.
• Bene”ts articulated in a business case can be categorized as observable, measurable, quanti”able, and “nancial. These
bene”ts are often for innovations, improvements, or cessation.
• The portfolio of IT investments must be carefully evaluated and managed.
• The investments may be valued using such methods as return on investment (ROI), net present value (NPV), economic
value added (EVA), payback period, internal rate of return (IRR), and weighted scoring.
• Bene”ts derived from IT investments are sometimes dif”cult to quantify and to observe or are long range in scope.
FIGURE 8.13 Soft cost considerations.
Soft Cost Areas Example Components of Cost Source
Technical support Hardware phone support Call center
In‐person hardware troubleshooting IT operations
Hardware hot swaps IT operations
Physical hardware repair IT operations
Total cost of technical support
Administration Hardware setup System administrator
Hardware upgrades/modi#cations System administrator
New hardware evaluation IT operations
Total cost of administration
Training New employee training IT operations
Ongoing administrator training Hardware vendor
Total cost of training
Total soft costs for hardware
c08.indd 187 11/26/2015 6:28:02 PM
188 The Business of Information Technology
• Monitoring and communicating the status and bene”ts of IT is often done through the use of balanced scorecards and IT
dashboards.
• IT is funded using one of three methods: chargeback, allocation, or corporate budget.
• Chargeback systems are viewed as the most equitable method of IT cost recovery because costs are distributed based on
usage. Creating an accounting system to record the information necessary to do a chargeback system can be expensive
and time consuming and usually has no other useful application.
• Allocation systems provide a simpler method to recover costs because they do not involve recording system usage to
allocate costs. However, allocation systems can sometimes penalize groups with low usage.
• The corporate budget method does not allocate costs at all. Instead, the CIO seeks and receives a budget from the corpo-
rate overhead account. This method of funding IT does not require any usage record keeping but is also most likely to be
abused if the users perceive it to be “free.”
• Activity‐based costing (ABC) is another technique to group costs into a meaningful bucket. Costs are accounted for
based on the activity, product, or service they support. ABC is useful for allocating large overhead expenses.
• Total cost of ownership (TCO) is a technique used to understand all the costs beyond the initial investment costs associ-
ated with owning and operating an information system. It is most useful as a tool to help evaluate which infrastructure
components to choose and to help understand how infrastructure costs occur.
K E Y T E R M S
activity‐based costing (ABC) (p. 185)
allocation funding method (p. 183)
balanced scorecard (p. 178)
business case (p. 173)
business‐IT maturity model (p. 167)
business technology strategist (p. 171)
chargeback funding method (p. 182)
chief information of”cer
(CIO) (p. 171)
corporate budget funding
method (p. 184)
dashboard (p. 180)
economic value added (EVA) (p. 177)
IT portfolio management (p. 175)
net present value (NPV) (p. 177)
payback period (p. 176)
return on investment (ROI) (p. 176)
total cost of ownership (TCO) (p. 185)
D I S C U S S I O N Q U E S T I O N S
1. Using an organization with which you are familiar, describe the role of the most senior IS professional. Is that person a
strategist or an operational manager?
2. What advantages does a CIO bring to a business? What might be the disadvantages of having a CIO?
3. Under what conditions would you recommend using each of these funding methods to pay for information systems expenses:
allocation, chargeback, and corporate budget?
4. In the following table are comparative typical IT portfolio profiles for different business strategies from Weill and Broad-
bent’s study.28 Explain why infrastructure investments are higher and transactional and informational investments are lower
for a firm with an agility focus than a firm with a cost focus. Also, how would you explain the similar values for strategic
investments among the three profiles?
Transactional
Investments
Infrastructure
Investments
Informational
Investments
Strategic
Investments
Average #rm 25% 46% 18% 11%
Cost focus 27% 44% 18% 11%
Agility focus 24% 51% 15% 10%
5. Describe the conditions under which ROI, payback period, NPV, and EVA are most appropriately applied to information
systems investments.
28 Weill and Broadbent, Leveraging The New Infrastructure.
c08.indd 188 11/26/2015 6:28:02 PM
189Case Study
KLM Airlines , headquartered in the Netherlands, is one of the world ’ s leading international airlines. Following its merger
with Air France in 2004, KLM employs 33,000 people worldwide (1,000 of whom work in the IT function) and operates
about 200 planes. 29
Following the 9/11 terrorist attack in 2001, the challenging business environment for airlines caused KLM ’ s CEO to
appoint a new CIO from the operations area, clearly outside of the IT area, to make a structural break from the past. Three
priorities included examining outsourcing IT, creating a board of business and IT representatives, and fashioning a process
for governance of IT that is shared between the IT function and business units.
The result of the ensuing efforts over several years was to create four levels of committee governance: An executive
committee kept an eye on matching the business strategy with IT strategies; A business/IT board, which was composed
of the CEO, CIO, and all business unit executive vice presidents, was formed to manage the portfolio and budget; an
IT management team worked on tactical planning for the business/IT board; and ” nally, the CIO/information services
management team planned and managed IT operations. KLM also established a set of key principles and practices
and developed a standard business case template that had to be used whenever requesting an investment greater than
150,000 euros.
KLM experienced ” ve bene” ts attributed to the governance structure: reduced IT costs per kilometer # own, increased
capacity for IT innovation, better alignment of investments to business goals, increased trust between functional units and
the IT organization, and a mind‐set of the value of IT.
■ CASE STUDY 8‐1 KLM Airlines
6. A new inventory management system for ABC Company could be developed at a cost of $260,000. The estimated net
operating costs and estimated net benefits over six years of operation would be:
Year Estimated Net Operating Costs Estimated Net Bene# ts
0 $260,000 $0
1 7,000 42,000
2 9,400 78,000
3 11,000 82,000
4 14,000 115,000
5 15,000 120,000
6 25,000 140,000
a. What would the payback period be for this investment? Would it be a good or bad investment? Why?
b. What is the ROI for this investment?
c. Assuming a 15% discount rate, what is this investment ’ s NPV?
7. Compare and contrast the IT scorecard and dashboard approaches. Which, if either, would be most useful to you as a general
manager? Please explain.
8. TCO is one way to account for costs associated with a specific infrastructure. This method does not include additional costs
such as disposal costs—the costs to dispose of the system when it is no longer of use. What other additional costs might be
of importance in making total cost calculations?
9. Check out the U.S. government IT dashboard site at http://www.itdashboard.gov/portfolios. Based upon the site:
a. Describe the portfolio for the Department of Justice.
b. Which investments, if any, appear to be in trouble in the Department of Justice? Based on the information that is provided,
can you estimate the status of those projects? Is there any additional information that you think a manager would like to
see about the status of the project?
29 Adapted from Steven De Haes , Dirk Gemke , John Thorp , and Wim Van Grembergen , “ KLM ’ s Enterprise Governance of IT Journey: From Managing
IT Costs to Managing Business Value ,” MIS Quarterly Executive 10 , no. 3 ( 2011 ), 109 – 20 .
c08.indd 189 11/26/2015 6:28:03 PM
http://www.itdashboard.gov/portfolios
190 The Business of Information Technology
Discussion Questions
1. What is likely to have led to increased trust for the IT organization?
2. What might explain an item that is seemingly quite unrelated to IT (costs per kilometer flown) decreased as a result of
the new CIO structure?
3. What maturity level did KLM appear to exhibit (a) in 2000 and (b) in 2011? Why?
4. Why do you think that KLM requires its employees to use a standard business case template when they want to make
an investment?
Sources: Adapted from Steven De Haes , Dirk Gemke , John Thorp , and Wim Van Grembergen , “ KLM ’ s Enterprise Governance
of IT Journey: From Managing IT Costs to Managing Business Value ,” MIS Quarterly Executive 10 , no. 3 ( 2011 ), 109 – 20 , and “Analyz-
ing IT Value Management at KLM Through the Lens of Val IT,” http://www.isaca.org/JOURNAL/ARCHIVES/2011/VOLUME‐5/Pages/
Analyzing‐IT‐Value‐Management‐at‐KLM‐Through‐the‐Lens‐of‐Val‐IT.aspx (accessed May 30, 2015).
BIOCO is a pro” table and growing medium‐sized biopharmaceutical company located in the southeast United States.
It develops, produces, and markets vaccines and antibody‐based pharmaceutical products. As part of the company ’ s strate-
gic transformation, BIOCO ’ s CEO introduced a top‐down, strategy‐driven management process called the “BIOCO Way.”
The CEO has a strong conviction that the success of a company starts with a clear vision of what the company wants to be
and a corporate strategy that re# ects that vision. In the BIOCO Way, the corporate vision and strategy are translated into a
long‐term corporate strategic plan, which in turn is used to generate the corporate strategy map. To measure progress against
the strategy map, a cascade of balanced scorecards (corporate, division/department) are developed and used. As a result of
the full integration of the levels of balanced scorecards into the planning process, the BIOCO Way emphasizes how the
strategies and related tactics should be carried out and measured at all levels. The CEO is a strong champion of balanced
scorecards and is considered an in‐house guru for the method.
Each year, BIOCO managers at the corporate and department levels review performance and assess the appropriateness
of their respective balanced scorecards for the prior year. Based on the results of the performance reviews and a short‐term
execution plan for the upcoming year, strategic initiatives are added, modi” ed, or removed, and the metrics in the scorecards
are adjusted accordingly. The CIO thinks that the balanced scorecards help the departments look beyond their own opera-
tions, and the vice president thinks they mobilize everyone in the company by setting up tangible goals that are clearly linked
to the overall goals of the company. The CIO thinks the scorecard enhances communications because it “provides a focal
point and common language around the key value drivers of the organization,” and it helps IT understand other business
areas. To overcome cultural differences among the departments, he added culture as a ” fth perspective in the scorecards.
