Division of Research
Graduate School of Business Administration
The University of Michigan
September 1985

MANAGEMENT RESPONSIBILITIES FOR COMPUTERIZED SYSTEMS IN THE FINANCIAL SERVICES INDUSTRY
Working Paper #442
Dennis G. Severance
University of Michigan

FOR DISCUSSION PURPOSES ONLY
None of this material is to be quoted or reproduced without the expressed permission of the Division of Research.


MANAGEMENT RESPONSIBILITIES FOR COMPUTERIZED SYSTEMS IN THE FINANCIAL SERVICES INDUSTRY

by Dennis G. Severance
Arthur Andersen Professor of Computer & Information Systems
Graduate School of Business Administration
University of Michigan
Ann Arbor, Michigan 48109-1234

Abstract

A recent survey of some 200 managers in 25 financial institutions suggests a lack of fundamental management controls over the use of computer-based systems. There is a clear need for line managers to become more deeply involved in their organization's use of computers and to hold the MIS function more formally accountable for providing the quality of computer services required for long-term survival in the financial services industry. This paper examines the causes of the current state of affairs and proposes a series of steps for executive management concerned about the problem.


1. INTRODUCTION

A recent survey of some 200 managers in 25 financial institutions suggests a lack of fundamental management controls over the use of computer-based systems. There is a clear need for line managers to become more deeply involved in their organization's use of computers and to hold the Management Information Systems (MIS) function more formally accountable for providing the quality of computer services required for long-term survival in the financial services industry.

2. BACKGROUND TO THE STUDY

For the past six years the Business School at the University of Michigan has conducted research into current management practices and executive concerns in U.S. corporations. A 1980 study focusing on management controls revealed surprising anxiety over corporate use of computers [1]. A questionnaire motivated by the Foreign Corrupt Practices Act and distributed to the chief financial officer (CFO) in large corporations was returned by 673 firms. In response to the question: "Which of your company's activities cause you the greatest concern from an internal control point of view?" 61 percent responded "electronic data processing."

Subsequent interviews with 350 executives in 50 randomly selected Fortune 1000 corporations provided insights into the nature of this concern. Interviews with the CFO, chief internal auditor, chief information officer, and a variety of operating executives identified a dilemma. On the one hand, business managers today are compelled by competitive pressures to apply the productivity leverage offered by computers; on the other hand, they are aware of the very real potential for computer system failure. As itemized in Exhibit 1, the interviewees expressed concerns over both operating disasters and competitive disadvantage.

A 1983 study consolidated advice for dealing with this dilemma [2].
This time we selected 12 Fortune 100 companies which were reputed to be well-managed, and solicited advice for assuring adequate, efficient and reliable computing systems. The chief executive officer, the chief information officer (CIO), the executive to whom the CIO reported (typically the CFO), and the director of internal audit were interviewed. At the heart of their advice was the need for a clear statement of responsibilities for both the providers and the consumers of computer services. Exhibit 2 summarizes 14 major responsibilities assigned to the chief information officer by the executives in our study. Exhibit 3 defines comparable responsibilities of line management.

Exhibit 1
SENIOR MANAGEMENT CONCERNS

POTENTIAL DISASTERS
o Interruption of Business Activities
o Destruction of Accounting or Control Records
o Material Inaccuracies in Accounting or Control Records
o Manipulation of Accounting and Control Records
o Exposure of Sensitive Corporate Information

COMPETITIVE DISADVANTAGE
o Erosion of Business Position Due to Obsolete Systems
o Inefficient Use of Computer Resources
o Excessive Computer Expenditures
o Unresponsive Information Systems Function
o Dissipation of Management Energy

Exhibit 2
CHIEF INFORMATION OFFICER'S RESPONSIBILITIES

A. Foster management understanding of the capabilities and the limitations of computers and information systems.
B. Provide information systems counsel and education to line management and their personnel.
C. Track and disseminate information on technological developments which may impact the corporation.
D. Interpret information system implications of the long-range business plans of the corporation.
E. Develop and advocate long-range information system plans which are needed to support the stated mission and strategic objectives of the corporation.
F. Develop standards and common systems required by these long-range plans.
G. Support timely and accurate analysis of line management's computer requirements.
H. Establish procedures which assure reliable development or acquisition of new systems.
I. Provide technical support and advice to line management in the testing and installing of new systems.
J. Assure efficient and reliable operations of all existing systems.
K. Assure timely modification of existing systems.
L. Develop policies, plans and schedules to reliably direct day-to-day operations.
M. Manage the MIS staff through personnel procedures which assure an adequate, competent and loyal staff.
N. Establish procedures to assure adequate, efficient, and reliable computer facilities.

