IPremier - IT Governance, Disaster Recovery Plan and Risk Factors, Business Process Re-Engineering - Case Study Example

IT Governance Name Course Institution Date Introduction IT Governance is a common phenomenon in the current business world. This concept is all about ensuring the emerging information technological discoveries are in tandem with the organization’s business strategy. This is meant to reduce situations where new discoveries in the field of technology do not fit into the structures within which a business is running its operations (Carey 2009, p. 146). The alignment of business strategies and information technology will make it attainable to achieve the set goals of the entity. IT governance heavily relies on structures and oversight mechanisms to ensure functionality is efficient. Organizations are keen to ensure that maximum benefits are harnessed from IT products. All this must be done in a controlled environment to ensure sustainability especially in the long term. In essence, it is almost impossible to disengage IT governance from organizational leadership and structures (Roger 2013, p. 131). This clearly shows that the board and the management in overall must be part of the team designing IT governance strategies. In the process of designing the various infrastructural structures to accommodate technological innovations, the element of risk is almost inevitable. Therefore, in endorsing the various IT products, returns are balanced with the risk exposure. Supervising, monitoring and controlling is undertaken to ensure that returns are greater than the risks. To a certain extent, the concept of IT governance is intertwined with corporate governance in organizations (Stefan, Anant, Steven & Wim 2014, p. 27). IT governance is viewed as a subset of the wider corporate governance strategy in any given organization. For this reason, the objectives of IT governance are somehow interlinked with the overall objectives of the entity. The organization is keen to ensure that all the expenditure made in boosting its IT function brings the expected value to the entity. Therefore, risks have to be mitigated to ensure that the expected business value is not compromised beyond expected levels. The organizational structures is also designed with adequate provisions for the IT governance strategy. IT Governance Issue in iPremier Different entities are at any given point faced with different IT governance issue. The nature of the issue is what determines the strategies that the organization can employ to address it. From the case study that has been presented, the key IT governance issue in iPremier is Access Denial Attack. In this situation, the company cannot access its data center and other resources as a result of some of attack on its IT. What hits this organization is the attack that leaves its website locked. For this reason, the IT personnel cannot access the website as well as the customers. The calls to the organization’s help desk are a bit frantic and the atmosphere in the IT department is nervous. It is almost clear that the website has been hacked. With this attack, the organization is at the edge of suffering great losses both as a result of reputation dent as well as failure in service delivery to the customers (Room 2006, p. 75). There is a possibility that the hackers are interested in the customer information which they can manipulate for financial gains. While the attack is surprising indeed, it is interesting that the IT department had already noted that their data center was not pretty good. The interview between Bob Turley and Leon reveals this clearly. His conversation with the entire IT department staff makes it obvious that the Qdata that is sourced as the organization’s data center is not delivering value to the entity. Nevertheless, the entity is forced to bear with it in the meantime. This is due to high cost of acquiring a new IT facility to operate as the data center. At the same time, one of the founders of the organization seem to have very close links with the owner of Qdata and this makes it a bit hard for the entity to make a replacement (Werhane & Cording 2002, p. 220). Nevertheless, since the organization has been found in this kind of situation, it is critical to take appropriate measures that will save the organization even in future. Stages of IT governance Planning Phase iPremier is expected to have started its IT governance with planning phase. At this level, there are a number of issues that the entity was supposed to pay more attention in order to ensure success of the strategy. At planning phase, identifying the IT needs of the organization is critical. This is at the basic level where the IT department ought to establish the unique IT needs of the entity. Identifying the needs will help the entity in terms of designing strategies that specifically meet the underlying needs. In this case, the needs of the organization could be quite diverse and could include providing better business value, compliance needs, policy adherence, etc.