A Confluence of Risks: Control and Compliance in the World of Unstructured Data, Big Data and the Cloud

The emergence of powerful new technologies, the existence of large quantities of data, and increasing demands for the extraction of added value from these technologies and data have created a number of significant challenges for those charged with both corporate and information technology management. The possibilities are great, the expectations high, and the risks significant. Organisations seeking to employ cloud technologies and exploit the value of the data to which they have access, be this in the form of "Big Data" available from different external sources or data held within the organisation, in structured or unstructured formats, need to understand the risks involved in such activities. Data owners have responsibilities towards the subjects of the data and must also, frequently, demonstrate that they are in compliance with current standards, laws and regulations. This thesis sets out to explore the nature of the technologies that organisations might utilise, identify the most pertinent constraints and risks, and propose a framework for the management of data from discovery to external hosting that will allow the most significant risks to be managed through the definition, implementation, and performance of appropriate internal control activities.

Enquête sur les pratiques de gouvernance des systèmes d'information en matière de stratégie pilotage et organisation

Résumé Si l'impact de l'informatique ne fait généralement pas de doute, il est souvent plus problématique d'en mesurer sa valeur. Les Directeurs des Systèmes d'Information (DSI) expliquent l'absence de schéma directeur et de vision à moyen et long terme de l'entreprise, par un manque de temps et de ressources mais aussi par un défaut d'implication des directions générales et des directions financières. L'incapacité de mesurer précisément la valeur du système d'information engendre une logique de gestion par les coûts, néfaste à l'action de la DSI. Alors qu'une mesure de la valeur économique de l'informatique offrirait aux directions générales la matière leur permettant d'évaluer réellement la maturité et la contribution de leur système d'information. L'objectif de cette thèse est d'évaluer à la fois l'alignement de l'informatique avec la stratégie de l'entreprise, la qualité du pilotage (mesure de performance) des systèmes d'information, et enfin, l'organisation et le positionnement de la fonction informatique dans l'entreprise. La mesure de ces trois éléments clés de la gouvernance informatique a été réalisée par l'intermédiaire de deux vagues d'enquêtes successives menées en 2000/2001 (DSI) et 2002/2003 (DSI et DG) en Europe francophone (Suisse Romande, France, Belgique et Luxembourg). Abstract The impact of Information Technology (IT) is today a clear evidence to company stakeholders. However, measuring the value generated by IT is a real challenge. Chief Information Officers (CIO) explain the absence of solid IT Business Plans and clear mid/long term visions by a lack of time and resources but also by a lack of involvement of business senior management (e.g. CEO and CFO). Thus, being not able to measure the economic value of IT, the CIO will have to face the hard reality of permanent cost pressures and cost reductions to justify IT spending and investments. On the other side, being able to measure the value of IT would help CIO and senior business management to assess the maturity and the contribution of the Information System and therefore facilitate the decision making process. The objective of this thesis is to assess the alignment of IT with the business strategy, to assess the quality of measurement of the Information System and last but not least to assess the positioning of the IT organisation within the company. The assessment of these three key elements of the IT Governance was established with two surveys (first wave in 2000/2001 for CIO, second wave in 2002/2003 for CIO and CEO) in Europe (French speaking countries namely Switzerland, France, Belgium and Luxembourg).

Beyond EA Frameworks: Towards an Understanding of the Adoption of Enterprise Architecture Management

Enterprise architectures (EA) are considered promising approaches to reduce the complexities of growing information technology (IT) environments while keeping pace with an ever-changing business environment. However, the implementation of enterprise architecture management (EAM) has proven difficult in practice. Many EAM initiatives face severe challenges, as demonstrated by the low usage level of enterprise architecture documentation and enterprise architects' lack of authority regarding enforcing EAM standards and principles. These challenges motivate our research. Based on three field studies, we first analyze EAM implementation issues that arise when EAM is started as a dedicated and isolated initiative. Following a design-oriented paradigm, we then suggest a design theory for architecture-driven IT management (ADRIMA) that may guide organizations to successfully implement EAM. This theory summarizes prescriptive knowledge related to embedding EAM practices, artefacts and roles in the existing IT management processes and organization.

The business model ontology a proposition in a design science approach

The goal of this dissertation is to find and provide the basis for a managerial tool that allows a firm to easily express its business logic. The methodological basis for this work is design science, where the researcher builds an artifact to solve a specific problem. In this case the aim is to provide an ontology that makes it possible to explicit a firm's business model. In other words, the proposed artifact helps a firm to formally describe its value proposition, its customers, the relationship with them, the necessary intra- and inter-firm infrastructure and its profit model. Such an ontology is relevant because until now there is no model that expresses a company's global business logic from a pure business point of view. Previous models essentially take an organizational or process perspective or cover only parts of a firm's business logic. The four main pillars of the ontology, which are inspired by management science and enterprise- and processmodeling, are product, customer interface, infrastructure and finance. The ontology is validated by case studies, a panel of experts and managers. The dissertation also provides a software prototype to capture a company's business model in an information system. The last part of the thesis consists of a demonstration of the value of the ontology in business strategy and Information Systems (IS) alignment. Structure of this thesis: The dissertation is structured in nine parts: Chapter 1 presents the motivations of this research, the research methodology with which the goals shall be achieved and why this dissertation present a contribution to research. Chapter 2 investigates the origins, the term and the concept of business models. It defines what is meant by business models in this dissertation and how they are situated in the context of the firm. In addition this chapter outlines the possible uses of the business model concept. Chapter 3 gives an overview of the research done in the field of business models and enterprise ontologies. Chapter 4 introduces the major contribution of this dissertation: the business model ontology. In this part of the thesis the elements, attributes and relationships of the ontology are explained and described in detail. Chapter 5 presents a case study of the Montreux Jazz Festival which's business model was captured by applying the structure and concepts of the ontology. In fact, it gives an impression of how a business model description based on the ontology looks like. Chapter 6 shows an instantiation of the ontology into a prototype tool: the Business Model Modelling Language BM2L. This is an XML-based description language that allows to capture and describe the business model of a firm and has a large potential for further applications. Chapter 7 is about the evaluation of the business model ontology. The evaluation builds on literature review, a set of interviews with practitioners and case studies. Chapter 8 gives an outlook on possible future research and applications of the business model ontology. The main areas of interest are alignment of business and information technology IT/information systems IS and business model comparison. Finally, chapter 9 presents some conclusions.

Compliance management is becoming a major issue in IS design

This article aims at improving the information systems management support to Risk and Compliance Management process, i.e. the management of all compliance imperatives that impact an organization, including both legal and stra- tegically self-imposed imperatives. We propose a process to achieve such regula- tory compliance by aligning the Governance activities with the Risk Management ones, and we suggest Compliance should be considered as a requirement for the Risk Management platform. We will propose a framework to align law and IT compliance requirements and we will use it to underline possible directions of investigation resumed in our discussion section. This work is based on an exten- sive review of the existing literature and on the results of a four-month internship done within the IT compliance team of a major financial institution in Switzer- land, which has legal entities situated in different countries.