Exhibit 3
LINE MANAGEMENT RESPONSIBILITIES

A. Remain informed regarding the potential impact of technology upon the operations, products, and services of the line function which they manage.
B. Develop specifications and justification for new information systems required to support their line function.
C. Manage the development of new systems once approved.
D. Analyze risks to assets affected by information systems and define control requirements for their adequate protection.
E. Define and plan testing and conversion procedures for new systems before they are implemented.
F. Assure adequate testing and documentation of all systems affecting their line function.
G. Take reasonable steps to assure compliance with all system control procedures.
H. Establish contingency plans for loss of computerized systems which support their line function.
I. Classify all data stored by MIS according to its importance and confidentiality so that it can be protected accordingly.
J. Assure that data are provided with appropriate integrity, privacy and recoverability safeguards.
K. Evaluate the quality of MIS services on a regular and formal basis.

3. A SURVEY OF THE BANKING INDUSTRY

A study was undertaken earlier this year to determine how well the executive prescription for management of computer systems was currently followed in the banking industry. A survey of management attitudes toward information systems and services was performed in 25 financial institutions participating in a Banking and Financial Services Executive Program at the University of Michigan. In each organization, a questionnaire was distributed to the president, four senior line managers, the chief information officer, and two of the CIO's immediate reports. In total, the questionnaire was returned by 52 MIS and 144 non-MIS respondents. The questionnaire itself consisted of approximately 150 questions grouped into 7 major topic areas:

o Respondent Profile
o Bothersome Aspects of MIS Service
o Important Enhancements to MIS Service
o Personal Computing Needs
o Critical Factors of Success for MIS
o Critique of MIS Responsibilities
o Critique of Line Manager Responsibilities

The MIS respondents to our survey reported a higher knowledge of data processing and greater confidence in the adequacy of this knowledge to support their work than did the non-MIS executives. They rated the performance of the MIS function highly and substantially underestimated the level of dissatisfaction reported by their users.

Heading the list of bothersome aspects of MIS services reported by the non-MIS managers were slow and expensive processes for developing new systems and for modifying existing systems. The large backlog of service requests and a perceived lack of fair priority given to their personal requests were also of significant concern. Potential service enhancements considered most valuable were (a) coordination of a long-range plan for computing in the financial institution, (b) reduction of current operating expenses, and (c) a variety of steps to facilitate personal computing outside of the MIS function.
To gain some insight into types of changes that might improve the quality of MIS services, all respondents were asked first to rate the importance of 26 service and organization factors which might affect the success of the MIS function and then to rate the current quality of each factor. While again, MIS gave themselves higher performance marks in all areas than they were given by the line managers, there was a surprising agreement among the groups in identifying those areas where the gap between rated importance and current performance was greatest. Three factors were in the top four items in both lists:

o MIS responsiveness to service requests of line managers.
o Ability of MIS director to communicate with line managers.
o Ability of MIS staff to communicate with line managers.

The fourth item for line managers was:

o The attitude of MIS staff in providing service;

while the item which topped the MIS list was:

o MIS access to the strategic plans of the organization

Interestingly, the areas in which line managers rated MIS performance highest were all operational in nature:

o Assuring the physical security of the computing facility.
o Maintaining data accuracy, privacy and recoverability.
o Minimizing times when the computer is down.
o Management skills of the MIS director.
o Efficient operation of computer hardware.
o On-time delivery of scheduled reports.

On the other hand, the lowest ratings were given in areas which required MIS directors to look outward from their department:

o Involvement of line managers in establishing MIS policies.
o Assuring line management understanding of computer concepts, capabilities and limitations.
o Involvement of line managers in setting MIS priorities.
o Delivering new systems on time.

Each of these areas was rated important by the line managers, while performance was considered to be inadequate.