Discussion Questions
1. What benefits has BIOCO realized from its use of balanced scorecards?
2. Do you think the BIOCO Way was useful in helping the IT department align its goals with that of the company? Why
or why not?
3. Do you think that the BIOCO approach could be implemented successfully in large companies? Why or why not? If so,
what, if any, adjustments need to be made?
4. BIOCO recently was sold and now has a new CEO. Do you think the BIOCO Way will be as successful under the new
CEO? Why or why not?
Sources: Q. Hu and C. D. Huang , “ Using the Balanced Scorecard to Achieve Sustained IT‐Business Alignment: A Case Study ,”
Communications of the Association for Information Systems 17 , no. 1 ( 2006 ) ; Organized Change Consultancy, ”Examples of Companies
Using the Balanced Scorecard” (2010), https://www.organizedchange.com/examplesofcompaniesusingthebalancedscorecard.htm
(accessed May 30, 2015).
■ CASE STUDY 8‐2 Balanced Scorecards at BIOCO
c08.indd 190 11/26/2015 6:28:03 PM
http://www.isaca.org/JOURNAL/ARCHIVES/2011/VOLUME%E2%80%905/Pages/Analyzing%E2%80%90IT%E2%80%90Value%E2%80%90Management%E2%80%90at%E2%80%90KLM%E2%80%90Through%E2%80%90the%E2%80%90Lens%E2%80%90of%E2%80%90Val%E2%80%90IT.aspx
http://www.isaca.org/JOURNAL/ARCHIVES/2011/VOLUME%E2%80%905/Pages/Analyzing%E2%80%90IT%E2%80%90Value%E2%80%90Management%E2%80%90at%E2%80%90KLM%E2%80%90Through%E2%80%90the%E2%80%90Lens%E2%80%90of%E2%80%90Val%E2%80%90IT.aspx
https://www.organizedchange.com/examplesofcompaniesusingthebalancedscorecard.htm
191
9
chapter
1 http://www.intel.com/content/dam/www/public/us/en/documents/reports/2012‐2013‐intel‐it‐performance‐report (accessed
September 1, 2015).
2 http://www.intel.com/content/www/us/en/it‐management/intel‐it‐best‐practices/intel‐it‐annual‐performance‐report‐2014‐15‐
paper.html (accessed September 1, 2015).
Governance structures de# ne the way decisions are made in an organization. This chapter
explores four models of governance based on the location of decision making in organiza-
tion structure (centralized, decentralized, and federal), decision rights, digital ecosystems,
and control, considering frameworks from the Committee of Sponsoring Organizations of
the Treadway Commission (COSO), Control Objectives for Information and related Tech-
nology (COBIT), and Information Technology Infrastructure Library (ITIL). Examples and strat-
egies for implementation are discussed.
Governance of the
Information Systems
Organization
Intel ’ s information technology (IT) performance reports for 2013 1 and 2015 2 boast about how the
company increased its storage capacity from 25 petabytes in 2010 to 106 petabytes in 2014, and over
the same interval raised the number of handheld devices from 19,400 to 53,700. Intel also exploited
other highly visible opportunities of using predictive data analytics. It reduced the amount of time
required to detect data threats from two weeks in 2013 to 20 minutes in 2014. Finally, Intel enjoyed
a revenue increase of $351 million from advanced analytics in the areas of sales leads, supply,
demand, and pricing.
An outsider might assume that Intel stepped up spending and IT investments to accomplish these
goals. However, it actually reduced the number of data centers from 91 in 2010 to 61 in 2014 and
reduced IT spending from 2.64% to 2.30% of revenue during that same ” ve‐year interval.
How did Intel accomplish these and other laudable goals? Its approach was the result of 23 years
of evolution of its strategy that began by creating a centralized IT organization in 1992 with control
resting in IT. Intel has come a long way from its original governance structure, which was centered
on mainframes and wide‐area networks. Later, in 2003, Intel initiated its “Protect Era” in response
to two events: the then‐new Sarbanes–Oxley legislation and a virus that had infected Intel ’ s internal
networks through an employee ’ s home‐based network connection. The company ’ s “Protect Era”
was led by IT and locked down resources to such an extent that employees had to devise risky policy
workarounds to be able to complete some of their tasks. Data could be used only within a particular
functional area, not shared among areas.
Intel ’ s current “Protect to Enable Era” in information governance began in 2009 after man-
agers found that its overly restrictive policies on bring your own device (BYOD) had frustrated its
employees who saw those policies as both expensive and detrimental to innovation over the long
run. This led Intel to discover that consumerization is a powerful force. That six‐syllable mouthful
describes the increasingly powerful tools available in the consumer space that can impact the corpo-
rate space. Mobility has been the major breakthrough in consumerization, and the increasing use of
c09.indd 191 11/26/2015 7:33:25 PM
http://www.intel.com/content/dam/www/public/us/en/documents/reports/2012%E2%80%902013%E2%80%90intel%E2%80%90it%E2%80%90performance%E2%80%90report
http://www.intel.com/content/www/us/en/it%E2%80%90management/intel%E2%80%90it%E2%80%90best%E2%80%90practices/intel%E2%80%90it%E2%80%90annual%E2%80%90performance%E2%80%90report%E2%80%902014%E2%80%9015%E2%80%90paper.html
http://www.intel.com/content/www/us/en/it%E2%80%90management/intel%E2%80%90it%E2%80%90best%E2%80%90practices/intel%E2%80%90it%E2%80%90annual%E2%80%90performance%E2%80%90report%E2%80%902014%E2%80%9015%E2%80%90paper.html
192 Governance of the Information Systems Organization
smartphones, tablets, and smaller/more powerful laptops coupled with Web‐based applications that offer everything
from free business productivity tools, such as Google Docs to sharing applications like YouTube and SlideShare
and to social tools such as Twitter and LinkedIn, have created a new IT environment.
Intel found that cloud services, desktop applications, social networking, mobile devices, and the management
policies surrounding them had changed the business of IT. BYOD forced IT leaders at Intel and many other “rms to
re‐evaluate how IT services are offered. Intel’s traditional command and control mentality—with IT leaders making
all technology decisions—no longer could work. The consumerization of technology changed Intel’s management
approach3 from “How do we stop it?” to “How do we work with this?”
Intel’s governance structure also resulted in a lost opportunity to exploit data and analytics (described in
Chapter 13). Because information was restricted to the particular department in which it was generated, Intel could
not explore connections between manufacturing decisions and consumer reactions or between social media trends
and product design decisions. A new approach to governance was clearly needed, and Protect to Enable has ad-
dressed those needs.
More recently, Intel has extended the governance framework’s reach by its new six‐pronged focus on social net-
working, mobile devices, analytics, cloud technologies, Internet of Things, and security. Intel reports that it has now
moved to the top of a three‐tiered pyramid of IT leadership of (1) developing programs and delivering services, (2)
contributing business value, and (3) transforming the company.
How does a governance framework provide these bene”ts? Intel now uses information governance boards that
include representatives from a variety of its functions, including marketing, manufacturing, product design, human
resources (HR), legal, business development, internal audit, and IT. Sharing the governance with business units is
one of “ve key success factors, according to an analysis of the Intel case.4 Intel reports that they have moved beyond
categorizing challenges as IT problems or business problems. They assert that only integrated solutions work to
“disrupt instead of being disrupted.”5
Although each information systems (IS) organization is unique in many ways, all have elements in common. The
focus of this chapter is to introduce managers to issues related to the way decisions about IT are made in the organi-
zation. These issues should re#ect the typical activities of an IS organization that were discussed in Chapter 8. The
current chapter examines governance of the IS organization as it relates to decisions about IT issues.
IT Governance
Expectations (or more speci”cally, what managers should and should not expect from the IS organization) are at
the heart of IT governance. Governance in the context of business enterprises is all about making decisions that
de”ne expectations, grant authority, or ensure performance. In other words, governance is about aligning behavior
with business goals through empowerment and monitoring. Empowerment comes from granting the right to make
decisions, and monitoring comes from evaluating performance. As noted in Chapter 3, a decision right is an impor-
tant organizational design variable because it indicates who in the organization has the responsibility to initiate,
supply information for, approve, implement, and control various types of decisions.
Four perspectives of IT governance are described here. The “rst, a traditional perspective of IT governance,
focuses on how decision rights can be distributed to facilitate centralized, decentralized, or hybrid modes of
decision making. In this view of governance, the organization structure plays a major role. The second focuses on
the interaction between accountability and allocation of decision rights to executives, business unit leaders, or IT
leaders. The third focuses on an “ecosystem” that re#ects the signi”cant impacts of the large variety of resources
available from individuals, organizational units, and outside service providers. The “nal perspective, control struc-
tures developed in response to important legislation, also provides governance guidelines to “rms.
3 Paul P. Tallon, James E. Short, and Malcolm Harkins, “The Evolution of Information Governance at Intel,” MIS Quarterly Executive 12, no. 4 (2013),
189–98.
4 Ibid.
5 http://www.intel.com/content/www/us/en/it‐management/intel‐it‐best‐practices/intel‐it‐annual‐performance‐report‐2014‐15‐paper.html, 20 (accessed
September 3, 2015).
c09.indd 192 11/26/2015 7:33:25 PM
http://www.intel.com/content/www/us/en/it%E2%80%90management/intel%E2%80%90it%E2%80%90best%E2%80%90practices/intel%E2%80%90it%E2%80%90annual%E2%80%90performance%E2%80%90report%E2%80%902014%E2%80%9015%E2%80%90paper.html
193IT Governance
Centralized versus Decentralized Organizational Structures
Companies’ organizational strategies exist along a continuum from centralization to decentralization. At one end
of the continuum, centralized IS organizations bring together all staff, hardware, software, data, and processing
into a single location. Decentralized IS organizations scatter these components across different locations to
address local business needs. These two approaches do not refer to IT architectures but to decision‐making frame-
works. A combination, or hybrid, of the two is called federalism, found in the middle (see Figure 9.1). Enterprises
of all shapes and sizes can be found at any point along the continuum. Over time, however, each enterprise may
gravitate toward one end of the continuum or the other, and often reorganization is in reality a change toward one
end to the other.
