Page 4: Risk Assessment


Implementation of a large enterprise IT system will always present a series of risks for a firm. There are business risks associated with simply entering a contract with the vendor, as well as technical, privacy, and security risks.
 
 Overview of Risk 
 
One implementation risk is that a firm becomes contractually obligated to Oracle for a specified period, which limits flexibility and future options (Gallaugher, 2014, p. 903). If IVK were to become dissatisfied, as with Netifects, there may be monetary penalties for making changes to the contract. In addition, software as a service makes the client firm entirely dependent on the longevity and stability of the vendor for its own success. If Oracle's ability to provide services as contracted is ever in jeopardy, it could create potentially insurmountable switching costs for IVK (Gallaugher, 2014, p. 903). The amount of time it will take to implement Oracle, depending on what suite is purchased, may also be a risk factor. Oracle would likely take a waterfall approach to project management, which may overlook the specific needs of IVK.
Implementation complications or complete failure are also a real possibility. Keeping up with upgrades and being forced into new versions will cause additional cost, training, and possibly more errors as employees learn the new system (Gallaugher, 2014, p. 904). This poses a unique risk to IVK as a financial firm, since it must be able to ensure continuous compliance with all regulatory and legal requirements without disruption (Gallaugher, 2014, p. 830). IVK must have a plan for redundancy and disaster recovery in case of an outage and should be performing backups of its data (Gallaugher, 2014, p. 831). If IVK decides to use the cloud system, it must face the possibility that if internet connectivity is disrupted, operational application functionality will be lost as well (Gallaugher, 2014, p. 904).


Potential Privacy Issues  
 
Privacy issues arising from implementing Oracle ERP could impact customers, employees and vendors of IVK and its brand.   Oracle collects information from all parties through the use of cookies, embedded URLs and identifying physical locations of devices (Oracle, 2014).   
 
Customers 
  • If the misuse of customer information occurs, it could result in legal ramifications, loss of customer confidence, and decreased inquiries by potential customers.  
Employees
  • Employees may be negatively impacted if user access is not properly managed. Oracle ERP provides client firms the ability to manage their own user accounts, including role-based access control. However, designated user account managers may not be aware of what level of access is associated with the roles and responsibilities that they are assigning to employees.
Vendors
  • Privacy of vendor information may be vulnerable if it is shared by Oracle with third-party services which use the information to improve Oracle’s services (Oracle, 2014).
  • Conversely, as in the case of Target, third-party vendors could pose vulnerabilities that allow hackers to infiltrate through Oracle and ultimately to IVK.

Potential Security Issues 

The cloud platform of Oracle ERP exposes the system to numerous security vulnerabilities. InfoWorld’s article, titled “9 top threats to Cloud Computing Security”, identifies data breach, data loss and account commandeering as the three biggest threats of cloud computing (Samson, 2013). Also, in a complex SaaS system such as Oracle, patches prove to be difficult and time-consuming to implement due to the system's highly customizable nature (Higgins, 2012). The InfoWorld article also mentions that DDoS attacks, as well as insecure interfaces and shared technologies between the company and the cloud services, pose a significantly increased risk compared with operating on a private network and server. While the aforementioned risks are technical, the bigger risks exist within the user platform. Due to the customization available in Oracle ERP, each user is granted specific permissions. These permissions dictate which applications of Oracle ERP the user is permitted to view or interact with. If the permissions are set up incorrectly, the user may have access to copious amounts of information within the system that should not be available to them, which could pose risks in times of turnover and job changeover. Also, users could share passwords to gain unauthorized access to information. As a result of all these issues, security is considerably dependent on good leadership and accountability within the company to guarantee information is being properly managed by employees through education and training (Carver, 2014).



Risk in Relation to Estimated Benefits 
 
We've previously discussed how Oracle ERP can potentially deliver tangible benefits in terms of decreased administrative and operational costs, as well as increased sales. Intangible benefits that may be derived from a successful implementation are improved decision making through user dashboards and real-time analytics. In contrast to these benefits, many of the risks we've discussed are inherent vulnerabilities of any enterprise system and are not necessarily unique to Oracle. All firms must mitigate these sorts of IT risks through disciplined "security regimes" and accept this as a cost of doing business (Gallaugher, 2014, p. 1226). However, the greatest risk that offsets any potential benefit is Oracle's track record of running over budget and under-delivering on capabilities. A simple search for "Oracle ERP" on CIO.com generates a list of articles about firms that have not had a favorable experience. Here in Pennsylvania, the liquor control board saw profits drop 47% between 2008 and 2010 as the result of an Oracle ERP project "that failed to do what it set out to do," according to Jay Ostrich as cited by Kanaracus (2011). In another example, the United States Air Force spent $1 billion and close to ten years working on implementing Oracle ERP before canceling the project and walking away empty-handed (Kanaracus, 2013). To be fair, these examples are of enterprises with very different needs than IVK, and there are success stories as well, such as the restaurant chain Wendy's (Kanaracus, 2014). But with Oracle ERP topping the charts in terms of expense, IVK must be certain that they can deliver value as advertised. Oracle is a large vendor with an extensive client list, much like the fictional companies Netifects and SeroLith found in the Austin text. At this critical point for IVK, IT needs more assurance that a new enterprise system is responsive, affordable, and value generating.


 
References 
Aberdeen Group. (2007, July). The total cost of ERP ownership in mid-size companies. Retrieved from http://www.meritalk.com/uploads_legacy/whitepapers/Aberdeen-TCO_Midsize_COs_0707.pdf
Carver, C. (2014, September 30). Good old-fashioned leadership can help reduce IT security incidents. The Enterprisers Project. Retrieved from http://www.enterprisersproject.com/article/2014/8/good-old-fashioned-leadership-can-help-reduce-it-security-incidents
Gallaugher, J. (2014). Information Systems: A Manager's Guide to Harnessing Technology (2nd ed.). Flatworld Education. Retrieved from http://catalog.flatworldknowledge.com/bookhub/reader/12375?cid=#fwk-38086-chac
Higgins, K. (2012, February 23). New Oracle ERP vulnerabilities unmasked. Information Week. Retrieved from http://www.darkreading.com/risk/new-oracle-erp-vulnerabilities-unmasked/d/d-id/1137162
Kanaracus, C. (2011, August). Audit: Oracle ERP project racked with woes. CIO. Retrieved from http://www.cio.com/article/2405718/enterprise-resource-planning/audit--oracle-erp-project-wracked-with-woes.html
Kanaracus, C. (2013, January). Senate to probe failed air force software project as lawmakers call for stop to IT waste. CIO. Retrieved from http://www.cio.com/article/2388872/cio-role/senate-to-robe-failed-air-force-software-project-as-lawmakers-call-for-stop-to-it-waste.html
Kanaracus, C. (2014, April). Wendy's makes its Oracle ERP upgrade quick and tasty. CIO. Retrieved from http://www.cio.com/article/2377242/cio-role/wendy-s-makes-its-oracle-erp-upgrade-quick-and-tasty.html
Oracle privacy policy. (2014, February). Oracle. Retrieved from http://www.oracle.com/us/legal/privacy/privacy-policy/index.html
Samson, T. (2013, February 25). 9 top threats to Cloud Computing Security. Retrieved from http://www.infoworld.com/article/2613560/cloud-security/9-top-threats-to-cloud-computing-security.html
Sayana, S.A. (2014). Auditing security and privacy in ERP Applications. Retrieved from ISACA website: http://www.isaca.org/Journal/Past-Issues/2004/Volume-4/Pages/Auditing-Security-and-Privacy-in-ERP-Applications.aspx