4. PROBLEMS IN THE MANAGEMENT AND USE OF INFORMATION RESOURCES

The survey results of particular interest to us here summarize management's attitudes toward both the CIO and line management responsibilities listed in Exhibits 2 and 3. Each respondent was asked first to rate the appropriateness of each assignment, and then to rate the quality with which the responsibility was currently carried out in his or her company. To compare your own opinions with those of our sample, you might wish at this point to return to those Exhibits and score each item with two numbers using the following scales:

Rating   Appropriateness          Performance
1        Totally inappropriate    Poor or not done
2        Somewhat inappropriate   Weak
3        Neutral                  Adequate
4        Reasonably appropriate   Good
5        Very appropriate         Excellent

The views of the non-MIS executives toward the "CIO Responsibilities" are summarized by the graph shown as Figure 1.
Average PERFORMANCE and APPROPRIATENESS ratings for the 14 responsibilities are represented by the letters A through N assigned in Exhibit 2. For example, the letter B in Figure 1 corresponds to the Exhibit 2 responsibility: "B. Provide information systems counsel and education to line management and their personnel."

[Figure 1: NON-MIS RESPONDENTS. Horizontal axis: APPROPRIATENESS; vertical axis: PERFORMANCE. Points labeled A through N; plot not recoverable.]

The (appropriateness, performance) coordinates of (4.3, 2.6) shown by the graph indicate that the responsibility is quite appropriate, and that performance is less than adequate. In general, a symbol falling significantly below the main diagonal in the figure suggests inadequate performance, while symbols above the diagonal may be receiving too much attention. The five CIO responsibilities requiring greatest additional attention are:

C  Track and disseminate information on technological developments which may impact the corporation.
E  Develop and advocate long-range information systems plans to support the strategic objectives of the corporation.
B  Provide information systems counsel and education to line management and their personnel.
J  Assure efficient and reliable operation of all existing systems.
A  Foster management understanding of the capabilities and limitations of computers and information systems.

The exact ratings given by the line managers are shown below together with those of the MIS respondents. We notice substantial agreement on the appropriateness rating, but significant disagreement on the quality of performance:

Ratings of CIO Responsibilities

        Line Management              MIS Respondents
Item    Appro   Perform   Differ     Appro   Perform   Differ
C       4.33    2.64      1.69       4.52    3.41      1.11
E       4.47    2.79      1.68       4.71    3.52      1.19
B       4.27    2.62      1.65       4.33    3.08      1.25
J       4.94    3.31      1.63       4.71    4.29      0.44
A       4.40    2.80      1.60       4.62    3.50      1.12

The rating of "Line Management Responsibilities" in Figure 2 suggests a comparable need for attention. In their self-evaluation, the line managers identified the following five responsibilities as having the greatest need for improvement:

K. Evaluate the quality of MIS services on a regular and formal basis.
A. Remain informed on the potential impact of technology upon the operations, products and services of their line function.
B. Develop specifications and justification for new information systems required to support their line function.
I. Classify data stored by MIS according to its importance and confidentiality so that it can be protected accordingly.
H. Establish contingency plans for loss of computerized systems which support their line function.

[Figure 2: ratings of line management responsibilities; axis label PERFORMANCE. Plot not recoverable.]

The differences in appropriateness and performance shown below for these items strongly suggest a need for line managers to become more deeply involved in their organization's use of computers and to hold MIS more formally accountable for providing the quality and type of computing services that they require. The even poorer ratings of current performance given by the MIS respondents make the point more obvious.

Ratings of Line Management Responsibilities

        Line Management              MIS Respondents
Item    Appro   Perform   Differ     Appro   Perform   Differ
K       4.02    2.29      1.73       3.94    2.29      1.69
A       4.31    2.71      1.60       4.24    2.70      1.54
B       3.80    2.50      1.30       4.04    2.45      1.59
I       3.91    2.62      1.29       4.02    2.43      1.59
H       3.64    2.49      1.15       3.58    1.96      1.62

5. SOURCE OF THE PROBLEMS

Two problems are obvious from the survey. First, the MIS respondents had an inflated opinion of the quality of the services that they are providing for their customers. Second, line management responsibilities considered to be important by all respondents were inadequately performed. Both problems arise from the failure of executive management, first, to assign these responsibilities clearly and, second, to monitor and reward performance appropriately. The reasons for this can be understood if one traces the evolution of computer-based systems in the banking industry.

