Archive for the ‘IT Governance’ Category

Round-table discussion: Effective social networking in the public sector

Saturday, February 23rd, 2013

I was invited to facilitate a round-table discussion on effective social networking in the public sector for CPA Australia at their International Public Sector Convention on 21st February 2013. These notes derived from that session.  I have formatted this discussion as an article, and it is available h here for download:  20130221 Roundtable Notes.pdf.  Please feel free to provide feedback or discuss this topic further in the comments below.


Social networking has gained enormous traction in recent years, changing business models and the ways humans interact.

However, social networking is more than just using a particular tool or medium. This roundtable discussion held at the CPA Australia International Public Sector Convention on 21st February 2013 aimed to discuss the long-term value of online social networking and explore how it can be applied to generate lasting benefits across the public sector.

The facilitator was Micheal Axelsen, of Applied Insight Pty Ltd, and the participants were representatives from the public sector. This discussion took place at the Brisbane Convention Centre.

Funny toy or useful?

It was apparent from our discussion that people are still not entirely sure what exactly online social networking is, and whether it is ‘too risky’ or not.


It was noted that collaboration is easily done using tools such as Facebook in comparison with the sometimes-slow bureaucratic processes for developing internet sites.

We did note some benefits – for example, we can keep in touch with people by ‘loose connections’ rather than lose touch when people change jobs.

Online social networking replaces chat groups or email lists, in many ways. Online social networking though is faster and more immediate.

Risks that may arise from the use of online social networking include:

  • Legal
  • Reputation
  • Cyber
  • Privacy and identity theft
  • Records management
  • Technology

Although we recognised those risks, awareness of the risks when online social networking is important to ensuring effective social networking.

Risky business?

Online social networking – the younger generation just ‘gets it’. But they too can be lax and not think through all the risks.

Users do need to be ‘savvy and sophisticated’ users. Not all people in all places are aware of what they can and can’t do with material on online social networking. A nightmare for auditors!

It’s not the tool that is evil, though – it is how the tool is used. The opportunity for fraud exists and the means by which online social networking can be used can be ‘really mind-boggling’ – particularly the social media tools. People still are not aware of the risk of fraud that can occur through social media.

Change for the better?

There are still definite benefits. Online social networking can be a real tool for finding out information.

One participant noted that they now find out more information from Facebook and Twitter than they do from television. For instance – weather awareness and information that more traditional channels are ‘slower’ to distribute.

So as an information awareness tool and gathering tool, online social networking has real benefits. Particularly product search and product help is a definite positive of online social networking.

For example, obtaining very quick recommendations for a service or product via twitter or Facebook can result very quickly, and if you receive 15 recommendations for the one service (for example, a restaurant), then you probably have had your choice made for you.

Sometimes participants felt that they have had quicker and better responses online to problems with products, although this varied between organisations.

We did consider though whether there may be a ‘regression to the mean’ in relation to how companies deal with issues raised through social media.

It may soon be only those Facebook posts with 300 likes that get a company’s attention, and then later only posts with 1,000 likes. Eventually, the extra resource expended on customer monitoring on online social networking will become part of ‘business as usual’ and the response will return to long-term trends.


Unlike a phone call or a letter, however, we did note that, with online social networking, complaints and discussions take place in a public place. For that reason organisations will likely place a higher priority on that for some time to come.

We recognised that online social networking is another channel, and this complicates our communication channels. The world is more complex than a PO Box and a phone, and this complexity means that agencies need to respond. Unfortunately, the ‘simple’ world of the past has most likely disappeared.

In twenty years’ time, online social networking will continue on, it will be the new norm. But new technologies will be developed, and the technologies will mature.

The need to critically appraise the information and comments made on online social networking by users is important. People need to assess quickly the credibility of the source making the comment, and also consider the number and sources of information. There are trolls on the internet but there are self-correcting mechanisms to filter these things out. It is an ‘ongoing war’ and the ‘wisdom of the crowds’ can help with this. Nevertheless, this takes time and effort to sort through the ‘chaff’, and some ‘walled off’ communities can be credible resources.

