314 Part Two Information Technology Infrastructure
This PC has a biometric fin-
gerprint reader for fast yet
secure access to files and
networks. New models of
PCs are starting to use bio-
metric identification to
authenticate users.
stored profile of these characteristics to determine whether there are any dif-
ferences between these characteristics and the stored profile. If the two profiles
match, access is granted. Fingerprint and facial recognition technologies are
just beginning to be used for security applications, with many PC laptops
equipped with fingerprint identification devices and several models with built-
in webcams and face recognition software.
FIREWALLS, INTRUSION DETECTION SYSTEMS, AND
ANTIVIRUS SOFTWARE
Without protection against malware and intruders, connecting to the Internet
would be very dangerous. Firewalls, intrusion detection systems, and antivirus
software have become essential business tools.
Firewalls
Firewalls prevent unauthorized users from accessing private networks. A
firewall is a combination of hardware and software that controls the flow of
incoming and outgoing network traffic. It is generally placed between the
organization’s private internal networks and distrusted external networks, such
as the Internet, although firewalls can also be used to protect one part of a com-
pany’s network from the rest of the network (see Figure 8-5).
The firewall acts like a gatekeeper who examines each user’s credentials
before access is granted to a network. The firewall identifies names, IP
addresses, applications, and other characteristics of incoming traffic. It checks
this information against the access rules that have been programmed into the
system by the network administrator. The firewall prevents unauthorized com-
munication into and out of the network.
In large organizations, the firewall often resides on a specially designated
computer separate from the rest of the network, so no incoming request
directly accesses private network resources. There are a number of firewall
screening technologies, including static packet filtering, stateful inspection,
Network Address Translation, and application proxy filtering. They are
frequently used in combination to provide firewall protection.
Chapter 8 Securing Information Systems 315
FIGURE 8-5 A CORPORATE FIREWALL
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unautho-
rized traffic.
Packet filtering examines selected fields in the headers of data packets flowing
back and forth between the trusted network and the Internet, examining indi-
vidual packets in isolation. This filtering technology can miss many types of
attacks. Stateful inspection provides additional security by determining whether
packets are part of an ongoing dialogue between a sender and a receiver. It sets
up state tables to track information over multiple packets. Packets are accepted
or rejected based on whether they are part of an approved conversation or
whether they are attempting to establish a legitimate connection.
Network Address Translation (NAT) can provide another layer of protection
when static packet filtering and stateful inspection are employed. NAT conceals
the IP addresses of the organization’s internal host computer(s) to prevent
sniffer programs outside the firewall from ascertaining them and using that
information to penetrate internal systems.
Application proxy filtering examines the application content of packets.
A proxy server stops data packets originating outside the organization, inspects
them, and passes a proxy to the other side of the firewall. If a user outside the
company wants to communicate with a user inside the organization, the
outside user first “talks” to the proxy application and the proxy application
communicates with the firm’s internal computer. Likewise, a computer user
inside the organization goes through the proxy to talk with computers on the
outside.
To create a good firewall, an administrator must maintain detailed internal
rules identifying the people, applications, or addresses that are allowed or
rejected. Firewalls can deter, but not completely prevent, network penetration
by outsiders and should be viewed as one element in an overall security plan.
316 Part Two Information Technology Infrastructure
Intrusion Detection Systems
In addition to firewalls, commercial security vendors now provide intrusion
detection tools and services to protect against suspicious network traffic and
attempts to access files and databases. Intrusion detection systems feature
full-time monitoring tools placed at the most vulnerable points or “hot spots” of
corporate networks to detect and deter intruders continually. The system gen-
erates an alarm if it finds a suspicious or anomalous event. Scanning software
looks for patterns indicative of known methods of computer attacks, such as
bad passwords, checks to see if important files have been removed or modified,
and sends warnings of vandalism or system administration errors. Monitoring
software examines events as they are happening to discover security attacks in
progress. The intrusion detection tool can also be customized to shut down a
particularly sensitive part of a network if it receives unauthorized traffic.
Antivirus and Antispyware Software
Defensive technology plans for both individuals and businesses must include
antivirus protection for every computer. Antivirus software is designed to
check computer systems and drives for the presence of computer viruses.
Often the software eliminates the virus from the infected area. However, most
antivirus software is effective only against viruses already known when the
software was written. To remain effective, the antivirus software must be con-
tinually updated. Antivirus products are available for many different types of
mobile and handheld devices in addition to servers, workstations, and desktop
PCs.
Leading antivirus software vendors, such as McAfee, Symantec, and Trend
Micro, have enhanced their products to include protection against spyware.
Antispyware software tools such as Ad-Aware, Spybot S&D, and Spyware Doctor
are also very helpful.
Unified Threat Management Systems
To help businesses reduce costs and improve manageability, security vendors
have combined into a single appliance various security tools, including fire-
walls, virtual private networks, intrusion detection systems, and Web content
filtering and antispam software. These comprehensive security management
products are called unified threat management (UTM) systems. Although
initially aimed at small and medium-sized businesss, UTM products are avail-
able for all sizes of networks. Leading UTM vendors include Crossbeam,
Fortinent, and Check Point, and networking vendors such as Cisco Systems and
Juniper Networks provide some UTM capabilities in their equipment.
SECURING WIRELESS NETWORKS
Despite its flaws, WEP provides some margin of security if Wi-Fi users remem-
ber to activate it. A simple first step to thwart hackers is to assign a unique
name to your network’s SSID and instruct your router not to broadcast it.
Corporations can further improve Wi-Fi security by using it in conjunction with
virtual private network (VPN) technology when accessing internal corporate
data.
In June 2004, the Wi-Fi Alliance industry trade group finalized the 802.11i
specification (also referred to as Wi-Fi Protected Access 2 or WPA2) that
replaces WEP with stronger security standards. Instead of the static encryption
keys used in WEP, the new standard uses much longer keys that continually
change, making them harder to crack. It also employs an encrypted authentica-
Chapter 8 Securing Information Systems 317
tion system with a central authentication server to ensure that only authorized
users access the network.
ENCRYPTION AND PUBLIC KEY INFRASTRUCTURE
Many businesses use encryption to protect digital information that they store,
physically transfer, or send over the Internet. Encryption is the process of
transforming plain text or data into cipher text that cannot be read by anyone
other than the sender and the intended receiver. Data are encrypted by using a
secret numerical code, called an encryption key, that transforms plain data into
cipher text. The message must be decrypted by the receiver.
Two methods for encrypting network traffic on the Web are SSL and S-HTTP.
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS)
enable client and server computers to manage encryption and decryption
activities as they communicate with each other during a secure Web session.
Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for
encrypting data flowing over the Internet, but it is limited to individual
messages, whereas SSL and TLS are designed to establish a secure connection
between two computers.
The capability to generate secure sessions is built into Internet client
browser software and servers. The client and the server negotiate what key and
what level of security to use. Once a secure session is established between the
client and the server, all messages in that session are encrypted.
There are two alternative methods of encryption: symmetric key encryption
and public key encryption. In symmetric key encryption, the sender and
receiver establish a secure Internet session by creating a single encryption key
and sending it to the receiver so both the sender and receiver share the same
key. The strength of the encryption key is measured by its bit length. Today, a
typical key will be 128 bits long (a string of 128 binary digits).
The problem with all symmetric encryption schemes is that the key itself
must be shared somehow among the senders and receivers, which exposes the
key to outsiders who might just be able to intercept and decrypt the key. A
more secure form of encryption called public key encryption uses two keys:
one shared (or public) and one totally private as shown in Figure 8-6. The keys
are mathematically related so that data encrypted with one key can be
decrypted using only the other key. To send and receive messages, communi-
FIGURE 8-6 PUBLIC KEY ENCRYPTION
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock
the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message
is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private
key to decrypt the data and read the message.
318 Part Two Information Technology Infrastructure
cators first create separate pairs of private and public keys. The public key is
kept in a directory and the private key must be kept secret. The sender
encrypts a message with the recipient’s public key. On receiving the message,
the recipient uses his or her private key to decrypt it.
Digital certificates are data files used to establish the identity of users and
electronic assets for protection of online transactions (see Figure 8-7). A digital
certificate system uses a trusted third party, known as a certificate authority
(CA, or certification authority), to validate a user’s identity. There are many
CAs in the United States and around the world, including VeriSign, IdenTrust,
and Australia’s KeyPost.
The CA verifies a digital certificate user’s identity offline. This information
is put into a CA server, which generates an encrypted digital certificate
containing owner identification information and a copy of the owner’s public
key. The certificate authenticates that the public key belongs to the desig-
nated owner. The CA makes its own public key available publicly either in
print or perhaps on the Internet. The recipient of an encrypted message uses
the CA’s public key to decode the digital certificate attached to the message,
verifies it was issued by the CA, and then obtains the sender’s public key and
identification information contained in the certificate. Using this information,
the recipient can send an encrypted reply. The digital certificate system
would enable, for example, a credit card user and a merchant to validate that
their digital certificates were issued by an authorized and trusted third party
before they exchange data. Public key infrastructure (PKI), the use of pub-
lic key cryptography working with a CA, is now widely used in e-commerce.
ENSURING SYSTEM AVAILABILITY
As companies increasingly rely on digital networks for revenue and operations,
they need to take additional steps to ensure that their systems and applications
FIGURE 8-7 DIGITAL CERTIFICATES
Digital certificates help establish the identity of people or electronic assets. They protect online
transactions by providing secure, encrypted, online communication.
Chapter 8 Securing Information Systems 319
are always available. Firms such as those in the airline and financial services
industries with critical applications requiring online transaction processing
have traditionally used fault-tolerant computer systems for many years to
ensure 100-percent availability. In online transaction processing, transac-
tions entered online are immediately processed by the computer.
Multitudinous changes to databases, reporting, and requests for information
occur each instant.
Fault-tolerant computer systems contain redundant hardware, software,
and power supply components that create an environment that provides
continuous, uninterrupted service. Fault-tolerant computers use special soft-
ware routines or self-checking logic built into their circuitry to detect hardware
failures and automatically switch to a backup device. Parts from these comput-
ers can be removed and repaired without disruption to the computer system.
Fault tolerance should be distinguished from high-availability computing.
Both fault tolerance and high-availability computing try to minimize downtime.
Downtime refers to periods of time in which a system is not operational.
However, high-availability computing helps firms recover quickly from a
system crash, whereas fault tolerance promises continuous availability and the
elimination of recovery time altogether.
High-availability computing environments are a minimum requirement for
firms with heavy e-commerce processing or for firms that depend on digital
networks for their internal operations. High-availability computing requires
backup servers, distribution of processing across multiple servers, high-capacity
storage, and good disaster recovery and business continuity plans. The firm’s
computing platform must be extremely robust with scalable processing power,
storage, and bandwidth.
Researchers are exploring ways to make computing systems recover even
more rapidly when mishaps occur, an approach called recovery-oriented
computing. This work includes designing systems that recover quickly, and
implementing capabilities and tools to help operators pinpoint the sources of
faults in multi-component systems and easily correct their mistakes.
Controlling Network Traffic: Deep Packet Inspection
Have you ever tried to use your campus network and found it was very slow? It
may be because your fellow students are using the network to download music or
watch YouTube. Bandwith-consuming applications such as file-sharing programs,
Internet phone service, and online video are able to clog and slow down corporate
networks, degrading performance. For example, Ball Sate University in Muncie,
Indiana, found its network had slowed because a small minority of students were
using peer-to-peer file-sharing programs to download movies and music.
A technology called deep packet inspection (DPI) helps solve this
problem. DPI examines data files and sorts out low-priority online material
while assigning higher priority to business-critical files. Based on the priorities
established by a network’s operators, it decides whether a specific data packet
can continue to its destination or should be blocked or delayed while more
important traffic proceeds. Using a DPI system from Allot Communications,
Ball State was able to cap the amount of file-sharing traffic and assign it a much
lower priority. Ball State’s preferred network traffic speeded up.
Security Outsourcing
Many companies, especially small businesses, lack the resources or expertise to
provide a secure high-availability computing environment on their own. They
can outsource many security functions to managed security service
320 Part Two Information Technology Infrastructure
providers (MSSPs) that monitor network activity and perform vulnerability
testing and intrusion detection. SecureWorks, BT Managed Security Solutions
Group, and Symantec are leading providers of MSSP services.
SECURITY ISSUES FOR CLOUD COMPUTING AND THE
MOBILE DIGITAL PLATFORM
Although cloud computing and the emerging mobile digital platform have the
potential to deliver powerful benefits, they pose new challenges to system
security and reliability. We now describe some of these challenges and how
they should be addressed.
Security in the Cloud
When processing takes place in the cloud, accountability and responsibility for
protection of sensitive data still reside with the company owning that data.
Understanding how the cloud computing provider organizes its services and
manages the data is critical. The Interactive Session on Technology details
some of the cloud security issues that should be addressed.
Cloud users need to confirm that regardless of where their data are stored or
transferred, they are protected at a level that meets their corporate require-
ments. They should stipulate that the cloud provider store and process data in
specific jurisdictions according to the privacy rules of those jurisdictions. Cloud
clients should find how the cloud provider segregates their corporate data from
those of other companies and ask for proof that encryption mechanisms are
sound. It’s also important to know how the cloud provider will respond if a
disaster strikes, whether the provider will be able to completely restore your
data, and how long this should take. Cloud users should also ask whether cloud
providers will submit to external audits and security certifications. These kinds
of controls can be written into the service level agreement (SLA) before to
signing with a cloud provider.
Securing Mobile Platforms
If mobile devices are performing many of the functions of computers, they
need to be secured like desktops and laptops against malware, theft, accidental
loss, unauthorized access, and hacking attempts. Mobile devices accessing
corporate systems and data require special protection.
Companies should make sure that their corporate security policy includes
mobile devices, with additional details on how mobile devices should be sup-
ported, protected, and used. They will need tools to authorize all devices in use; to
maintain accurate inventory records on all mobile devices, users, and applications;
to control updates to applications; and to lock down lost devices so they can’t be
compromised. Firms should develop guidelines stipulating approved mobile plat-
forms and software applications as well as the required software and procedures
for remote access of corporate systems. Companies will need to ensure that all
smartphones are up to date with the latest security patches and antivirus/anti-
spam software, and they should encrypt communication whenever possible.