( Weill & Ross 2004, p. 83). At the same time, it will be important to assess the financial strength in relation to acquiring the mechanisms required for meeting the needs of the organization. Acquisition Acquisition is supposed to be based on the needs identified in the planning phase. iPremier was supposed to have given special consideration to the acquisition in order to ensure the IT products sourced meet the needs in the organization. The IT products to be acquired must be very compatible with the various organizational structures as well as IT infrastructure (Roger 2013, p. 130). This will ease the process of integrating such technology into the organization. In addition, iPremier will benefit a lot if the automation and support tools are specified in advance. This will facilitate the overall roll-out plan in the organization. This roll-out scheme can be undertaken in stages to ensure that the operations of the organizations are not interfered with in the process. With such processes adhered to, iPremier would have benefited from a reliable IT system. Delivery When the prior steps have been followed, the concern of this domain is to deliver good services to the entity. This encompasses the security state of the system in the process of delivering value to the business. In the same way, the IT governance strategy ought to have a continuity plan in case an IT tragedy befalls the Support iPremier is expected to put in place support strategies to aid the functionality of the IT governance strategies. This can be in relation to policies and regulations that directly support the functioning of various technologies implemented. Disaster Recovery Plan & Risk Factors Disaster recovery plan is in itself a risk management strategy. This plan enables the organization to resume its key operations following a disaster that may have been caused by human or natural actions. iPremier being an organization that aims to maintain its going-concern proposition, it is critical to design a disaster management plan that will enable it resume operations immediately after a disaster (Carr & Henry 1995, p. 41). This plan must be based on the various risk factors that the organization is exposed to. In the case of iPremier, the entity is more concerned about the security of its data. Considering the size of the customer base, it is basically important to ensure that the information that various customers have entrusted the organization is kept securely. Such information includes the credit card details in the custody of iPremier. This information must be guarded with utmost security measures, failure to which the reputation of the organization will be completely tainted (Evans & Dale 1996, p. 31). Therefore, a disaster recovery plan is a roadmap that the organization uses to ensure that appropriate technologies and tools are put in place to aid in data recovery whenever a tragedy strikes. Risk Factors The exposure to risk varies from one organization to another. The nature of operations being undertaken by an organization ultimately has a bearing on the kind of risk exposure the organization is faced with. Risk factor refers to situations that increase or reduce the likelihood of a risk to take place. In this regard, there are factors that directly or indirectly reduce or increase the risk exposure that iPremier is faced with. All these factors surround the various activities that this entity is involved in. it is based on this information that the organization can design a disaster recovery plan. a. Data Security Data security is a concern to many organizations. The nature of operations as illustrated in the case study about iPremier shows that the company is primarily exposed to data loss or rather insecurity issues. Data insecurity in itself opens a doorway for other issues that the company may reckon with. The fact that iPremier has a wide customer base who uses credit cards is indeed a point of serious concern. The company of this nature has volumes of databases that it manages. Such databases contain critical information about the various aspects of the company. Such information ought to be guarded effectively to ensure that the company does not lose control of its important information (Room 2006, p. 73). With large volumes of data, iPremier is at the risk of authorized access of its data, denial of access, manipulation of its data systems, etc. Therefore, disaster management strategies must put into consideration these factor units in order to manage the related risk appropriately. b. Volatile Nature of Markets The current market environment is quite volatile in nature. The rate at which processes and inventions are changing is too high. Quite often, companies’ products could be rendered obsolete if the various processes are not continuously updated to the expected standards. In the current market, downturns are very common. Some of these are actually brought by the dynamic changes in technology. When new innovations are discovered, it is upon iPremier to ensure they are adopted appropriately. Failure to embrace such technologies when need arises may lead them to be rendered irrelevant in the market (Weill & Ross 2004, p. 93). The company must therefore be constantly informed of the various changes in the market and in relation to technology to ensure that it remains relevant. c. Stiff Competition The industry within which iPremier operates seems to be very competitive. It suffices to say that denial of service attack could have been instigated by competitors. High levels of competition can render an entity irrelevant in the market. In order to deal with competition, iPremier must seek for options that will enable it have a competitive advantage over other players in the industry. The competitive advantage can be gained based on highly-skilled workforce, superior technologies, financial might, good leadership skills, cost management strategies, etc. It is upon the company to design appropriate strategies to ensure it does not succumb to competition. d. Natural Disasters Natural disasters can be quite unpredictable. Such tragedies hit at the time when they are least expected and the impact can be unbearable if no appropriate combat measures are in