CHAPTER 6
Managerial Considerations
This chapter covers topics where an astute managerial policy, choice, or a question at the right time can reduce risk and improve overall performance for businesses requiring both traditional processes and information systems. Some of you may have jumped ahead to this chapter because you feel that you are already familiar with what business information processes are. While that may be true for some, many will find it useful to review at least some of the topics in the preceding chapters if parts of the following discussion are unfamiliar.
Author note: Most of the suggestions and management approaches discussed in this chapter are not appropriate for a micromanagement environment. The levels of detail, ranges of technical skill, and frequent periods of continuous attention to information processes necessitate delegating the responsibility for such work as far down the command chain as possible. This is particularly true when dealing with security strategies and ensuring information accuracy. My experience in several high-tech industries is that micromanagers dealing with large amounts of information are only successful if their groups are small and the manager works longer hours than do any of their subordinates. Not a great situation to be in for the manager and not an effective situation for the company the manager works for.
In the early days of IT solutions, many businesses were vertically integrated, that is, they owned and had direct control of most aspects of their business. Most of them only operated within a national environment. As a result, the amount of data to be processed was not excessive and the need for widespread communication abilities was also small. Most SMBs did not even have any computing or information processing resources other than handheld calculators, cash registers, typewriters, and a team of file clerks, accountants, bookkeepers, and secretaries; all using pens, pencils, and paper.
Today, many standalone desktop systems are more powerful and store more information than those early mainframes. As a result, many smaller businesses have found a group of desktop systems to be more than adequate for their internal information needs. However, as their demand grows and as they begin to use outside subcontractors to perform parts of their business, rely more on outside vendors for their materials, and use the Internet for advertising and communication with customers their internal IT systems become overloaded. Larger enterprise organizations experience much of the same results for much of the same reasons, but on a much larger scale. All businesses, regardless of their size, need the ability to handle an ever-increasing amount of information to remain competitive.
The range of solutions and strategies for dealing with this problem can be grouped into three categories of choices:
•Expanding a business’s internal IT capability by adding equipment and technical staff to support it.
•Using one or more of the many cloud computing service packages available. These packages can be as comprehensive as an ERP solution or as simple as one that just handles a company’s database.
•Using a combination of internal IT expansion and online use of individual cloud computing applications.
Expanding internal IT capability has been the primary choice for large enterprise companies because they already have a substantial IT investment and sufficient technical staff resources. This strategy is not as attractive for smaller businesses who have limited financial resources and insufficient technical staff to execute it. In fact, many of them have agreements with an outside vendor to supply them with technical support on an as-needed basis.
Using cloud computing service packages can be a good choice for a business just starting up because their processes are still being defined and it significantly reduces the capital investment in IT equipment required. For established SMBs with established processes and some existing investment in IT hardware and technical staff, this choice requires much more consideration. Like choosing and implementing an ERP or other management software solution, cloud computing applications should match up as closely as possible with a business’s current processes and hardware.
Some General Guidelines and Questions to Ask
My general guidelines are that there is no free lunch in business decisions and employees usually perform according to how they think they will be rewarded. If you do not have an understanding regarding how a supply chain partner or service provider makes a profit, you should make an effort to find out for both your benefit and theirs. The best business contracts are those where each participant feels that they receive something worthwhile from the relationship. The same rule applies to employee relationships. If you do not understand what motivates employees to do a good job other than keep collecting a paycheck, you should find out. Be clear about what you expect them to do and make sure your reward systems are consistent with those expectations.
Shouldn’t this be obvious? Yes, but in my personal experience I have encountered too many managers who really do not know these simple truths or choose to ignore them. Is the above easy to do? No, but it is necessary for a business to be successful. Besides, as I often told my business students, “Managers are usually expected to solve more difficult problems and ask tougher questions. How else could one justify their higher salaries?”