ENSURING SOFTWARE QUALITY
In addition to implementing effective security and controls, organizations can
improve system quality and reliability by employing software metrics and
rigorous software testing. Software metrics are objective assessments of the
system in the form of quantified measurements. Ongoing use of metrics allows
Chapter 8 Securing Information Systems 321
INTERACTIVE SESSION: TECHNOLOGY
HOW SECURE IS THE CLOUD? strict processes and guidelines for managing its data
centers. “We know our data are in the U.S. and we
New York-based investment banking and financial have a report on the very data centers that we’re
services firm Cowen and Co. has moved its global talking about, “ says Flax.
sales systems to the cloud using Salesforce.com. So
far, Cowen’s CIO Daniel Flax is pleased. Using cloud Another alternative is to use a cloud provider that
services has helped the company lower upfront tech- give subscribers the option to choose where their
nology costs, decrease downtime and support addi- cloud computing work takes place. For example,
tional services. But he’s trying to come to grips with Terremark Worldwide Inc. is giving its subscriber
cloud security issues.Cloud computing is indeed Agora Games the option to choose where its
cloudy, and this lack of transparency is troubling to applications run. Terremark has a Miami facility but
many. is adding other locations. In the past, Agora had no
say over where Terremark hosted its applications
One of the biggest risks of cloud computing is that and data.
it is highly distributed. Cloud applications and appli-
cation mash-ups reside in virtual libraries in large Even if your data are totally secure in the cloud,
remote data centers and server farms that supply you may not be able to prove it. Some cloud
business services and data management for multiple providers don’t meet current compliance require-
corporate clients. To save money and keep costs low, ments regarding security, and some of those
cloud computing providers often distribute work to providers, such as Amazon, have asserted that they
data centers around the globe where work can be don’t intend to meet those rules and won’t allow
accomplished most efficiently. When you use the compliance auditors on-site.
cloud, you may not know precisely where your data
are being hosted, and you might not even know the There are laws restricting where companies can
country where they are being stored. send and store some types of information—person-
ally identifiable information in the European Union
The dispersed nature of cloud computing makes it (EU), government work in the United Sates or appli-
difficult to track unauthorized activity. Virtually all cations that employ certain encryption algorithms.
cloud providers use encryption, such as Secure Companies required to meet these regulations
Sockets Layer, to secure the data they handle while involving protected data either in the United States
the data are being transmitted. But if the data are or the EU won’t be able to use public cloud providers.
stored on devices that also store other companies’
data, it’s important to ensure these stored data are Some of these regulations call for proof that
encrypted as well. systems are securely managed, which may require
confirmation from an independent audit. Large
Indian Harvest Specialtifoods, a Bemidji, providers are unlikely to allow another company’s
Minnesota-based company that distributes rice, auditors to inspect their data centers. Microsoft found
grains, and legumes to restaurants worldwide, relies a way to deal with this problem that may be helpful.
on cloud software provider NetSuite to ensure that its The company reduced 26 different types of audits to
data sent to the cloud are fully protected. Mike a list of 200 necessary controls for meeting compli-
Mullin, Indian Harvest’s IT director, feels that using ance standards that were applied to its data center
SSL (Secure Sockets Layer) to encrypt the data gives environments and services. Microsoft does not give
him some level of confidence that the data are every customer or auditor access to its data centers,
secure. He also points out that his company and but its compliance framework allows auditors to order
other users of cloud services need to pay attention to from a menu of tests and receive the results.
their own security practices, especially access
controls. “Your side of the infrastructure is just as Companies expect their systems to be running
vulnerable, if not more vulnerable, than the 24/7, but cloud providers haven’t always been able to
provider’s side,” he observes. provide this level of service. Millions of customers of
Salesforce.com suffered a 38-minute outage in early
One way to deal with these problems is to use a January 2009 and others several years earlier. The
cloud vendor that is a public company, which is January 2009 outage locked more than 900,000
required by law to disclose how it manages informa- subscribers out of crucial applications and data
tion. Salesforce.com meets this requirement, with
322 Part Two Information Technology Infrastructure Mirrorforce technology, a mirroring system that cre-
ates a duplicate database in a separate location and
needed to transact business with customers. More synchronizes the data instantaneously. If one data-
than 300,000 customers using Intuit’s online network base is disabled, the other takes over. Salesforce.com
of small business aplications were unable to access added two data centers on the East and West coasts
these services for two days in June 2010 following a in addition to its Silicon Valley facility. The company
power outage. distributed processing for its larger customers among
these centers to balance its database load.
Agreements for services such as Amazon EC2 and
Microsoft Azure state that these companies are not Sources: Seth Fineberg, “A Shadow on the Cloud?” Information
going to be held liable for data losses or fines or Management, August, 2010; Ellen Messmer, “Secrecy of Cloud
other legal penalties when companies use their Computing Providers Raises IT Security Risks,” IT World, July 13,
services. Both vendors offer guidance on how to use 2010; John Edwards, “Cutting Through the Fog of Cloud Security,”
their cloud platforms securely, and they may still be Computerworld, February 23, 2009; Wayne Rash, “Is Cloud
able to protect data better than some companies’ Computing Secure? Prove It,” eWeek, September 21, 2009; Robert
home-grown facilities. Lemos, ”Five Lessons from Microsoft on Cloud Security,”
Computerworld, August 25, 2009; and Mike Fratto, “Cloud Control,”
Salesforce.com had been building up and Information Week, January 26, 2009.
redesigning its infrastructure to ensure better
service. The company invested $50 million in
CASE STUDY QUESTIONS MIS IN ACTION
1. What security and control problems are described Go to www.trust.salesforce.com, then answer the
in this case? following questions:
2. What people, organization, and technology factors 1. Click on Security and describe Salesforce.com’s
contribute to these problems? security provisions. How helpful are these?
3. How secure is cloud computing? Explain your 2. Click on Best Practices and describe what
answer. subscribing companies can do to tighten security.
How helpful are these guidelines?
4. If you were in charge of your company’s informa-
tion systems department, what issues would you 3. If you ran a business, would you feel confident
want to clarify with prospective vendors? about using Salesforce.com’s on-demand service?
Why or why not?
5. Would you entrust your corporate systems to a
cloud computing provider? Why or why not?
the information systems department and end users to jointly measure the
performance of the system and identify problems as they occur. Examples of
software metrics include the number of transactions that can be processed in a
specified unit of time, online response time, the number of payroll checks
printed per hour, and the number of known bugs per hundred lines of program
code. For metrics to be successful, they must be carefully designed, formal,
objective, and used consistently.
Early, regular, and thorough testing will contribute significantly to system
quality. Many view testing as a way to prove the correctness of work they have
done. In fact, we know that all sizable software is riddled with errors, and we
must test to uncover these errors.
Good testing begins before a software program is even written by using a
walkthrough—a review of a specification or design document by a small group
of people carefully selected based on the skills needed for the particular objec-
tives being tested. Once developers start writing software programs, coding
walkthroughs also can be used to review program code. However, code must
Chapter 8 Securing Information Systems 323
be tested by computer runs. When errors are discovered, the source is found
and eliminated through a process called debugging. You can find out more
about the various stages of testing required to put an information system into
operation in Chapter 13. Our Learning Tracks also contain descriptions of
methodologies for developing software programs that also contribute to
software quality.
8.5 HANDS-ON MIS PROJECTS
The projects in this section give you hands-on experience analyzing security
vulnerabilities, using spreadsheet software for risk analysis, and using Web
tools to research security outsourcing services.
Management Decision Problems
1. K2 Network operates online game sites used by about 16 million people in over
100 countries. Players are allowed to enter a game for free, but must buy digital
“assets” from K2, such as swords to fight dragons, if they want to be deeply
involved. The games can accommodate millions of players at once and are
played simultaneously by people all over the world. Prepare a security analysis
for this Internet-based business. What kinds of threats should it anticipate?
What would be their impact on the business? What steps can it take to prevent
damage to its Web sites and continuing operations?
2. A survey of your firm’s information technology infrastructure has produced the
following security analysis statistics:
SECURITY VULNERABILITIES BY TYPE OF COMPUTING PLATFORM
PLATFORM NUMBER OF HIGH RISK MEDIUM LOW TOTAL
COMPUTERS RISK RISK VULNERABILITIES
Windows Server (corporate applications) 11
Windows 7 Enterprise (high-level administrators) 1 56 37 19
Linux (e-mail and printing services) 3 3 242 87
Sun Solaris (Unix) (E-commerce and Web servers) 1 12 154 98
Windows 7 Enterprise user desktops and laptops 2 14 299 78
with office productivity tools that can also be linked to 195 16 1,237
the corporate network running corporate applications
and intranet
High risk vulnerabilities include non-authorized users accessing applica-
tions, guessable passwords, user names matching the password, active user
accounts with missing passwords, and the existence of unauthorized programs
in application systems.
Medium risk vulnerabilities include the ability of users to shut down the
system without being logged on, passwords and screen saver settings that were
324 Part Two Information Technology Infrastructure
not established for PCs, and outdated versions of software still being stored on
hard drives.
Low risk vulnerabilities include the inability of users to change their
passwords, user passwords that have not been changed periodically, and pass-
words that were smaller than the minimum size specified by the company.
• Calculate the total number of vulnerabilities for each platform. What is the
potential impact of the security problems for each computing platform on
the organization?
• If you only have one information systems specialist in charge of security,
which platforms should you address first in trying to eliminate these vulnera-
bilities? Second? Third? Last? Why?
• Identify the types of control problems illustrated by these vulnerabilities and
explain the measures that should be taken to solve them.
• What does your firm risk by ignoring the security vulnerabilities identified?
Improving Decision Making: Using Spreadsheet
Software to Perform a Security Risk Assessment
Software skills: Spreadsheet formulas and charts
Business skills: Risk assessment
This project uses spreadsheet software to calculate anticipated annual losses
from various security threats identified for a small company.
Mercer Paints is a small but highly regarded paint manufacturing company
located in Alabama. The company has a network in place linking many of its
business operations. Although the firm believes that its security is adequate, the
recent addition of a Web site has become an open invitation to hackers.
Management requested a risk assessment. The risk assessment identified a
number of potential exposures. These exposures, their associated probabilities,
and average losses are summarized in the following table.
MERCER PAINTS RISK ASSESSMENT
EXPOSURE PROBABILITY OF OCCURRENCE AVERAGE LOSS
Malware attack 60% $75,000
Data loss 12% $70,000
Embezzlement 3% $30,000
User errors 95% $25,000
$90,000
Threats from hackers 95% $5,000
Improper use by employees 5% $300,000
Power failure 15%
• In addition to the potential exposures listed, you should identify at least
three other potential threats to Mercer Paints, assign probabilities, and
estimate a loss range.
• Use spreadsheet software and the risk assessment data to calculate the
expected annual loss for each exposure.
• Present your findings in the form of a chart. Which control points have the
greatest vulnerability? What recommendations would you make to Mercer
Paints? Prepare a written report that summarizes your findings and
recommendations.
Chapter 8 Securing Information Systems 325
Improving Decision Making: Evaluating Security
Outsourcing Services
Software skills: Web browser and presentation software
Business skills: Evaluating business outsourcing services
Businesses today have a choice of whether to outsource the security function or
maintain their own internal staff for this purpose. This project will help
develop your Internet skills in using the Web to research and evaluate security
outsourcing services.
As an information systems expert in your firm, you have been asked to help
management decide whether to outsource security or keep the security
function within the firm. Search the Web to find information to help you
decide whether to outsource security and to locate security outsourcing
services.
• Present a brief summary of the arguments for and against outsourcing
computer security for your company.
• Select two firms that offer computer security outsourcing services, and
compare them and their services.
• Prepare an electronic presentation for management summarizing your
findings. Your presentation should make the case on whether or not your
company should outsource computer security. If you believe your
company should outsource, the presentation should identify which
security outsourcing service should be selected and justify your selection.
LEARNING TRACK MODULES
The following Learning Tracks provide content relevant to topics covered in
this chapter:
1. The Booming Job Market in IT Security
2. The Sarbanes-Oxley Act
3. Computer Forensics
4. General and Application Controls for Information Systems
5. Management Challenges of Security and Control
6. Software Vulnerability and Reliability
326 Part Two Information Technology Infrastructure
Review Summary
1. Why are information systems vulnerable to destruction, error, and abuse?
Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software failures.
The Internet is designed to be an open system and makes internal corporate systems more vulnera-
ble to actions from outsiders. Hackers can unleash denial-of-service (DoS) attacks or penetrate cor-
porate networks, causing serious system disruptions. Wi-Fi networks can easily be penetrated by
intruders using sniffer programs to obtain an address to access the resources of the network.
Computer viruses and worms can disable systems and Web sites. The dispersed nature of cloud com-
puting makes it difficult to track unauthorized activity or to apply controls from afar. Software pre-
sents problems because software bugs may be impossible to eliminate and because software vulner-
abilities can be exploited by hackers and malicious software. End users often introduce errors.
2. What is the business value of security and control?
Lack of sound security and control can cause firms relying on computer systems for their core
business functions to lose sales and productivity. Information assets, such as confidential employee
records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders or
if they expose the firm to legal liability. New laws, such as HIPAA, the Sarbanes-Oxley Act, and the
Gramm-Leach-Bliley Act, require companies to practice stringent electronic records management
and adhere to strict standards for security, privacy, and control. Legal actions requiring electronic
evidence and computer forensics also require firms to pay more attention to security and electronic
records management.
3. What are the components of an organizational framework for security and control?
Firms need to establish a good set of both general and application controls for their information
systems. A risk assessment evaluates information assets, identifies control points and control
weaknesses, and determines the most cost-effective set of controls. Firms must also develop a coher-
ent corporate security policy and plans for continuing business operations in the event of disaster or
disruption. The security policy includes policies for acceptable use and identity management.