Centralization and decentralization trends have evolved through the “ve eras of information usage (see
Chapter 2, Figure 2.1). In the 1960s, mainframes dictated a centralized approach to IS because the mainframe
resided in one physical location. Centralized decision making, purchasing, maintenance, and staff kept these early
computing behemoths running. The 1970s remained centralized due in part to the constraints of mainframe com-
puting, although minicomputers planted early seeds for decentralizing. In the 1980s the advent of the personal
computer (PC), which allowed computing power to spread beyond the raised‐#oor, super‐cooled rooms of main-
frames, provided further fuel for decentralization. Users especially liked the shift to decentralization because it put
them more in control and increased their agility. However, the pressures for secure networks and massive corpo-
rate databases in the 1990s shifted some organizations back to a more centralized approach. Yet, the increasingly
global nature of many businesses makes complete centralization impossible. The most recent global survey found
that 70.6% of the participating organizations were centralized in terms of IT, 13.5% were decentralized, and 12.7%
were federated.6 Although the high percentage of centralized companies in the sample may seem surprising, the
study suggested that with the increasing appreciation for governance found in companies with high levels of gov-
ernance maturity comes the need for control that is made possible in the centralized structure.
The survey also found that two‐thirds of responding enterprises had governance activities for enterprise IT
(GEIT). These companies indicated that the main driver for GEIT activities is to ensure that IT functionality aligns
with business needs, and, like Intel’s “ndings, the most commonly experienced outcomes were improvements in
management of IT‐related risk and communication and relationships between business and IT. Good governance
therefore can increase the transparency of IT supply and demand and help in assigning priorities for IT projects
and services.
What are the most important considerations in deciding how much to centralize or decentralize? Figure 9.2
shows some advantages and disadvantages of each approach.
Consider two competing parcel delivery companies, UPS and FedEx, in the year that they both reported
spending about $1 billion on IT. UPS’s IT strategy focused on delivering ef”ciencies to meet the business demands
of consistency and reliability. UPS’s centralized, standardized IT environment supported dependable customer
service at a relatively low price. In contrast, FedEx chose a decentralized IT strategy that allowed it to focus on
#exibility in meeting business demands generated from targeting various customer segments. The higher costs of
the decentralized approach to IT management were offset by the bene”ts of localized innovation and customer
responsiveness.7
Decentralization Federalism Centralization
FIGURE 9.1 Organizational continuum.
6 IT Governance Institute, “Global Status Report on the Governance of Enterprise IT (GEIT)” (2011), 49, http://www.isaca.org/Knowledge‐Center/
Research/Documents/Global‐Status‐Report‐GEIT‐10Jan2011‐Research (accessed February 27, 2011).
7 J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review (November 2002), 1–8.
c09.indd 193 11/26/2015 7:33:26 PM
http://www.isaca.org/Knowledge%E2%80%90Center/Research/Documents/Global%E2%80%90Status%E2%80%90Report%E2%80%90GEIT%E2%80%9010Jan2011%E2%80%90Research %20
194 Governance of the Information Systems Organization
FIGURE 9.2 Advantages and disadvantages of organizational approaches.
Approach Advantages Disadvantages Companies Adopting
Centralized • Global standards; common data
• “One voice” for negotiating
supplier contracts
• Greater leverage in deploying
strategic IT initiatives
• Economies of scale and a shared
cost structure
• Access to large capacity
• Improved recruitment and
training of IT professionals
• Improved control of security and
databases
• Consistent with centralized
enterprise structure
• Technology may not meet local
needs
• Slow support for strategic
initiatives
• Schism between business and IT
organization
• “Us versus them” mentality when
technology problems occur
• Lack of business unit control over
overhead costs
Zara, UPSa
Decentralized • Technology customized to local
business needs
• Close partnership between IT and
business units
• Greater $exibility
• Reduced telecommunication
costs
• Consistency with decentralized
enterprise structure
• Business unit control of overhead
costs
• Dif#culty in maintaining global
standards and consistent data
• Higher infrastructure costs
• Dif#culty in negotiating
preferential supplier agreements
• Loss of control
• Duplication of staff and data
VeriFone, FedExb
a J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review (November 2002), 1–8.
b Ibid.
Zara, the global retail and apparel manufacturer introduced in Chapter 2, also used a centralized approach, which
differs from other clothing chains. The head of IS, who was not a CIO, reported directly to the deputy general
manager, who was two levels below the CEO.8 This way of structuring the IS department was consistent with the
organization’s predominantly centralized structure. It was also well suited to organizational processing about which
most administrative decisions were made in the headquarters at Lacoruńa, Spain. The users did not require a lot of
hand‐holding with regard to the point‐of‐sale (POS) systems in the stores. For these reasons, a centralized approach
was a good “t for Zara. The store managers, however, did retain some decision rights about which products to order.
Thus, Zara was not totally at the centralization end of the continuum. In contrast, Verifone, which we discuss in
Chapter 4, needs a decentralized structure for its globally distributed employees.
Companies adopt a strategy based on lessons learned from earlier years of centralization and decentralization.
Most companies want to achieve the advantages derived from both organizational paradigms. This desire leads
to federalism,9 a structuring approach that distributes power, hardware, software, data, and personnel between a
central IS group and IS in business units. Many companies adopt a form of federal IT yet still count themselves
as either decentralized or centralized, depending on their position on the continuum. Organizations such as Home
Depot and the U.S. Department of Veteran Affairs recognize the advantages of a more hybrid approach and actively
seek to bene”t from adopting a federal structure. See Figure 9.3 for the interrelationship of these approaches.
Archetypes of Accountability and Decision Rights
Sometimes the centralized/decentralized/federal approaches to governance are not “ne‐tuned enough to help
managers deal with the many contingencies facing today’s organizations. This issue is addressed by a framework
8 Andrew McAfee, Vincent Dessain, and Anders Sjman, “Zara: IT for Fast Fashion,” Harvard Business School Case 9‐604‐081 (September 6, 2007).
9 John F. Rockart, Michael J. Earl, and Jeanne W. Ross, “Eight Imperatives for the New IT Organization,” Sloan Management Review (Fall 1996), 52–53.
c09.indd 194 11/26/2015 7:33:26 PM
195IT Governance
Federal IT
Centralized IT Decentralized IT
The federal IT attempts
to capture the benefits of
centralized and decentralized
organizations while eliminating
the drawbacks of each.
• Unresponsive
• No Business
Unit Ownership
of Systems
• No Business
Unit Control of
Central Overhead
Costs
• Doesn’t Meet
Every Business
Unit’s Needs
• Economies
of Scale
• Control of
Standards
• Critical
Mass of
Skills
• IT Vision and
Leadership
• Groupwide IT
Strategy and
Architecture
• Strategic
control
• Synergy
• Users Control
IT Priorities
• Business
Units Have
Ownership
• Responsive
to Business
Unit’s Needs
• Excessive Overall
Costs to Group
• Variable
Standards of IS
Competence
• Reinvention of
Wheels
• No Synergy and
Integration
FIGURE 9.3 Federal IT.
Source: Michael J. Earl, “Information Management: The Organizational Dimension,” The Role of the Corporate IT Function in the
Federal IT Organization, ed. S. L. Hodgkinson (New York: Oxford University Press, 1996), Figure 12.1. By permission of Oxford
University Press, Inc.
10 Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Cambridge, MA: Harvard
Business School Press, 2004); Peter Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1 (2004),
1–17. The quote is on page 3.
11 P. Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1 (2004).
developed by Peter Weill and Jeanne Ross. They de”ne IT governance as “specifying the decision rights and
accountability framework to encourage desirable behavior in using IT.”10 IT governance is not about what decisions
are actually made but rather about who is making them (i.e., who holds the decision rights) and how the decision
makers are held accountable for them.
It is important to match the manager’s decision rights with his or her accountability for a decision. Figure 9.4
indicates what happens when there is a mismatch. Where the CIO has a high level of decision rights and account-
ability, the “rm is likely to be at maturity Level 3 (which was introduced in Chapter 8). Where both the decision
rights and accountability are low, the company is likely to be at Level 1. Mismatches result in either an oversupply
of IT resources or the inability of IT to meet business demand.
Good IT governance provides a structure to make good decisions. It can also limit the negative impact of orga-
nizational politics in IT‐related decisions. IT governance has two major components: (1) assignment of decision‐
making authority and responsibility and (2) decision‐making mechanisms (e.g., steering committees, review boards,
policies). When it comes speci”cally to IT governance, Weill and his colleagues proposed “ve generally applicable
categories of IT decisions: IT principles, IT architecture, IT infrastructure strategies, business application needs,
and IT investment and prioritization.11 A description of these decision categories with an example of major IS activ-
ities affected by them is provided in Figure 9.5.
Weill and Ross’s study of 256 enterprises shows that a de”ning trait of high‐performing companies is the use
of proper decision right allocation patterns for each of the “ve major categories of IT decisions. They use six
political archetypes with highly descriptive names (business monarchy, IT monarchy, feudal, federal, IT duopoly,
and anarchy) to label the combinations of people who either input information or have decision rights for the key
c09.indd 195 11/26/2015 7:33:26 PM
196 Governance of the Information Systems Organization
FIGURE 9.5 Five major categories of IT decisions.
Source: Adapted from P. Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1
(2004), 4, Figure 2.