In the following set of suggested questions that a manager should always be asking, a number of different topics can be used to fill in the blank underlined part of the questions. Within the context of this monograph, we should use the following topics: communications, data storage, information, data input, data retrieval, supply chain, and customer.
•What are our _______ expenses?
•How secure are our _______ processes?
•How reliable are our _______ processes?
•What parts of our _______ processes are the most critical?
•What parts of our _______ processes have the most variability?
•Which of our _______ processes needs the most improvement?
•What are the potential risks related to our _______ processes?
Preventing Problems and Improving Performance
One important part of good management is preventing problems before they occur and minimizing any consequential damage if they should occur. Some effective actions that should be done in this regard before you need them are:
•Establishing clear policies regarding what should and should not be done. This includes any appropriate boundary conditions or other constraints.
•Designing processes to minimize errors.
•Developing plans to respond quickly to problems.
•Training employees regularly regarding policies and execution of response plans, stressing that it is their responsibility to follow policies for the best interests of everyone.
•Reviewing policies as part of the business’s planning processes to keep the policies up-to-date, discard ones no longer needed, and develop new ones needed to meet new challenges.
Another important part of good management is establishing practices and developing strategies that will reduce operating costs, increase revenue, and improve the quality and value of the product or service offered by the business. While the above management responsibilities apply to all parts of a business, we will concentrate here on those aspects associated with the use of information within a business. Areas of consideration include:
•Information handling policies
•Protection of critical business data
•Cyber security considerations
•Data standardization and customization
•Information cost factors
Information Handling Policies
Many of the issues that managers encounter are related in some form to the information required or provided by the business. Incorrect or insufficient information can lead to the wrong business decision, cause a manufacturing line to fail, expose the business to liability risks, and mislead customers. Conflicting information confuses employees and customers, diverts resources to resolve these conflicts, and delays the ability of the business to respond to a problem or make a final decision. Unauthorized access to information can compromise the company’s ability to operate, provide competitors with proprietary information, and erode customer trust in the business protecting their private information. The loss of information or an interruption in the access to it can be damaging to the company depending on the extent and duration of such losses or interruptions and the importance of real-time access.
Not often mentioned is the inappropriate use of information resources during work hours, particularly the Internet, by employees. Dealing with such use will consume more and more of a manager’s time in companies that do not clearly define policy regarding such use and the penalties if an employee does not follow the policy. The need for such a policy increases with the increasing use of online resources by businesses. This trend has resulted in ready Internet access at most employee workstations. An additional serious security concern is that any inappropriate use on those workstations often becomes part of a business’s electronics transactions record.
An equally important area of concern that requires a clear management policy is the potential misuse of customer information by employees who have access to that database as part of their job assignment. Such misuse can be as small as getting the home phone number of an attractive fellow employee, more serious such as checking up on a spouse’s daily phone calls for a friend, or clearly criminal such as stealing a customer’s credit information for personal use or sale to another. It is a slippery slope to decide how serious each breach of consumer privacy is; this is an area where judgment calls should be avoided by establishing a zero-tolerance policy regarding the misuse of customer data. For example, employees are clearly told that any misuse of such data will result in employee termination and possible criminal prosecution.
More and more businesses are allowing employees to use their personal electronic devices at work, a strategy often referred to by the term BYOD, an acronym for “bring your own device.” This has some advantages in that an employee whose job only requires access to the Internet now does not require the business to supply him or her a terminal or other access device and the employee can use a device he or she is already familiar with. The trade-off is an increased security risk since many employees are not as careful regarding the content on their personal phone as they should be and their phone passwords are generally easier to break if they use one at all. As the BYOD strategy becomes more widely used, it becomes all the more important for a business to establish a clear policy for employees to follow regarding the safe use of their phone and any flash drive storage devices at work. This policy must include clear definitions of the penalties for failing to comply with the requirements of the policy.