Comprehensive and systematic MIS auditing helps organizations determine the effectiveness of
security and controls for their information systems.
4. What are the most important tools and technologies for safeguarding information resources?
Firewalls prevent unauthorized users from accessing a private network when it is linked to the
Internet. Intrusion detection systems monitor private networks from suspicious network traffic and
attempts to access corporate systems. Passwords, tokens, smart cards, and biometric authentication
are used to authenticate system users. Antivirus software checks computer systems for infections by
viruses and worms and often eliminates the malicious software, while antispyware software combats
intrusive and harmful spyware programs. Encryption, the coding and scrambling of messages, is a
widely used technology for securing electronic transmissions over unprotected networks. Digital
certificates combined with public key encryption provide further protection of electronic transac-
tions by authenticating a user’s identity. Companies can use fault-tolerant computer systems or cre-
ate high-availability computing environments to make sure that their information systems are always
available. Use of software metrics and rigorous software testing help improve software quality and
reliability.
Key Terms Click fraud, 302
Computer crime, 300
Acceptable use policy (AUP), 310 Computer forensics, 307
Antivirus software, 316 Computer virus, 296
Application controls, 308 Controls, 293
Authentication, 312 Cybervandalism, 298
Biometric authentication, 313 Deep packet inspection (DPI), 319
Botnet, 299 Denial-of-service (DoS) attack, 299
Bugs, 303
Business continuity planning, 311
Digital certificates, 318 Chapter 8 Securing Information Systems 327
Disaster recovery planning, 310
Distributed denial-of-service (DDoS) attack, 299 Pharming, 301
Downtime, 319 Phishing, 301
Encryption, 317 Public key encryption, 317
Evil twin, 301 Public key infrastructure (PKI), 318
Fault-tolerant computer systems, 319 Recovery-oriented computing, 319
Firewall, 314 Risk assessment, 309
General controls, 308 Sarbanes-Oxley Act, 306
Gramm-Leach-Bliley Act, 306 Secure Hypertext Transfer Protocol
Hacker, 298
High-availability computing, 319 (S-HTTP), 317
HIPAA, 306 Secure Sockets Layer (SSL), 317
Identity management, 310 Security, 293
Identity theft, 301 Security policy, 310
Intrusion detection systems, 316 SQL injection attack, 298
Keyloggers, 298 Smart card, 313
Malware, 296 Sniffer, 299
Managed security service providers Social engineering, 302
Spoofing, 299
(MSSPs), 319 Spyware, 298
MIS audit, 312 Token, 313
Online transaction processing, 319 Trojan horse, 298
Password, 313 Unified threat management (UTM), 316
Patches, 303 War driving, 295
Worms, 296
Review Questions • Describe the relationship between security
and control and recent U.S. government reg-
1. Why are information systems vulnerable to ulatory requirements and computer foren-
destruction, error, and abuse? sics.
• List and describe the most common threats 3. What are the components of an organizational
against contemporary information systems. framework for security and control?
• Define general controls and describe each type
• Define malware and distinguish among a of general control.
virus, a worm, and a Trojan horse. • Define application controls and describe each
type of application control.
• Define a hacker and explain how hackers • Describe the function of risk assessment and
create security problems and damage explain how it is conducted for information
systems. systems.
• Define and describe the following: security
• Define computer crime. Provide two exam- policy, acceptable use policy, and identity
ples of crime in which computers are targets management.
and two examples in which computers are • Explain how MIS auditing promotes security
used as instruments of crime. and control.
• Define identity theft and phishing and 4. What are the most important tools and technolo-
explain why identity theft is such a big prob- gies for safeguarding information resources?
lem today.
• Name and describe three authentication
• Describe the security and system reliability methods.
problems created by employees.
• Describe the roles of firewalls, intrusion
• Explain how software defects affect system detection systems, and antivirus software in
reliability and security. promoting security.
2. What is the business value of security and
control?
• Explain how security and control provide
value for businesses.
328 Part Two Information Technology Infrastructure recovery planning and business continuity
planning.
• Explain how encryption protects information.
• Describe the role of encryption and digital • Identify and describe the security problems
posed by cloud computing.
certificates in a public key infrastructure.
• Distinguish between fault-tolerant and high- • Describe measures for improving software
quality and reliability.
availability computing, and between disaster
Discussion Questions Video Cases
1. Security isn’t simply a technology issue, it’s a Video Cases and Instructional Videos illustrating
business issue. Discuss. some of the concepts in this chapter are available.
Contact your instructor to access these videos.
2. If you were developing a business continuity plan
for your company, where would you start? What
aspects of the business would the plan address?
3. Suppose your business had an e-commerce Web
site where it sold goods and accepted credit card
payments. Discuss the major security threats to
this Web site and their potential impact. What can
be done to minimize these threats?
Collaboration and Teamwork: Evaluating Security Software Tools
With a group of three or four students, use the Web to Which is the best product? Why? If possible, use
research and evaluate security products from two Google Sites to post links to Web pages, team commu-
competing vendors, such as antivirus software, nication announcements, and work assignments; to
firewalls, or antispyware software. For each product, brainstorm; and to work collaboratively on project
describe its capabilities, for what types of businesses documents. Try to use Google Docs to develop a
it is best suited, and its cost to purchase and install. presentation of your findings for the class.
Chapter 8 Securing Information Systems 329
Are We Ready for Cyberwarfare?
CASE STUDY
F or most of us, the Internet is a tool we use The attacks were not sophisticated, but were
for e-mail, news, entertainment, socializing, widespread and prolonged, succeeding in slowing
and shopping. But for computer security down most of the U.S. sites and forcing several South
experts affiliated with government agencies Korean sites to stop operating. North Korea or
and private contractors, as well as their hacker coun- pro-North Korean groups were suspected to be
terparts from across the globe, the Internet has behind the attacks, but the Pyongyang government
become a battlefield—a war zone where cyberwar- denied any involvement.
fare is becoming more frequent and hacking tech-
niques are becoming more advanced. Cyberwarfare The lone positive from the attacks was that only
poses a unique and daunting set of challenges for the Web sites of these agencies were affected.
security experts, not only in detecting and prevent- However, other intrusions suggest that hackers
ing intrusions but also in tracking down perpetrators already have the potential for much more damaging
and bringing them to justice. acts of cyberwarfare. The Federal Aviation
Administration (FAA), which oversees the airline
Cyberwarfare can take many forms. Often, hack- activity of the United States, has already been subject
ers use botnets, massive networks of computers that to successful attacks on its systems, including one in
they control thanks to spyware and other malware, 2006 that partially shut down air-traffic data systems
to launch large-scale DDoS attacks on their target’s in Alaska.
servers. Other methods allow intruders to access
secure computers remotely and copy or delete e-mail In 2007 and 2008, computer spies broke into the
and files from the machine, or even to remotely Pentagon’s $300 billion Joint Strike Fighter project.
monitor users of a machine using more sophisticated Intruders were able to copy and siphon off several
software. For cybercriminals, the benefit of cyber- terabytes of data related to design and electronics
warfare is that they can compete with traditional systems, potentially making it easier to defend
superpowers for a fraction of the cost of, for example, against the fighter when it’s eventually produced.
building up a nuclear arsenal. Because more and The intruders entered through vulnerabilities of two
more modern technological infrastructure will rely or three contractors working on the fighter jet pro-
on the Internet to function, cyberwarriors will have ject. Fortunately, computers containing the most
no shortage of targets at which to take aim. sensitive data were not connected to the Internet,
and were therefore inaccessible to the intruders.
Cyberwarfare also involves defending against Former U.S. officials say that this attack originated in
these types of attacks. That’s a major focus of U.S. China, and that China had been making steady
intelligence agencies. While the U.S. is currently at progress in developing online-warfare techniques.
the forefront of cyberwarfare technologies, it’s China rebutted these claims, stating that the U.S.
unlikely to maintain technological dominance media was subscribing to outdated, Cold War-era
because of the relatively low cost of the technologies thinking in blaming them, and that Chinese hackers
needed to mount these types of attacks. were not skilled enough to perpetrate an attack of
that magnitude.
In fact, hackers worldwide have already begun
doing so in earnest. In July 2009, 27 American and In December 2009, hackers reportedly stole a
South Korean government agencies and other organi- classified PowerPoint slide file detailing U.S. and
zations were hit by a DDoS attack. An estimated South Korean strategy for fighting a war against
65,000 computers belonging to foreign botnets North Korea. In Iraq, insurgents intercepted Predator
flooded the Web sites with access requests. Affected drone feeds using software they had downloaded
sites included those of the White House, the from the Internet.
Treasury, the Federal Trade Commission, the Defense
Department, the Secret Service, the New York Stock Earlier that year, in April, cyberspies infiltrated
Exchange, and the Washington Post, in addition to the the U.S. electrical grid, using weak points where
Korean Defense Ministry, National Assembly, the computers on the grid are connected to the Internet,
presidential Blue House, and several others. and left behind software programs whose purpose is
unclear, but which presumably could be used to
disrupt the system. Reports indicated that the spies
330 Part Two Information Technology Infrastructure Lastly, many industry analysts are concerned that
the organization of our cybersecurity is messy, with
originated in computer networks in China and no clear leader among our intelligence agencies.
Russia. Again, both nations denied the charges. Several different agencies, including the Pentagon
and the NSA, have their sights on being the leading
In response to these and other intrusions, the agency in the ongoing efforts to combat cyberwar-
federal government launched a program called fare. In June 2009, Secretary of Defense Robert Gates
“Perfect Citizen” to detect cyberassaults on private ordered the creation of the first headquarters
companies running critical infrastructure. The U.S. designed to coordinate government cybersecurity
National Security Agency (NSA) plans to install sen- efforts, called Cybercom. Cybercom was activated in
sors in computer networks for critical infrastructure May 2010 with the goal of’ coordinating the operation
that would be activated by unusual activity signalling and protection of military and Pentagon computer
an impending cyberattack. The initial focus will be networks in the hopes of resolving this organiza-
older large computer control systems that have since tional tangle.
been linked to the Internet, making them more
vulnerable to cyber attack. NSA will likely start with In confronting this problem, one critical question
electric, nuclear, and air-traffic control systems with has arisen: how much control over enforcing cyber-
the greatest impact on national security. security should be given to American spy agencies,
since they are prohibited from acting on American
As of this writing, most federal agencies get soil? Cyberattacks know no borders, so distinguishing
passing marks for meeting the requirements of the between American soil and foreign soil means
Federal Information Security Management Act, the domestic agencies will be unnecessarily inhibited in
most recent set of standards passed into law. But as their ability to fight cybercrime. For example, if the
cyberwarfare technologies develop and become more NSA was investigating the source of a cyberattack on
advanced, the standards imposed by this legislation government Web sites, and determined that the
will likely be insufficient to defend against attacks. attack originated from American servers, under our
current laws, it would not be able to investigate
In each incident of cyberwarfare, the governments further.
of the countries suspected to be responsible have
roundly denied the charges with no repercussions. Some experts believe that there is no effective way
How could this be possible? The major reason is that for a domestic agency to conduct computer opera-
tracing identities of specific attackers through tions without entering prohibited networks within
cyberspace is next to impossible, making deniability the United States, or even conducting investigations
simple. in countries that are American allies. The NSA has
already come under heavy fire for its surveillance
The real worry for security experts and govern- actions after 9-11, and this has the potential to raise
ment officials is an act of cyberwar against a criti- similar privacy concerns. Preventing terrorist or
cal resource, such as the electric grid, financial sys- cyberwar attacks may require examining some
tem, or communications systems. First of all, the e-mail messages from other countries or giving intel-
U.S. has no clear policy about how the country ligence agencies more access to networks or Internet
would respond to that level of a cyberattack. service providers. There is a need for an open debate
Although the electric grid was accessed by hackers, about what constitutes a violation of privacy and
it hasn’t yet actually been attacked. A three-year what is acceptable during ‘cyber-wartime’, which is
study of U.S. cybersecurity recommended that such essentially all the time. The law may need to be
a policy be created and made public. It also sug- changed to accommodate effective cybersecurity
gested that the U.S. attempt to find common techniques, but it’s unclear that this can be done
ground with other nations to join forces in prevent- without eroding some privacy rights that we consider
ing these attacks. essential.
Secondly, the effects of such an attack would As for these offensive measures, it’s unclear as to
likely be devastating. Mike McConnell, the former how strong the United States’ offensive capabilities
director of national intelligence, stated that if even a for cyberwarfare are. The government closely guards
single large American bank were successfully this information, almost all of which is classified. But
attacked, “it would have an order-of-magnitude former military and intelligence officials indicate
greater impact on the global economy” than the that our cyberwarfare capabilities have dramatically
World Trade Center attacks, and that “the ability to increased in sophistication in the past year or two.
threaten the U.S. money supply is the equivalent of
today’s nuclear weapon.” Such an attack would have
a catastrophic effect on the U.S. financial system,
and by extension, the world economy.
And because tracking cybercriminals has proven so Chapter 8 Securing Information Systems 331
difficult, it may be that the best defense is a strong
offense. Hackers,” The Wall Street Journal, May 7, 2009; Thom Shanker,
“New Military Command for Cyberspace,” The New York Times,
Sources: “Cyber Task Force Passes Mission to Cyber June 24, 2009; David E. Sanger and Thom Shanker, “Pentagon
Command,”Defence Professionals, September 8, 2010; Siobhan Plans New Arm to Wage Wars in Cyberspace,” The New York Times,
Gorman, “U.S. Plans Cyber Shield for Utilities, Companies,” The May 29, 2009; Siobhan Gorman, August Cole, and Yochi Dreazen,
Wall Street Journal, July 8, 2010 and “U.S. Hampered in Fighting “Computer Spies Breach Fighter-Jet Project,” The Wall Street
Cyber Attacks, Report Says,” The Wall Street Journal, June, 16, 2010; Journal, April 21, 2009; Siobhan Gorman, “Electricity Grid in U.S.
