Emerging Issues in Information Systems Integration Risk

It is interesting to contemplate business risk and business benefit in today’s commercial world. If we think about how the world has changed over the past thirty years (I am of course referring to information systems – and am completely ignoring other somewhat less momentous issues such as the end of the cold war, the rise of Islamic extremism, and the invention of Viagra), there originally were computer mainframes that the well-heeled business could put in place to process transactions. The diagram below gives a flavour of the history here:


Mainframes were heavily customised – heck, at the beginning each one was a custom job. So they were heavily customised, had a long life to get anything like ROI out of them, and were expensive to maintain.

The rise of end-user computing – aka the rise of the PC – put computing in the hands of the masses, but those masses didn’t have too many options to customise their computers given that most programs were off-the-shelf unless you were a dab hand at Pascal.

Client-server architectures, and the rise of enterprise computing, led to fairly extensive customisation of systems, but in hindsight they were not nearly as complex as modern systems and were less integrated (it was still considered novel to integrate information from two databases into a data warehouse).

Today’s internet computing, though, is all about reliance upon the information systems and their inter-dependence. It is increasingly difficult to change one information system without affecting others – this is particularly the case for core information systems such as accounting information systems or human resource information systems.

This has all occurred at a time when business, due to competitive pressures and the impact of globalisation, is increasingly turning to automation and information tools to ‘produce the goods’. Increasing reliance on information systems, and increased customisation, results in increasing business risk:

So despite the maturity of the information industry (e.g. with the development of common approaches, architectures, and ubiquitous development tools), the forces of evil are being brought to bear due to the requirement to have ‘business on-demand’ (a resurgent long-term reliance upon the vendor, increased customisation of business processes and software, and the use of a wide range of software development tools to undertake these tasks).

These factors are leading to increased systems integration risk, and the only solution that seems to exist at this time is to promote the use of methodologies, standard enterprise tools, and, as always, to document, document, document your customisations. And of course, as I often say to clients, have a Bex and a good lie down before seriously thinking about customising an off-the-shelf system. Having high information systems risks due to a customisation of a system to achieve business benefits is somewhat disconcerting; to have a high level of information system risks for customisations that did not achieve their supposed benefits is a more disturbing outcome.

(PS – BDO Kendalls is running an Emerging Issues in Risk Management Seminar on 8 November 2005 – see you there).

SAP: Just Look at me Now…

I have had the opportunity over the last couple of weeks to take a look at what SAP calls its “MySAP All-in-One” solution. All-in-One is essentially the MySAP software combined with the skills, expertise and intellectual property of the business partner/software vendor (disclaimer: my firm, BDO Kendalls, sells, supports and implements the MySAP software, although I don’t personally benefit from the thing).

A few years ago I would have told my clients to run screaming in the other direction (or at least think very, very carefully before proceeding with any ERP, including SAP – particularly after the experience of the Queensland government with SAP). In fact, I once had a good hearty laugh when SAP tendered for a software solution I was advising on – the client’s budget didn’t cover Stage 1.

However, it would seem that the lesson has been learnt, and MySAP’s focus is on delivering business solutions in the context of the customisation required. Time was, a salesperson would glibly state, “yes, that’s possible, just do the customisation” – while somehow completely omitting the phrase “but I don’t know that that’s a particularly smart thing to do because it’s really expensive and adds bugs and makes upgrades difficult and…”.

Of course the difficulties were not always, I think, due to “good” salespeople. Some of my best friends are salespeople. Businesses at one time felt that it was worth the effort to change software to meet their business processes – but neglected to adjust the projected cost by the requisite risk factor.

At any rate, if you are an SME thinking about the possible benefits an ERP can bring, you could do far worse than check out MySAP All-in-One. It’s a rapidly shrinking market since PeopleSoft bought JD Edwards and Oracle bought PeopleSoft – but that’s the way of the world.

Information Systems In The Old School Yard

In another life, I worked for independent schools (Anglican Church Grammar School and St Margaret’s Anglican Girls’ School), and in so doing I came to a good appreciation of what schools try to do with what they’ve got available (i.e. a lot with not much). In my post-school career, I have had occasion to visit schools and evaluate how the schools organise and run their information technology.

Each quarter my firm (BDO Kendalls) publishes a newsletter specifically for the education sector. In the autumn edition, I was asked to write an article entitled “Maximising Education Technology”, and so here it is, published in all its glory.

As always, feedback welcome.

Information Systems, Security, and Fraud

I note that John Halliday (a colleague at BDO Kendalls – Director IS Audit) has written an overview article on information systems security and fraud. This is a good short article raising the link between IS security, governance structures, and organisational fraud. John is promising a series of articles in this newsletter, so I am sure there is more to come here.

From what I understand, this article also dovetails nicely with a seminar that was run on 18th April 2005.