Computerization began simply with the introduction of mechanical methods to support back room operations, and evolved with the use of electronic means to accomplish the same tasks even faster and more economically. It has culminated, however, in uses of computers which have totally restructured the way in which banks plan, produce, and deliver their products and services.
The effects of computerization are no longer confined to back room operations and yet management roles have not been redesigned to reflect this reality. The original applications of computers were technologically simple and tied in with conventional operating and accounting practices. Electronic data processing was impressive for the speed with which quantities of transactions could be posted, but it did not affect traditional relations between front office services and back room operations. The computers did what operations staff used to do; they simply did it faster and more efficiently. They were easily assimilated.

A continued search for speed, economy and customer service, however, soon expanded computer applications far beyond processing of many simple transactions. New integrated applications consolidated customer files, blurred organizational boundaries, linked banks into external databases, introduced new processing concepts and terminology, and very soon excluded from any real understanding of the mechanics of the process all those who were not computer specialists. Almost unconsciously and without consideration of the consequences, increased use of computers had resulted not only in computer addiction, but also in confusion in management roles and responsibilities. Who, after all, is responsible for the justification, implementation and operational integrity of a computer-based system which is intimately involved in the customer services provided by a line function? Is it the CIO or the line manager? If we answer "the CIO" as many organizations have in the past, we saddle him with a herculean job. First, as the CIO he has a staff of technical experts in an evolving technological environment who must be directed and supervised. Second, he must control and efficiently manage the facilities, hardware, programs, and data which support the day-to-day operations of the bank and which constitute a major operating expense. Third, the CIO must interface with functional managers on their needs for the design of new systems and the maintenance of old systems, and then establish development priorities within current resource constraints. Finally, the CIO must anticipate and provide for the financial institution's future needs, including innovative applications of computer technology intended to yield competitive advantages. The position requires balancing short-term operational efficiency and reliability, with long-range planning and R&D investments. Like it or not, these are strategic decisions for the entire bank. Who is qualified to fill such a position?
It is not difficult to find a manager of computer operations, that is, someone who can schedule and execute established computer runs reliably and efficiently. Doing what we do today a little better is not generally a difficult task, however important it may be. The harder problem is to establish an effective dialogue between the operating managers that enables them to define, coordinate, and prioritize their present needs, and to anticipate and prepare for their future needs. On the one hand, to manage a group of highly trained specialists and, on the other, to keep abreast of all the developments within the company that have implications for present and future system needs calls for a rare combination of experience and talents. Yet the scope and complexity of the CIO's assignment are seldom appreciated by other members of management. Rather, he is often viewed as the head technician in charge of back room operations. In many organizations, the CIO reports at such a low level that he is not privy to information required for effective long-range planning. He is seldom a member of the corporate planning team or operating committee, and may have only a vague notion of what the company's product and operating expectations are, even for the near future. The operational pressures of his job and his reputation as a technical person tend to insulate him from exchanges on strategic direction with senior executives. And yet he is expected to respond in a timely fashion to management requests for computer support of these plans.

Ironically, the line managers for whom systems are built are often so busy with the host of functional problems which the new systems are intended to relieve that they have insufficient time to be seriously involved in the specification, design, and development of their new systems. As a result many changes in specifications occur both during and after development. Since a line manager may have little understanding of how computer systems are developed, he is often unable to appreciate that a change in specifications, once development has begun, is generally expensive and time consuming and may well be impossible. The CIO is often a convenient scapegoat for the resulting development problems. Similarly, most line managers do not appreciate the impact that their requirements may have on the rest of the organization, especially when a common data base is affected. What sounds to them like an easy request for additional information often results in restructuring that has cascading effects on other systems. The CIO finds himself in the unenviable position of either rejecting the request or of imposing unwanted changes on others. He faces a "no-win proposition"; a disgruntled line manager, for whatever reason, is a career-terminating force to be reckoned with. Much of this comes about, I have found, because line managers in financial institutions tend to know less about information systems than about any other function of the company. Both because it is foreign to them, and because it is technical and continually changing, they have little inclination to improve their understanding. Their plate is full of other obligations and "computers," after all, are not their responsibility.