Protection of Critical Business Data
Every business has some data that are critical to that business’s success and needs to be protected from access by unauthorized users. Such data can include proprietary operating information such as the recipe for a restaurant’s signature dish, steps in an assembly process for assembling ultrasonic arrays, and manufacturing production plans. Other examples of critical information are a list of preferred customers, customer credit information, control programs for an oil refinery or electrical utility, or the design data for an upcoming new product.
In today’s world of ever-increasing use of the Internet for communications and business transactions, my first and most important advice is to keep critical information off of the Internet if at all possible. This includes not discussing the details of such information in e-mails! Now, do not get the wrong impression here, I am not a Luddite trying to get businesses to avoid the use of the Internet. Quite to the contrary, this book’s primary purpose is to inform business about the operational and competitive advantages the Internet environment can provide enterprise corporations and SMBs integrating their management of information and processes. My message is that one needs to be aware of some of the associated disadvantages, the key one being that no information can be considered to be entirely secure on the Internet.
So, what can a manager do to protect critical information and still use the Internet? More general cyber security strategies will be discussed later. For the moment, let’s just discuss process changes and other policies to improve the security of critical information. First, try to limit authorized access to as few users as possible. Make a practice of encrypting such information with strong authorization passwords. Some of the information such as new product design data, proprietary recipes, and preferred customer lists can be stored separately, either internally or using a separate data storage service. Establish a strong policy of not letting employees download such information onto flash drives or personal devices neither for the purpose of taking it on a business trip nor for working at home. This is particularly important if your business has a BYOD policy that allows personal laptop or tablet computers to be used at work.
Particular care must be taken regarding the storage of individual customer credit and financial information. If at all possible, this information should be encrypted and kept separate from other POS data related to a business’s customers. A number of businesses have had to notify customers in recent years that their personal identification and credit information was at risk because one of their employees lost or had their laptop or smartphone stolen with that information on it. To make it worse, in several cases the information was not encrypted and the device did not even have a password. Of course, the affected businesses said they were improving their procedures for protecting such data in the future, that response was of little solace to the customers affected by the breaches in their data security.
Critical control programs such as those controlling nuclear energy facilities, electrical transmission networks, oil refineries, and railroad traffic can be redesigned to minimize their exposure to unauthorized access or manipulated input data from external sensors and monitoring locations. As my former judo sensei said to our class, “The best defense is to not be there in the first place!” Some suggestions include hardwired control boards, boards using read-only memory for command routines, intermediate servers and Big Data analysis methods to process and verify external sensor and monitoring data, adapting control approaches currently used in commercial aviation where three redundant computers are used to process inputs for aircraft control, and dedicated communication networks isolated from the Internet for the most critical control functions. If there is a strong need to monitor the status of such facilities using the Internet, that information can be reported by the control system using a one-way communication link to an Internet monitor for further analysis.
Avoid using critical business information in cloud computing applications if at all possible. Such services have more than one business as customers and hence, a large number of individual users. This provides an equally large number of backdoor opportunities for hackers to break into some part of the cloud service’s network of servers. That said, many cloud providers have more secure systems than many SMBs.
Cyber Security Considerations
This section focuses on security considerations that are more lock-and-key oriented as opposed to business security policies and process security procedures. Because it is difficult in many instances to separate these security approaches into actions that can be managed independently there will be some overlap with the discussions in other sections of this chapter. For this reason, information security is a cross-functional responsibility requiring each part of an organization to work together to ensure the safest result. To this end, there are five general security risk areas to consider:
•Management vulnerabilities
•Hardware (infrastructure) vulnerabilities
•Software and password vulnerabilities
•Employee vulnerabilities
•Disposal of data vulnerabilities
•Internet vulnerabilities
We have already mentioned the need for the parts of an organization to work together regarding cyber security. This is easier if a business develops an integrated management approach for information and other business processes, the primary focus of this book. Otherwise, potential conflicts in how security is handled in different functions can create opportunities for unauthorized users to break into your information vault. Managers concerned about cyber security need to recognize that the biggest security risk to a business is not considering first how the information necessary to the business can be intentionally or unintentionally corrupted, misused, lost, stolen, or otherwise made unusable. This means keeping managers and employees informed about potential security threats within and outside of the business.
