Implementation of ERP on a Transitioning Firm: Risk Analysis

Original Title: A Risk Analysis: Goodstuff, Inc.

Author: Achmad B. Djauhari

Course: Managing with Technology

Instructor: Michael Thomas

Date: November 30, 2016

NB: GoodStuff, Inc is a made-up name for the actual company in the original case study given by the instructor.

Introduction

GoodStuff, Inc. is a retail store in Bellevue established in the 1980s. The firm has owned six retail stores in the Seattle area by 1995. Three years later, it launched its first web store which currently remains operating. The firm successfully took more than 40% of the leading business into an online web store. All the business systems from the management office, including the accounting department, to the retail stores, is connected to a single in-home server as well as sales and inventory report that are managed by the IT department.

GoodStuff's IT department was responsible for all the IT systems in the company. Recently, the corporate has an issue regarding its monthly report because of a failed upgrade on the point of sales (PoS) system by its previous director. Unfortunately, the business continued to use the same AS400 business system, which was also connected to every retail store in the Seattle area with the main server that is operated in the headquarter. Due to the AS400 machine and PoS, management found its report is not always the same compared to the report from its merchant services.

This case study provides analysis and recommendations to GoodStuff, Inc., including an offer to install such new enterprise management systems to replace the company's old system. This study suggests GoodStuff relocates the current PoS system into an Enterprise Resource Planning (ERP) system, construction information management system (CMISs), or Condition-based maintenance (CBM) with the CIA risk assessment model. The model provided, in this case, was developed by the author from technical and business viewpoints to meet GoodStuff business requirements such as costs, investment, and security.

Problem Description

PoS system is a network that is operated via a central computer that is interconnected with other terminal channels. PoS allows a company to analyze, maintain, and improve company sales and financial data in the databases. It includes all the necessary systems to keep the business cash flow on its track. A company relies on PoS due to the ease of use, entry of sales information, pricing, updating product information, tracking sales, security, and taxes (Staff).

GoodStuff found that since the previous director resigned from the company due to a failure on a planning upgrade project, the corporate decided to keep the current PoS machine, which was an A/S400 system that was installed on every company's retail stores. IBM made the AS400 system in 1988. Recently, the system is still being used by some company and work well. However, the brand name was shut down by IBM in 2008 and got rebranded. IBM called it the IBM i, which stands for integration, according to Kerner (2013). Some new features that IBM introduced to its new system are not limited to data-warehousing, Java application development, web-based e-commerce services, and corporate groupware services (Gomzin, 2014).

Because of the current PoS system, the firm found that the monthly financial report acquired from the merchant services company does not match the report generated from the internal business. On the one hand, the difference report between GoodStuff and its merchant services was a system disintegration that was evaluated by either the firm or its merchant services. On the other hand, since GoodStuff still utilized the old IT system, several incompatible issues might be encountered by the old PoS system to communicate correctly to what the merchant services used so that the report generated a different result.

Analyzing the risks with CIA risk assessment model

According to Gomzin (2014), an electronic payment system works by integrating two payment methods, either swipe or manual entry, to input data into a PoS system to initiate a payment. Buyers, Merchants, Acquirers, Issuers, and Card Network are the key players in which every payment process is processing. In addition to the key performers, several participants such as gateways, processors, software vendors, and hardware manufacturers that involve in a payment transaction.

Moreover, in a payment process, buyers swipe their cards to pay the bills. They are extremely recommended regarding security beyond protecting the PIN number as well. When the customers' cards were swiped, all private information within the card is transferred with merchants, which are supposed to protect the customers' information through their systems. In fact, merchants decide both business and technical processes including choosing which acceptable payment methods to be offered, what networks can be accepted, what the bank should be opened, what PoS software and terminal to be installed, and how to protect the customer data.

The other key players, such as acquirers, issuers, and card networks acquirers approved transactions made by customers and regulated the fee for each processed payment transaction paid by merchants. Issuers keep buyers accounts, produce cards, as well as charge the bill in which the buyers make purchases then transfer the transaction to the merchants. The card networks, additionally, enable the connections between acquirers and issuers. The card networks, or card brands, also store and protect sensitive data from cardholders and make sure the merchants involved pay the fee as well as the data protection (Gomzin, 2014).

