Multiple Criteria Analysis for Evaluation of Information System Risk

1
Multiple Criteria Analysis for Evaluation of
Information System Risk

• David L. Olson
• University of Nebraska
• Desheng Wu
• University of Toronto

2
Information Systems Risk

• Physical
• Flood, fire, etc.
• Intrusion
• Hackers, malicious invasion, disgruntled
  employees
• Function
• Inaccurate data
• Not providing needed data
• ERM contributions
• More anticipatory Focus on potential risks,
  solutions
• COSO process framework

3
IT ERM

• Enterprise Risk Management
• IT perspectives
• Enterprise Risk Management, Olson Wu, World
  Scientific (2008)
• New Frontiers in Enterprise Risk Management,
  Olson Wu, eds. (contributions from 27 others)
• Includes three addressing IT
• Sarbanes-Oxley impact Chang, Choy, Cooper, Lin
• IT outsourcing evaluation Cao Leggio
• IT outsourcing risk in China Wu, Olson, Wu
• Enterprise Systems a major IT focus

4
History of ERP

• Extension of materials resource planning,
  accounting
• Integrate a firms computing for reporting,
  planning, control common architecture
• Multifunctional, Integrated, Modular
• In 1990 industry about 1 billion
• SAP, Baan, PeopleSoft, JDEdwards, Oracle, others
• Rapid growth in late 1990s
• Some relation to Y2K fears, but not the main
  reason
• Mergers in early 2000s
• Peoplesoft bought JDEdwards
• Oracle bought Peoplesoft

5
History of ERP

• SAP All-comprehensive in theory, apply
  best-practices
• Very intrusive, very expensive, require massive
  changes in operations
• If changes a core business competency, dont
• While theory centralized, many implementations
  modular
• PeopleSoft human resources
• Finance Accounting a common first module

6
Reasons for Implementing ERPmeasured on 1-5
scale (5 best)Mabert, Soni Venkataramanan,
Production Inventory Management Journal 4120,
(2000) 52-58

7
Implementation Time RequiredMabert et al. (2000)

• 6 months or less 9
• 7 to 12 months 25
• 13 to 18 months 24
• 19 to 24 months 21
• 25 to 36 months 11
• 37 to 48 months 6
• Over 48 months 2
• Rate of technology change makes 18 month IT
  projects dubious
• although ERP a major system, longer times
  appropriate

8
System Cost Mabert et al. (2000)
9
Cost Component of total implementation Mabert
et al. (2000)
10
Cost Impact Mabert et al. (2000)

• Also affects operations
• Intent was to lower operations cost
• Initially, often the reverse
• Often use data warehouse system
• Very efficient data storage
• Very expensive

11
Alternative ERP Options
12
Outsourcing RiskBryson Sullivan, Business
Process Management Journal 96, (2003), 705-721
13
ERP System Risk AssessmentMcCarthy, Financial
Executive 174 (2001), 45-48

• Total life cycle costs
• Software upgrades (including hardware impact)
• Integration, implementation, testing, maintenance
• Providing users functionality, technical support
• Hardware (servers)
• Disaster recovery
• Electrical service (including building
  modifications)
• STAFFING

14
Multiple Criteria Analysis

• measure value vj of alternative j
• identify what is important (hierarchy)
• identify RELATIVE importance (weights wk)
• identify how well each alternative does on each
  criterion (score sjk)
• can be linear vj ? wk sjk
• or nonlinear vj ?(1Kkjsjk) - 1/K

15
Total Costs of Alternatives
16
Relative Scores by Criteriacould be objectively,
subjectively based
17
Worst Best Measures by Criteria
18
Criterion Weight DevelopmentFirst sort Second
give best 100 Third give worst 10
19
Value Calculation
20
Conclusions

• ERM has become a paramount topic
• IT risk is important
• ERP is the most costly, recently most common form
  of IT
• We have reviewed some of the salient risks
• In IT
• In ERP
• Reviewed a methodology to select among options

21
(No Transcript)
22
Supply Chain Perspective of ERM

• Historical vertical integration
• Standard Oil, US Steel, Alcoa
• Traditional military
• Control all aspects of the supply chain
• Contemporary
• Cooperative effort
• Common standards
• High competition
• Specialization
• Internet
• Service oriented architecture

23
Supply Chain Problems

• Land Rover
• Key supplier insolvent, laid off 1000
• Dole 1998
• Hurricane Mitch hit banana plantations
• Ford
• 9/11/2001 suspended air delivery, closed 5 plants
• 1997 Indonesian Rupiah devalued 50
• Blocked out of US supply chains
• Jakarta public transport reduced operations, high
  repair parts
• Li Fung shifted production from Indonesia to
  other Asian sources

24
More Problems

• Taiwan earthquake 1999
• Dell Apple supply chains short components a few
  weeks
• Apple had shortages
• Dell avoided problems through price incentives on
  alternatives
• Philips semiconductor plant in New Mexico burnt
  2000
• Ericsson lost sales revenue
• Nokia had designed modular components, obtained
  alternative chips

25
Supply Chain Risk Sources

• Giunipero, Aly Eltantawy 2004
• Political events
• Product availability
• Distance from source
• Industry capacity
• Demand fluctuation
• Technology change
• Labor market change
• Financial instability
• Management turnover

26
Robust StrategiesTang 2006

• Postponement standardization, commonality,
  modular design
• Strategic stock safety stock for strategic
  items only
• Flexible supply base avoid sole sourcing
• Economic supply incentives subsidize key items,
  such as flu vaccine
• Flexible transportation multi-carrier systems,
  alliances
• Dynamic pricing promotion yield management
• Dynamic assortment planning influence demand
• Silent product rollover slow product
  introduction - Zara

27
Supply Chain Risks Outsourcing
28
Continued
29
Early Supplier InvolvementRisk to Core

• Vertical cooperation design concept
• Reduce development time
• Better product quality
• Improved costs
• RISKS sequencing, shortages, incapable suppliers
• ROLLS ROYCE Aerospace
• New product development 3-4 years
• ESI 1999
• SUPPLY COST REDUCTION
• Reduced threat of excessive costs, easier to
  handle changes
• Reduced legal liabilities, fewer quality problems
• Less supplier capacity constraints, shorter
  development time

30
Vendor RiskRisk to Suppliers

• Disintermediation US gas stations
• Motokov UK Ltd.
• European importer/distributor in agricultural
  market, tires
• Selected by Italian agricultural machinery
  manufacturer Landini to market Zetor tractors
• For 3 ½ years, exclusive UK distributor
• Then Landini formed an internal distributor
• Tires
• Mid-1990s dropped Matador Tyres for a Czech tire
  company
• 1995 Czech company went under, back to Matador
• 2002 Matador dumped Motokov
• Zetor Tractors (Czech)
• Production halted after dropped Communism

31
Risk Management Tools

• Simulation (Beneda 2005)
• Monte Carlo Crystal Ball
• Multiple criteria optimization (Dash Kajiji
  2005)
• Goal programming - tradeoffs
• SYSTEMS FAILURE METHOD
• Information Systems Project Management
• INFORMATION TECHNOLOGY

32
Monte Carlo Simulation
33
China vendor price distribution
34
Taiwan vendor price distribution
35
Simulation Output
36
MCDM Weights
37
Scores
38
Values
39
Balanced Scorecard
40
Conclusions

• Outsourcing provides competitive access
• Broader opportunities
• Demonstrate 3 tools
• Monte Carlo simulation
• Evaluate probabilistic elements
• MCDM
• Consider multiple criteria
• Select vendor by decision maker preference
• Balanced Scorecard
• Measure effectiveness of selected vendor