Siobhan Gorman, Yochi Dreazen and August Cole, “Drone Breach Penetrated by Spies,” The Wall Street Journal, April 8, 2009; “Has
Stirs Calls to Fill Cyber Post,” The Wall Street Journal, December 21, Power Grid Been Hacked? U.S. Won’t Say,” Reuters, April 8, 2009;
2009; Sean Gallagher, “New Threats Compel DOD to Rethink Markoff, John, “Vast Spy System Loots Computers in 103
Cyber Strategy,” Defense Knowledge Technologies and Net-Enabled Countries.” The New York Times, March 29, 2009; Markoff, John,
Warfare, January 22, 2010; Lance Whitney, Cyber Command Chief “Tracking Cyberspies Through the Web Wilderness,” The New York
Details Threat to U.S.,” Military Tech, August 5, 2010; Hoover, J. Times, May 12, 2009.
Nicholas, “Cybersecurity Balancing Act,” Information Week, April
27, 2009; David E. Sanger, John Markoff, and Thom Shanker, “U.S. CASE STUDY QUESTIONS
Steps Up Effort on Digital Defenses,” The New York Times, April
28, 2009; John Markoff and Thom Shanker. “Panel Advises 1. Is cyberwarfare a serious problem? Why or why
Clarifying U.S. Plans on Cyberwar,” The New York Times, April 30, not?
2009; Siobhan Gorman and Evan Ramstad, “Cyber Blitz Hits U.S.,
Korea,” The Wall Street Journal, July 9, 2009; Lolita C. Baldor, 2. Assess the management, organization, and tech-
“White House Among Targets of Sweeping Cyber Attack,” nology factors that have created this problem.
Associated Press, July 8, 2009; Choe Sang-Hun, “Cyberattacks Hit
U.S. and South Korean Web Sites,” The New York Times, July 9, 3. What solutions have been proposed? Do you think
2009; Siobhan Gorman, “FAA’s Air-Traffic Networks Breached by they will be effective? Why or why not?
4. Are there other solutions for this problem that
should be pursued? What are they?
This page intentionally left blank
PART THREE
Key System Applications
for the Digital Age
Chapter 9 Chapter 11
Achieving Operational Excellence and Managing Knowledge
Customer Intimacy: Enterprise
Applications Chapter 12
Chapter 10 Enhancing Decision Making
E-Commerce: Digital Markets,
Digital Goods
Part Three examines the core information system applications businesses are using
today to improve operational excellence and decision making. These applications
include enterprise systems; systems for supply chain management, customer rela-
tionship management, collaboration, and knowledge management; e-commerce
applications; and decision-support systems. This part answers questions such as:
How can enterprise applications improve business performance? How do firms use
e-commerce to extend the reach of their businesses? How can systems improve col-
laboration and decision making and help companies make better use of their knowl-
edge assets?
Chapter 9
Achieving Operational Excellence
and Customer Intimacy: Enterprise
Applications
LEARNING OBJECTIVESS CHAPTER OUTLINE
After reading this chapter,
you will be able to answer 9.1 ENTERPRISE SYSTEMS
the following questions: What Are Enterprise Systems?
Enterprise Software
1. How do enterprise systems help Business Value of Enterprise Systems
businesses achieve operational
excellence? 9.2 SUPPLY CHAIN MANAGEMENT SYSTEMS
The Supply Chain
2. How do supply chain management Information Systems and Supply Chain
systems coordinate planning, Management
production, and logistics with Supply Chain Management Applications
suppliers? Global Supply Chains and the Internet
Business Value of Supply Chain Management
3. How do customer relationship Systems
management systems help firms
achieve customer intimacy? 9.3 CUSTOMER RELATIONSHIP MANAGEMENT
SYSTEMS
4. What are the challenges posed by What Is Customer Relationship Management?
enterprise applications? Customer Relationship Management Software
Operational and Analytical CRM
5. How are enterprise applications Business Value of Customer Relationship
used in platforms for new Management Systems
cross-functional services?
9.4 ENTERPRISE APPLICATIONS: NEW
Interactive Sessions: OPPORTUNITIES AND CHALLENGES
Enterprise Application Challenges
Southwest Airlines Takes Off Next-Generation Enterprise Applications
with Better Supply Chain
Management 9.5 HANDS-ON MIS PROJECTS
Management Decision Problems
Enterprise Applications Move
to the Cloud Improving Decision Making: Using Database
Software to Manage Customer Service Requests
Improving Operational Excellence: Evaluating
Supply Chain Management Services
LEARNING TRACK MODULES
SAP Business Process Map
Business Processes in Supply Chain Management
and Supply Chain Metrics
Best-Practices Business Processes in CRM Software
.CANNONDALE LEARNS TO MANAGE A GLOBAL
SUPPLY CHAIN
I f you enjoy cycling, you may very well be using a Cannondale bicycle. Cannondale,
headquartered in Bethel, Connecticut, is the world-leading manufacturer of high-end
bicycles, apparel, footwear, and accessories, with dealers and distributors in more than
66 countries. Cannondale’s supply and distribution chains span the globe, and the
company must coordinate manufacturing, assembly, and sales/distribution sites in many
different countries. Cannondale produces more than 100 different bicycle models each year;
60 percent of these are newly introduced to meet ever-changing customer preferences.
Cannondale offers both make-to-stock and make-to-order models. A typical bicycle requires
a 150-day lead time and a four-week manufacturing window, and some models have bills of
materials with over 150 parts. (A bill of materials specifies the raw materials, assemblies,
components, parts, and quantities of each needed to manufacture a final product.)
Cannondale must manage more than 1 million of these bills of materials and more than
200,000 individual parts. Some of these parts come from specialty vendors with even longer
lead times and limited production capacity.
Obviously, managing parts availability in a constantly changing product line impacted by
volatile customer demand requires a great deal of manufacturing flexibility. Until recently,
that flexibility was missing. Cannondale had an antiquated legacy material requirements
planning system for planning production, controlling inventory, and managing manufacturing
processes that could only produce reports on a weekly basis. By Tuesday afternoon, Monday’s
reports were already out of date. The company was forced to substitute parts in order to meet
demand, and sometimes it lost sales. Cannondale needed a solution that could track the flow
of parts more accurately, support its need for flexibility, and work with its existing business
systems, all within a restricted budget.
Cannondale selected the Kinaxis RapidResponse on-demand software service as a solution.
RapidResponse furnishes accurate and detailed supply chain information via an easy-to-use
spreadsheet interface, using data supplied automatically from Cannondale’s existing manufac-
turing systems. Data from operations at multiple sites are assembled in a single place for
analysis and decision making. Supply chain participants from different locations are able to
model manufacturing and inventory data in “what-if” scenarios to see the impact of alternative
actions across the entire supply chain. Old forecasts can be compared to new ones, and the
system can evaluate the constraints of a new plan.
Cannondale buyers, plan-
ners, master schedulers,
sourcers, product managers,
customer service, and finance
personnel, use RapidResponse
for sales reporting, forecasting,
monitoring daily inventory
availability, and feeding pro-
duction schedule information
to Cannondale’s manufactur-
ing and order processing
systems. Users are able to see
up-to-date information for all
sites. Management uses the
system daily to examine areas
where there are backlogs.
335
336 Part Three Key System Applications for the Digital Age
The improved supply chain information from RapidResponse enables
Cannondale to respond to customer orders much more rapidly with lower
levels of inventory and safety stock. Cycle times and lead times for producing
products have also been reduced. The company’s dates for promising deliveries
are more reliable and accurate.
Sources: Kinaxis Corp., “Cannondale Improves Customer Response Times While Reducing
Inventory Using RapidResponse,” 2010; www.kinaxis.com, accessed June 21, 2010; and
www.cannondale.com, accessed June 21, 2010.
Cannondale’s problems with its supply chain illustrate the critical role of
supply chain management (SCM) systems in business. Cannondale’s
business performance was impeded because it could not coordinate its sourc-
ing, manufacturing, and distribution processes. Costs were unnecessarily high
because the company was unable to accurately determine the exact amount of
each product it needed to fulfill orders and hold just that amount in inventory.
Instead, the company resorted to keeping extra “safety stock” on hand “just in
case.” When products were not available when the customer wanted them,
Cannondale lost sales.
The chapter-opening diagram calls attention to important points raised by
this case and this chapter. Like many other firms, Cannondale had a complex
supply chain and manufacturing processes to coordinate in many different
locations. The company had to deal with hundreds and perhaps thousands of
suppliers of parts and raw materials. It was not always possible to have just the
right amount of each part or component available when it was needed because
the company lacked accurate, up-to-date information about parts in inventory
and what manufacturing processes needed those parts.
An on-demand supply chain management software service from Kinaxis
helped solve this problem. The Kinaxis RapidResponse software takes in data
from Cannondale’s existing manufacturing systems and assembles data from
multiple sites to furnish a single view of Cannondale’s supply chain based on up-
to-date information. Cannondale staff are able to see exactly what parts are avail-
able or on order as well as the status of bikes in production. With better tools for
planning, users are able to see the impact of changes in supply and demand so
that they can make better decisions about how to respond to these changes. The
system has greatly enhanced operational efficiency and decision making.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 337
9.1 ENTERPRISE SYSTEMS
A round the globe, companies are increasingly becoming more
connected, both internally and with other companies. If you run a
business, you’ll want to be able to react instantaneously when a
customer places a large order or when a shipment from a supplier is
delayed. You may also want to know the impact of these events on every part of
the business and how the business is performing at any point in time,
especially if you’re running a large company. Enterprise systems provide the
integration to make this possible. Let’s look at how they work and what they
can do for the firm.
WHAT ARE ENTERPRISE SYSTEMS?
Imagine that you had to run a business based on information from tens or even
hundreds of different databases and systems, none of which could speak to one
another? Imagine your company had 10 different major product lines, each
produced in separate factories, and each with separate and incompatible sets of
systems controlling production, warehousing, and distribution.
At the very least, your decision making would often be based on manual hard-
copy reports, often out of date, and it would be difficult to really understand
what is happening in the business as a whole. Sales personnel might not be able
to tell at the time they place an order whether the ordered items are in inven-
tory, and manufacturing could not easily use sales data to plan for new produc-
tion. You now have a good idea of why firms need a special enterprise system to
integrate information.
Chapter 2 introduced enterprise systems, also known as enterprise resource
planning (ERP) systems, which are based on a suite of integrated software
modules and a common central database. The database collects data from many
different divisions and departments in a firm, and from a large number of key
business processes in manufacturing and production, finance and accounting,
sales and marketing, and human resources, making the data available for
applications that support nearly all of an organization’s internal business activi-
ties. When new information is entered by one process, the information is made
immediately available to other business processes (see Figure 9-1).
If a sales representative places an order for tire rims, for example, the system
verifies the customer’s credit limit, schedules the shipment, identifies the best
shipping route, and reserves the necessary items from inventory. If inventory
stock were insufficient to fill the order, the system schedules the manufacture of
more rims, ordering the needed materials and components from suppliers. Sales
and production forecasts are immediately updated. General ledger and
corporate cash levels are automatically updated with the revenue and cost infor-
mation from the order. Users could tap into the system and find out where that
particular order was at any minute. Management could obtain information at
any point in time about how the business was operating. The system could also
generate enterprise-wide data for management analyses of product cost and
profitability.
338 Part Three Key System Applications for the Digital Age
FIGURE 9-1 HOW ENTERPRISE SYSTEMS WORK
Enterprise systems feature a set of integrated software modules and a central database that enables
data to be shared by many different business processes and functional areas throughout the
enterprise.
ENTERPRISE SOFTWARE
Enterprise software is built around thousands of predefined business
processes that reflect best practices. Table 9-1 describes some of the major
business processes supported by enterprise software.
Companies implementing this software must first select the functions of the
system they wish to use and then map their business processes to the pre-
defined business processes in the software. (One of our Learning Tracks shows
how SAP enterprise software handles the procurement process for a new piece
of equipment.) Identifying the organization’s business processes to be included
in the system and then mapping them to the processes in the enterprise soft-
ware is often a major effort. A firm would use configuration tables provided by
the software to tailor a particular aspect of the system to the way it does busi-
ness. For example, the firm could use these tables to select whether it wants to
track revenue by product line, geographical unit, or distribution channel.
TABLE 9-1 BUSINESS PROCESSES SUPPORTED BY ENTERPRISE SYSTEMS
Financial and accounting processes, including general ledger, accounts payable, accounts receivable, fixed assets, cash management and
forecasting, product-cost accounting, cost-center accounting, asset accounting, tax accounting, credit management, and financial reporting.
Human resources processes, including personnel administration, time accounting, payroll, personnel planning and development, benefits
accounting, applicant tracking, time management, compensation, workforce planning, performance management, and travel expense reporting.
Manufacturing and production processes, including procurement, inventory management, purchasing, shipping, production planning, production
scheduling, material requirements planning, quality control, distribution, transportation execution, and plant and equipment maintenance.
Sales and marketing processes, including order processing, quotations, contracts, product configuration, pricing, billing, credit checking, incentive
and commission management, and sales planning.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 339
If the enterprise software does not support the way the organization does
business, companies can rewrite some of the software to support the way their
business processes work. However, enterprise software is unusually complex,
and extensive customization may degrade system performance, compromising
the information and process integration that are the main benefits of the
system. If companies want to reap the maximum benefits from enterprise
software, they must change the way they work to conform to the business
processes in the software. To implement a new enterprise system, Tasty Baking
Company identified its existing business processes and then translated them
into the business processes built into the SAP ERP software it had selected. To
ensure it obtained the maximum benefits from the enterprise software, Tasty
Baking Company deliberately planned for customizing less than 5 percent of
the system and made very few changes to the SAP software itself. It used as
many tools and features that were already built into the SAP software as it
could. SAP has more than 3,000 configuration tables for its enterprise software.