According to this case, however, none of the IT department, Issuers, or Card Network knew why the corporate's monthly report showed different transaction value. Avoiding the same problem in the future, Goodstuff is suggested to install a new system that ensures each transaction process gathers into one database that can easily be controlled. If the company retains the current system, the financial report will experience some problems, and the company might experience financial trouble. Therefore, to assess the right decision for the enterprise to upgrade its PoS system, the CIA risk assessment model is recommended due to the intuitive approach for decision-makers.

Fell (2013) explained that the CIA stands for Confidentiality, Integrity, and Availability. Confidentiality is the degree of secrecy needed for information stored in a system application. While Integrity keeps the degree of accuracy and consistency of held within a system, availability keeps the level of uptime needed for an application that hands out data.

Table 1. An example of CIA Risk Assessment Model (Fell, 2013)

Setting up the CIA risk assessment model can be designed as Table 1. After figuring out the risks by confidentiality, Integrity, and availability, the elements of risks are selected by a value of scale from three to one. As an example, in Table 1, three as the highest and one as the lowest values (Fell, 2013).

Alternatives

Several alternatives offered for GoodStuff to deal with the dissimilarity of the company's generated-report. First, installing an ERP system and integrating into the current business system followed by integrated CRM software; second, installing CMISs. The last alternative given to GoodStuff is implementing (CBM). Additionally, the company might not take an alternative provided by the author by keeping its current system.

One of the ways would be establishing an ERP system as the corporate tried to manage every aspect enterprise integration system by manually connecting its IT infrastructure into a financial system separately. Besides, six retail stores, in the Seattle area, and a Webstore could be easily both connected and managed by the management office if the company has installed a proper ERP system. Some reasons that make ERP implementation failed, however, are manufacturing problems, flexibility information system, different information system practice, and misunderstand the software package (Sharma, Patil, & Tandon, 2012). Using an ERP system will rapidly communicate sales reports through production that is directly converted into invoices, then transferring all the information to the accounting department management office automatically. Once the system passes the management office, ERP will keep the information across all the departments as well, Legman (2015) stated.

Additionally, installing an ERP system in the enterprise, Goodstuff must concern about its existing documents and other crucial data. In other words, how the firm will be able not only to migrate sensitive data safely but also integrate its reports and current application into the brand-new system. Data migration is a critical process to move and restructure all the corporate reports to the new system. Third-party services can complete data migration on the ERP system. The migration service producers or vendors offer some features via various published interfaces. This service might be proposed as an extension in real-time, including reporting and archiving data, analyzing planning, and scheduling.

Legman (2015) suggested, to be able to succeed in migrating company data, the migration process could be planned by identifying data, determining the time, generating data templates, freezing the toolset, deciding migration-related setups, and defining data policies and procedures archives. However, before implementing an ERP system, the firm should show the expenses. The costs could increase because of the upgrading support and maintenance in which the services are offered in a different program by the vendors.

Installing an ERP system requires training for the company staff extensively as well. A survey conducted by McKendrick (2012) to 266 enterprise members of the Oracle Applications Users Group (OAUG) watched the time, cost, and work efforts used to keep up with the ERP system ability. Overall respondents decided to upgrade their systems.

Figure 1. List of Business Funding Sources for Oracle ERP Upgrade Project other than IT (McKendrick, 2012)

Figure 1 represented that in the Oracle ERP upgrade project, finance/accounting was the highest funding on the project, followed by general corporate fund and operation. Moreover, Figure 2 showed that while the most affected budgeted-upgrade by financial conditions, the budget has not been affected, according to more than 50% of the respondents.

Figure 2. Is Original 2012 ERP Upgrade Budget Affected by Financial Condition? (McKendrick, 2012)

Regarding functionality or technical upgrade, over 40% demanded technical upgrade as well as getting new system features. In addition to the survey, more than half of the total respondents said that the upgrade projects are in the processes. The current ERP system is designed to be compatible with all company systems and networks. ERP system can analyze and process a large amount of data from all systems on cloud-based. For many firms, investing in this IT system may give more value to their business (McKendrick, 2012).