place. Such disasters may include fire, floods, etc. This may leave a lot of data centers destroyed and other important assets lost. The disaster recovery plan must factor in this kind of risk factors. e. Laws & Regulations In any given state, laws and regulations are prone to changing. The environment and other related factors provoke the legislature to draft pieces of legislations aimed at addressing the issues at hand. In the process of doing so, this process may not augur well with some organizations. It is possible that laws can be drafted which have negative impact on the operations of iPremier. Such laws may include taxation and other statutory levies (Carr & Henry 1995, p. 48). These may have a direct negative impact on the operation of the company. Risk Reduction Measures at iPremier The effectiveness of risk management strategies is evaluated on the basis of how they assist in the time of tragedy. In the case of iPremier, the level of preparedness of the company is quite unfortunate. From the manner in which events are seen to be unfolding, it becomes clear that the company’s risk reduction strategies failed (Carey 2009, p. 160). The IT administrator has been completely locked from accessing the company’s website and the various calls being made do not seem to be bearing the required fruits. The various experts being contacted after the event seem not be so sure of how to address this issue at hand. The manner which the operations of the organization have been disconnected shows that risk reduction strategies used are inferior. Even the calls to the Qdata center are not bringing forth the anticipated feedback. The whole company is in disarray. Customers are calling the help desk, but seemingly no help is coming forth. In overall, the risk reduction strategies that might have been put in place at iPremier failed completely and therefore it is upon the organization to redesign new disaster management strategies. Data Breaches Since 2009 Data security breaches are very common in the current era. From the studies that have been undertaken in this area, all sectors are exposed. It is upon individual organizations to design methods of curbing these breaches. With the growth in technology, the risk is becoming more likely to take place than before. The following three cases are examples of data breaches that have taken place since 2009: One of the data breaches in the recent involved Epsilon Company which took place in March 2011. The full impact of this particular data breach was felt when names and emails of customers were exposed. These details were saved in more than 108 retail store and other financial institutions. A lot of customer information was stolen in the process. The danger behind this is when the perpetrators use the stolen information to design better and strategic phishing attacks on other entities. This kind of breach was so massive and it is estimated to have cost the company approximately $4million dollars. Besides, it cost the organization in terms of rebuilding its image and reputation after the event. In that process, the information of millions of customers was actually exposed. Nevertheless, the company currently holds roughly 40 billion emails on annual basis. A lot continues to be done in order to guarantee the security of these emails. The second example of data breach took place also in March 2011. This involved a company known as RSA Security. In the process of this data breach, the direct consequence was the loss of about 40 million employee records. The breach involved collaborative efforts from two hacker groups and some government agencies. The hackers managed to penetrate the company’s network pretending to be some trustworthy source. Reportedly, the company spent $66 million on remediation. Considering this is a security firm, such an attack reveals a lot of details. It clearly shows that hackers are becoming more ruthless in their attack. The hackers sent numerous phishing attacks against RSA employees. Many stakeholders were shocked at the processes that led to the information loss. The last example of the data security breach took place between July and August 2011. It involved ES Tsoft Company. The consequence of the breach is loss of information of about 35 million people. These were mainly the South Koreans. This clearly shows that the breach affected a huge portion of the South Korean population. The attackers are reported to have successfully uploaded a malware into the server of the software company. The attackers successfully stole names, user IDs, birthdays, password, gender, telephone numbers, emails and other personal details. iPremier Business Process Re-engineering After what iPremier has gone through in relation to denial of service attack, it is important for the company to redesign its processes in order to ensure that nothing of this kind happens in future. Business engineering process entails rearranging management systems, processes, organizational structures, culture in order to boost overall performance (Al-Mashari, Majed, Zahir & Mohamed 2001, p. 444). This represents a shift away from the normal way of handling processes and operations with the key objective of enhancing efficiency. In the case of iPremier, it is timely for the company to have an insource system to handle its data. This is after the tragic failure of Qdata to provide adequate services during the time of the attack on iPremier website. It is therefore timely for the company to own its data center. In relation to the decision by the company to have an insource data center, it is important to understand some current trends in the