Leading enterprise software vendors include SAP, Oracle (with its acquisition
PeopleSoft) Infor Global Solutions, and Microsoft. There are versions of enter-
prise software packages designed for small businesses and on-demand versions,
including software services delivered over the Web (see the Interactive Session
on Technology in Section 9.4). Although initially designed to automate the
firm’s internal “back-office” business processes, enterprise systems have
become more externally-oriented and capable of communicating with cus-
tomers, suppliers, and other entities.
BUSINESS VALUE OF ENTERPRISE SYSTEMS
Enterprise systems provide value both by increasing operational efficiency and
by providing firm-wide information to help managers make better decisions.
Large companies with many operating units in different locations have used
enterprise systems to enforce standard practices and data so that everyone does
business the same way worldwide.
Coca Cola, for instance, implemented a SAP enterprise system to standardize
and coordinate important business processes in 200 countries. Lack of
standard, company-wide business processes prevented the company from
leveraging its worldwide buying power to obtain lower prices for raw materials
and from reacting rapidly to market changes.
Enterprise systems help firms respond rapidly to customer requests for
information or products. Because the system integrates order, manufacturing,
and delivery data, manufacturing is better informed about producing only what
customers have ordered, procuring exactly the right amount of components or
raw materials to fill actual orders, staging production, and minimizing the time
that components or finished products are in inventory.
Alcoa, the world’s leading producer of aluminum and aluminum products
with operations spanning 41 countries and 500 locations, had initially been orga-
nized around lines of business, each of which had its own set of information sys-
tems. Many of these systems were redundant and inefficient. Alcoa’s costs for
executing requisition-to-pay and financial processes were much higher and its
cycle times were longer than those of other companies in its industry. (Cycle
time refers to the total elapsed time from the beginning to the end of a process.)
The company could not operate as a single worldwide entity.
After implementing enterprise software from Oracle, Alcoa eliminated many
redundant processes and systems. The enterprise system helped Alcoa reduce
requisition-to-pay cycle time by verifying receipt of goods and automatically
340 Part Three Key System Applications for the Digital Age
generating receipts for payment. Alcoa’s accounts payable transaction process-
ing dropped 89 percent. Alcoa was able to centralize financial and procurement
activities, which helped the company reduce nearly 20 percent of its worldwide
costs.
Enterprise systems provide much valuable information for improving
management decision making. Corporate headquarters has access to up-to-the-
minute data on sales, inventory, and production and uses this information to
create more accurate sales and production forecasts. Enterprise software
includes analytical tools for using data captured by the system to evaluate
overall organizational performance. Enterprise system data have common
standardized definitions and formats that are accepted by the entire organiza-
tion. Performance figures mean the same thing across the company. Enterprise
systems allow senior management to easily find out at any moment how a
particular organizational unit is performing, determine which products are
most or least profitable, and calculate costs for the company as a whole.
For example, Alcoa’s enterprise system includes functionality for global
human resources management that shows correlations between investment in
employee training and quality, measures the company-wide costs of delivering
services to employees, and measures the effectiveness of employee recruit-
ment, compensation, and training.
9.2 SUPPLY CHAIN MANAGEMENT SYSTEMS
If you manage a small firm that makes a few products or sells a few services,
chances are you will have a small number of suppliers. You could coordinate your
supplier orders and deliveries using a telephone and fax machine. But if you man-
age a firm that produces more complex products and services, then you will have
hundreds of suppliers, and your suppliers will each have their own set of suppli-
ers. Suddenly, you are in a situation where you will need to coordinate the activi-
ties of hundreds or even thousands of other firms in order to produce your prod-
ucts and services. Supply chain management systems, which we introduced in
Chapter 2, are an answer to these problems of supply chain complexity and scale.
THE SUPPLY CHAIN
A firm’s supply chain is a network of organizations and business processes for
procuring raw materials, transforming these materials into intermediate and
finished products, and distributing the finished products to customers. It links
suppliers, manufacturing plants, distribution centers, retail outlets, and customers
to supply goods and services from source through consumption. Materials,
information, and payments flow through the supply chain in both directions
Goods start out as raw materials and, as they move through the supply chain,
are transformed into intermediate products (also referred to as components or
parts), and finally, into finished products. The finished products are shipped to
distribution centers and from there to retailers and customers. Returned items
flow in the reverse direction from the buyer back to the seller.
Let’s look at the supply chain for Nike sneakers as an example. Nike designs,
markets, and sells sneakers, socks, athletic clothing, and accessories through-
out the world. Its primary suppliers are contract manufacturers with factories
in China, Thailand, Indonesia, Brazil, and other countries. These companies
fashion Nike’s finished products.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 341
Nike’s contract suppliers do not manufacture sneakers from scratch. They
obtain components for the sneakers—the laces, eyelets, uppers, and soles—
from other suppliers and then assemble them into finished sneakers. These
suppliers in turn have their own suppliers. For example, the suppliers of soles
have suppliers for synthetic rubber, suppliers for chemicals used to melt the
rubber for molding, and suppliers for the molds into which to pour the rubber.
Suppliers of laces would have suppliers for their thread, for dyes, and for the
plastic lace tips.
Figure 9-2 provides a simplified illustration of Nike’s supply chain for
sneakers; it shows the flow of information and materials among suppliers,
Nike, and Nike’s distributors, retailers, and customers. Nike’s contract manu-
facturers are its primary suppliers. The suppliers of soles, eyelets, uppers, and
laces are the secondary (Tier 2) suppliers. Suppliers to these suppliers are the
tertiary (Tier 3) suppliers.
The upstream portion of the supply chain includes the company’s suppliers,
the suppliers’ suppliers, and the processes for managing relationships with
them. The downstream portion consists of the organizations and processes for
distributing and delivering products to the final customers. Companies doing
manufacturing, such as Nike’s contract suppliers of sneakers, also manage their
own internal supply chain processes for transforming materials, components,
and services furnished by their suppliers into finished products or intermediate
products (components or parts) for their customers and for managing materials
and inventory.
FIGURE 9-2 NIKE’S SUPPLY CHAIN
This figure illustrates the major entities in Nike’s supply chain and the flow of information upstream and downstream to coordi-
nate the activities involved in buying, making, and moving a product. Shown here is a simplified supply chain, with the
upstream portion focusing only on the suppliers for sneakers and sneaker soles.
342 Part Three Key System Applications for the Digital Age
The supply chain illustrated in Figure 9-2 only shows two contract manufac-
turers for sneakers and only the upstream supply chain for sneaker soles. Nike
has hundreds of contract manufacturers turning out finished sneakers, socks,
and athletic clothing, each with its own set of suppliers. The upstream portion
of Nike’s supply chain would actually comprise thousands of entities. Nike also
has numerous distributors and many thousands of retail stores where its shoes
are sold, so the downstream portion of its supply chain is also large and com-
plex.
INFORMATION SYSTEMS AND SUPPLY CHAIN
MANAGEMENT
Inefficiencies in the supply chain, such as parts shortages, underutilized plant
capacity, excessive finished goods inventory, or high transportation costs, are
caused by inaccurate or untimely information. For example, manufacturers
may keep too many parts in inventory because they do not know exactly when
they will receive their next shipments from their suppliers. Suppliers may
order too few raw materials because they do not have precise information on
demand. These supply chain inefficiencies waste as much as 25 percent of a
company’s operating costs.
If a manufacturer had perfect information about exactly how many units of
product customers wanted, when they wanted them, and when they could be
produced, it would be possible to implement a highly efficient just-in-time
strategy. Components would arrive exactly at the moment they were needed
and finished goods would be shipped as they left the assembly line.
In a supply chain, however, uncertainties arise because many events cannot
be foreseen—uncertain product demand, late shipments from suppliers, defec-
tive parts or raw materials, or production process breakdowns. To satisfy
customers, manufacturers often deal with such uncertainties and unforeseen
events by keeping more material or products in inventory than what they think
they may actually need. The safety stock acts as a buffer for the lack of flexibil-
ity in the supply chain. Although excess inventory is expensive, low fill rates
are also costly because business may be lost from canceled orders.
One recurring problem in supply chain management is the bullwhip effect,
in which information about the demand for a product gets distorted as it passes
from one entity to the next across the supply chain. A slight rise in demand for
an item might cause different members in the supply chain—distributors,
manufacturers, suppliers, secondary suppliers (suppliers’ suppliers), and ter-
tiary suppliers (suppliers’ suppliers’ suppliers)—to stockpile inventory so each
has enough “just in case.” These changes ripple throughout the supply chain,
magnifying what started out as a small change from planned orders, creating
excess inventory, production, warehousing, and shipping costs (see Figure 9-3).
For example, Procter & Gamble (P&G) found it had excessively high invento-
ries of its Pampers disposable diapers at various points along its supply chain
because of such distorted information. Although customer purchases in stores
were fairly stable, orders from distributors would spike when P&G offered
aggressive price promotions. Pampers and Pampers’ components accumulated
in warehouses along the supply chain to meet demand that did not actually
exist. To eliminate this problem, P&G revised its marketing, sales, and supply
chain processes and used more accurate demand forecasting
The bullwhip is tamed by reducing uncertainties about demand and supply
when all members of the supply chain have accurate and up-to-date informa-
tion. If all supply chain members share dynamic information about inventory
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 343
FIGURE 9-3 THE BULLWHIP EFFECT
Inaccurate information can cause minor fluctuations in demand for a product to be amplified as one moves further back in the supply
chain. Minor fluctuations in retail sales for a product can create excess inventory for distributors, manufacturers, and suppliers.
levels, schedules, forecasts, and shipments, they have more precise knowledge
about how to adjust their sourcing, manufacturing, and distribution plans.
Supply chain management systems provide the kind of information that helps
members of the supply chain make better purchasing and scheduling decisions.
Table 9-2 describes how firms benefit from these systems.
TABLE 9-2 HOW INFORMATION SYSTEMS FACILITATE SUPPLY CHAIN MANAGEMENT
INFORMATION FROM SUPPLY CHAIN MANAGEMENT SYSTEMS HELPS FIRMS
Decide when and what to produce, store, and move
Rapidly communicate orders
Track the status of orders
Check inventory availability and monitor inventory levels
Reduce inventory, transportation, and warehousing costs
Track shipments
Plan production based on actual customer demand
Rapidly communicate changes in product design
344 Part Three Key System Applications for the Digital Age
SUPPLY CHAIN MANAGEMENT SOFTWARE
Supply chain software is classified as either software to help businesses plan
their supply chains (supply chain planning) or software to help them execute
the supply chain steps (supply chain execution). Supply chain planning
systems enable the firm to model its existing supply chain, generate demand
forecasts for products, and develop optimal sourcing and manufacturing plans.
Such systems help companies make better decisions such as determining how
much of a specific product to manufacture in a given time period; establishing
inventory levels for raw materials, intermediate products, and finished goods;
determining where to store finished goods; and identifying the transportation
mode to use for product delivery.
For example, if a large customer places a larger order than usual or changes that
order on short notice, it can have a widespread impact throughout the supply
chain. Additional raw materials or a different mix of raw materials may need to be
ordered from suppliers. Manufacturing may have to change job scheduling. A
transportation carrier may have to reschedule deliveries. Supply chain planning
software makes the necessary adjustments to production and distribution plans.
Information about changes is shared among the relevant supply chain members
so that their work can be coordinated. One of the most important—and complex—
supply chain planning functions is demand planning, which determines how
much product a business needs to make to satisfy all of its customers’ demands.
Manugistics and i2 Technologies (both acquired by JDA Software) are major
supply chain management software vendors, and enterprise software vendors
SAP and Oracle-PeopleSoft offer supply chain management modules.
Whirlpool Corporation, which produces washing; machines, dryers, refriger-
ators, ovens, and other home appliances, uses supply chain planning systems
to make sure what it produces matches customer demand. The company uses
supply chain planning software from i2 Technologies, which includes modules
for master scheduling, deployment planning, and inventory planning.
Whirlpool also installed i2’s Web-based tool for Collaborative Planning,
Forecasting, and Replenishment (CPFR) for sharing and combining its sales
forecasts with those of its major sales partners. Improvements in supply chain
planning combined with new state-of-the-art distribution centers helped
Whirlpool increase availability of products in stock when customers needed
them to 97 percent, while reducing the number of excess finished goods in
inventory by 20 percent and forecasting errors by 50 percent (Barrett, 2009).
Supply chain execution systems manage the flow of products through
distribution centers and warehouses to ensure that products are delivered to the
right locations in the most efficient manner. They track the physical status of
goods, the management of materials, warehouse and transportation operations,
and financial information involving all parties. Haworth Incorporated’s
Warehouse Management System (WMS) is an example. Haworth is a world-
leading manufacturer and designer of office furniture, with distribution centers
in four different states. The WMS tracks and controls the flow of finished goods
from Haworth’s distribution centers to its customers. Acting on shipping plans
for customer orders, the WMS directs the movement of goods based on imme-
diate conditions for space, equipment, inventory, and personnel.
The Interactive Session on Organizations describes how supply chain
management software improved decision making and operational performance
at Southwest Airlines. This company maintains a competitive edge by combin-
ing superb customer service with low costs. Effectively managing its parts
inventory is crucial to achieving these goals.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 345
INTERACTIVE SESSION: ORGANIZATIONS
SOUTHWEST AIRLINES TAKES OFF WITH BETTER SUPPLY CHAIN
MANAGEMENT
“Weather at our destination is 50 degrees with some and reduced aircraft groundings would have a strong
broken clouds, but they’ll try to have them fixed impact on the airline’s bottom line. Richard
before we arrive. Thank you, and remember, nobody Zimmerman, Southwest’s manager of inventory
loves you or your money more than Southwest management, stated that “there’s a significant cost
Airlines.” when we have to ground aircraft because we ran out
of a part. The long-term, cost-effective way to solve
Crew humor at 30,000 feet? Must be Southwest that problem was to increase productivity and to
Airlines. The company is the largest low-fare, high- ensure that our maintenance crews were supported
frequency, point-to-point airline in the world, and with the right spare parts, through the right software
largest overall measured by number of passengers application.”
per year. Founded in 1971 with four planes serving
three cities, the company now operates over 500 air- Southwest’s management started looking for a
craft in 68 cities, and has revenues of $10.1 billion. better inventory management solution, and a vendor
Southwest has the best customer service record that was capable of working within the airline’s
among major airlines, the lowest cost structure, and unique corporate culture. After an extensive search,
the lowest and simplest fares. The stock symbol is Southwest eventually chose i2 Technologies, a
LUV (for Dallas’s Love Field where the company is leading supply chain management software and
headquartered), but love is the major theme of services company that was recently purchased by
Southwest’s employee and customer relationships. JDA Software. Southwest implemented the i2
The company has made a profit every year since Demand Planner, i2 Service Parts Planner, and i2
1973, one of the few airlines that can make that Service Budget Optimizer to overhaul its supply
claim. chain management and improve data visibility.
