Monday, December 17, 2012

Strategy Assessment Methods: SWOT



 

By John Kyriazoglou

 

The following methods and techniques may be utilized for the analysis, assessment and evaluation of the strategy of any type of organization. The evaluator may use only one method, or more than one, depending on his (or her) experience and situation.

These methods and techniques are:

SWOT analysis,

PEST Analysis (also known as PESTLE Analysis),

Gap Analysis,

Portfolio analysis,

Value chain analysis,

Delphi Method,

Life cycle analysis,

Screening strategic options,

Financial analysis,

Scenario planning,

Critical success factor analysis,

The five forces,

Directional Policy Matrix, and

Competitor Analysis.

 

This post describes SWOT. Other future posts will deal with the rest of these methods and techniques.

 

SWOT analysis

 

The SWOT analysis (strengths, weaknesses, opportunities, threats) is one of the most popular. This involves looking at the strengths and weaknesses of your business' capabilities, and any opportunities and threats to your business.

 

Once you've identified all of these, you can assess how to capitalise on your strengths, minimise the effects of your weaknesses, make the most of any opportunities and reduce the impact of any threats.

 

It's important to remember that opportunities can also be threats - for example, new markets could be dominated by competitors, undermining your position. Equally, threats can also be opportunities - for example, a competitor growing quickly and opening a new market for your product or service could mean that your market expands too.

 

A SWOT analysis can provide a clear basis for examining your business performance and prospects. It can be used as part of a regular review process or in preparation for raising finance or bringing in consultants for a review.

 

Once you have collected information on your organisation's internal strengths and weaknesses, and external opportunities and threats, enter this data into a simple table.

 

Use the following questionnaire to help you to carry out a SWOT Analysis.

 

Strengths

 

1. What advantages does your organization have?

2. What do you do better than anyone else?

3. What unique or lowest-cost resources can you draw upon that others can't?

4. What do people in your market and industry see as your strengths?

5. What is the unique selling point of your company?

 

Weaknesses

 

1. What processes could you improve?

2. What should you avoid or minimize?

3. What are people in your market and industry likely to see as your weaknesses?

4. What factors, conditions or circumstances lose you sales?

 

Opportunities

 

1. What good opportunities can you foresee?

2. What interesting trends or inventions are you aware of?

3. What useful opportunities can come from technology, systems, production processes or social patterns that you can take advantage of?

 

Threats

 

1. What difficulties and obstacles do you face?

2. What are your competitors doing?

3. Are quality standards or specifications for your job, industry, products or services changing?

4. Is changing IT or other technology threatening your position?

5. Do you have bad debt or cash-flow or other financing problems?

6. Could any of your weaknesses seriously threaten your business?

 

Friday, December 14, 2012

Pre-Announcement: Business Management Controls Book


Please see following link for reviewing (and purchasing) my new book on business controls.

 


 

Regards,

 

John Kyriazoglou, CICA, B.A (Hon-University of Toronto),

Business Thinker, Consultant and Author of several books on IT, business controls and ancient Greece (see Amazon) with over 35 years of international experience (Canada, England, Greece, other countries).

Editor-in-Chief for the Internal Controls Magazine (U.S.A.)

Member of the Board of Directors of Voices of Hellenism Literary Society (U.S.A.)





SSRN Free Publications: http://ssrn.com/author=1315434

OECD IT Security Guidelines


John Kyriazoglou*
Establishing the IT security guidelines and standards (in general terms) for the specific organization should be done by the IT committee and ratified by the board. These standards could follow international guidelines and frameworks issued by organizations such as OECD, NIST (U.S.A.), European Union, IATF, ISO (ISO/IEC 17799, ISO/IEC 27001, ISO 13335, ISO 15408), U.S. Federal Information Processing Standard (FIPS 140), etc.

I have used the following security principles of OECD in my IT security projects and particularly when large public or private organizations are involved.

PRINCIPLE 1: Awareness. Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.

PRINCIPLE 2: Responsibility. All participants are responsible for the security of information systems and networks.

PRINCIPLE 3: Response. Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.

PRINCIPLE 4: Ethics. Participants should respect the legitimate interests of others.

PRINCIPLE 5: Democracy. The security of information systems and networks should be compatible with essential values of a democratic society.

