Business Process Review
Business Process Review (BPR) assesses the efficiency and effectiveness of administrative, financial and operational business processes, and evaluates the alternatives. BPR considers process effectiveness and efficiency, including the presence of appropriate controls, to mitigate business risk. BPR identifies opportunities for improvement, highlights areas of risk or control deficiency, and suggests “best practices” to spur company-wide performance. The BPR team partners with the client, who becomes a valuable contributor in the risk identification process.
A high-level analysis is conducted through discussions with management. Optionally, a more detailed analysis is conducted based on interviews with key personnel. The detailed analysis is recommended when management is unsure of the nature and extent of existing problems. The objective of the BPR is to identify opportunities for business process improvement, which are then evaluated from a business-case perspective. The detailed analysis will lead to a more accurate business case.
IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire), from a variety of sources ranging from natural disasters to terrorist actions. While many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization’s risk management effort, it is virtually impossible to completely eliminate all risks. In many cases, critical resources may reside outside the organization’s control (such as electric power or telecommunications), and the organization may be unable to ensure their availability. Thus, effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. Accordingly, in order for contingency planning to be successful, agency management must:
- Understand the IT Contingency Planning Process and its place within the overall Continuity of Operations Plan and Business Continuity Plan process.
- Develop or reexamine their contingency policy and planning process and apply the elements of the planning cycle, including preliminary planning, business impact analysis, alternate site selection, and recovery strategies.
- Develop or reexamine their IT contingency planning policies and plans with emphasis on maintenance, training, and exercising the contingency plan.
Business Continuity planning requires a thorough review of your organization's entire operation for safety and operational vulnerabilities. This business impact assessment (BIA) should cover not only day-to-day operations but also key suppliers, business and data partners, and infrastructure components that are deemed vital. Planning must include detailed contingency plans that will guide your organization in performing its critical functions during a disruption or disaster.
You must start the process by identifying all critical processes and by evaluating threats at every location, identifying all the key components, their interdependencies, and their relative importance.
This planning should include:
- A review of all hazards and threats that quantifies their potential impact.
- Triage to identify the processes, systems, functions, and partners that are most critical and most at risk.
- Development of contingency and disaster-recovery plans for each process.
- Identification of mitigation steps.
- A review of the functionality, practicality, and cost-benefit of the various contingency and recovery options.
- Crisis communication and notification plans for employees and stakeholders.
Contingency planning should be an integral part of your overall business continuity management process.
System Development Life Cycle (SDLC) Review
Companies spend millions of dollars each year on the acquisition, design, development, implementation, and maintenance of information systems vital to their various business and administrative functions. The need for safe, secure, and reliable system solutions is heightened by the increasing dependence on computer systems and technology to provide services and develop products, administer daily activities, and perform short- and long-term management functions. There is also a need to ensure privacy and security when developing information systems, to establish uniform privacy and protection practices, and to develop acceptable implementation strategies for these practices.
Companies need a systematic and uniform methodology for information systems development. Using the SDLC will ensure that the systems developed meet mission-critical IT objectives; are compliant with the current and planned Information Technology Architecture (ITA); and are easy to maintain and cost-effective to enhance. Sound life cycle management practices include planning and evaluation in each phase of the information system life cycle. The appropriate level of planning and evaluation is commensurate with the cost of the system, the stability and maturity of the technology under consideration, how well-defined the user requirements are, the level of stability of program and user requirements, and security considerations.
We have extensive experience in reviewing SDLC methodology compliance within our client companies and in recommending specific corrective actions to ensure that system development activities are carried out in the most efficient manner. We look at the activities performed in all stages of the SDLC. Our recommendations take into account benchmarking data from our project experiences with other client companies in similar industries.
Application Controls Review
Application controls are the controls over input, processing, and output of data associated with individual applications. An application controls review examines the methods and procedures designed for each application to ensure the authority of data origination, the accuracy of data input, integrity of processing, and verification and distribution of output.
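The three control layers named above (input, processing, output) are easiest to understand on a concrete batch. The following Python script is an added illustration, not code from the original page or from the firm it describes; the payment records, the authorised-originator list, the amount limit and the ledger format are all constructed for the example. It checks authority of origination and input accuracy on each record, carries batch control totals (record count, financial total and a hash total over account numbers) through processing, and then reconciles the output ledger against those totals so that a record lost or altered during processing is detected.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed for this example: users permitted to originate payments
# (the "authority of data origination" control) and a plausibility limit.
AUTHORISED_ORIGINATORS = {"ap-clerk-1", "ap-clerk-2"}
AMOUNT_LIMIT = Decimal("100000.00")


@dataclass(frozen=True)
class Payment:
    ref: str
    originator: str
    account: str      # expected format: 8 decimal digits
    amount: Decimal


def validate_input(p: Payment) -> list:
    """Input controls: origination authority, format check, range check."""
    errors = []
    if p.originator not in AUTHORISED_ORIGINATORS:
        errors.append("unauthorised originator")
    if not (p.account.isdigit() and len(p.account) == 8):
        errors.append("account must be 8 digits")
    if p.amount <= 0 or p.amount > AMOUNT_LIMIT:
        errors.append("amount out of range")
    return errors


def accept_batch(batch):
    """Split a batch into accepted records and (record, errors) rejections."""
    accepted, rejected = [], []
    for p in batch:
        errs = validate_input(p)
        if errs:
            rejected.append((p, errs))
        else:
            accepted.append(p)
    return accepted, rejected


def control_totals(records, amount_of, account_of):
    """Batch control totals: record count, financial total, and a hash total
    over account numbers (a meaningless sum that changes if a record is
    dropped, duplicated or substituted). Works on inputs and on outputs."""
    return {
        "count": len(records),
        "financial": sum((amount_of(r) for r in records), Decimal("0")),
        "hash": sum(int(account_of(r)) for r in records),
    }


def post_ledger(accepted):
    """Processing step: post each accepted payment as one ledger line."""
    return [{"ref": p.ref, "account": p.account, "debit": p.amount} for p in accepted]


def verify_output(accepted, ledger):
    """Output control: the ledger's totals must reconcile to the input totals."""
    expected = control_totals(accepted, lambda p: p.amount, lambda p: p.account)
    actual = control_totals(ledger, lambda l: l["debit"], lambda l: l["account"])
    return expected == actual


# Constructed sample batch: two valid records, one from an unauthorised
# originator, one with a malformed account number.
SAMPLE_BATCH = [
    Payment("P001", "ap-clerk-1", "12345678", Decimal("250.00")),
    Payment("P002", "ap-clerk-2", "87654321", Decimal("1200.50")),
    Payment("P003", "intern-9", "11112222", Decimal("99.00")),
    Payment("P004", "ap-clerk-1", "1234", Decimal("10.00")),
]


def run_sample():
    """Run the batch end to end; also show the output control catching a
    ledger that lost a record during processing."""
    accepted, rejected = accept_batch(SAMPLE_BATCH)
    ledger = post_ledger(accepted)
    tampered = ledger[:-1]          # simulate one record lost in processing
    return {
        "accepted": len(accepted),
        "rejected": len(rejected),
        "output_ok": verify_output(accepted, ledger),
        "tampered_ok": verify_output(accepted, tampered),
    }


if __name__ == "__main__":
    print(run_sample())
```

Running the script prints that two records were accepted, two rejected, the intact ledger reconciles and the truncated one does not. The hash total is the piece auditors most often look for: because it sums a non-financial field, it catches a substituted account number even when the financial total and record count still agree.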
Enterprise Resource Planning (ERP) Pre/Post Reviews
Companies expend significant time and cost in selecting an appropriate enterprise resource planning (ERP) system to support their business processes and management decision making. Such a selection is never easy. It requires significant coordination of the various requirements from different functional departments. These requirements have to be carefully tallied and matched against the ERP software's capabilities to ensure that the software selected will truly meet the company's needs. There are numerous ERP systems on the market, and thus this selection task has become even more critical, since selecting the wrong system can be inordinately expensive for a company, no matter what