Category Description Examples of Affected IS Activities
IT principles How to determine IT assets that are
needed
Participating in setting strategic direction
IT architecture How to structure IT assets Establishing architecture and standards
IT infrastructure strategies How to build IT assets Managing Internet and network services,
data, human resources, mobile computing
Business application needs How to acquire, implement, and
maintain IT (insource or outsource)
Developing and maintaining information
systems
IT investment and prioritization How much to invest and where to
invest in IT assets
Anticipating new technologies
FIGURE 9.4 IS Decision rights accountability gap.
Source: Adapted from V. Grover, R. M. Henry, and J. B. Thatcher, “Fix IT‐Business Relationships through Better Decision Rights,”
Communications of the ACM 50, no. 12 (December 2007), 82, Figure 1.
Accountability
Low High
Decision Rights High Technocentric gap
• There is danger of overspending on
IT, creating an oversupply
• IT assets may not be utilized to meet
business demand
• Business group might become
frustrated with IT group
Strategic norm (Level 3 balance)
• IT is viewed as competent
• IT is viewed as strategic to business
Low Support norm (Level 1 balance)
• It works for organizations where IT is
viewed as a support function
• Its focus is on business ef#ciency
Business gap
• Cost considerations dominate IT decision
• IT assets may not utilize internal
competencies to meet business demand
• IT group might cause frustration for
business group
IT decisions.12 An archetype is a pattern resulting from allocation of decision rights. Decisions can be made at
several levels in the organization: top executives, IT executives, or business unit executives. Figure 9.6 summarizes
the level and function for the allocation of decision rights in each archetype.
For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and
to assign accountability for them. Although there is little variation in the selection of archetypes regarding who
provides information for decision making, there is signi”cant variation across organizations in terms of archetypes
selected for decision right allocation. For instance, the duopoly is used by the largest portion (36%) of organiza-
tions for IT principles decisions whereas the IT monarchy is the most popular for IT architecture and infrastructure
decisions (i.e., 73% and 59%, respectively).13
There is no one best arrangement for the allocation of decision rights. Rather, the most appropriate arrangement
depends on a number of factors, including the type of performance indicator. Some common performance indica-
tors are asset utilization, pro”t, or growth.
12 Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Cambridge, MA: Harvard
Business School Press, 2004).
13 Weill and Ross, IT Governance.
c09.indd 196 11/26/2015 7:33:26 PM
197IT Governance
Emergent Governance—The Digital Ecosystem
New consumer technologies challenge a “top‐down” governance approach for making all decisions in a planned
and methodical manner. The best‐laid plans are often derailed. Intel’s decree to lock down data and strictly control
devices used by employees grew so dif”cult that it impeded the company’s ability to not only compete but also
to ful”ll everyday tasks. Sometimes the best plans aren’t even prescribed far in advance; in some situations, they
simply emerge. For instance, social networking was ignored by many “rms in its early days because they failed to
recognize its impact. Most “rms now realize that social networking needs not only recognition but also strategic
investments.
There are many freely available and widely used apps, Web sites, social networks, smartphones, and other IT
assets; it would be foolish to try to invent something identical in house, so “rms often exploit them. Using a variety
of such assets implies that governance might need to be more #exible and follow patterns of adaptation much like
biological ecosystems, forming an interrelated set of interacting species.14 Just as a species cannot ignore preda-
tors, prey, and complementary species, an information systems department cannot ignore new technologies and
information assets that emerge suddenly and unexpectedly. One interesting de”nition of digital ecosystem regards
those systems as self‐interested, self‐organizing, and autonomous digital entities.15
A simple example can be useful. Before YouTube, “rms had to “nd their own way to provide digital video
content to customers on the Web. Some used animations that were available in special image formats whereas
others had to choose between requiring a download of a video “le that they hoped would be playable on a user’s
computer or streaming a “le to users who had to also install a particular streaming player that was compatible with
the streaming video. Providing that content widely was not generally considered to be feasible or even desirable.
With YouTube, “rms can now simply use a link or even embed the video into their own Web site. Coupling this
FIGURE 9.6 IT governance archetypes.
Source: P. Weill, “Don’t Just Lead, Govern: How Top‐Performing Firms Govern IT,” MIS Quarterly Executive 3, no. 1 (2004), 5,
Figure 3.
Decision rights or inputs rights for a particular IT decision are held by:
CxO
Level
Execs
Corp. IT
and/or
Business
Unit IT
Business
Unit Leaders
or Process
Owners
Business
Monarchy
A group of, or individual, business executives (i.e., CxOs).
Includes committees comprised of senior business
executives (may include CIO). Excludes IT executives
acting independently.
✓
IT monarchy Individuals or groups of IT executives. ✓
Feudal Business unit leaders, key process owners or their
delegates. ✓
Federal C level executives and at least one other business group
(e.g., CxO and BU leaders)—IT executives may be an
additional participant. Equivalent to a country and its states
working together.
✓
✓
✓
✓ ✓
IT duopoly IT executives and one other group
(e.g., CxO or BU leaders).
✓ ✓
✓ ✓
Anarchy Each individual user.
14 Maja Hadzic and Elizabeth Chang, “Application of Digital Ecosystem Design Methodology within the Health Domain,” IEEE Transactions on
Systems, Man and Cybernetics, Part A: Systems and Humans 40, no. 4 (2010): 779–88.
15 Rahnuma Kazi and Ralph Deters, “Mobile Event‐Oriented Digital Ecosystem,” Digital Ecosystems Technologies (DEST), 2012 6th IEEE International
Conference (2012).
c09.indd 197 11/26/2015 7:33:27 PM
198 Governance of the Information Systems Organization
new simplicity with an ability to display a map from Google Maps forms new and very useful interdependencies
between these digital assets.
In recent years, mobile computing, GPS, and social media have indeed presented new, unexpected challenges
and opportunities as described earlier. However, other technological developments have also provided digital eco-
system opportunities, such as cloud computing, the Internet of Things (IoT), radio frequency ID (RFID), and smart
cards. Interconnecting “rms with each other allows connectivity in new, unpredictable, and very helpful ways.
A good example in the health care arena is an electronic medical record (EMR).16 An EMR is “lled with a variety
of information about a patient (for instance, patient demographics, appointments, medications, medical history,
billing records). Not only can a doctor’s computer pick out the relevant information about a patient to use but also
a pharmacy can identify potential drug interactions and a laboratory can be informed of certain medical conditions
when processing a specimen. In addition, both the pharmacy process and the insurance company can bill for the
medication and the appointment.
Some or all of these functions could have been in the original plans for EMRs, but others might occur to enter-
prising designers along the way. For instance, a bank that is administering the patient’s #exible spending account
can be provided medical billing information for properly disbursing funds. Also, a tax authority might be provided
billing information from the EMR to verify deductible expenses. Each party would be privy only to the relevant
information for it, and the rest would be kept con”dential.
A smartphone provides another example of how a digital ecosystem can form between applications, “rms, and
digital entities. Even just the junction of identity, date, location, preference, and relationship information can pro-
vide real‐time driving directions, invitations to nearby events, alerts about nearby friends, personalized advertising,
and chatter on social network alerts. Many of these uses were not even imagined 15 years ago, and it is hard to
imagine the possible new connections and uses that will occur in another 15 years. For instance, new ecosystem
connections will be made possible when the IoT places more technology into automobiles. A self‐driving car could
actually react independently to an urgent situation with a family member and safely make a split‐second decision to
change course before all of the information is fully comprehended by the occupant (formerly called the “driver”).
Individual devices and applications that are dif”cult to imagine today might be combined in new ways on the road,
in the home, and at the of”ce.
Strong governance implications emerge from ecosystems. The symbiotic multi”rm and adaptive situations
cannot be completely planned or orchestrated by a single entity. Much of the decision making exists outside the
“rm, and, therefore, complete plans no longer can be made in a single boardroom. Along with the good news of
synergies between with and among various “apps” and devices, there is the potential danger of changes to the
information passed between them or even the complete failure of an outside entity. Imagine what hotels would
need to do if Google Maps would disappear altogether. Further, what would need to be done with location‐based
ads if predictions come true that one or more of the GPS satellites would fail17 and are also vulnerable to attack?18
Fortunately, most ecosystems have adopted stringent standards for data exchange, and the most useful ones are
quite successful. The likelihood of a permanent failure of Google Maps is quite remote for the foreseeable future.
Even if Google were to divest the app, a new “rm would likely be able to maintain the tightly speci”ed connec-
tions. IT governance is perhaps most vulnerable to an inability to imagine strategic potential from new devices,
applications, and connections. A “rm should explore whether plans can be changed in mid‐year. Can competitors
become allies? Can business processes be changed quickly? Can new capabilities that might be contrary to previous
activities or directions be enabled? Firms in the future will probably need to answer all of these questions in the
af”rmative for their ultimate survival.
To summarize the three governance frameworks, see Figure 9.7 for the main concept and potential best practice
of each framework.
16 Hadzic and Chang, “Application of Digital Ecosystem Design Methodology within the Health Domain.”
17 “GPS System Close to Breakdown,” http://www.theguardian.com/technology/2009/may/19/gps‐close‐to‐breakdown (accessed September 4, 2015).