Despite a freewheeling, innovative corporate I2 Demand Planner improves Southwest’s
culture, even Southwest needs to get serious about forecasts for all of the part location combinations in
its information systems to maintain profitability. its system, and provides better visibility into
Southwest is just like any other company that needs demand for each part. Planners are able to differen-
to manage its supply chain and inventory efficiently. tiate among individual parts based on criticality and
The airline’s success has led to continued expansion, other dimensions such as demand volume, demand
and as the company has grown, its legacy informa- variability, and dollar usage. I2 Service Parts Planner
tion systems have been unable to keep up with the helps Southwest replenish its store of parts and
increasingly large amount of data being generated. ensures that “the right parts are in the right location
at the right time.“ The software can recommend the
One of the biggest problems with Southwest’s best mix of parts for each location that will satisfy
legacy systems was lack of information visibility. the customer service requirements of that location
Often, the data that Southwest’s managers needed at the lowest cost. If excess inventory builds up in
were safely stored on their systems but weren’t certain service locations, the software will recom-
”visible”, or readily available for viewing or use in mend the most cost-efficient way to transfer that
other systems. Information about what replacement excess inventory to locations with parts deficits. I2
parts were available at a given time was difficult or Service Budget Optimizer helps Southwest use its
impossible to acquire, and that affected response historical data of parts usage to generate forecasts of
times for everything from mechanical problems to future parts usage.
part fulfillment.
Together, these solutions gather data from
For Southwest, which prides itself on its excellent Southwest’s legacy systems and provide useful
customer service, getting passengers from one information to Southwest’s managers. Most impor-
location to another with minimal delay is critically tantly, Southwest can recognize demand shortages
important. Repairing aircraft quickly is an important before they become problems, thanks to the visibil-
part of accomplishing that goal. The company had ity provided by i2’s solutions. Southwest’s managers
$325 million in service parts inventory, so any
solution that more efficiently handled that inventory
346 Part Three Key System Applications for the Digital Age increased availability of parts, increased speed and
intelligence of decision making, reduced parts
now have a clear and unobstructed view of all of the inventory by 15 percent, saving the company over
data up and down the company’s supply chain. $30 million, and increased service levels from 92
percent prior to the implementation to over 95 per-
By using what-if analysis, planners can quantify cent afterwards.
the cost to the company of operating at different
levels of service. Zimmerman added that i2 “will Sources: Chris Lauer, Southwest Airlines: Corporations That Changed
help us lower inventory costs and keep our cost per the World, Greenwood Press, May 2010; www.i2.com, “Ensuring
air seat mile down to the lowest in the industry. Optimal Parts Inventory at Southwest Airlines,” and “Service Parts
Also, the solutions will help us ensure that the Management,” accessed April 25, 2010; and www.southwest.com,
maintenance team can quickly repair the aircraft so accessed July 1, 2010.
that our customers experience minimal delays.”
The results of the i2 implementation were
CASE STUDY QUESTIONS MIS IN ACTION
1. Why is parts inventory management so important Visit i2’s site (www.i2.com) and learn more about
at Southwest Airlines? What business processes some of the other companies using its software. Pick
are affected by the airline’s ability or inability to one of these companies, then answer the following
have required parts on hand? questions:
2. Why management, organization, and technology 1. What problem did the company need to address
factors were responsible for Southwest’s problems with i2’s software?
with inventory management?
2. Why did the company select i2 as its software
3. How did implementing the i2 software change the vendor?
way Southwest ran its business?
3. What were the gains that the company realized as
4. Describe two decisions that were improved by a result of the software implementation?
implementing the i2 system.
GLOBAL SUPPLY CHAINS AND THE INTERNET
Before the Internet, supply chain coordination was hampered by the difficulties
of making information flow smoothly among disparate internal supply chain
systems for purchasing, materials management, manufacturing, and distribu-
tion. It was also difficult to share information with external supply chain
partners because the systems of suppliers, distributors, or logistics providers
were based on incompatible technology platforms and standards. Enterprise
and supply chain management systems enhanced with Internet technology
supply some of this integration.
A manager will use a Web interface to tap into suppliers’ systems to deter-
mine whether inventory and production capabilities match demand for the
firm’s products. Business partners will use Web-based supply chain manage-
ment tools to collaborate online on forecasts. Sales representatives will access
suppliers’ production schedules and logistics information to monitor customers’
order status.
Global Supply Chain Issues
More and more companies are entering international markets, outsourcing
manufacturing operations, and obtaining supplies from other countries as well
as selling abroad. Their supply chains extend across multiple countries and
regions. There are additional complexities and challenges to managing a global
supply chain.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 347
Global supply chains typically span greater geographic distances and time
differences than domestic supply chains and have participants from a number
of different countries. Although the purchase price of many goods might be
lower abroad, there are often additional costs for transportation, inventory (the
need for a larger buffer of safety stock), and local taxes or fees. Performance
standards may vary from region to region or from nation to nation. Supply
chain management may need to reflect foreign government regulations and
cultural differences. All of these factors impact how a company takes orders,
plans distribution, sizes warehousing, and manages inbound and outbound
logistics throughout the global markets it services.
The Internet helps companies manage many aspects of their global supply
chains, including sourcing, transportation, communications, and international
finance. Today’s apparel industry, for example, relies heavily on outsourcing to
contract manufacturers in China and other low-wage countries. Apparel
companies are starting to use the Web to manage their global supply chain and
production issues.
For example, Koret of California, a subsidiary of apparel maker Kellwood Co.,
uses e-SPS Web-based software to gain end-to-end visibility into its entire global
supply chain. E-SPS features Web-based software for sourcing, work-in-progress
tracking, production routing, product-development tracking, problem identifi-
cation and collaboration, delivery-date projections, and production-related
inquiries and reports.
As goods are being sourced, produced, and shipped, communication is
required among retailers, manufacturers, contractors, agents, and logistics
providers. Many, especially smaller companies, still share product information
over the phone, via e-mail, or through faxes. These methods slow down the sup-
ply chain and also increase errors and uncertainty. With e-SPS, all supply chain
members communicate through a Web-based system. If one of Koret’s vendors
makes a change in the status of a product, everyone in the supply chain sees
the change.
In addition to contract manufacturing, globalization has encouraged out-
sourcing warehouse management, transportation management, and related
operations to third-party logistics providers, such as UPS Supply Chain
Solutions and Schneider Logistics Services. These logistics services offer Web-
based software to give their customers a better view of their global supply
chains. Customers are able to check a secure Web site to monitor inventory and
shipments, helping them run their global supply chains more efficiently.
Demand-Driven Supply Chains: From Push to Pull
Manufacturing and Efficient Customer Response
In addition to reducing costs, supply chain management systems facilitate
efficient customer response, enabling the workings of the business to be driven
more by customer demand. (We introduced efficient customer response
systems in Chapter 3.)
Earlier supply chain management systems were driven by a push-based
model (also known as build-to-stock). In a push-based model, production
master schedules are based on forecasts or best guesses of demand for prod-
ucts, and products are “pushed” to customers. With new flows of information
made possible by Web-based tools, supply chain management more easily
follows a pull-based model. In a pull-based model, also known as a demand-
driven model or build-to-order, actual customer orders or purchases trigger
events in the supply chain. Transactions to produce and deliver only what
customers have ordered move up the supply chain from retailers to distributors
348 Part Three Key System Applications for the Digital Age
to manufacturers and eventually to suppliers. Only products to fulfill these
orders move back down the supply chain to the retailer. Manufacturers use only
actual order demand information to drive their production schedules and the
procurement of components or raw materials, as illustrated in Figure 9-4.
Walmart’s continuous replenishment system described in Chapter 3 is an exam-
ple of the pull-based model.
The Internet and Internet technology make it possible to move from sequen-
tial supply chains, where information and materials flow sequentially from
company to company, to concurrent supply chains, where information flows in
many directions simultaneously among members of a supply chain network.
Complex supply networks of manufacturers, logistics suppliers, outsourced
manufacturers, retailers, and distributors are able to adjust immediately to
changes in schedules or orders. Ultimately, the Internet could create a “digital
logistics nervous system” throughout the supply chain (see Figure 9-5).
BUSINESS VALUE OF SUPPLY CHAIN MANAGEMENT
SYSTEMS
You have just seen how supply chain management systems enable firms to
streamline both their internal and external supply chain processes and provide
management with more accurate information about what to produce, store, and
move. By implementing a networked and integrated supply chain management
system, companies match supply to demand, reduce inventory levels, improve
delivery service, speed product time to market, and use assets more effectively.
Total supply chain costs represent the majority of operating expenses for many
businesses and in some industries approach 75 percent of the total operating bud-
get. Reducing supply chain costs may have a major impact on firm profitability.
In addition to reducing costs, supply chain management systems help
increase sales. If a product is not available when a customer wants it, customers
often try to purchase it from someone else. More precise control of the supply
chain enhances the firm’s ability to have the right product available for
customer purchases at the right time.
FIGURE 9-4 PUSH- VERSUS PULL-BASED SUPPLY CHAIN MODELS
The difference between push- and pull-based models is summarized by the slogan “Make what we
sell, not sell what we make.”
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 349
FIGURE 9-5 THE FUTURE INTERNET-DRIVEN SUPPLY CHAIN
The future Internet-driven supply chain operates like a digital logistics nervous system. It provides
multidirectional communication among firms, networks of firms, and e-marketplaces so that entire
networks of supply chain partners can immediately adjust inventories, orders, and capacities.
9. 3 CUSTOMER RELATIONSHIP MANAGEMENT
SYSTEMS
You’ve probably heard phrases such as “the customer is always right” or “the
customer comes first.” Today these words ring more true than ever. Because
competitive advantage based on an innovative new product or service is often
very short lived, companies are realizing that their only enduring competitive
strength may be their relationships with their customers. Some say that the
basis of competition has switched from who sells the most products and
services to who “owns” the customer, and that customer relationships represent
a firm’s most valuable asset.
WHAT IS CUSTOMER RELATIONSHIP MANAGEMENT?
What kinds of information would you need to build and nurture strong, long-
lasting relationships with customers? You’d want to know exactly who your
customers are, how to contact them, whether they are costly to service and sell
to, what kinds of products and services they are interested in, and how much
money they spend on your company. If you could, you’d want to make sure
you knew each of your customers well, as if you were running a small-town
store. And you’d want to make your good customers feel special.
In a small business operating in a neighborhood, it is possible for business
owners and managers to really know their customers on a personal, face-to-face
basis. But in a large business operating on a metropolitan, regional, national, or
even global basis, it is impossible to “know your customer” in this intimate way.
In these kinds of businesses there are too many customers and too many
different ways that customers interact with the firm (over the Web, the phone,
350 Part Three Key System Applications for the Digital Age
fax, and in person). It becomes especially difficult to integrate information from
all theses sources and to deal with the large numbers of customers.
A large business’s processes for sales, service, and marketing tend to be
highly compartmentalized, and these departments do not share much essential
customer information. Some information on a specific customer might be
stored and organized in terms of that person’s account with the company. Other
pieces of information about the same customer might be organized by products
that were purchased. There is no way to consolidate all of this information to
provide a unified view of a customer across the company.
This is where customer relationship management systems help. Customer
relationship management (CRM) systems, which we introduced in Chapter 2,
capture and integrate customer data from all over the organization, consolidate
the data, analyze the data, and then distribute the results to various systems
and customer touch points across the enterprise. A touch point (also known as
a contact point) is a method of interaction with the customer, such as
telephone, e-mail, customer service desk, conventional mail, Web site, wireless
device, or retail store.
Well-designed CRM systems provide a single enterprise view of customers
that is useful for improving both sales and customer service. Such systems
likewise provide customers with a single view of the company regardless of
what touch point the customer uses (see Figure 9-6).
Good CRM systems provide data and analytical tools for answering questions
such as these: “What is the value of a particular customer to the firm over his or
her lifetime?” “Who are our most loyal customers?” (It can cost six times more
to sell to a new customer than to an existing customer.) “Who are our most
profitable customers?” and “What do these profitable customers want to buy?”
Firms use the answers to these questions to acquire new customers, provide
better service and support to existing customers, customize their offerings more
precisely to customer preferences, and provide ongoing value to retain
profitable customers.
FIGURE 9-6 CUSTOMER RELATIONSHIP MANAGEMENT (CRM)
CRM systems examine customers from a multifaceted perspective. These systems use a set of
integrated applications to address all aspects of the customer relationship, including customer service,
sales, and marketing.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 351
CUSTOMER RELATIONSHIP MANAGEMENT SOFTWARE
Commercial CRM software packages range from niche tools that perform
limited functions, such as personalizing Web sites for specific customers, to
large-scale enterprise applications that capture myriad interactions with
customers, analyze them with sophisticated reporting tools, and link to other
major enterprise applications, such as supply chain management and
enterprise systems. The more comprehensive CRM packages contain modules
for partner relationship management (PRM) and employee relationship
management (ERM).
PRM uses many of the same data, tools, and systems as customer relation-
ship management to enhance collaboration between a company and its selling
partners. If a company does not sell directly to customers but rather works
through distributors or retailers, PRM helps these channels sell to customers
directly. It provides a company and its selling partners with the ability to trade
information and distribute leads and data about customers, integrating lead
generation, pricing, promotions, order configurations, and availability. It also
provides a firm with tools to assess its partners’ performances so it can make
sure its best partners receive the support they need to close more business.
