
SmartAdvice: Top-Down Strategy

Business commitment, good project management, and an incremental approach can improve your chances for a successful supply-chain-management implementation, The Advisory Council says. Also, control the costs of computer hardware maintenance and avoid the pitfalls of corporate IT-abuse investigations.

Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers three questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to [email protected]

Question A: With the economy picking up, our manufacturing executives are talking about supply-chain management again. What are the critical success factors for a supply-chain-management project?

Our advice: Supply-chain-management implementation is complex. For it to succeed, comprehensive business commitment and a strong relationship with business partners are essential. As with any complex endeavor, the chances of success are improved by good project management and an incremental approach.

Business-Driven Strategy
Supply-chain management is a customer-centric business strategy that delivers an optimal flow of products and services from source to customer. This adds value for the company by developing efficiencies, reducing costs, and improving customer satisfaction.

Supply-chain management is built on business processes that are complex in and of themselves, including supply-chain planning, supply-chain execution, warehouse management, transportation management, global trade, order management, sourcing, and procurement.

Management Commitment
The critical success factor in implementing supply-chain management is top-management commitment to the concept and business strategy. Analysis of business processes can identify areas where there are gaps that must be filled.

Managing Supplier And Partner Expectations
Supply-chain management is especially complex because its processes involve businesses outside the enterprise. Supply-chain management requires changes in the way people work both in the enterprise and in your network of partners and suppliers. Only the largest and most-powerful companies can force such radical changes on their network. Most companies will have to negotiate with their suppliers to adopt and collaborate.

Managing Internal Expectations
Changing the way your employees do things may be an even tougher sell than changing your external suppliers. People are resistant to change, whether it's the way they answer phones, file papers, or fax documents. A convincing case must be presented, otherwise people will continue doing things as before in spite of the new software.

Managing The Learning Period
Like all IT applications, supply-chain-management software will only process data it's given. It cannot instantly absorb the history of the company. There may be a lag of several months before forecasters and planners start receiving beneficial data. Their expectations need to be managed, otherwise forecasters and planners will stop trusting and using the system.

  • A corporate training and education program should emphasize how the supply-chain-management software can help integrate business processes to make efficient use of time, materials, and capital.

  • An early emphasis on data quality and system management must be supported by adequate resources.

  • A continuous dialogue with the process owners and implementation teams needs to be maintained in order to avoid failure.

  • Active participation and a voice in the project by users should be encouraged.

  • Customer and partner satisfaction metrics should be published to show the benefits of supply-chain management.

Another success factor is picking the right approach for your particular situation. If your analysis of your current supply chain reveals varied and complex business processes, your approach should be to first implement realistic components, then bring together the whole supply-chain-management system over a period of time. If the processes are simple, then a comprehensive implementation may begin at once.

Supply-chain management, if properly implemented, brings enormous benefits, but they come at a significant price and risk. Before approaching a supply-chain-management implementation, the appropriate project and business risks should be studied and managed closely.

Driving Business Value
A supply-chain-management implementation can improve customer and supplier satisfaction, as well as save time and money, factors that significantly increase corporate value.

Advancing Your Career
A successful supply-chain-management implementation should enhance your value to the business and provide you with expertise in new areas that can help advance your career.

- Humayun Beg

Question B: We run our own help desk and asset management and we outsource all hardware maintenance. How can we reduce our overall hardware maintenance costs?

Our advice: Across any platform, be it mainframe, server, or PC, computer hardware maintenance is often viewed by IT management as a necessary evil. Nobody likes to allocate money for failure, repair, or breakage, but everyone realizes that equipment will fail, and when it does it needs to be repaired. Yet one of the areas where a major impact can be made in controlling costs is in computer hardware maintenance.

The perceived value of a maintenance service contract is in providing long-term repair protection at a guaranteed cost. It offers a solution to high repair costs when maintenance is done on a time-and-material basis. It also represents the understanding that service technicians will be available to answer your service call within a given response time.

Maintenance services fall within any of four distinct classifications. The first two are in-warranty repair and out-of-warranty repair. To a maintenance service provider, minimizing in-warranty work (which is usually reimbursed at factory authorized rates) and maximizing out-of-warranty work (at rates set by the service provider) is a key element to maximizing profitability. For the IS department, minimizing the amount of out-of-warranty work done is one major way to control maintenance costs. The third type of maintenance is preventive maintenance, such as the inspection and cleaning of all laser printers every 60 days. The fourth type of maintenance is upgrade maintenance, such as adding memory to PCs.

Your organization can approach the deployment of this maintenance service function in one of two ways: internally with your own personnel or outsourced to a third-party maintenance provider. Companies having a homogeneous installed base of computer hardware may benefit from internalizing hardware maintenance. For most companies, especially for those with more than 1,000 PCs, the best approach to PC hardware maintenance is to go external. That way one doesn't need to maintain a skilled, in-house service staff.