18 “Global Positioning System Is a Single Point of Failure,” http://www.afcea.org/content/?q=global‐positioning‐system%E2%80%A8‐single‐point‐
failure (accessed September 4, 2015).
c09.indd 198 11/26/2015 7:33:27 PM
http://www.theguardian.com/technology/2009/may/19/gps%E2%80%90close%E2%80%90to%E2%80%90breakdown
http://www.afcea.org/content/?q=global%E2%80%90positioning%E2%80%90system%E2%80%A8%E2%80%90single%E2%80%90point%E2%80%90failure
http://www.afcea.org/content/?q=global%E2%80%90positioning%E2%80%90system%E2%80%A8%E2%80%90single%E2%80%90point%E2%80%90failure
http://www.afcea.org/content/?q=global%E2%80%90positioning%E2%80%90system%E2%80%A8%E2%80%90single%E2%80%90point%E2%80%90failure
199Decision‐Making Mechanisms
Decision‐Making Mechanisms
Many different types of mechanisms can be created to ensure good IT governance. Policies are useful for de”ning
the process of making a decision under certain situations. However, when the environment is complex, policies are
often too rigid. In a recent worldwide study of IT governance, almost 60% of the respondents relied on policies
and standards for governance, making it the most popular mechanism for governance.19 A second method, a review
board, or committee that is formally designated to approve, monitor, and review speci”c topics, can be an effective
governance mechanism. For example, Twila Day, CIO of Sysco, established an architecture review board to look
at new technologies and processes.20
A third mechanism that is used very frequently for IT decisions is the IT steering committee, also called an
IT governance council. Such a committee is composed of key stakeholders or experts who provide guidance on
important IT issues. Steering committees work especially well with the federal archetype, which calls for joint
participation of IT and business leaders in the decision‐making process. Steering committees can be geared toward
different levels of decision making. The highest level of steering committees report to the board of directors or the
CEO and are often composed of top‐level executives and the CIO. At this level, the steering committee provides
strategic direction and funding authority for major IT projects and ensures that adequate resources be allocated to
the IS organization for achieving strategic goals.
Committees with lower‐level players typically are involved with allocating scarce resources effectively and ef”-
ciently. Lower‐level steering committees provide a forum for business leaders to present their IT needs and to offer
input and direction about the support they receive from IT operations.
Either level may have working groups to help increase the steering committee’s effectiveness and to measure
the performance of the IS organization. The assessment of performance differs for each group. For example, the
lower‐level committee likely would include more details and would focus on the progress of the various projects
and adherence to the budget. The higher‐level committee would focus on the performance of the CIO and the ability
of the IS organization to contribute to the company’s achievement of its strategic goals.
Although an organization may have both levels of steering committees, it is more likely to have one or the other.
If the IS organization is viewed as being critical for the organization to achieve its strategic goals, the “rm’s C‐level
executives are likely to be on the committee. Otherwise, the steering committee tends to be larger so that it can
have widespread representation from the various business units. In this case, the steering committee is an excellent
mechanism for helping the business units realize the competing bene”ts of proposed IT projects and develop an
approach for allocating among the project requests.
FIGURE 9.7 Three governance frameworks.
Governance Framework Main Concept Possible Best Practice
Centralization‐Decentralization Decisions can be made by a central authority or by
autonomous individuals or groups in an organization.
Use a hybrid, federal
approach.
Decision archetypes Patterns based upon allocating decision rights and
accountability are speci#ed.
Tailor the archetype to
the situation.
Digital ecosystems Members of the ecosystem contribute their strengths,
giving the whole ecosystem a complete set of capabilities
that can impact decision making and operations.
Build $exibility and
adaptability into
governance.
19 IT Governance Institute, “Global Status Report on the Governance of Enterprise IT (GEIT)” (2011), 49, http://www.isaca.org/Knowledge‐Center/
Research/Documents/Global‐Status‐Report‐GEIT‐10Jan2011‐Research (accessed February 27, 2011).
20 Martha Heller, “How to Make Time for Strategy,” CIO.com (April 22, 2010), http://www.cio.com/article/591719/How_to_Make_Time_for_Strategy
(accessed January 16, 2012).
c09.indd 199 11/26/2015 7:33:27 PM
http://www.isaca.org/Knowledge%E2%80%90Center/Research/Documents/Global%E2%80%90Status%E2%80%90Report%E2%80%90GEIT%E2%80%9010Jan2011%E2%80%90Research
http://www.cio.com/article/591719/How_to_Make_Time_for_Strategy
200 Governance of the Information Systems Organization
For example, when Hilton Worldwide’s CIO started working on a project to create a new loyalty program,
he and the business sponsor of the project convened a lower‐level steering committee made up of people from
IT, marketing, HR, “nance, and other departments. They discussed change management and business issues that
arose as they designed the system to be used in 85 countries in over ten brands in the Hilton portfolio. The project
went very smoothly. But earlier, another project to outsource the hotel help desk had not gone as well. The CIO
learned from both experiences that there is no such thing as too much communication and created weekly steering
committee meetings for each project. The CIO is quoted as saying, “E‐mail is great for scheduling meetings, but
it’s the steering committees where we are working through really dif”cult issues together, and making promises and
keeping promises, where the foundations of trust are established.”21
Governance Frameworks for Control Decisions
The framework described previously focuses on which department is responsible for decisions. More recently, gov-
ernance frameworks have been employed speci”cally to de”ne responsibility for control decisions. They are being
implemented to help ward off future accounting “ascos. These frameworks focus on processes and risks associated
with them.
Sarbanes–Oxley Act of 2002
In response to rogue accounting activity by major global corporations such as Enron and WorldCom and their
accounting “rms, such as Arthur Andersen, the Sarbanes–Oxley Act (SoX) was enacted in the United States
in 2002 to increase regulatory visibility and accountability of public companies and their “nancial health. The
U.S. government wanted to assure the investing public that they could rely on “nancial markets to deliver valid
performance data and accurate stock valuation. All corporations that fall under the jurisdiction of the U.S. Securities
and Exchange Commission are subject to SoX requirements. This includes not only U.S. and foreign companies
that are traded on U.S. exchanges but also those entities that make up a signi”cant part of a U.S. company’s “nan-
cial reporting. Within “ve years of SoX’s passage, 15,000 U.S. companies, 1,200 non‐U.S.‐based companies. and
over 1,400 accounting “rms in 76 countries have been affected by SoX.22
According to SoX, CFOs and CEOs must personally certify and be accountable for their “rms’ “nancial records
and accounting (Section 302), auditors must certify the underlying controls and processes that are used to compile
the “nancial results of a company (Section 404), and companies must provide real‐time disclosures of any events
that may affect their stock price or “nancial performance within a 48‐hour period (Section 409). Penalties for fail-
ing to comply range from monetary “nes to a 20‐year jail term.
A comprehensive Public Company Accounting Oversight Board (PCAOB) review of 2,800 engagements of the
largest audit “rms found hundreds of cases involving audit failures, suggesting that improvements could be made in
audit “rm performance as well as the PCAOB’s process for assessing and reporting on engagements. However, the
review reported that SoX has been successful in increasing corporate focus on a strong ethical culture in publicly
owned companies.23
Although SoX was not originally aimed at IT departments, it soon became clear that IT played a major role in
raising the accuracy of “nancial data. Consequently, in 2004 and 2005, there was a #urry of activity as IT managers
21 Adapted from “Candid Talk Trumps the Blame Game,” CIO.com (November 2011), http://www.cio.com/article/693018/Candid_Talk_Trumps_the_
Blame_Game (accessed September 4, 2015); “How CIOs Build Bridges with Other C‐Level Execs,” CIO.com (November 2011), http://www.cio.com/
article/2402725/relationship‐building‐networking/how‐cios‐build‐bridges‐with‐other‐c‐level‐execs.html (accessed September 4, 2015).
22 These figures were derived from the Public Company Accounting Oversight Board (PCAOB) as reported in Ashley Braganza and Arnoud Franken,
“SoX, Compliance, and Power Relationships,” Communications of the ACM 50, no. 9 (September 2007), 97–102.
23 Curtis Vershoor, “Has SoX Been Successful,” September 5, 2012, http://www.accountingweb.com/article/has‐sox‐been‐successful/219796 (accessed
March 27, 2015).
c09.indd 200 11/26/2015 7:33:27 PM
http://www.cio.com/article/693018/Candid_Talk_Trumps_the_Blame_Game
http://www.cio.com/article/2402725/relationship%E2%80%90building%E2%80%90networking/how%E2%80%90cios%E2%80%90build%E2%80%90bridges%E2%80%90with%E2%80%90other%E2%80%90c%E2%80%90level%E2%80%90execs.html
http://www.accountingweb.com/article/has%E2%80%90sox%E2%80%90been%E2%80%90successful/219796
201Governance Frameworks for Control Decisions
identi”ed controls, determined design effectiveness, and validated operational controls through testing. Five IT
control weaknesses repeatedly were uncovered by auditors:24
1. Failure to segregate duties within applications, set up new accounts, and terminate old ones in a timely
manner.
2. Lack of proper oversight for making application changes, including appointing a person to make a change
and another to perform quality assurance on it.
3. Inadequate review of audit logs to ensure that systems are running smoothly and that there is an audit of the
audit log.
4. Failure to identify abnormal transactions in a timely manner.
5. Lack of understanding of key system con”gurations.
Although SoX’s focus is on “nancial controls, many auditors encouraged (forced) IT managers to extend their
focus to organizational controls and risks in business processes. This means that IT managers must assess the level
of controls needed to mitigate potential risks in organizational business processes. As companies move beyond
SoX certi”cation into maintaining compliance, IT managers must be involved in ongoing and consistent risk
identi”cation, actively recognize and monitor changes to the IS organization and environment that may affect SoX
compliance, and continuously improve IS process maturity. It is likely that managers will turn to software to auto-
mate many of the needed controls.
Frameworks for Implementing SoX
COSO
The Enron and WorldCom major “nancial scandals were not the “rst. In the wake of “nancial scandals in the
mid‐1980s, the Treadway Commission (or National Commission on Fraudulent Financial Reporting) was created.
Its head, James Treadway, had previously served as commissioner of the SEC. The members of the Treadway
Commission came from “ve highly esteemed accounting organizations: Financial Executives International (FEI),
American Accounting Association (AAA), American Institute of Certi”ed Public Accountants (AICPA), Institute
of Internal Auditors (IIA), and Institute of Management Accountants (IMA). These organizations became known as
the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The commission created three
control objectives for management and auditors that focused on addressing risks to internal control. These control
objectives deal with:
• Operations: To help the company maintain and improve its operating effectiveness and protect the assets of
shareholders
• Compliance: To ensure that the company is in compliance with relevant laws and regulations
• Financial reporting: To ensure that the company’s “nancial statements are produced in accordance with
generally accepted accounting principles (GAAP). SoX is focused on this control objective.