6. IMPLICATIONS FOR MANAGEMENT ACTION

If I am correct in arguing that the management problems highlighted by our survey stem from a failure to assign appropriate responsibilities, then the following steps are reasonable for executive management concerned about the possibility of such problems within their organization. First, be sure that the problem is real. Through formal and informal discussions, gather facts and perceptions from managers involved with or affected by information systems. Their reactions to this article, a formal evaluation of MIS services, or a questionnaire rating of the appropriateness of the management responsibilities of Exhibits 2 and 3, would make a good starting point. The goal is to initiate a dialogue to explore opportunities, differences of understanding, reasons for complaints, and evidence of tasks performed well. Very likely, these discussions will initially draw out only symptoms of underlying problems such as "our systems are always late," "they don't understand what we need," "our facilities are inadequate," or "we need more computer resources." In following up such responses, senior management should remember that their interest is in the underlying problems. "Why were they late? Did you change your specifications after development began? Were your people available to participate as promised? What did you do to get the project back on schedule?" Skillful questioning should get past the superficial symptoms quickly. What are the real problems? To get them all unearthed and identified may take more than one round of questioning and lead to something akin to "shuttle diplomacy."

With the problem insights developed through such interviews, the qualifications required of a CIO capable of remedying the current problems should be established. The CEOs in our sample of well-managed companies believed that the CIO's skills as a manager and knowledge of the business and its industry were of highest priority; technical competence, while essential, is irrelevant if management skill or industry knowledge is lacking. The appropriate CIO, once selected, must be given an assignment in as specific terms as possible, and then positioned within the organization with appropriate authority to fill the assignment. A formal statement of mission for MIS and criteria for evaluation of the CIO are essential, as is an explicit definition of the responsibilities of line managers. The exemplary definitions provided by Exhibits 2 and 3 assign the line manager a far greater burden of responsibility than he or she has traditionally assumed. The implications of this must be clearly communicated and understood. The CIO must be provided with necessary resources. This implies an understanding of the bank's strategic direction in sufficient detail to enable development of a long-range plan for information systems with its implied budget and staff requirements. Concurrence with and support for this plan from the corporate planning committee is essential. Senior management should establish some method of monitoring individuals to assure that assignments are performed satisfactorily and that meaningful steps are being taken to achieve desired goals. Some CEOs have said that they would expect to see signs of professional respect and cooperation between the CIO and line managers. The CIOs should be running "a business within a business," with a focus on service to "customers," thoughtful planning and management of resources, development of policies and standards, and encouragement of professional attitudes and conduct.
As a minimum, a regular and formal evaluation of MIS performance by line managers should be required. In addition, a charge-back system coupled with an alternative source of service would provide the ultimate market test; this has been used successfully in many organizations to keep both the providers and consumers of staff services honest in their negotiations and complaints. While a customer orientation is fundamental, the successful CIO must also be an entrepreneur of the technology and expertise under his control. MIS should provide the focal point for technological R&D activities within the bank. If the information systems function is reacting only to what it is asked to do by the line managers, the company is probably not making the most effective use of this costly resource. To avoid conflict, both the budget and effectiveness measures for day-to-day operations should be clearly distinguished from those associated with these research and development activities. One of the intriguing facts about good management to an academic like myself is that it all appears so easy and simple. Only a few very basic ideas are ever involved: define your problem, consider your alternatives, and do the right thing. The complexity of management principles, of course, lies not in their conception, but in their application. The steps proposed here will not be painless. They imply rethinking organization boundaries and will likely require the redesign of management roles and responsibilities. They will surely involve some expense and will probably require some remedial education. Above all, they will demand the scarcest of all resources in the financial services industry today —management time.

Be assured the results will be worth the cost. Our research convinces me that no financial institution will survive the decade without well managed information systems. Competition will force them on even the most reluctant of us. If, as executives, we are to meet our responsibilities to control our companies tomorrow, we must learn to control our information systems today.

REFERENCES

[1] Mautz, R. K., et al. Internal Control in U.S. Corporations: The State of the Art, Financial Executives Research Foundation, Morristown, N.J., 1980, 454 pages.
[2] Mautz, R. K., Merten, A. G., and Severance, D. G. Senior Management Control of Computer Based Information Systems, Financial Executives Research Foundation, Morristown, N.J., 1983, 144 pages.