Once the decision is made, the next step in reducing hardware-maintenance costs is to consider integrating several maintenance-related systems into a hardware-maintenance-management system. These systems include help-desk, asset-management, and call-management systems. The integration of two additional subsystems, the company's purchase-order system and office operations system, is also necessary to achieve optimum maintenance cost savings. How does this help lower costs? When a service support call comes in, an automated help-desk system should not only reference the caller's previous call history (through the call-management system) but also be able to list the technology hardware configuration (through a link to the asset-tracking system) and be able to reference the complete past maintenance history on the PC hardware and whether any preventive maintenance needs to be scheduled.

With the proper integration of a help desk, automated asset management, and call-management systems, IT management has the necessary tools to understand the company's technology infrastructure. The more familiar you are with the dynamics of your technology hardware base, the better you can manage and reduce your maintenance costs.

- Stephen Rood

Question C: We're considering setting up our own IT-abuse investigations group. What issues should we consider in making this decision?

Our advice: Electronic discovery and forensic analysis of Internet traffic dominate the landscape in both the public and private sectors. While public-sector law enforcement has benefited immensely from federally subsidized training during the last decade, the same isn't true for the private sector. As a result, corporate staffs tasked with investigating policy violations within their organizations seldom have formal investigative training in forensic techniques, especially identifying and analyzing computer-based evidence. As you can imagine, the likelihood that their efforts will fail is in direct relation to the number of things done wrong. In some cases, these missteps only result in a blown investigation; in other cases, they can result in significant lawsuits initiated by employees who allege their careers have been harmed in some manner by irresponsible actions. The top 25 reasons corporate IT-abuse investigations fail are:

  • Telling your executive VP such investigations can be done quickly and inexpensively.

  • Not having corporate counsel sign off on the equivalent of an in-house search warrant before searching network accounts and cubes or offices for evidence (both electronic and nonelectronic).

  • Conducting searches without a solid understanding of where employees do, and do not, have an expectation of privacy.

  • Misidentifying your policy violator and interviewing the wrong employee (during which you may imply they are a pervert or at the very least dishonest).

  • Allowing IT staff to "assist" with the technical aspects of the investigation. (Remember what happens when the fox gets to guard the hen house?)

  • Allowing investigations and analysis of E-mail and Internet activity to be used for witch hunts.

  • Not realizing that forensic standards for law enforcement and forensic standards for corporate investigators are significantly different.

  • Treating every investigation like it will be going to federal prosecution.

  • Not using an eyewitness or pinhole camera to tie your policy violator to the keyboard in question at the time of the original incident or when the incident reoccurs.

  • Failure to personally interview the policy violator, victim, complainant, witnesses, and peers in the incident under investigation.

  • Allowing human resources to participate in the technical investigation before the employee interview. (Can you say leak?)

  • Failure to follow a reasonable "chain of custody" procedure when handling evidence.

  • Not being able to describe/define the process used to discover and acquire evidence to senior management in terms they can understand.

  • Improper storage of evidence (not under monitored lock and key).

  • Allowing unauthorized employees to examine the computer or evidence discovered such that allegations of evidence tampering can be made.

  • Not understanding the types and locations of potential logs containing evidence that are produced by security controls within your infrastructure.

  • Not understanding how easy it is to spoof MAC and IP addresses.

  • Analyzing the original evidence. (Use duplicate copies for this whenever possible.)

  • Not verifying who had access to computers where evidence has been discovered.

  • Failing to perform a complete virus/Trojan check on the evidence prior to analysis (avoiding the "someone else caused it" argument).

  • Not verifying that the timestamps of computers involved are accurate, making event correlation difficult to impossible.

  • Being unable to pay attention to boring, minute details (the ones that often end up cracking the case).

  • Deviating from accepted procedures while handling or examining evidence.

  • Not documenting ongoing discovery and analysis activities in a detailed log.

  • Being unable to get a signed, handwritten confession from your policy violator.

- Bill Spernow

Humayun Beg, TAC Thought Leader, has more than 18 years of extensive experience in business IT management, technology deployment, and risk management. He has significant experience in all aspects of systems management, software development, and project management and has held key positions in directing major IT initiatives and projects.

Stephen Rood, TAC Expert, has more than 24 years of experience in the IT field, specializing in developing and implementing strategic technology plans for organizations, as well as in senior project-management and help-desk operations review. His consulting experience has included being the chief technology planner in designing and then implementing a state-of-the-art emergency 911 call center for the city of Newark, N.J., and managing technology refreshes for a major nonprofit entertainment organization and for a large regional food broker. He's the author of the book "Computer Hardware Maintenance: An IS/IT Manager's Guide," which presents a model for hardware maintenance cost containment. He's a senior consultant with Strategic Technology in Scarsdale, N.Y.

Bill Spernow, TAC Expert, has more than 20 years of experience successfully mitigating internal and external events that threaten IT infrastructures. A Certified Information Systems Security Professional, he specializes in developing and implementing policies, procedures, security controls, and security-awareness training programs that not only work, but make sense to all involved. He also is a guest instructor for the Federal Law Enforcement Training Center and the University of New Haven.