Management
A management-related vulnerability in many smaller businesses is allowing the establishment of a number of distributed databases with different access protocols. This situation can also exist in some large enterprise organizations despite their wider use of cyber security solutions and greater knowledge of security risks. Some ways to reduce this vulnerability are discussed in the following section regarding data standardization and customization.
My years of experience of being both a contributor and a manager of groups working on information technologies and software development has made it clear that for every clever person who develops a better way to protect and secure digital data, there is at least one equally clever person who is working on a method for circumventing that protection. How many people and technical resources are working on cracking a given digital data safe and how long it takes before one of them succeeds is only a function of the level of desire for the information inside. It should be pointed out that this observation applies to nearly every security protection situation—state secrets, government witness protection, bank deposit boxes, and so forth. All one has to do to find some real-life examples is to listen to a few evening newscasts every week.
Hardware
Most hardware security solutions rely on using some software component to operate a hardware access device—fingerprint readers, retinal scanners, program keys, and so forth. The ultimate hardware security solution is to isolate the information system completely within an environment that requires physical entry to use the system.1 Such solutions are generally impractical in today’s Internet-connected world with a few notable exceptions discussed previously in the critical business data section of this chapter.
Internet access introduces a new hardware security risk, the network connections. Both hard-wired and wireless connections can be tapped in much the same way as old telephones in the J. Edgar Hoover days of the FBI. Digital data streams make it more difficult to listen in their content, much more so if the information is encrypted. But this data transmission environment is changing rapidly. For example, the same advances in technology that now makes real-time video conversations and streaming movie content applications possible also makes it easier to listen in on unencrypted data and to break the code of encrypted data faster. A number of small businesses using wireless networks to connect their internal systems to printers, data servers, and Internet modems have failed to activate the password protection for such networks or are still using the default password for network. This situation is even more common in residential areas. Some residential wireless network users do not use any passwords and are ignorant of how far the range of their wireless modems and routers can be.2
One area that deserves some consideration is disposing of hardware that has grown obsolete or that is no longer needed. We will talk about the aspects of what a business should do regarding such disposition of their equipment later in this section. However, what sometimes falls between the cracks is the return of rented equipment, particularly large publically shared printers and copiers. The hard drives and other memory devices used in network printers and copiers to allow them to spool the jobs can retain copies of the most recent information submitted to them. More modern versions are careful to erase those copies periodically, but some older equipment may not and their data can be retrieved later by the rental company or the next user. Hence, it is best that a policy is established regarding rental equipment return to ensure that critical data is erased securely before the equipment leaves your business.
Software and Passwords
Software access security solutions typically involve some form of password. The major problem with passwords is that the harder they are to break, the less convenient they are for the authorized user. Most users prefer a password easy to remember and type in correctly, for example, their daughter’s name and birth date. That choice makes it much easier for an unauthorized user to determine what their password is, particularly in this age of Big Data when our personal information is available in scattered form all over the Internet—a reference to their favorite daughter on their Facebook page, a tweet wishing her Happy Birthday on Twitter, a full spelling of her name entered in a genealogy search engine, and so forth. Big Data analytic methods are useful to hackers too!
Okay, so you strongly encourage your employees to create stronger passwords. Keep in mind that when the passwords are long and contain hard-to-remember character sequences a new security risk will often occur. Employees will be tempted to store a reminder on a card or Post-it® note somewhere convenient in their workplace, making it easier for a visitor or passerby to obtain one or more passwords with the associated employee name since many workplace areas have nametags for their respective users. One way to help employees remember a long password without making a note of it is select a mnemonic such as the title of this book and numbers indicating which letters are used from each word, for example, 6r3n2fsdn. Also avoid a practice by some businesses to assign passwords created by using random character generators or distribute new password sets using e-mails or other electronic means. If your company policy is to change passwords periodically, require each employee to change their individual password themselves and provide them with one of the many password strength analyzers3 to check the strength of their choice.