For example, LinkedIn makes a considerable effort to ensure the credibility of participants in conversations through moderated membership of groups.

Government agencies can use online social networking to access the communities that they deal with. Facebook pages, for example, allow an agency to talk one on one with their community, and obtain immediacy in their response.

This capability is used to varying effect. Some agencies have had fairly aggressive relationships with their communities whereas others have had more positive experiences. Monitoring online social networking can be used to provide information for policy development, particularly with respect to the targeted communities.

For example, overall the Queensland Police Service presence on Facebook has been considered a major success in their sometimes-difficult dealings with the public. This was a focussed and strategic use of social media.


Brand recognition on twitter and the maintenance of the brand is important. However, you have to understand the risks and mitigate the risks – you have many more stakeholders. Brand recognition will be important for agencies that need to self-promote to obtain their funding.

Targeted delivery of information via online social networking can be more effective, as well. For example, Generation Y (or perhaps the younger Generation X) that are heavily into social media can be accessed through social media rather than the traditional media. Engagement through traditional media may be diminishing.

Social media is just another channel to communicate; whereas people from one generation might write a letter to the editor, those from another generation might tweet about the issue or use activist sites such as ‘GetUp!’.

As generational change happens, agencies and organisations will need to educate and adapt to meet the needs of their communities.

There are opportunities to keep in touch with organisational alumni – particularly for the recruitment of new staff – but unfortunately not much is being done in this area at the moment. There is a lot of untapped potential there.

Concluding thoughts

People are still not entirely sure of online social networking, and whether its risks are worthwhile. Some benefits can be obtained by using online social networking in the public sector, but by no means has it been universally adopted.

Participants felt that the public sector is definitely lagging behind in the use of online social networking compared to the private sector. As generational change occurs, particularly for health, change will be needed.

Although our discussion centred on risks, several themes did emerge, including:

  • More understanding of what online social networking is is still needed.
  • User awareness of the risks of participating in online social networking still needs to mature.
  • Agency communities (for example, QPS Media on Facebook) can increase community engagement, but they might just as equally cause difficulties with the community.
  • Maturity will reduce this complexity, and as the novelty diminishes the tools will be embedded.
  • Targeted delivery via online social networking of information can be more effective and engaging than traditional media.
  • Informing policy response via community engagement can be particularly helpful for public sector agencies.

In the long term, the world has changed to be more complex.

Overall the discussion was lively and the risks and benefits were debated intelligently and in an informed way. Online social networking clearly has a long way to go in terms of maturing across the public sector, but the potential perhaps can be summarised as ‘promising, but beware the risks!’

Of droughts, and flooding rains, of businesses and broken business continuity plans.

Sunday, February 20th, 2011

Well, this is a blog entry, and I have a thing for bad business poetry.  In Brizvegas, as you may have heard, we’ve had droughts a-plenty until the last two years, and then the flooding rains that just created a seeping, growing, black mess that crept stealthily towards everyone’s place of business or abode.

Well, that might seem a little melodramatic, but you know what?  It’s not.  We’re all affected here in Brizvegas, even in little ways such as losing our carparks (my wife doesn’t think that’s so little) or daycare centre (my daughter, yes, same attitude as her mother).  My house was perfectly fine, halfway up Mount Cootha, but I went for a ride on my pushbike to see how my daughter’s daycare centre was faring.  As I rounded a corner and ran into deep, black water quite some time before I rather thought I would.  Squealing on the brakes, I thought to myself, ‘That’s not good!’

I also came to the realisation that my five-year old daughter was not going back to daycare tomorrow.

And so from my back deck, all seemed fine as I looked over the tall trees of Mt Coot-tha, but at the same time some people were cut off from food and petrol – friends of mine were refused service after the floods because they ‘looked grotty’. Well, how would you look after 5 days without power or a shower?