PRINCIPLE 6: Risk assessment. Participants should conduct risk assessments.

PRINCIPLE 7: Security design and implementation. Participants should incorporate security as an essential element of information systems and networks.

PRINCIPLE 8: Security management. Participants should adopt a comprehensive approach to security management.

PRINCIPLE 9: Reassessment. Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.

 


John Kyriazoglou (jkyriazoglou@hotmail.com)

John Kyriazoglou, CICA, B.A (Hon-University of Toronto)

International IT and Management Consultant, author of several books



SSRN Free Publications: http://ssrn.com/author=1315434

 

 

Wednesday, November 28, 2012

Free IT-Business Alignment Book


Please check out the following two links. They contain my latest free e-book on how to align your IT systems to your business operations better.


http://bookboon.com/en/business-ebooks/it/it-business-alignment-part-i


http://bookboon.com/en/business-ebooks/it/it-business-alignment-part-ii


Regards,


John Kyriazoglou



Wednesday, November 14, 2012

IT CONTROLS EVALUATION AUDIT PROGRAM


Here is an audit program you may use if you want to manage and improve your IT operations.

The objective of the checklists contained in this audit program is to support, enable and facilitate IT managers in establishing better the IT function and its components and auditors in evaluating the organizational, security and performance aspects of the IT function of the organization.

IT Terms of Reference Checklist

1. Is the CIO/IT Manager reporting to the official / organizational responsibility centre of the IT unit?
2. Are the Terms of Reference detailed enough and tailored to the specific activities of each IT function/department and responsibility centre?
3. Are the Board members and/or executive management of the Company/Organization familiar with these terms of reference and have they been ratified at the appropriate executive / board level?
4. Are the IT department managers familiar with these terms of reference?
5. Are the IT department personnel familiar with these terms of reference?
6. Are the IT user managers familiar with these terms of reference?
7. Are the IT users familiar with these terms of reference?
8. Are these terms of reference aiding the IT managers and staff in discharging their duties?
9. Are these terms of reference known to the external stakeholders of IT (maintenance vendors, society interest groups, community groups, regulatory agencies, etc.)?
10. Is the IT function structured effectively to serve the Organization and its divisions / functions: as a separate division, or as a part of another division, or interfacing with an outsource entity, or shared service among several departments, or a combination of above, or a separate company with its own Board of Directors, and at the right organizational and responsibility level?



IT Performance Assessment Checklist

1. IT Performance Policy: Obtain a copy of the IT performance policy and review it with IT management.
2. Assess the validity of this policy, its usage, and the level to which it is applied (criteria, user satisfaction, etc.).
3. Operational Statistics: Obtain machine statistics for the systems running in the data centre.
4. Performance Reporting: Assess how IT management records operational statistics on equipment and system availability and downtime, and how these processing problems (and their resolution) are communicated to end-users and top management.
5. Carry out, if possible, a comparative cost analysis of this IT department against the other IT units of the Group.
6. Hardware Capacity Planning: Assess the computer performance and capacity planning process, especially for computer hardware upgrades.
7. Review the IT Governance Framework.
Consider the following issues: the IT Governance framework should be established and communicated to all. Examine whether the IT Governance framework is aligned with a standard model such as COBIT/ISACA or the ITIL model.
8. Review the Key Performance Indicators and their effectiveness for the particular IT function audited.
Consider the following IT performance measures:
Development / maintenance activity: worth to users of the functions developed, number of lines coded / tested / changed, hours spent on maintenance (per person, per program).
Operational performance: timely delivery of reports to users, average response time, average availability time, volume of data stored, mean time between failures, number of lines printed, volume of data maintained, number of on-line transactions processed.
Financial performance: adherence to budget, expenditures on maintenance vs. new development, expenditures on preventive maintenance, ratio of administrative (staff) costs to production (line) costs.
Human resource management: turnover ratios, training per employee (amounts, hours), average tenure within the company.