When there is a need for a frequent confidential conversation or exchange of information between an individual user and an institution, an exchange of passwords before full access is granted provides another level of security. An example is a client checking on the status of his or her bank account. The client enters the account ID and personal password. Once the password and account number have been verified, the bank replies with an image or other descriptor that the client chose when setting up the account. This tells the client that they are connected to the correct website. The client then enters a second password to gain full access. The security level can be enhanced further by the bank randomly picking one of several questions for the client to answer and comparing that answer to the answers supplied by the client for each question when they set up the account.
This process is important for a business serving customers. It ensures the security of their interaction with customers and also prevents a customer from being connected to another site because of an URL entry error or jeopardizing their account security by replying to a fake site in an e-mail message that pretends to be from their bank. The fake site may obtain their first password but when unable to reply with the second password entry page alerts the client to not go further and to change their entry password the next time they use the real bank site.
Employee
Often the greatest security risk is an employee who is unaware of how their daily actions can affect the safety of the company’s data. Some common examples are:
•Not taking the same security precautions on their personal equipment at work as they do using the company’s equipment.
•Being lax about updating passwords regularly and using an easy-to-crack password when they do.
•Connecting to insecure sites on the Internet using company assets.
•Loading music and apps from personal flash drives for use on company systems.
•Giving out passwords and other security information in response to e-mail and telephone queries from unverified users, a process used by potential intruders called “phishing.”
•Interacting with their personal social media accounts during working hours or using company equipment to do it, or both.
•Not being careful about discarding information.
•Printing or copying data, particularly the more critical data discussed in the previous section, on publically shared printers and copiers.
While it is unrealistic to think you can take steps to eliminate all of these employee threats, particularly since new possibilities are being discovered every day, establishing clear policies to prevent security breaches and corruption of information and regularly reviewing them with employees is a good place to start.
Disposal
Most businesses have developed a good policy for securely disposing of paper documentation when it is no longer needed, this is particularly important when scanning in documents for dematerialization. Some documents such as contracts and deeds will need to be retained in paper form for a long time; some other original documents may still need to be kept for a specified time to comply with regulation retention requirements. A policy is also needed for disposing of electronic documents and other data. There are more things to consider since a digital file can exist in a number of places—workstation drives, different internal servers, on a cloud computing service, various cassettes and floppy disks (yes, there are still some around), CDs, DVDs, laptops, smartphones, tablets, cameras, various forms of flash drives, and the Internet.
There are two major disposal considerations: What to do with the hardware memory device, and how to more securely erase a given file? The hardware part of a data disposal policy is easier to define. The safest strategy is to physically destroy the storage medium, particularly magnetic media such as hard drives, floppy disks, tapes, and data cassettes. Just drilling holes in these devices is not enough to destroy all of the data since there will be enough of the recorded surface left to recover the information not drilled away. I have seen the data on some seriously damaged hard drives recovered even after flooding and some heat damage. Such drives are remarkably robust. If the covers are removed so that each individual magnetic surface can be accessed separately for demagnetization, that process should be adequate. Trying to demagnetize an assembled stack of magnetic disks will not reach all of the areas on the disk surfaces unless the magnetic fields involved are very powerful. Plastic media such as CDs, DVDs, and Blu-Ray Disks should preferably be incinerated after shredding just like paper documents. The advice here is to use a trusted destruction service.