To make sure a company meets its control objectives, COSO established “ve essential control components for
managers and auditors: (1) create a control environment that addresses the overall culture of the company; (2) assess
the most critical risks to internal controls; (3) create control structures that outline important processes and guide-
lines; (4) provide clear information about employees’ responsibilities and procedures to be followed; and (5) mon-
itor internal controls. The Sarbanes–Oxley Act requires public companies to de”ne their control framework and
speci”cally recommends COSO as that business framework for general accounting controls. It is not IT speci”c.
24 Ben Worthen, “The Top Five IT Control Weaknesses” (July 1, 2005), http://www.cio.com/article/2448687/project‐management/the‐top‐five‐it‐ control‐
weaknesses.html (accessed September 4, 2015).
c09.indd 201 11/26/2015 7:33:27 PM
http://www.cio.com/article/2448687/project%E2%80%90management/the%E2%80%90top%E2%80%90five%E2%80%90it%E2%80%90control%E2%80%90weaknesses.html
http://www.cio.com/article/2448687/project%E2%80%90management/the%E2%80%90top%E2%80%90five%E2%80%90it%E2%80%90control%E2%80%90weaknesses.html
http://www.cio.com/article/2448687/project%E2%80%90management/the%E2%80%90top%E2%80%90five%E2%80%90it%E2%80%90control%E2%80%90weaknesses.html
202 Governance of the Information Systems Organization
COBIT
Control Objectives for Information and Related Technology (COBIT) COBIT (Control Objectives for
Information and Related Technology) is an IT governance framework that is consistent with COSO controls, and
also a governance tool to ensure that IT provides the systematic rigor needed for the strong internal controls and
Sarbanes–Oxley compliance. It provides a framework for linking IT processes, IT resources, and IT information to
a company’s strategies and objectives. As a governance framework, it provides guidelines about who in the organi-
zation should make decisions about IT processes, resources, and information.
Information Systems Audit & Control Association (ISACA) issued COBIT in 1996. COBIT consists of several
overlapping sets of guidance with multiple components, which almost form a cascade of process goals, metrics,
and practices. At the highest level, key areas of risks are de”ned in four major domains: planning and organization,
acquisition and implementation, delivery and support, and monitoring and evaluating. When implementing a COBIT
framework, a company determines the processes that are the most susceptible to the risks that it judiciously chooses to
manage. There are far too many risks for a company to try to manage all of them.
Once the company identi”es processes that it is going to manage, it sets up a control objective and then more
speci”c key goal indicators. As with any control system, metrics called key performance indicators (KPIs) need
to be established to enable measurement of progress in meeting the goals. Then activities to achieve the KPIs are
selected. These activities, or critical success factors, are the steps that need to be followed to successfully provide
controls for a selected process. When a company wants to compare itself with other organizations, it uses a well‐
de”ned maturity model. The components of COBIT and examples of each component are provided in Figure 9.8.
One advantage of COBIT is that it is well suited to organizations focused on risk management and mitigation.
Another advantage is that it is very detailed. However, this high level of detail unfortunately can serve as a dis-
advantage in the sense that it makes COBIT very costly and time consuming to implement. Yet, despite the costs,
companies are starting to realize bene”ts from its implementation. As a governance framework, it designates clear
ownership and responsibility for key organizational processes in such a way that is understood by all organizational
FIGURE 9.8 Components of COBIT and their examples.
Source: Adapted from Hugh Taylor, The Joy of SoX (Indianapolis, IN: Wiley, 2006).
Component Description Example
Domain One of four major areas of risk: plan and organize
(PO), acquire and implement (AI), deliver and
support (DS), and monitor and evaluate (ME);
each domain consists of multiple processes
Deliver and support (or DS)
Control objective Focus on control of a process associated with risk;
can be 34 processes
DS (deliver and support) objective
#11—Manage data: ensures delivery of
complete, accurate, and valid data to the
business
Key goal
indicator
Speci#c measures of the extent to which the
goals of the system have been met in regard to
a control objective
A measured reduction in the data preparation
process and tasks
Key performance
indicator
Actual, highly speci#c measures for measuring
accomplishment of a goal
Percent of data input errors (Note:
percentage should decrease over speci#ed
periods of time)
Critical success
factor
Description of the steps that a company must
take to accomplish a control objective; can be
318 critical success factors
Data entry requirements clearly stated,
enforced, and supported by automated
techniques at all levels, including database
and #le interfaces
Maturity model A uniquely de#ned six‐point ranking of a
company’s readiness for each control objective
made in comparison with other companies in the
industry
Level 0: Data not recognized as corporate
resources and assets; no assigned data
ownership or individual accountability for
data integrity and reliability; data quality and
security poor or nonexistent
c09.indd 202 11/26/2015 7:33:27 PM
203Governance Frameworks for Control Decisions
stakeholders. Consistent with the Information Systems Strategy Triangle discussed in Chapter 1, COBIT provides
a formal framework for aligning IS strategy with the business strategy. It does so by using a governance framework
and focusing on risks of internal control and associated processes to recognize who is responsible for important
control decisions. Finally, COBIT makes possible the ful”llment of the COSO requirements for the IT control envi-
ronment that is encouraged by the Sarbanes–Oxley Act.
Other Control Frameworks
Although COBIT is the most common set of IT control guidelines for SoX, it is by no means the only control frame-
work. Others include those provided by the International Standards Organization (ISO), as well as the Information
Technology Infrastructure Library (ITIL). A set of concepts and techniques for managing information tech-
nology infrastructure, development, and operations, ITIL was developed in the United Kingdom. It is a widely
recognized framework for IT service management and operations management that has been adopted around the
globe. ITIL 2011 has “ve distinct volumes: service strategy; service design; service transition; service operation;
and continual service improvement.
IS and the Implementation of Sarbanes–Oxley Act Compliance
Because of the level of detail, the involvement of the IS department and the CIO in implementing SoX—most nota-
bly Section 404, which deals with management’s assessment of internal controls—is considerable. Although the IS
department typically plays a major role in SoX compliance, it often lacks formal authority. Thus, the CIO needs to
tread carefully when working with auditors, the CFO, the CEO, and business leaders. Braganza and Franken pro-
vide six tactics that CIOs can use in working effectively in these relationships. These strategies include knowledge
building, knowledge deployment, innovation directive, mobilization, standardization, and subsidy. Figure 9.9 pro-
vides a de”nition for each of these tactics, along with examples of activities to enact them.
FIGURE 9.9 CIO tactics for implementing SoX compliance.
Tactic De#nition Examples of Activities
Knowledge
building
Establish a knowledge base to
implement SoX
Acquire technical knowledge about SoX and Section 404
Knowledge
deployment
Disseminate knowledge about SoX
and develop an understanding of
this knowledge by management
and other organizational members
Move IT staff with knowledge of 404 to parts of the
organization that are less knowledgeable; create a central
repository of 404 knowledge; absorb 404 requirements from
external bodies; conduct training programs to spread an
understanding of SoX
Innovation
directive
Organize for implementing SoX and
announce the approach
Issue instructions that encourage the adoption of 404
compliance practices; publish reports of each unit’s progress
toward implementation; deploy drivers for implementation;
direct implementation from top down and/or bottom up
Mobilization Persuade decentralized players and
subsidiaries to participate in SoX
implementation
Create a positive impression of SoX (and 404)
implementation; conduct promotional and awareness
campaigns
Standardization Negotiate agreements between
organizational members to facilitate
the SoX implementation
Use mandatory controls, often embedded within the
technology; indicate formal levels of compliance required;
establish #rmwide standards of control; create an
overarching corporate compliance architecture
Subsidy Fund the implementers’ costs during
the SoX implementation and the
users’ costs during its deployment
and use
Centralize template development; develop Web‐based
resources; train IT staff for implementing 404; fund
short‐term skill gaps; track implementation; target funds
during implementation for speci#c IT‐related 404 goals
Source: Adapted from Ashley Braganza and Arnoud Franken, “SoX, Compliance, and Power Relationships,” Communications of
the ACM 50, no. 9 (September 2007), 97–102.
c09.indd 203 11/26/2015 7:33:27 PM
204 Governance of the Information Systems Organization
The extent to which a CIO could use these various tactics depends on the power that he or she holds relating to
the SoX implementation. Those few CIOs who are given carte blanche by their CEOs to implement SoX compli-
ance can employ compelling activities, such as subsidy, standardization, and innovation directives. Those CIOs can
establish standards and enforce their compliance, creating an overarching corporate compliance architecture. They
can direct the SoX implementation from top down and put Section 404 implementation drivers in place. If, on the
other hand, the CEO does not vest the CIO with the considerable power to employ such tactics, the CIO may need
to take more of a persuasive stance and focus on training programs and building an electronic knowledge database
of SoX documents. In this case, it is especially important to sell the CIO and CFO on the importance of complying
with prescribed procedures and methods. In either situation, the CIO needs to acquire and manage the considerable
IT resources to make SoX compliance a reality.
These new guidelines sound reasonable enough, but they are much more stringent than the previous set of
guidelines they replaced. Instagram deleted not only thousands of accounts, which mostly involved spam and fake
id entities, but also others that the company deemed inappropriate. According to some sources, the crowd was not
happy. A mass campaign to stop following Instagram ’ s own of” cial Instagram account followed, and that account
lost 30% of its followers. Does the crowd govern the content or the company?
Social Business Lens: Governing the Content
Since the beginning of social applications like Facebook, Twitter , and Instagram , there has been a debate about
who gets to decide on what ’ s allowed to be posted. Should the users decide? Should the application company
decide? This debate still rages today.