IT Security Assessment Checklist

Basic Management Issues

1. Determine who has responsibility for IT Security for the organization and assess whether it is the right level of management.
2. Ensure that procedures for the preparation, approval, and monitoring of IT strategic plans are implemented and these plans are in alignment with the strategic plan of the organization.
3. Examine the organizational security policy and compare it to the IT security policy to ensure that both of these serve the same purpose and needs.
4. Ensure that the IT security policy contains at least data classification and security penetration testing for all critical IT systems and services.
5. Assess the IT management reporting method to ensure that all IT issues are reported and monitored.
6. Assess the operation of the IT review mechanisms between end-users and IT, such as the IT Steering Committee, User Liaison Group and Project Steering Committee.
7. Review the resolution procedures for security problems and ensure that these resolve all reported security incidents satisfactorily.
8. Ensure that all security issues are made known via written reports and discussions to higher levels of management, including the board members.
9. Ensure that the evaluation of information security status is executed on the basis of: self-assessments, onsite audit reviews, penetration testing, onsite technical evaluations, ethics assessments, data quality testing, and best practice benchmarking.

Human Resource Management

1. Review the organizational charts and job descriptions to ensure that there is adequate segregation of duties in terms of security issues.
2. Review the training and education programs and budget to ensure that all personnel have been given the approved training on security related matters.
3. Assess the effectiveness of support provided by IT and other security mechanisms to the end-users on IT security issues.

IT Procurement Procedure

1. Review the IT procurement policy and procedures to ensure that all IT purchases are examined from the security perspective.
2. Review a good sample of IT purchase documentation to ensure that the formal IT policy and procedures are being implemented properly.
3. Review the major IT hardware and software contracts to ensure that the formal IT policy and procedures are being implemented properly.
4. Review the Computer Insurance policy of the organization to ensure that major risks of IT hardware and software systems are covered adequately.

Contingency Planning

1. Review the IT contingency plan and ensure that all critical IT systems are covered.
2. Ensure that this plan is reviewed and tested on a periodic basis.
3. Review the backup policy and procedures to ensure that these are adequately implemented and monitored by IT management.
4. Review the backup register to ensure that this is kept up to date.
5. Review both the onsite and offsite vault procedures.

I.T. Legislation Compliance

1. Determine which national and international laws and regulations pertaining to IT issues are relevant to the organization.
2. Ensure that proper licenses exist for all IT software and hardware purchased.
3. Test compliance with IT legislation, including data privacy and copyright issues.

Physical and Environmental Controls

1. Ensure that physical access controls are enforced in accordance with the corporate security policy and professional practices for the following: Wholly owned buildings, Shared buildings, Central computer room and server rooms, Personal computers and work stations, Peripheral equipment, such as: modems, routers, printers, etc., Magnetic and other digital media, and Technical manuals and documentation.
2. Ensure that management controls are enforced to protect buildings, personnel, equipment and media in accordance with the corporate security policy, vendor guidelines, and professional health and safety practices against the following: fire, flood, power fluctuations, static electricity, storms, food and beverage accidents, etc.

System Development and Maintenance

1. Assess the system development and maintenance procedures to ensure that they are adequate in terms of security in all phases, such as: Analysis, design, construction, testing, implementation, and support.
2. Review the system development and maintenance procedures to ensure that all phases are signed off by the key end-users.
3. Review the programming standards to ensure that they handle the security issues related to interfacing with other operating system software and application systems.
4. Review the program library maintenance procedures to ensure that all programs are fully tested and their movement to production status approved before they are transferred to the production library.

Data Center Operations

1. Assess the adequacy of controls to ensure that the correct production files are used in all application systems running in the data center.
2. Review all logs to ensure that all events are recorded and monitored.
3. Assess the adequacy of backup and recovery procedures.
4. Assess the adequacy of external party maintenance and support procedures.

Software and data security

1. Ensure that general procedures and specific measures are implemented to protect against unauthorized access to the system, its utilities, the program libraries, the system and application software, the data files, etc.
2. Assess the adequacy of the general procedures and specific measures implemented to protect against unauthorized access to the system, its utilities, the program libraries, the application software, the data files, etc.
3. Ensure that passwords are used for each set of users and corresponding applications and for each class of actions (update, delete, read, remote access, etc.) and that these passwords are changed according to the corporate password policy.
4. Ensure that users cannot run their own programs to access production libraries and production data.
5. Ensure that IT personnel cannot access production data without specific authorization.