The alternate strategy is to completely erase the data on the storage medium so that it can be safely used by someone else. Flash memory can usually be safely reused by reformatting the memory two or so times. Plastic media devices like CDs and DVDs are generally not amenable to secure erasure processes and are better destroyed. Magnetic media are a different situation. First, when you erase a file on a magnetic media, the file information is not erased. Only the reference to where it is stored on the media is erased and the associated data area is made available for future storage use. Until that area is overwritten several times by other data that original is still retrievable by an expert who can access all of the information on a disk without having to have a directory to find it.4
Because the magnetic material can retain a vestigial image of the data previously stored in a location, that image, although it gets fainter, can remain for a number of following write cycles and can be retrieved by a recovery expert. Therefore, to securely erase data, a business needs a software program that will erase the data directly, not just its reference in the disk’s file directory, and do that erasure several times using random data sequences each time. Given the time and effort it takes to do this process for the large-capacity drives of today, it would be less expensive to just destroy the existing drive and install a new drive for the next computer user.
Erasing a single file or a small group of files is easier, particularly if these files are stored locally with a business. Using the multiple overwrite erasure available as part of a number of security software packages accomplishes the job provided that the disposal check lists account for all of the instances where the files are stored. This includes employee personal devices and flashdrives and the routine backups containing those files.
Erasing files on the Internet completely and securely is generally an exercise in futility, particularly if any of those files has even a remote possibility of having been accessed via CRM, e-retail transactions, attached to e-mail messages, social media postings, or search engines. Social media sites often let users easily delete information from their postings, but the data are usually still there somewhere in the database that the social network service uses to sell data to its customers. Cloud computing use is somewhat easier to ensure total erasure as long as one considers that it is unlikely erasing a file in a cloud storage server will also include its erasure in older backups by the cloud service provider. How files are erased is a question a business needs to ask of a potential cloud service solution. Storing a file on any Internet site is as close to guaranteeing immortality for that information as one can get.
Internet
Ah! Where to start? Like all big cities where there are parts of town where it is more dangerous to be, the Internet has its dark side too. Among all of the wonders, useful things, and other advantages for businesses, there is an army of con artists, vandals, thieves, and organizations wanting to use those advantages too. Like a visitor to a big city, a business must develop a level of caution, or “online smarts” if you prefer, to use the Internet safely. Many of the same common sense rules apply.
If an online service or product offering appears to be too good to be true, it probably isn’t and at least deserves more checking and validation before accepting any of its claims. Another rule and a favorite of mine is “There is no free lunch!” Users are offered all sorts of free services, news, entertainment, videos, investment advice, sports updates, and subscriptions; all they have to do is sign up, agree to a few rules, approve the usage license agreement, and they are good to go!
At this point, some of you are probably asking what has this to do with business. The answer is “plenty!” Some of those users are likely to be your employees. If your business uses the Internet for business activities, the realistic view is that at some time during a work day one or more of your employees will take a couple of minutes out to check their Facebook page, send a Happy Birthday! e-mail to a friend or relative, order an item, and so forth. In short, they may use one of those free sign-up services above. All of the security risks that a user would encounter accessing those services from their home computer also exist at work. Furthermore, many businesses are taking advantage of many of those same services for business reasons.
Search engines, social networks, instructional videos, free webinars provided by vendors (free training, just sign up and tell something about your business and interest in our product), and ordering office supplies are just a few of the many examples.
To be fair, most of the “free” services offered businesses do not have any evil intent. Most of them are either collecting data for their own use to improve their products, understand needs of their marketplace better, identify trends or changes in demand, or to assemble data sets to sell to others for their own. The problem is that some collection methods are more intrusive than others and hence pose greater security risks. Users have no way to know the extent of information being collected unless they read the licensing agreements for the services very carefully and carefully fill out their preferences during installation. Be honest, how many of you have actually done that?
The use of social networks for business reasons has several advantages, but also the same information collection risks discussed in the previous paragraph. The advantages are often significant depending on the type of business you are in and the customer audience you sell to. Having a Twitter account, for example, can provide immediate feedback from the customers of a services business about what it is doing well and what needs improving, avoiding the delays and expenses of external customer surveys. Having a Facebook account allows a business to communicate information about new products, changes to current products, and FAQ answers to its customers with opportunities to receive feedback about that communication quickly. Of course, what your company posts and what customers say on those social networks can easily become available to your competitors. Keep in mind that all of the social networks make their money accumulating and selling data to others. A related caution is that any information entered on the Internet never really goes away, even when you think you have taken every step to delete it. There is always a previous backup of your data somewhere.
While the author is not a big fan of social networking sites because of the limited control over what information is collected and distributed by these sites, they do have a place in today’s global environment and deserve consideration as part of a business’s information processes. At the least, it is recommended that a business set up accounts in its official name on these sites to prevent other users from using their name for a fake site in an effort to collect information or to post misleading or disparaging information. If the business does not want to commit a person to update those accounts regularly, they can post enough information on their front pages to direct customers to more secure sites for the information or technical support they want.
Finally, let’s discuss those “free” sites and tempting online ads that intend your business harm or want to steal your information. First defense is to not click on any site or ad from any company, organization, or individual you do not recognize. There are several software security suites for businesses that can verify whether or not a website appears to be legitimate. Install these features in your business’s e-mail and browser applications and also use them to screen search engine results before selecting any of the search answers for further information. Remember the rule “That if it appears to be too good to be true, it probably isn’t” when you are tempted by an ad with an attractive business claim like “cut your costs in half in just 30 days!” Evil doers use such ads as an electronic Trojan horse to get by your security software in an attempt to slip some malware that will either damage your software or lie quietly in wait to collect passwords or perform other mischief. There is an ongoing battle between the software security companies and the malware designers where the security software defenses are slightly behind the creativity of the malware designer.
Data Standardization, Errors, and Customization
The importance of standardizing data collection and storage processes as much as possible cannot be overemphasized. In any business, there will be some necessary exceptions to this strategy, but they need to be managed as carefully. We are not talking about just individual process management here but the overall information strategy for the business. Interwoven with this strategy is the major influence it can have on reducing information processing costs.
A key component of many information management applications is a central database, which is one virtual or physical location for storing the daily operational and financial data for the business. In reality, it is likely to be physically distributed over a number of hardware systems, particularly if it is handled by a cloud computing solution. Therefore, the definition of central here implies that the data storage capacity is managed by a single system.
One of the advantages of this strategy is that information errors caused by duplicate entries of the same information in different formats are eliminated. For example, Ken Shaw in one database, Kenneth Shaw in another, and Shaw, K. in a third, but all referring to the same person, are now replaced by one entry, Kenneth Shaw. Now this problem could be solved by developing some pretty strict rules regarding how a customer’s name is entered in different company databases, but that approach ignores the fact that a given name still needs to be entered several times (costs money to do), and the probability of an entry error still exists in proportion to the number of entry points (although lower because of the rules). It also ignores the added cost of performing multiple data entries and maintaining three separate databases.
One centrally managed database also avoids the errors caused by different database formats, that is, the shipping database lists customer address information first and the financial database lists the customer’s credit information first. In this case, we could use computing power to collect and correlate information from different places, but that takes a person with the database skills to program the computer and knowledge of all of the differences in the databases to obtain an accurate and useful result (this also costs money to do). Backups of a business’s data are inherently easier to do when the data storage is managed centrally. Backup storage and handling costs are also reduced.
An exception to the centralized database strategy may be required for custom data only required by one function in a business or for business critical data that a business may not feel comfortable storing in a cloud-based storage system. In such cases, it is unlikely that these sets of data will have much in common with the other information used by the business. As such, they can be managed in a separate database close to their point-of-use and with enhanced security if required. In cases where there is substantial overlap with information stored in the centralized database, the costs of maintaining and securing a duplicate data set need to be compared with the costs of expanding the centralized database and possibly increasing the security risk because of its broader exposure to unauthorized access.
Governmental agencies are often notorious for the lack of standardization in databases that later depend on each other. To be fair, when these individual databases were first set up each agency generally expected to operate on their own. Hence, there was little incentive to work with other agencies regarding some ground rules for data that might need to be shared. Many of those databases were set up using paper documents and physical filing systems. Some agencies began converting these paper systems to digital form over the past two decades but in general still kept to their original database structure. Today, these different paper-based and digital databases are one of the major causes of governmental inefficiency. While most agencies now recognize this problem, it is difficult for them to find the funding to correct the situation.
For example, many different land descriptions are used to describe the same physical location on our globe by planning commissions, county recorders, county tax assessors, title companies, mortgage companies, utility companies, county road departments, and environmental agencies. Correlating the property owners and tax assessment changes to a new wetlands proposal is frequently an exercise in frustration and often dependent on someone’s personal knowledge of the area involved to clean up the confusion. Even the geographical description can be confusing when some surveyors refer to locations by referencing the owners of the adjacent properties at the time of the survey. In the future, when a legal description of the property is needed for a mortgage application, it is likely that the ownership of one or more of the referenced properties will have changed and the surveying description will be unclear. To get an updated description, the mortgage applicant has to search back through records maintained by another department using different physical descriptors.5 Of course, the description could have been less sensitive to ownership changes by requiring that the physical description be based only on geographical coordinates, directions, distances and USGS benchmarks.
Information Cost Factors
Most managers, especially those managers in IT functions, are aware of the information processing costs associated with purchasing, operating, and maintaining computer systems, storage devices, input/output devices, network configurations, and backup systems for internal business use. Given that knowledge they are able to compare those costs on a one-to-one basis with the costs for outside services performing the same function. The danger here is using just that knowledge to determine whether or not a business would possibly benefit from outsourcing its information processes and data storage.
The problem is that there are a number of hidden information processing costs that are not included in these considerations and that can be significantly altered for better or worse by a decision to change. This is more likely to occur in companies that manage their information processes separately from their other business processes. A poor choice here could turn out to be another example of a common experience in many companies where the improvement executed by one function ends up degrading overall business performance. So, what are the costs to look for? Here are some areas to check out, not only in IT, but also in other processes in the company, even those that do not appear at first glance to have any information processing content.
•Information input processes.
∘How many data entry stations are needed?
∘How many stations would a cloud solution provide?
∘How many paper entry processes are there?
∘Could they be dematerialized?
∘If so, how many more data entry stations would be needed?
∘Could we get customers to do more of the entries?
∘If so, what equipment would be required?
•Information output processes
∘How many data output stations are needed?
∘How many printing processes are there?
∘Could they be dematerialized?
∘If so, what would be needed?
∘Could we get customers to do more of the printing?
∘If so, what process changes would be required?
•What are our backup costs?
•How many databases do we have?
∘Are they on separate servers?
∘How much of the information is duplicated? How many times or how many locations?
•What is our input information error rate?
∘What does it cost us to correct such errors?
∘What are the rate and costs for a cloud solution?
•What is our output information error rate?
∘What does it cost us to correct such errors?
∘What are the rate and costs for a cloud solution?
•What new information is needed by our business?
∘How do we collect it?
∘Where will we store it?
∘Who will use it?
∘What will it cost?
•What is our system uptime?
∘What does it cost us when it is down?
∘What is the cloud solution uptime?
•What are our office software costs?
∘How many users are there?
∘How many applications are required?
•What are the cloud office software costs?
∘How many users will it support at the same time?
∘Does it provide the same features?
∘What are the effects on our database, if any?
To be fair, smaller businesses are likely to not have some of the answers to the above questions. Often, it is because they do not yet have the resources to provide the answers, sometimes they have already chosen an outside support solution, and frequently it is because they are not sure how to measure or calculate the values asked for. If so, it is a good idea to begin acquiring such data. This will enable a business to be better prepared when it needs to consider changes or improvements in its information processing methods and resources.
For some ideas on how to measure some of these costs and associated performance measures, the book by Hubbard6 may provide some ideas to those interested as to how to start.