One perspective is that the users own and manage their content. Aside from the legal issues, which are dis-
cussed in Chapter 13 of this text, users have control over what they post and what they block from their pages on
most social media. Most social networks have controls that allow users to block others from posting on their page,
but it ’ s not the default in most cases. For example, when a user tags another Facebook user in a post or photo, the
content then also shows up on the tagged person ’ s timeline. Even though a control can be set to minimize this,
some have found it troublesome that items can be placed in their timeline in this manner. Most users feel that they
should have control of their content on their social media page.
Now ratchet this up to the group level. Should the “crowd” decide what is appropriate to put on a social media
site or should the company decide? The crowd has a say in some manner; members of the community can vote
or “like” a post and in some cases, content with the most votes rises to the top for others to see.
But the social media company also has a say in what content is appropriate. Again, aside from content that
crosses legal boundaries, which of course vary country by country, some companies have taken a stronger stance.
For example, Instagram removed a number of users from its Web site for not following instructions. Its Web site
plainly stated two new policies:
We want Instagram to continue to be an authentic and safe place for inspiration and expression. Help us foster this
community. Post only your own photos and videos and always follow the law. Respect everyone on Instagram, don ’ t
spam people or post nudity. *
We want . . . to maintain the best possible experience on Instagram , so spam, fake accounts and other people and posts
that don ’ t follow our Community Guidelines may be removed from Instagram . †
* From Instagram ’ s Community Guidelines, https://help.instagram.com/477434105621119/ (accessed May 22, 2015).
† From Instagram ’ s Help Center, https://help.instagram.com/309501049246773 (accessed May 22, 2015).
Sources: “Chaos Ensues As Instagram Deletes Millions of Accounts,” http://www.businessinsider.com/chaos‐ensues‐as‐instagram‐deletes‐
millions‐of‐accounts‐2014‐12#ixzz3MJXUmhlm (accessed September 4, 2015); and Instagram company website, www.instagram.com;
“Instagram Users Report Mass Deletion of Profiles for ‘ violating ’ Terms of Service,” http://tech.firstpost.com/news‐analysis/instagram‐
users‐report‐mass‐deletion‐of‐profiles‐for‐violating‐terms‐of‐service‐86660.html (accessed September 4, 2015); “Instagram Deletes
Millions of Accounts in Spam Purge,” http://www.bbc.com/news/technology‐30548463 (accessed September 4, 2015).
c09.indd 204 11/26/2015 7:33:27 PM
https://help.instagram.com/477434105621119
https://help.instagram.com/309501049246773
http://www.businessinsider.com/chaos%E2%80%90ensues%E2%80%90as%E2%80%90instagram%E2%80%90deletes%E2%80%90millions%E2%80%90of%E2%80%90accounts%E2%80%902014%E2%80%9012%23ixzz3MJXUmhlm
http://www.businessinsider.com/chaos%E2%80%90ensues%E2%80%90as%E2%80%90instagram%E2%80%90deletes%E2%80%90millions%E2%80%90of%E2%80%90accounts%E2%80%902014%E2%80%9012%23ixzz3MJXUmhlm
http://www.businessinsider.com/chaos%E2%80%90ensues%E2%80%90as%E2%80%90instagram%E2%80%90deletes%E2%80%90millions%E2%80%90of%E2%80%90accounts%E2%80%902014%E2%80%9012%23ixzz3MJXUmhlm
http://www.instagram.com
http://tech.firstpost.com/news%E2%80%90analysis/instagram%E2%80%90users%E2%80%90report%E2%80%90mass%E2%80%90deletion%E2%80%90of%E2%80%90profiles%E2%80%90for%E2%80%90violating%E2%80%90terms%E2%80%90of%E2%80%90service%E2%80%9086660.html
http://tech.firstpost.com/news%E2%80%90analysis/instagram%E2%80%90users%E2%80%90report%E2%80%90mass%E2%80%90deletion%E2%80%90of%E2%80%90profiles%E2%80%90for%E2%80%90violating%E2%80%90terms%E2%80%90of%E2%80%90service%E2%80%9086660.html
http://tech.firstpost.com/news%E2%80%90analysis/instagram%E2%80%90users%E2%80%90report%E2%80%90mass%E2%80%90deletion%E2%80%90of%E2%80%90profiles%E2%80%90for%E2%80%90violating%E2%80%90terms%E2%80%90of%E2%80%90service%E2%80%9086660.html
http://www.bbc.com/news/technology%E2%80%9030548463
205
S U M M A R Y
• Alternative approaches to governance of information systems organization are possible. One approach is based on where
IS decisions are made in the organization ’ s structure. Centralized IS organizations place IT staff, hardware, software,
and data in one location to promote control and ef” ciency. At the other end of the continuum, decentralized IS organiza-
tions with distributed resources can best meet the needs of local users. Federalism in IS organizations is in the middle of
the centralization/decentralization continuum.
• A second governance approach involves decision rights. In this approach, IT governance speci” es how to allocate decision
rights in such a way as to encourage desirable behavior in the use of IT. The allocation of decision rights can be broken
down into six archetypes (business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy). High‐performing
companies use the proper decision rights allocation patterns for each of the ” ve major categories of IT decisions.
• A third governance approach recognizes the power of combining complementary technologies in ways that were not
predicted or controlled by an organization. This so‐called digital ecosystem represents formal recognition of a ” rm ’ s
healthy adaptation and synergistic adoption to new hardware, applications, and connections with customers, employees,
and other ” rms. Much of this has been driven by consumerization of technology.
• A fourth governance approach is based on controls. The Sarbanes–Oxley Act (2002) was enacted to improve organiza-
tions ’ internal controls. COBIT is an IT governance framework based on control that can be used to promote IT‐related
internal controls and Sarbanes–Oxley compliance.
K E Y T E R M S
archetype (p. 196)
centralized IS organizations (p. 193)
COBIT (Control Objectives for
Information and Related
Technology) (p. 202)
Consumerization (p. 191)
decentralized IS organizations (p. 193)
digital ecosystem (p. 197)
federalism (p. 194)
governance (p. 192)
Information Technology Infrastructure
Library ( ITIL ) (p. 203)
IT governance (p. 195)
review board (p. 199)
Sarbanes–Oxley Act ( SoX ) (p. 200)
steering committee (p. 199)
D I S C U S S I O N Q U E S T I O N S
1. The debate about centralization and decentralization is heating up again with the advent of BYOD and the increasing use of
the Web. Why does the Internet make this debate topical?
2. Why is the discussion of decision rights among managers in a firm important?
3. Why can an IT governance archetype be good for one type of IS decision but not for another?
University of the Southeast 25 was (and still is) one of the largest universities in the United States. It had been growing rap-
idly; that growth was spurred, in part, by information technology. The university embraced lecture capture technologies that
allowed lectures to be streamed to students in a classroom, in dorm rooms, on the grass near the main campus central foun-
tain, and at a variety of other places of the students ’ choosing whenever they chose to watch. This made it possible to have
sections of classes with over 1,000 students without having to build physical classrooms with enough seats to accommodate
each person enrolled. It also made it possible to offer classes that were streamed to students at remote campuses. Each stu-
dent was charged a technology fee (i.e., $5.16 for undergraduates and $13.85 for graduates per credit hour each semester),
which was administered by the Information Technologies and Resources (IT&R) Of” ce to help fund the costs of providing
IT to students and faculty.
■ CASE STUDY 9‐1 IT Governance at University of the Southeast
25 The name University of the Southeast is made up but the school and situation were real.
Case Study
c09.indd 205 11/26/2015 7:33:27 PM
206 Governance of the Information Systems Organization
IT&R was responsible for providing computer services, technologies, and telecommunications across the campus
(Computer Services and Technology), helping faculty with their instructional delivery and multimedia support (Of” ce of
Instructional Resources), helping faculty develop and deliver Web‐based and lecture capture courses (Center for Distributed
Learning), and the library. The IT&R Of” ce developed IT‐related policies with very little input from the faculty and was
responsible for deciding and implementing decisions concerning IT architecture and infrastructure. IT&R worked with the
university president and other top administrators in making IT investment decisions. IT&R staff also worked with the vari-
ous colleges, administrative of” ces, and an advisory board in making decisions about applications that needed to be devel-
oped. However, faculty were not consulted at all when the lecture capture system was selected.
As was often the case at large universities, many decision rights on a wide range of issues had been allocated to the
colleges. The College of Business Administration had its own server and Technology Support Department (TSD). A recent
survey of faculty and staff in the college indicated a high level of satisfaction with the TSD but far less satisfaction with the
services provided by the university‐level IT&R. Some college respondents indicated their displeasure about IT&R ’ s support
of the technology for the lecture capture courses, help desk, and classroom technologies.
The problems with the technology support for lecture capture software were particularly troublesome. The software
would not authenticate students who had paid to enroll in some lecture capture courses, making it impossible for them to
download the lectures even though they were registered in the course. Further, some university‐af” liated housing did not
have adequate network bandwidth to allow students to download the lectures. When problems occurred—which they did on
a daily basis—the IT&R help desk often referred the students to instructors who could not resolve their problems. One fac-
ulty member who was teaching a lecture class with 1,400 students exclaimed, “It is utter chaos for me when something goes
wrong with the system and hundreds of my students are trying to call, see or email me in panic to get me to ” x something
that I can ’ t ” x.”
To ” x some of these issues, the CIO argued that all e‐mail accounts should be placed on one central server. This would
allow the IT&R greater control and make maintenance easier and more ef” cient. It also would considerably improve se-
curity. But it was not ideal for the faculty. A faculty meeting about e‐mail revealed some concerns with this move. First,
faculty wanted e‐mails sent to the central university server to be forwarded to their accounts on their other university‐based
servers (i.e., the college, department, or institute servers) but found that this was impossible to do so. Second, faculty wanted
to retain their control over archiving e‐mails. Third, faculty wanted to have control over their preferred e‐mail address. In
some cases, the faculty e‐mail addresses that they had used for a decade had been changed in the printed university directory
to the e‐mail address on the central university server without their knowledge. This meant that faculty did not receive (or
even know about) messages sent to them via the address on the university server. They could not change the printed e‐mail
address in the university directory to the address on the college server that they had been using or forward the mail sent to
the central server to a different account.