ERM software deals with employee issues that are closely related to CRM,
such as setting objectives, employee performance management, performance-
based compensation, and employee training. Major CRM application
software vendors include Oracle-owned Siebel Systems and PeopleSoft, SAP,
Salesforce.com, and Microsoft Dynamics CRM.
Customer relationship management systems typically provide software and
online tools for sales, customer service, and marketing. We briefly describe
some of these capabilities.
Sales Force Automation (SFA)
Sales force automation modules in CRM systems help sales staff increase their
productivity by focusing sales efforts on the most profitable customers, those
who are good candidates for sales and services. CRM systems provide sales
prospect and contact information, product information, product configuration
capabilities, and sales quote generation capabilities. Such software can assemble
information about a particular customer’s past purchases to help the salesperson
make personalized recommendations. CRM software enables sales, marketing,
and delivery departments to easily share customer and prospect information. It
increases each salesperson’s efficiency in reducing the cost per sale as well as
the cost of acquiring new customers and retaining old ones. CRM software also
has capabilities for sales forecasting, territory management, and team selling.
Customer Service
Customer service modules in CRM systems provide information and tools to
increase the efficiency of call centers, help desks, and customer support staff.
They have capabilities for assigning and managing customer service requests.
One such capability is an appointment or advice telephone line: When a
customer calls a standard phone number, the system routes the call to the
correct service person, who inputs information about that customer into the
system only once. Once the customer’s data are in the system, any service
representative can handle the customer relationship. Improved access to
consistent and accurate customer information help call centers handle more
calls per day and decrease the duration of each call. Thus, call centers and
customer service groups achieve greater productivity, reduced transaction
352 Part Three Key System Applications for the Digital Age
time, and higher quality of service at lower cost. The customer is happier
because he or she spends less time on the phone restating his or her problem to
customer service representatives.
CRM systems may also include Web-based self-service capabilities: The
company Web site can be set up to provide inquiring customers personalized
support information as well as the option to contact customer service staff by
phone for additional assistance.
Marketing
CRM systems support direct-marketing campaigns by providing capabilities for
capturing prospect and customer data, for providing product and service
information, for qualifying leads for targeted marketing, and for scheduling and
tracking direct-marketing mailings or e-mail (see Figure 9-7). Marketing modules
also include tools for analyzing marketing and customer data, identifying prof-
itable and unprofitable customers, designing products and services to satisfy spe-
cific customer needs and interests, and identifying opportunities for cross-selling.
Cross-selling is the marketing of complementary products to customers.
(For example, in financial services, a customer with a checking account might
be sold a money market account or a home improvement loan.) CRM tools also
help firms manage and execute marketing campaigns at all stages, from
planning to determining the rate of success for each campaign.
Figure 9-8 illustrates the most important capabilities for sales, service, and mar-
keting processes that would be found in major CRM software products. Like enter-
prise software, this software is business-process driven, incorporating hundreds of
business processes thought to represent best practices in each of these areas. To
achieve maximum benefit, companies need to revise and model their business
processes to conform to the best-practice business processes in the CRM software.
Figure 9-9 illustrates how a best practice for increasing customer loyalty
through customer service might be modeled by CRM software. Directly
FIGURE 9-7 HOW CRM SYSTEMS SUPPORT MARKETING
Customer relationship management software provides a single point for users to manage and evaluate
marketing campaigns across multiple channels, including e-mail, direct mail, telephone, the Web, and
wireless messages.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 353
FIGURE 9-8 CRM SOFTWARE CAPABILITIES
The major CRM software products support business processes in sales, service, and marketing,
integrating customer information from many different sources. Included are support for both the
operational and analytical aspects of CRM.
FIGURE 9-9 CUSTOMER LOYALTY MANAGEMENT PROCESS MAP
This process map shows how a best practice for promoting customer loyalty through customer service would be modeled by customer
relationship management software. The CRM software helps firms identify high-value customers for preferential treatment.
354 Part Three Key System Applications for the Digital Age
servicing customers provides firms with opportunities to increase customer
retention by singling out profitable long-term customers for preferential
treatment. CRM software can assign each customer a score based on that
person’s value and loyalty to the company and provide that information to
help call centers route each customer’s service request to agents who can best
handle that customer’s needs. The system would automatically provide the
service agent with a detailed profile of that customer that includes his or her
score for value and loyalty. The service agent would use this information to
present special offers or additional service to the customer to encourage the
customer to keep transacting business with the company. You will find more
information on other best-practice business processes in CRM systems in our
Learning Tracks.
OPERATIONAL AND ANALYTICAL CRM
All of the applications we have just described support either the operational or
analytical aspects of customer relationship management. Operational CRM
includes customer-facing applications, such as tools for sales force automation,
call center and customer service support, and marketing automation. Analytical
CRM includes applications that analyze customer data generated by operational
CRM applications to provide information for improving business performance.
Analytical CRM applications are based on data warehouses that consolidate the
data from operational CRM systems and customer touch points for use with online
analytical processing (OLAP), data mining, and other data analysis techniques
(see Chapter 6). Customer data collected by the organization might be combined
with data from other sources, such as customer lists for direct-marketing
campaigns purchased from other companies or demographic data. Such data are
analyzed to identify buying patterns, to create segments for targeted marketing,
and to pinpoint profitable and unprofitable customers (see Figure 9-10).
FIGURE 9-10 ANALYTICAL CRM DATA WAREHOUSE
Analytical CRM uses a customer data warehouse and tools to analyze customer data collected from
the firm’s customer touch points and from other sources.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 355
Another important output of analytical CRM is the customer’s lifetime value
to the firm. Customer lifetime value (CLTV) is based on the relationship
between the revenue produced by a specific customer, the expenses incurred in
acquiring and servicing that customer, and the expected life of the relationship
between the customer and the company.
BUSINESS VALUE OF CUSTOMER RELATIONSHIP
MANAGEMENT SYSTEMS
Companies with effective customer relationship management systems realize
many benefits, including increased customer satisfaction, reduced direct-
marketing costs, more effective marketing, and lower costs for customer acqui-
sition and retention. Information from CRM systems increases sales revenue by
identifying the most profitable customers and segments for focused marketing
and cross-selling.
Customer churn is reduced as sales, service, and marketing better respond to
customer needs. The churn rate measures the number of customers who stop
using or purchasing products or services from a company. It is an important
indicator of the growth or decline of a firm’s customer base.
9.4 ENTERPRISE APPLICATIONS: NEW
OPPORTUNITIES AND CHALLENGES
Many firms have implemented enterprise systems and systems for supply
chain management and customer relationship because they are such powerful
instruments for achieving operational excellence and enhancing decision
making. But precisely because they are so powerful in changing the way the
organization works, they are challenging to implement. Let’s briefly examine
some of these challenges, as well as new ways of obtaining value from these
systems.
ENTERPRISE APPLICATION CHALLENGES
Promises of dramatic reductions in inventory costs, order-to-delivery time, as
well as more efficient customer response and higher product and customer
profitability make enterprise systems and systems for supply chain manage-
ment and customer relationship management very alluring. But to obtain this
value, you must clearly understand how your business has to change to use
these systems effectively.
Enterprise applications involve complex pieces of software that are very
expensive to purchase and implement. It might take a large Fortune 500
company several years to complete a large-scale implementation of an
enterprise system or a system for SCM or CRM. The total cost for an average
large system implementation based on SAP or Oracle software, including
software, database tools, consulting fees, personnel costs, training, and
perhaps hardware costs, runs over $12 million. The implementation cost of a
enterprise system for a small or mid-sized company based on software
from a “Tier II” vendor such as Epicor or Lawson averages $3.5 million.
(Wailgum, 2009).
Enterprise applications require not only deep-seated technological changes
but also fundamental changes in the way the business operates. Companies
356 Part Three Key System Applications for the Digital Age
must make sweeping changes to their business processes to work with the
software. Employees must accept new job functions and responsibilities. They
must learn how to perform a new set of work activities and understand how the
information they enter into the system can affect other parts of the company.
This requires new organizational learning.
Supply chain management systems require multiple organizations to share
information and business processes. Each participant in the system may have
to change some of its processes and the way it uses information to create a
system that best serves the supply chain as a whole.
Some firms experienced enormous operating problems and losses when they
first implemented enterprise applications because they didn’t understand how
much organizational change was required. For example, Kmart had trouble get-
ting products to store shelves when it first implemented i2 Technologies supply
chain management software in July 2000. The i2 software did not work well
with Kmart’s promotion-driven business model, which created sharp spikes in
drops in demand for products. Overstock.com’s order tracking system went
down for a full week in October 2005 when the company replaced a home-
grown system with an Oracle enterprise system. The company rushed to
implement the software, and did not properly synchronize the Oracle soft-
ware’s process for recording customer refunds with its accounts receivable sys-
tem. These problems contributed to a third-quarter loss of $14.5 million that
year.
Enterprise applications also introduce “switching costs.” Once you adopt an
enterprise application from a single vendor, such as SAP, Oracle, or others, it is
very costly to switch vendors, and your firm becomes dependent on the vendor
to upgrade its product and maintain your installation.
Enterprise applications are based on organization-wide definitions of data.
You’ll need to understand exactly how your business uses its data and how the
data would be organized in a customer relationship management, supply chain
management, or enterprise system. CRM systems typically require some data
cleansing work.
Enterprise software vendors are addressing these problems by offering
pared-down versions of their software and “fast-start” programs for small and
medium-sized businesses and best-practice guidelines for larger companies.
Our Interactive Session on Technology describes how on-demand and cloud-
based tools deal with this problem as well.
Companies adopting enterprise applications can also save time and money
by keeping customizations to the minimum. For example, Kennametal, a $2
billion metal-cutting tools company in Pennsylvania, had spent $10 million
over 13 years maintaining an ERP system with over 6,400 customizations. The
company is now replacing it with a “plain vanilla,” non-customized-version of
SAP enterprise software and changing its business processes to conform to the
software (Johnson, 2010).
NEXT-GENERATION ENTERPRISE APPLICATIONS
Today, enterprise application vendors are delivering more value by becoming
more flexible, Web-enabled, and capable of integration with other systems.
Standalone enterprise systems, customer relationship systems, and supply
chain management systems are becoming a thing of the past.
The major enterprise software vendors have created what they call
enterprise solutions, enterprise suites, or e-business suites to make their
customer relationship management, supply chain management, and enter-
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 357
prise systems work closely with each other, and link to systems of cus-
tomers and suppliers. SAP Business Suite, Oracle’s e-Business Suite, and
Microsoft’s Dynamics suite (aimed at mid-sized companies) are examples,
and they now utilize Web services and service-oriented architecture (SOA,
see Chapter 5).
SAP’s next-generation enterprise applications are based on its enterprise
service-oriented architecture. It incorporates service-oriented architecture
(SOA) standards and uses its NetWeaver tool as an integration platform linking
SAP’s own applications and Web services developed by independent software
vendors. The goal is to make enterprise applications easier to implement and
manage.
For example, the current version of SAP enterprise software combines key
applications in finance, logistics and procurement, and human resources
administration into a core ERP component. Businesses then extend these
applications by linking to function-specific Web services such as employee
recruiting or collections management provided by SAP and other vendors. SAP
provides over 500 Web services through its Web site.
Oracle also has included SOA and business process management capabilities
into its Fusion middleware products. Businesses can use Oracle tools to
customize Oracle’s applications without breaking the entire application.
Next-generation enterprise applications also include open source and
on-demand solutions. Compared to commercial enterprise application
software, open source products such as Compiere, Apache Open for Business
(OFBiz), and Openbravo are not as mature, nor do they include as much
support. However, companies such as small manufacturers are choosing this
option because there are no software licensing fees and fees are based on usage.
(Support and customization for open source products cost extra.)
SAP now offers an on-demand enterprise software solution called Business
ByDesign for small and medium-sized businesses in select countries. For large
businesses, SAP’s on-site software is the only version available. SAP is, however,
hosting function-specific applications (such as e-sourcing and expense manage-
ment) available by subscription that integrate with customers’ on-site SAP
Business Suite systems.
The most explosive growth in software as a service (SaaS) offerings has been
for customer relationship management. Salesforce.com has been the leader in
hosted CRM solutions, but Oracle and SAP have also developed SaaS capabili-
ties. SaaS and cloud-based versions of enterprise systems are starting to be
offered by vendors such as NetSuite and Plex Online. Compiere sells both cloud
and on-premise versions of its ERP systems. Use of cloud-based enterprise
applications is starting to take off, as discussed in the Interactive Session on
Technology.
The major enterprise application vendors also offer portions of their
products that work on mobile handhelds. You can find out more about this topic
in our Learning Track on Wireless Applications for Customer Relationship
Management, Supply Chain Management, and Healthcare.
Salesforce.com and Oracle have added Web 2.0 capabilities that enable
organizations to identify new ideas more rapidly, improve team productivity,
and deepen interactions with customers. For example, Salesforce Ideas
enables subscribers to harness the “wisdom of crowds” by allowing their
customers to submit and discuss new ideas. Dell Computer deployed this
technology as Dell IdeaStorm (dellideastorm.com) to encourage its
customers to suggest and vote on new concepts and feature changes in Dell
products.
358 Part Three Key System Applications for the Digital Age
INTERACTIVE SESSION: TECHNOLOGY
ENTERPRISE APPLICATIONS MOVE TO THE CLOUD
You’ve already read about Salesforce.com in this ity to implement that system, but it also had an
book. It’s the most successful enterprise-scale array of other useful services. When Nikon discov-
software as a service (SaaS). Until recently, there ered that it could combine outbound e-mail, contact
were few other SaaS enterprise software applications management, and customer records into a single
available on the Internet. Today, that’s changed, as a system in RightNow’s cloud, it made the move,
growing number of cloud-based enterprise resource expecting to receive a solid return on the invest-
planning (ERP) and customer relationship manage- ment.
ment (CRM) application providers enter this market-
space. While traditional enterprise software vendors What Nikon got was far more than expected: an
like Oracle are using their well-established position astonishing 3,200 percent return on investment
to grab a share of the cloud-based application market, (ROI), equivalent to a savings of $14 million after
newcomers like RightNow, Compiere, and SugarCRM three years! The FAQ system reduced the number of
have found success using some different tactics. incoming calls to Nikon’s customer service staff.