It was an odd flood, bright sunny day, and yet still I noticed the Lexus dealership madly moving cars, and the people at the Brumby’s bakery madly moving flour to the only bakery down the road that wasn’t flooded (it appears they rather had some trouble finding the key, and saved the flour only just in time or the western suburbs would have had to start eating crushed up gumleaves spiced with mud. And then having to drink the wooded Chardonnay left in the wine rack – oh the humanity!)

But the point (and there is one!) is that we precisely do not know what will ever happen to our homes or places of business.  Some of us thought we were really very safe at the time.  That idea’s comforting, but not always true (I can see a mountain full of trees from my back deck – so one day bushfires are on the cards).

Here’s a video I took of a house normally way, way above the river:

All of us banana-benders are looking at each other now, after inland tsunamis, floods-that-weren’t-supposed-to-happen, and Cyclone Yasi, and saying that if we had a blizzard come down Queen Street we’d let loose a suitable expletive and get down to it.

So how do you as a business prepare for these things?

Well, fortunately we do have best practice approaches available such as COBIT and ITIL.  A year or so ago, when I was lecturing at QUT in IT Governance, I asked the students to use COBIT’s framework to help with the development of a business continuity plan.  This is what it, rather drily, says:

DS4.2 IT Continuity Plans: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

The exercise for the student was to take a look around their bedroom and work out what they might lose, what they could afford to lose, and how they might get back on deck.  I seem to recall one student came up with a contingency plan that involved explaining to his lecturer how he didn’t need to submit the assignment that week – I believe I may have said he needed to improve that excuse for his risk register.

Anyway, business continuity plans are things that are really hard if you don’t know where to start.  So I took that reasonably vague statement above from ITGI’s COBIT and turned it into something like the below.  Feel free to borrow it as a template if you like for your business.  It’s not great, it’s not fantastic, but it’s a start, and at least you get thinking about what you need to do in the event of problems like droughts, flooding rains, bushfires, cyclones, blizzards, alien invasion, or inland tsunamis.  Try adapting this for your purposes:

And so I’m going to leave this blog entry right about here, now that I’ve gotten to use some great phrases like ‘a seeping growing black mess’ (seriously, anyone who saw that floodwater will agree that it was pretty yuck).  Readers, please take a look or download the example business continuity plan – a BCP doesn’t need to be hard, it just needs to work.  In fact, if it’s big and hard and ugly, it’s likely it’ll never work.  ‘Keep it Simple, Silly’ is the appropriate rule of thumb.  It’s a good start for some businesses, possibly not for others.

But please don’t find yourself caught on the hop and having to remove those files from the basement where they’re stored to the top floor of your building in your pyjamas and best thongs, like some people I’ve heard of.  Or the people at the Lexus dealership, who were frantic because they couldn’t find the keys to the four wheel drive blocking the driveway.

PS:  I hope I rickrolled somebody in one of those links up above…

Academic submission to a conference on Information Systems.

Tuesday, December 7th, 2010

The past week or so of my professional life (it’s all a blur) has been taken up with writing a paper for submission to an upcoming conference.  If you’ve ever wondered about the process, it’s been painful.  If you are interested, read on to read the abstract of what is now a 12 page paper (it started out at 16 pages – cutting down is annoying).

If you aren’t interested – move along, nothing to see here.

Abstract (I’ll leave the title out as it’s A: long and B: it’s meant to be a double-blind review.  Suffice to say it’s about auditing and accounting standard reforms, BIS and IT audit).

Information systems are key components of the internal control system that ensure the business entity complies with the requirements of the financial reporting regulatory framework. This regulatory framework consists primarily of accounting and auditing standards. As the regulatory framework changes, so too do the functional requirements of information systems. Compliance with the regulatory framework is essential to the long-term business success.