The IT&R spokesman said that having a centralized server for e‐mail accounts was more secure, reliable and ef” cient.
He said that faculty shouldn ’ t have control over their preferred e‐mail address, even if it were on a campus server, because of
the identity management problems that it would create. A frustrated faculty member at the meeting asked the IT&R spokes-
man to describe one time when issues about ease of use and functionality of the system by the user were weighted more than
security in decisions about e‐mail. The IT&R spokesman could not think of an example.
Discussion Questions
1. Describe the IT governance system that was in place at the University of the Southeast using both decision rights and
structure as the bases of governance.
2. The CIO wanted to implement a centralized IT governance system. As demonstrated in this case, what are the advan-
tages of a centralized IT governance system? What are the disadvantages?
3. In your opinion, what assignment of decision rights would be best for University of the Southeast? Please explain.
c09.indd 206 11/26/2015 7:33:28 PM
207Case Study
“The customer is in control of the data and can share with dealers, crop consultants, and anyone in their network of trust-
ed advisers; securely, from any internet enabled device,” says Chris Batdorf, a marketing manager at John Deere . 26 The
MyJohnDeere project was designed with the realization that there was synergy in linking together disparate sources of
information into this “platform.” 27
Who would be interested in using this application? You might expect that John Deere customers and employees would be
the only parties. But according to Accenture , a multinational management consulting, technology services, and outsourcing
company, John Deere realized that there was value in opening access to its system to farmers, ranchers, landowners, banks,
and government workers. The platform is useful for all those people because it integrates information about equipment, pro-
duction data, and farm operations and helps users improve their pro” tability. 28
A farmer described how the John Deere Operations Center allowed him to upload a treasure trove of data about planting,
spraying, fertilizing, and harvesting. He said that he accessed that information later not only to diagnose problems about
the equipment but also to make decisions about the use of land and personnel. He said that he can send that information to
consultants for real‐time recommendations on what to change even while he was harvesting. 29
A platform such as MyJohnDeere could introduce new capabilities that can provide strategic value to customers, other
” rms, and, of course, its host. According to Accenture, the platform integrated the Internet of Things with social, mobile,
analytics, and cloud technology. The combination encouraged the development of new applications over time and repre-
sented a recent pivotal technology trend. Such a platform provided reusable components that can evolve over time. 30
Discussion Questions
1. What governance approach did John Deere appear to have adopted? Did it fit the profile of an “old” heavy industry
player?
2. What difficulties do you think an “old” heavy industry player such as John Deere encountered internally when proposing
to develop the MyJohnDeere platform?
3. What difficulties do you believe John Deere faced externally among the proposed users?
4. How do you think John Deere might have overcome those internal and external difficulties?
5. What other parties might have been interested in obtaining the information in John Deere ’ s cloud? What might they
have done with it?
Sources: Adapted from John Deere press release , “ The MyJohnDeere Operations Center—New Tools to Manage Data ” (August 21,
2014 ), https://www.deere.com/en_US/corporate/our_company/news_and_media/press_releases/2014/agriculture/2014aug21_mjd_
operations_center.page (accessed September 4, 2015) ; Cindy Zimmerman , “ MyJohnDeere Operations Center Connectivity ” (March 2,
2015 ) ; http://precision.agwired.com/2015/03/02/myjohndeere‐operations‐center‐connectivity/ (accessed September 4, 2015) ; and
William Lesieur , “ Proliferating Digital Ecosystems through ‘The Platform (R)evolution ’ —Accenture Technology Vision 2015 ,” http://
www.accenture.com/us‐en/blogs/technology‐blog/archive/2015/01/26/proliferating‐digital‐ecosystems‐through‐the‐platform‐
%28R%29evolution‐acn‐technology‐vision‐2015.aspx (accessed September 4, 2015) .
■ CASE STUDY 9‐2 The “MyJohnDeere” Platform
26 https://www.deere.com/en_US/corporate/our_company/news_and_media/press_releases/2014/agriculture/2014aug21_mjd_operations_center.page
(accessed September 4, 2015).
27 http://www.accenture.com/us‐en/blogs/technology‐blog/archive/2015/01/26/proliferating‐digital‐ecosystems‐through‐the‐platform‐%28R%29
evolution‐acn‐technology‐vision‐2015.aspx (accessed September 4, 2015).
28 Ibid.
29 http://precision.agwired.com/2015/03/02/myjohndeere‐operations‐center‐connectivity/ (accessed September 4, 2015).
30 http://www.accenture.com (accessed September 4, 2015).
c09.indd 207 11/26/2015 7:33:28 PM
https://www.deere.com/en_US/corporate/our_company/news_and_media/press_releases/2014/agriculture/2014aug21_mjd_
http://precision.agwired.com/2015/03/02/myjohndeere%E2%80%90operations%E2%80%90center%E2%80%90connectivity
http://www.accenture.com/us%E2%80%90en/blogs/technology%E2%80%90blog/archive/2015/01/26/proliferating%E2%80%90digital%E2%80%90ecosystems%E2%80%90through%E2%80%90the%E2%80%90platform%E2%80%90(R)evolution%E2%80%90
http://www.accenture.com/us%E2%80%90en/blogs/technology%E2%80%90blog/archive/2015/01/26/proliferating%E2%80%90digital%E2%80%90ecosystems%E2%80%90through%E2%80%90the%E2%80%90platform%E2%80%90(R)evolution%E2%80%90
http://www.accenture.com/us%E2%80%90en/blogs/technology%E2%80%90blog/archive/2015/01/26/proliferating%E2%80%90digital%E2%80%90ecosystems%E2%80%90through%E2%80%90the%E2%80%90platform%E2%80%90(R)evolution%E2%80%90
https://www.deere.com/en_US/corporate/our_company/news_and_media/press_releases/2014/agriculture/2014aug21_mjd_operations_center.page
http://www.accenture.com/us%E2%80%90en/blogs/technology%E2%80%90blog/archive/2015/01/26/proliferating%E2%80%90digital%E2%80%90ecosystems%E2%80%90through%E2%80%90the%E2%80%90platform%E2%80%90(R)
http://precision.agwired.com/2015/03/02/myjohndeere%E2%80%90operations%E2%80%90center%E2%80%90connectivity
http://www.accenture.com
208
10
chapter Information Systems
Sourcing
After 13 years, Kellwood, an American apparel maker, ended its soups‐to‐nuts IS outsourcing
arrangement with EDS . The primary focus of the original outsourcing contract was to integrate
12 individually acquired units with different systems into one system. Kellwood had been satis-
” ed enough with EDS ’ s performance to renegotiate the contract in 2002 and 2008, even though
at each renegotiation point, Kellwood had considered bringing the IS operations back in house,
or backsourcing. The 2008 contract iteration resulted in a more # exible $105 million contract that
EDS estimated would save Kellwood $2 million in the ” rst year and $9 million over the remaining
contract years. But the situation at Kellwood had changed drastically. In 2008, Kellwood had been
purchased by Sun Capital Partners and taken private. The chief operating of” cer (COO), who was
facing a mountain of debt and possibly bankruptcy, wanted to consolidate and bring the operations
back in house to give some order to the current situation and reduce costs. Kellwood was suffering
from a lack of IS standardization as a result of its many acquisitions. The chief information of” cer
(CIO) recognized the importance of IS standardization and costs, but she was concerned that the
transition from outsourcing to insourcing would cause serious disruption to IS service levels and
project deadlines if it went poorly. Kellwood hired a third‐party consultant to help it explore the
issues and decided that backsourcing would save money and respond to changes caused by both the
market and internal forces. Kellwood decided to backsource and started the process in late 2009. It
carefully planned for the transition, and the implementation went smoothly. By performing stream-
lined operations in house, it was able to report an impressive $3.6 million savings, or about 17% of
annual IS expenses after the ” rst year. 1
The Kellwood case demonstrates a series of decisions made in relation to sourcing. Both the
decision to outsource IS operations and then to bring them back in house were based on a series of
This chapter is organized around decisions in the Sourcing Decision Cycle. The # rst question
regarding information systems (IS) in the cycle relates to the decision to make (insource) or
buy (outsource) them. This chapter ’ s focus is on issues related to outsourcing whereas issues
related to insourcing are discussed in other chapters of this book. Discussed are the critical
decisions in the Sourcing Decision Cycle: how and where (cloud computing, onshoring,
offshoring). When the choice is offshoring, the next decision is where abroad (farshoring,
nearshoring, or captive centers). Explored next in this chapter is the # nal decision in the
cycle, keep as is or change in which case the current arrangements are assessed and modi-
# cations are made to the outsourcing arrangement, a new outsourcing provider is selected,
or the operations and services are backsourced, or brought back in house. Risks and strat-
egies to mitigate risks are discussed at each stage of the cycle.
1 For more information see Stephanie Overby, “Company Saves Millions by Ending Outsourcing Deal,” CIO.com, http://www.cio.
com/article/549463/Company_Saves_Millions_By_Ending_IT_Outsourcing_Deal?page=1&taxonomyId=3195 (accessed January
31, 2012); B. Bacheldor, “Kellwood Stayed on Top of Its Outsourcing All the Way to the End,” CIO.com, http://blogs.cio.com/
beth_bacheldor/kellwood_stayed_ on_top_of_its_outsourcing_all_the_way_to_the_end?page=0 (accessed February 10, 2012).
c10.indd 208 11/26/2015 6:32:09 PM
http://www.cio.com/artic