For more on IT controls, see my books:
IT Strategic & Operational Controls,
available at Amazon and IT Governance

Regards,

Friday, October 19, 2012

Manage and Improve Your Business Relationships


By John Kyriazoglou*

Managing your professional and business relationships is a critical issue in dealing with your people (staff, partners, customers, authorities, colleagues, etc.) in any business environment. A relationship takes a significant amount of time to build and can be broken in just an instant.

Is it possible to manage, improve and sustain your business relationships?
The answer is YES! But you have to ACT immediately.
Don’t let one or more mistakes in judgment turn into a failure of your character.


I would suggest that you take the following actions and use the behavioral dimensions noted next:


1. Sensitivity. Show sensitivity by avoiding personal comments and do not criticize, condemn or complain to anyone.

2. Collaboration. Make your goal the habit to work together harmoniously, show patience and maintain good relationships with everyone (colleagues, supervisors, senior management, customers, authorities, etc.).

3. Honesty. Be interested in others (colleagues, supervisors, senior management, customers, etc.) with sincerity, always showing friendship, goodness and love to all.

4. Respect. Remember that it is the sweetest sound in any language when you address the other person with friendship and love.

5. Politeness. Address the other person always in plural terms, unless the other person allows you to speak in the singular.

6. Silence. Use silence appropriately. Be careful how long you talk so that you do not become wordy and boring.

7. Importance. Make the other person feel important to you, and you do that with sincerity.

8. Opinion. Show respect for the opinion of others and do not tell them that they are wrong.

9. Errors. When you are in error, accept it quickly and emphatically and apologize with honesty.

10. Conversation. Start a conversation in a friendly and pleasant manner.

11. Sympathy. Express your sympathy to the other person.

12. Humor. Keep your humor within acceptable social boundaries while rejecting slander and vulgarities.

13. Appreciation. Relate to the other person by using praise, appreciation and honesty.

14. Time Management. Examine your activities in accordance with the values of love and friendship, and your obligations. Spend 60% of your time in critical non-emergency activities, 30% of your time in critical and emergency activities, and the remaining 10% of your time in uninteresting activities.

15. Rejection. Learn to say a friendly "no" when others attempt to load you with activities that are not aligned with your needs, your vision, your mission and your values.

16. Positive Thinking. Use positive and friendly thinking to manage all the events, issues, problems and facts related to your business life and take preventive action when it is required on your part.

17. Priority. Perform your activities based on the priorities set by you and the time requirements of your life, while also reinforcing the values of justice, goodness, fairness, love and friendship.

18. Participation. Participate in social groups, professional societies and corporate volunteering (unpaid) activities on the basis of love and friendship.

19. Ethics. Understand and know your personal limits and the limits of your business organization.

20. Quality. Do not take on more responsibility and tasks than you can do with absolute quality, and execute your tasks and deliver your work, studies, services, etc., within well-accepted time and cost limits and to the best quality, technical and scientific standards.

 
Will these improve your relationships? Yes, if you act with honesty, love, friendship and self-control.

 

*John Kyriazoglou (jkyriazoglou@hotmail.com)

John Kyriazoglou, CICA, B.A (Hon-University of Toronto),

International IT and Management Consultant (with over 35 years of experience),

Editor-in-Chief for the Internal Controls Magazine, www.theiic.org

Author of several books:

(1) ‘IT Strategic and Operational Controls’, Publisher: www.itgovernance.co.uk


(2) ‘Addendum to IT Strategic & Operational Controls’

This book contains over 60 IT audit programs and checklists covering all IT audit areas.

Direct Link: www.itgovernance.co.uk/products/3143

(3) ‘Corporate Strategic and Operational Controls’, Publisher: www.theiic.org

with Dr. F. Nasuti and Dr. C. Kyriazoglou.


(4) ‘Implementing Management Controls for Small and Medium-Size Companies’

AMAZON Kindle Books: www.amazon.com


(5) ‘Business Management Controls: A Guide’, Publisher: www.itgovernance.co.uk

Expected to be published within 2012

(6) ‘Pearls of Wisdom of the 7 Sages of Ancient Greece’

AMAZON Kindle Books: www.amazon.com




SSRN Free Publications: http://ssrn.com/author=1315434