Since an ERP system has come up with a customer relationship management (CRM) feature, Goodstuff would get benefits of the feature to analyze and forecast its sales performance, the ability the firm might not use in the past as well. Also, the enterprise would be able to research its buyers profoundly. CRM has been used by major mid to large corporations. CRM application controls data regarding customers, forecasts, accounts, and sales within the software as a service (SaaS) model. CRM application is programmed in C, C++, C#, Java, Visual Basic, PHP, Python, among others, which decode sentences, pictures, or mathematical operations into machine code (First Research Industry Profile, 2016).

As Active Server pages built the company website with C#, Goodstuff does not necessarily have to write the new code for the migrating system. The firm already has also owned a development machine that is operated by IIS and Windows Server 2007 to run its website. The website has used an MSSQL database to store the sales data and its descriptions. In other words, migrating the business databases could be simplified due to existing compatible code languages.

Table 2. CIMS Purchasing Costs (Vaughan et al., 2013)

Other alternatives the firm might consider is a CIMSs installation. According to Vaughan, Leming, Liu, and Jaselskis (2013), CIMSs has helped to improve technological innovations in construction. It improves effectiveness, lower staff demands, saves time management, and budget. Table 2. Shows CIMS was purchasing Costs on a university library construction project GoodStuff might consider. On the purchasing costs, the enterprise could cut the estimated installation cost by not taking the equipment that the business already has one, for example not having such wireless broadband and USB devices or barcoding devices might save the corporate cost up to $10,000.

Table 3. CBM Analysis for a wind farm project (Heikkilä, 2015)

The last alternatives GoodStuff could think about is a CBM system. In Table 3, a wind farm project used as a CBM analysis. Through the analysis, the firm could figure out and adapt the analysis given to the current PoS system as a consideration for installing additional features in the future.

CBM provides remote diagnose and analysis throughout the status and maintenance needs of a specific project. Usually, maintenance is done to ensure each equipment's lifetime, whose service fee might be pricey, is extended. Three maintenance approaches are available via the system, which are corrective maintenance, scheduled maintenance, and preventive maintenance. The corrective maintenance is completed by replacing equipment when it does not work or at a given period. The schedule maintenance is carried out by presuming all equipment within such categories then replaced them, followed by the interval or when they do not work (Heikkilä, 2015). In short, this system not only diagnoses and analyzes the network equipment but also signals every equipment that may harm the business operation and fix such devices to avoid interruption system.

By applying the CIA risk assessment model, GoodStuff could figure out some alternatives regarding system migration or keeping the existing system. Table 4 represented the actual risk matrix by assuming the CIA risks the assessment's scaled-value.

Table 4. CIA Risk Assessment Matrix generated by the author

Overall decision options given, Integrity has the same high-level of consideration due to the high requirement for the accuracy along with the consistency of the processed data. On the other hand, CRM, CIMSs, and CBM are the lowest-level of availability because when these systems are not available soon or at the same time as the other crucial installation system, these availability systems can be delayed to be utilized within the core system of the PoS system.

After acknowledging all the possible brand-new installation options, GoodStuff could also keep the current old system. Having said that if the firm decided to keep the old system, the firm should consider security issues that might harm the system as the existing system is the old system that is not used by most modern retail companies. Michelberger and Dombora (2016) claimed that the production, introduction, and installation of a new system without sufficient security knowledge in a company would distress security consciousness and deteriorate information security. Notifying the staff regarding these damages might refine the working environment.

Besides, investigating user accounts may reveal uncommon behavior and regulate carelessness and malicious intentions. Gozmin (2014), moreover, indicated that a numerous number of merchants depend on software and hardware by vendors whose technology was defenseless. The technology brought various security and network issues and made trouble for many retail companies.

Figure 3. Key Vulnerability Areas (Gomzin, 2014)

In addition to the security system, the PoS system can be attacked with several techniques to steal private information on card data and its system. In information security theory, such techniques are named Attack Vectors. The attack vector uses such penetration methods, detailed instructions, and tools to implement the attack. Usually, data in memory, data at rest, and data transit are the vulnerable elements that are potentially get attacked by Attack Vectors. In data memory, a payment process is authorized via numerous manipulation systems within the POS machine.

Data at rest, additionally, stores application data for a certain period on a hard drive. Next, the payment system transaction is sending and receiving information between other application systems to many devices on data in transit. Figure 3 described how POI devices in a retail store connect with other systems to process each payment transaction.