This paper is a report of a  review of the effect of Australian reforms to auditing standards (the ‘audit risk’ and ‘black-letter law’ reforms) and accounting standards (the ‘A-IFRS’ reforms) upon business information systems and information systems audit. This analysis is verified with audit professionals and the final results reported as an exploratory study. The results identify seven significant computer-based registers for businesses to manage in complying with the financial regulatory framework, and identifies the significant relationships between accounting and auditing standards and information systems audit.

The audit and accounting profession requires a deep understanding of the implications of the financial reporting regulatory framework for business information systems design and the role of information systems audit. This paper provides a valuable contribution to this professional need through considered analysis  of the auditing and accounting standards.

Keywords: IFRS, ISA, IS Audit, business information systems

This research is a part of the output of my Australian Research Council Project.

Data management strategies

Wednesday, September 2nd, 2009

On 14th October 2009, I will be presenting at CPA Congress in Melbourne to the topic ‘Data Management Strategies’.  Apparently CPA Australia didn’t like my originally suggested title ‘The devil is in the detail – which is why the Lord of the Nine Hells should never be your DBA’, which I blogged about earlier.  I think the new title is rather bland, don’t you.

The session overview is below:

Micheal Axelsen FCPA Director
Applied Insights Pty Ltd

As accountants, we prepare the information that a business uses to make its important decisions. Sometimes though, the data we use seems to be impossible to track down – and when we do find it, who knows whether it’s actually useful or not?

In this entertaining presentation, Micheal looks at some of the practical pitfalls and case studies of working with data – from rampant spreadsheets to the DBA nightmare – that Micheal has seen, with practical advice you can use to help your business escape its database nightmare.

Anyway, it promises to be fun, although it would have been much more fun if I could have brought theology into the debate of DBAs vs rational people.

Image from Flickr User Lessio. Some Rights Reserved.

The devil is in the detail – which is why the Lord of the Nine Hells should never be your DBA

Thursday, June 4th, 2009

Maybe he knows where the bodies are buried...CPA Australia have asked me to present at their conference in Melbourne in October. They didn’t want to do Carbon Pollution Reduction Scheme – that’s already been well-covered apparently. I did suggest that I could relate some case studies from the field about data governance – you know, how to get databases right and so on. I decided that I would try for the entertainment factor – after all, I have seen quite a few fun things in my time, and embellishment never hurt 🙂 – and so I have written an outline for ‘The devil is in the detail – which is why the Lord of the Nine Hells should never be your database administrator’.

Seminar overview:

A successful business knows about its business environment to deliver consistently good services or products to its customers at a reasonable price. Accountants prepare the information that provides the feedback to the business on how it is travelling.

Unfortunately, getting that information right is quite a trick! Some of the information is locked away in limbo; we know it exists but how do we get to it? And no, ‘it’s in the database’ is not really all that helpful. Is the information we rely on actually all that accurate?

In this entertaining presentation, Micheal Axelsen explores the steps and some of the pitfalls you can take to achieve good governance of your data so that the information you prepare for the business is as right as you can get it (and meets compliance requirements!).

On this journey we take a look at some of the practical pitfalls and case studies of working with data that Micheal has seen in fifteen years of working and consulting to industry and commerce, with practical advice you can use to help your business escape its database hell.

Short overview:

As accountants, we prepare the information that a business uses to make its important decisions. Sometimes, though, the data we use seems to be impossible to track down – and when we do find it, who knows whether it’s actually useful or not?

In this entertaining presentation, Micheal looks at some of the practical pitfalls and case studies of working with data – from rampant spreadsheets to the DBA from Hell – that Micheal has seen, with practical advice you can use to help your business escape its database hell.

Does anyone care to leave feedback for me? Would you go to such a session? Or is it trying too hard to try and make databases entertaining… Still, this stuff is what I live for – which is a sad indictment of the times, I suppose, or at least of my sense of humour.

Image from Flickr User Lessio. Some Rights Reserved.

Technorati : , , , , , , , , , , : , , , , , , , , , ,
Zooomr : , , , , , , , , , ,
Flickr : , , , , , , , , , ,