The management process begins with an understanding of the organization’s business. Until this is achieved, any attempt to determine organizational need will be at best misleading and at worst disastrous. Once the overall objectives and environment of the business have been established, establishing the needs becomes a comparatively easy task. The organization’s needs may be determined by identifying and examining the key activities whose effective performance can make or break the organization. These key activities must themselves be monitored and therefore ambitious performance objectives must be established early in the planning process. For every performance objective there will be a range of threats which, if fulfilled, will either reduce the effectiveness or totally negate the objective. These must be assessed in a formal risk assessment to determine the appropriate corporate coping strategy. The coping or control strategies must be determined by management and the appropriate controls themselves selected. The actual controls must be implemented and monitored and there should exist controls to ensure this happens. Controls, once implemented, must be effective in performance and periodically management must evaluate and review performance with this in mind.
1. UNDERSTANDING THE ORGANIZATION’S BUSINESS
This is a combination of a theoretical approach utilizing literature searches on the organization and its functions in the business press, if possible, combined with a reading of annual reports in order to obtain the whole picture.
This theory will be combined with a more practical approach involving interviewing staff in order both to evaluate their understanding of the business and to confirm the auditor’s understanding. Site visits to observe the operation of specific business functions will also assist. Further information and confirmation may be derived by comparing the current understandings to those in effect during previous reviews.
2. ESTABLISHING THE NEEDS
Once the overall objectives and environment of the business have been established, the overall needs must be determined. A study of the organizational mission statement permits the general performance objectives to be derived. Management should have established strategic plans and objectives in order to ensure these are achieved. By interviewing executive management, employees, and perhaps even customers and suppliers, the business needs for the successful accomplishment of the objectives may be determined.
3. IDENTIFYING KEY ACTIVITIES
The major products and services provided to meet the business objectives need to be identified. Once again this will involve determining the level of management’s understanding of customer needs and sizes, the competition and their probable response patterns, as well as their understanding of which are their own key performance areas (KPAs). The KPAs are those activities that will make or break the organization.
4. ESTABLISH PERFORMANCE OBJECTIVES
For each KPA, Performance Objectives must be established. This involves seeking core activity targets that are both achievable and stretching. Key Performance Indicators (KPIs) will be required to measure performance appropriately. The risks and threats that could lead to non-achievement or under-achievement must be assessed, including both external and internal threats.
5. DECIDE THE CONTROL STRATEGIES
Once the full risk analysis is complete, management is in a position to decide what activities must be ensured, which risks must be managed, and which transferred. This, in turn, will dictate which risks can be cost-effectively prevented, which must be detected, and how a materialized risk can be corrected.
Business risks must be prioritized and trade-offs will be required because control measures are commonly contradictory, so that efficiency may trade off against effectiveness.
6. IMPLEMENT AND MONITOR THE CONTROLS
For controls to be effective, they must be monitored; wishing them into existence will not accomplish this. Controls result from the planned and thoughtful intervention of management to achieve a specific end.
Monitoring may take several forms including self-assessment, the use of regular audits, and the introduction of continuous improvement programs. Controls must be frequently reviewed for ongoing relevance as well as for their effectiveness and must be modified and adapted where required.
INFORMATION RESOURCE MANAGEMENT
Information Resource Management is based upon five fundamentals:
1. Information Management. Information is valuable and must be managed as such. In many organizations, information does not appear on the balance sheet or asset register and is thus seen as something that, while important, is not really valuable.
2. Technology Management. Technology Management addresses the whole aspect of the value of technology to the firm. This includes the impact and effect on other resources as well as the gaining of strategic advantage by judicious use of the appropriate technology.
3. Distributed Management. Where systems are located can have a significant impact on systems effectiveness as well as internal control, and thought must be given to maintaining an adequate system of managerial control.
4. Functional Management. Like other functional areas, IS must be directed and controlled in order to ensure the effective, efficient, and economic use of what is, after all, an expensive resource.
5. Strategic Management. IS holds the potential to gain and maintain major competitive advantage for the organization. Used appropriately, IS can raise the barriers of entry to competition, gain exclusivity for the information holder, and generally keep the organization ahead of the pack.