In addition to vulnerability elements, Application Code and Configuration, as described in Figure 1, are the subjects that do not store any cardholder information. However, these elements can be taken by hackers for authorizing access to entering other weak elements on a system (Gomzin, 2014).

Recommendation

To improve business performance in the future, GoodStuff must be able to maintain all of its business processes. Having a little discrepancy, particularly in the financial report, might lead the firm into trouble, either financial or operational. Therefore, taking action as soon as possible to fix the PoS problem is suggested, albeit the company must create a limited budget to do so.

After explaining some alternatives such as keeping the old system, installing an ERP system, adding a CMISs system, or implementing CBM, the corporate decision-makers are offered to install a brand-new ERP system along with its CRM application feature. GoodStuff is the firm that manages its business through an integrated IT system which communicates the business needs to its web store, retail stores, headquarter, and merchant services. Fixing the old system problem might be good because the business does not have to pay anything to add a new feature to its networks.

However, concerning a security system, this issue is vulnerable to be attacked by hackers. By installing such an ERP system, the corporate could minimize the security issue as the new system runs on cloud-based technology, which is maintained by its vendor real-time. If a security issue is not the primary concern by GoodStuff, the ERP system offers an additional business feature such as CRM to help boost the corporate's sales performance since the online transaction is growing. Moreover, if the business decides to transfer into the new IT management system, it might quickly be able to control and evaluate the financial and other related reports as the system is already connected to a single cloud-based system, which is more secure and well-maintained.

Conclusion

GoodStuff, Inc. is a company from Bellevue focused on retail business. It operates six retail stores located in the Seattle area, which is managed in a single office established in Bellevue since 1980. The company has also successfully opened a retail website generating nearly half of the business transaction. While the firm has been operating for years, it found an issue regarding the financial report, which produced financial reports that different between the enterprise and the merchant services. Because these issues might impact the enterprise performance in the future, some alternatives have been presented in this study to give GoodStuff some insight into the decision-making process for its business future.

This study notably represented how a brand-new ERP system may increase business performance and solve the dispute report at the same time. Besides, another consideration, such as security issues is given to the business as the most substantial risk if the company is not taking any action in the future. In short, this case is expected to be helpful for the decision-makers in the business to help the corporate decide what steps can be taken in its next move.

References

First Research Industry Profile. (2016). Customer Relationship Management, Marketing & Sales Software. Austin: Hoover's Inc. Retrieved from ProQuest database.

Gomzin, S. (2014). Hacking point of sale: Payment application secrets, threats, and solutions (1st ed.). US: John Wiley & Sons Ltd.

Heikkilä, T. (2015). A decision support system to evaluate the business impacts of machine-to-machine system. Benchmarking, 22(2): 201-221. Retrieved from ProQuest database.

Kerner, S. M. (June 24, 2013). IBM AS/400 Turns 25: Will It Last Another 25 Years?. Retrieved November 16, 2016, from http://www.serverwatch.com/server-trends/ibm-as400-turns-25-will-it-last-another-25-yrs.html

Legman, V. (2015). BASIC KNOLEDGE ABOUT ERP SYSTEMS. Economic Science Series, 24(2): 299-305. Retrieved from Business Source Complete database.

McKendrick, J. (2012). Today's ERP Upgrades Cut Through Budget Pressures. Database Trends and Applications, 26(4): 2-3. Retrieved from ProQuest database.

Michelberger, P., & Dombora, S. (2016). A Possible Tool for Development of Information Security - SIEM System. Ekonomika, 62(1): 125-139. doi:http://dx.doi.org/10.5937/ekonomika1601125M

Sharma, R. K., Patil, S. M., & Tandon, A. (2012). Customization and Best Practices Model for Adopting ERP System: An Analysis. Journal Of International Business Strategy, 12(1): 1-9. Retrieved from Business Source Complete database.

Staff, E. (n.d.). Point of Sale (POS) System. Retrieved November 16, 2016, from https://www.entrepreneur.com/encyclopedia/point-of-sale-pos-system

Vaughan, J. L., Leming, M. L., Liu, M., & Jaselskis, E. (2013). Cost-Benefit Analysis of Construction Information Management System Implementation: Case Study. Journal of Construction Engineering & Management, 139(4): 445-455. doi:10.1061/(ASCE)CO.1943-7862.0000611

Original File: Download