technological arena that play a critical role. One of such trends is cloud computing discoveries. Companies in the current business environment do not struggle with storing data, but rather access such information easily using cloud computing (Evans & Dale 1996, p. 32). Therefore, with such considerations, companies are sensitive when it comes to storage of its data. An effective data center involves a careful consideration on how and where data center services are sourced. What is important in the case of iPremier is for it to strengthen its in-house IT department. In addition, the company simply needs to ensure its infrastructural foundation is firm to easily host the insource data center. Key Objectives of Business Process Re-engineering To enhance delivery of value to customers To increase the speed of service and product delivery To ensure flexibility in the system to allow necessary adjustments To ensure quality of products is not compromised To increase overall productivities Steps of Business Process Re-engineering i. Business diagnosis & measurement: the first step basically involves diagnosing problematic areas in the organization. through this process, various aspects like delays, mistakes and customer complaints are identified. Therefore, this is an information-seeking step which helps provide information that will be used in designing the plan. ii. Selection of processes for change and modeling: this step involves checking for processes that can be feasibly be changed. This will warrant selection of characteristics that meet organizational goals. Therefore, the key issue at this level is to ensure that the various changes that have been proposed are aligning with the strategic goals of the organization. iii. Technical design of the solution: this step involves the various network connections and the teams involved. At this level, redesigned and remodeled to meet the set objectives. iv. Workforce adjustment & training: this involve training the workforce with appropriate skills as they relate to the new roles. The training must be in connection with the new tools and working resources that the employees will be using in their new capacities. Ensure the relevance of the training in order to ensure effectiveness. v. Management of change & employee employment: this will enable in creating an appropriate platform upon which change can be undertaken. This will work towards reducing resistance from employees. This step must highlight the positives about the change in order to facilitate the process. vi. Introduction of new processes into business operations: this is where the organization will allow the new processes that have been chosen to start functioning. The organization must understand the eminent need for the shift. In order to make it efficient, timelines on the various processes’ implementation must be clearly set. vii. Continuous improvement: the business process reengineering must be continuously monitored and appropriate improvements made in order to guarantee efficiency. Conclusion iPremier Company has provided a very informative case study that is rich with issues that are affecting the current businesses. Unethical businesses practices especially in relation to data security have been quite common. Organizations are tasked to continuously improve their security measures in order to ensure confidentiality. The cost of losing some of the confidential information can be insurmountable. The study has clearly demonstrated how organizations have spent millions of dollars for remediation. Restoring the image and reputation of an organization after horrific data loss can be such a difficult task. In order to ensure that companies remain committed to winning the war against data insecurity, business processes must be reengineered on a continuous basis. All organizations must design business reengineering strategies aimed at ensuring the various processes are upgraded appropriately so seal any loophole that can be exploited by hackers. References Al-Mashari, Majed, Zahir, I. & Mohamed, Z 2001, "Business process reengineering: a survey of international experience." Business Process Management Journal, December 2001, pp. 437-455. Carey, P 2009, Data Protection: A Practical Guide to UK & EU Law, OUP Oxford, Oxford, pp. 119-187. Carr, D.K. & Henry, J 1995, Best Practices in Reengineering: What Works and What Doesn't in the Reengineering Process, McGraw-Hill, New York, pp. 35-56. Evans, S. & Dale, B.G 1996, The engineer availability process: A study of predictive process, Business Process Re-engineering & Management Journal, Vol. 2, Issue. 3, pp. 26-38. Haes, DS. & Grembergen, WV 2009, "Exploring the relationship between IT governance practices and business/IT alignment through extreme case analysis in Belgian mid‐to‐ large size financial enterprises", Journal of Enterprise Information Management, Vol. 22 Issue. 5, pp.615 – 637. Roger S. D 2013, Research on IT Governance, Risk, and Value: Challenges and Opportunities, Journal of Information Systems: Spring 2013, Vol. 27, No. 1, pp. 129-135. Room, S 2006, Data Protection and Compliance in Context, BSC, Swindon, UK, pp. 65-85. Stefan, B., Anant, J., Steven, H. & Wim, G 2014, Understanding the Association between IT Governance Maturity & IT Governance Disclosure, International Journal of IT/Business Alignment and Governance, Vol. 5, Issue. 1, pp. 16-33. Weill, P. & Ross, JW 2004, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School, Massachusetts, pp. 88-116. Werhane, P.H. & Cording, M. 2002, Ethical Issues in Business: a philosophical approach. 7th.edn., Prentice Hall, New York, p. 212-238. Read More