More customers found the information they needed
Most companies interested in cloud computing are on the Web, call response times dropped by 50 per-
small to midsize and lack the know-how or financial cent, and incoming e-mail dropped by 70 percent.
resources to successfully build and maintain ERP While Nikon still hosts its SAP ERP system internally
and CRM applications in-house. Others are simply due to its complexity, Nikon switched its entire CRM
looking to cut costs by moving their applications to system to RightNow.
the cloud. According to the International Data
Corporation (IDC), about 3.2 percent of U.S. small Not all companies experience gains of that magni-
businesses, or about 230,000 businesses, use cloud tude, and cloud computing does have drawbacks.
services. Small-business spending on cloud services Many companies are concerned about maintaining
increased by 36.2 percent in 2010 to $2.4 billion. control of their data and security. Although cloud
computing companies are prepared to handle these
Even larger companies have made the switch to issues, availability assurances and service-level
the cloud. For example, camera manufacturer Nikon agreements are uncommon. Companies that manage
decided to go with a cloud-based solution as it their CRM apps with a cloud infrastructure have no
attempted to merge customer data from 25 disparate guarantees that their data will be available at all
sources and applications into a single system. times, or even that the provider will still exist in the
Company officials were hoping to eliminate future.
maintenance and administrative costs, but not at the
expense of a storage system that met their require- Many smaller companies have taken advantage of
ments, was never out of service, and worked a new type of cloud computing known as open
perfectly. source cloud computing. Under this model, cloud
vendors make the source code of their applications
Nikon found its solution with RightNow, a cloud- available to their customers and allow them to make
based CRM provider located in Bozeman, Montana. any changes they want on their own. This differs
The company was founded in 1997 and has attracted from the traditional model, where cloud vendors
firms intrigued by its customizable applications, offer applications which are customizable, but not at
impeccable customer service, and robust infrastruc- the source code level.
ture. Prices start at $110 per user per month and the
average deployment time is 45 days. For example, Jerry Skaare, president of O-So-Pure
(OSP), a manufacturer of ultraviolet water purifica-
Nikon had been using several different systems to tion systems, selected the Compiere Cloud Edition
perform business functions, and was struggling to versions of ERP software hosted on the Amazon
merge customer data located in a variety of legacy EC2 Cloud virtual environment. OSP had long
systems. While looking for vendors to help imple- outgrown its existing ERP system and was held back
ment a Web-based FAQ system to answer customer by inefficient, outdated processes in accounting,
questions and provide support on the basis of these inventory, manufacturing, and e-commerce.
data, the company came across RightNow. Nikon Compiere ERP provides a complete end-to-end ERP
found that not only did RightNow have the capabil- solution that automates processes from accounting
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise 359
to purchasing, order fulfillment, manufacturing, Not to be outdone, established CRM companies
and warehousing. like Oracle have moved into SaaS. Pricing starts at
$70 per month per user. Oracle may have an edge
Compiere uses a model-driven platform that stores because its CRM system has so many capabilities and
business logic in an applications dictionary rather includes embedded tools for forecasting and analyt-
than being hard-coded into software programs. Firms ics, including interactive dashboards. Subscribers are
using Compiere are able to customize their applica- able to use these tools to answer questions such as
tions by creating, modifying, or deleting business “How efficient is your sales effort?” or “How much
logic in the applications dictionary without extensive are your customers spending?”
programming. In contrast to traditional ERP systems
that encourage subscribers to modify their business Bryant & Stratton College, a pioneer in career
processes to conform to the software, Compiere education, used Oracle CRM On Demand to create
encourages its subscribers to customize its system to more successful marketing campaigns. Bryant &
match their unique business needs. Stratton analyzed past campaigns for tech-savvy recent
high school graduates, as well as older, non-traditional
The fact that the Compiere software is open students returning to school later in life. Oracle CRM
source also makes it easier for users to modify. OSP On Demand tracked advertising to prospective stu-
was attracted to this feature, along with the robust dents and determined accurate costs for each lead,
functionality, scalability, and low cost, of the admissions application, and registered attending stu-
Compiere ERP Cloud Edition. Skaare said that he dent. This information helped the school determine
was comfortable that “the little idiosyncrasies of my the true value of each type of marketing program.
company” could be handled by the software. Though
Skaare is unlikely to make any changes himself, it’s Sources: Marta Bright, “Know Who. Know How.” Oracle Magazine,
important for him to know that his staff has the January/February 2010; Brad Stone, “Companies Slowly Join
option to tweak OSP’s ERP applications. Open Cloud-Computing,” The New York Times, April 28, 2010; and Esther
source cloud computing provides companies that Shein, “Open-source CRM and ERP: New Kids on the Cloud,”
flexibility. Computerworld, October 30, 2009.
CASE STUDY QUESTIONS MIS IN ACTION
1. What types of companies are most likely to adopt Visit the Web site of RightNow, Compiere, or another
cloud-based ERP and CRM software services? competing company offering a cloud-based version of
Why? What companies might not be well-suited ERP or CRM. Then answer the following questions:
for this type of software?
1. What kinds of open source offerings does the
2. What are the advantages and disadvantages of company have, if any? Describe some of the
using cloud-based enterprise applications? features.
3. What management, organization, and technology 2. Toward what types of companies is the company
issues should be addressed in deciding whether to marketing its services?
use a conventional ERP or CRM system versus a
cloud-based version? 3. What other services does the company offer?
Enterprise application vendors have also beefed up their business intelli-
gence features to help managers obtain more meaningful information from
the massive amounts of data generated by these systems. Rather than requir-
ing users to leave an application and launch separate reporting and analytics
tools, the vendors are starting to embed analytics within the context of the
application itself. They are also offering complementary analytics products,
such as SAP Business Objects and Oracle Business Intelligence Enterprise
Edition. We discuss business intelligence analytics in greater detail in
Chapter 12.
360 Part Three Key System Applications for the Digital Age
Service Platforms
Another way of extending enterprise applications is to use them to create service
platforms for new or improved business processes that integrate information
from multiple functional areas. These enterprise-wide service platforms provide
a greater degree of cross-functional integration than the traditional enterprise
applications. A service platform integrates multiple applications from multiple
business functions, business units, or business partners to deliver a seamless
experience for the customer, employee, manager, or business partner.
For instance, the order-to-cash process involves receiving an order and
seeing it all the way through obtaining payment for the order. This process
begins with lead generation, marketing campaigns, and order entry, which are
typically supported by CRM systems. Once the order is received, manufactur-
ing is scheduled and parts availability is verified—processes that are usually
supported by enterprise software. The order then is handled by processes for
distribution planning, warehousing, order fulfillment, and shipping, which are
usually supported by supply chain management systems. Finally, the order is
billed to the customer, which is handled by either enterprise financial applica-
tions or accounts receivable. If the purchase at some point required customer
service, customer relationship management systems would again be invoked.
A service such as order-to-cash requires data from enterprise applications
and financial systems to be further integrated into an enterprise-wide
composite process. To accomplish this, firms need software tools that use
existing applications as building blocks for new cross-enterprise processes (see
Figure 9-11). Enterprise application vendors provide middleware and tools that
use XML and Web services for integrating enterprise applications with older
legacy applications and systems from other vendors.
FIGURE 9-11 ORDER-TO-CASH SERVICE
Order-to-cash is a composite process that integrates data from individual enterprise systems and
legacy financial applications. The process must be modeled and translated into a software system
using application integration tools.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 361
Increasingly, these new services will be delivered through portals. Portal
software can integrate information from enterprise applications and disparate
in-house legacy systems, presenting it to users through a Web interface so that
the information appears to be coming from a single source. For example, Valero
Energy, North America’s largest refiner, used SAP NetWeaver Portal to create a
service for wholesale clients to view their account information all at once.
SAP NetWeaver Portal provides an interface to clients’ invoice, price, electronic
funds, and credit card transaction data stored in SAP’s customer relationship
management system data warehouse as well as in non-SAP systems.
9.5 HANDS-ON MIS PROJECTS
The projects in this section give you hands-on experience analyzing business
process integration, suggesting supply chain management and customer
relationship management applications, using database software to manage
customer service requests, and evaluating supply chain management business
services.
Management Decision Problems
1. Toronto-based Mercedes-Benz Canada, with a network of 55 dealers, did not
know enough about its customers. Dealers provided customer data to the
company on an ad hoc basis. Mercedes did not force dealers to report this
information, and its process for tracking dealers that failed to report was
cumbersome. There was no real incentive for dealers to share information with
the company. How could CRM and partner relationship management (PRM)
systems help solve this problem?
2. Office Depot sells a wide range of office products and services in the United
States and internationally, including general office supplies, computer supplies,
business machines (and related supplies), and office furniture. The company
tries to offer a wider range of office supplies at lower cost than other retailers
by using just-in-time replenishment and tight inventory control systems. It uses
information from a demand forecasting system and point-of-sale data to replen-
ish its inventory in its 1,600 retail stores. Explain how these systems help Office
Depot minimize costs and any other benefits they provide. Identify and
describe other supply chain management applications that would be especially
helpful to Office Depot.
Improving Decision Making: Using Database Software
to Manage Customer Service Requests
Software skills: Database design; querying and reporting
Business skills: Customer service analysis
In this exercise, you’ll use database software to develop an application that
tracks customer service requests and analyzes customer data to identify
customers meriting priority treatment.
Prime Service is a large service company that provides maintenance and
repair services for close to 1,200 commercial businesses in New York, New
Jersey, and Connecticut. Its customers include businesses of all sizes.
Customers with service needs call into its customer service department with
requests for repairing heating ducts, broken windows, leaky roofs, broken water
pipes, and other problems. The company assigns each request a number and
362 Part Three Key System Applications for the Digital Age
writes down the service request number, identification number of the customer
account, the date of the request, the type of equipment requiring repair, and a
brief description of the problem. The service requests are handled on a
first-come-first-served basis. After the service work has been completed, Prime
calculates the cost of the work, enters the price on the service request form,
and bills the client.
Management is not happy with this arrangement because the most impor-
tant and profitable clients—those with accounts of more than $70,000—are
treated no differently from its clients with small accounts. It would like to find
a way to provide its best customers with better service. Management would also
like to know which types of service problems occur most frequently so that it
can make sure it has adequate resources to address them.
Prime Service has a small database with client account information, which can
be found in MyMISLab. A sample is shown above, but the Web site may have a
more recent version of this database for this exercise. The database table includes
fields for the account ID, company (account) name, street address, city, state, ZIP
code, account size (in dollars), contact last name, contact first name, and contact
telephone number. The contact is the name of the person in each company who is
responsible for contacting Prime about maintenance and repair work.
Use your database software to design a solution that would enable Prime’s cus-
tomer service representatives to identify the most important customers so that
they could receive priority service. Your solution will require more than one table.
Populate your database with at least 15 service requests. Create several reports
that would be of interest to management, such as a list of the highest—and low-
est—priority accounts or a report showing the most frequently occurring service
problems. Create a report listing service calls that customer service representa-
tives should respond to first on a specific date.
Achieving Operational Excellence: Evaluating Supply
Chain Management Services
Software skills: Web browser and presentation software
Business skills: Evaluating supply chain management services
Trucking companies no longer merely carry goods from one place to another.
Some also provide supply chain management services to their customers and
help them manage their information. In this project, you’ll use the Web to
research and evaluate two of these business services.
Investigate the Web sites of two companies, UPS Logistics and Schneider
Logistics, to see how these companies’ services can be used for supply chain
management. Then respond to the following questions:
• What supply chain processes can each of these companies support for their
clients?
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 363
• How can customers use the Web sites of each company to help them with
supply chain management?
• Compare the supply chain management services provided by these compa-
nies. Which company would you select to help your firm manage its supply
chain? Why?
LEARNING TRACK MODULES
The following Learning Tracks provide content relevant to topics covered in
this chapter:
1. SAP Business Process Map
2. Business Processes in Supply Chain Management and Supply Chain Metrics
3. Best-Practice Business Processes in CRM Software
Review Summary
1. How do enterprise systems help businesses achieve operational excellence?
Enterprise software is based on a suite of integrated software modules and
a common central database. The database collects data from and feeds the
data into numerous applications that can support nearly all of an organiza-
tion’s internal business activities. When new information is entered by one
process, the information is made available immediately to other business
processes.
Enterprise systems support organizational centralization by enforcing uniform
data standards and business processes throughout the company and a single
unified technology platform.The firmwide data generated by enterprise systems
helps managers evaluate organizational performance.
2. How do supply chain management systems coordinate planning,
production, and logistics with suppliers?
Supply chain management systems automate the flow of information among
members of the supply chain so they can use it to make better decisions about
when and how much to purchase, produce, or ship. More accurate information
from supply chain management systems reduces uncertainty and the impact of
the bullwhip effect.
Supply chain management software includes software for supply chain plan-
ning and for supply chain execution. Internet technology facilitates the man-
agement of global supply chains by providing the connectivity for organizations
in different countries to share supply chain information. Improved communi-
cation among supply chain members also facilitates efficient customer
response and movement toward a demand-driven model.
3. How do customer relationship management systems help firms achieve
customer intimacy?
Customer relationship management (CRM) systems integrate and automate
customer-facing processes in sales, marketing, and customer service, providing
an enterprise-wide view of customers. Companies can use this knowledge
when they interact with customers to provide them with better service or to sell
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
MIS_KC_Laudon
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
MIS_KC_Laudon
- 1 - 50
- 51 - 100
- 101 - 150
- 151 - 200
- 201 - 250
- 251 - 300
- 301 - 350
- 351 - 400
- 401 - 450
- 451 - 500
- 501 - 550
- 551 - 600
- 601 - 650
- 651 - 677
Pages: