net/publication/364353265
1 author:
Velibor Božić
All content following this page was uploaded by Velibor Božić on 18 October 2022.
This example is based on a real situation, but it does not reflect it completely truthfully. The aim of the example
is to show one approach in risk management (created on the basis of theoretical knowledge about risk
management).
PEOPLE
Production company, 920 employees, computer centre with 8 employees
Structure: system administrator, network administrator, two information systems designers
(one is also the database administrator), 3 programmers and the manager of the computer
centre
More than 50% of employees have secondary school, 35% elementary school, 10% college
and 5% university
APPLICATIONS
among the applications there is ERP; the main server for ERP is at a remote location and not under the control of the
computing centre (it is located in the centre of the Group)
in addition to ERP, there are additional applications that complement the functionality of ERP, and
these applications and the databases for them are located on "local" servers (these servers are under the
control of the computing centre)
there are applications on the old VAX/VMS system
there are independent applications and unformatted records (Word, Excel)
there is an intranet as a medium for information exchange
there is a website
application for receiving orders from partners via e-mail
DATA
transactional business data is located on a remote server in the centre of the Group
part of the data is on "local" servers (data on production, procurement, compensations...); those data that
are "produced" by applications that complement ERP
part of the data related to the comparison of planned and actual costs and the flow of money are in a
separate database (because they are extracted from the transaction database daily)
SECURITY POLICY
2. Risk identification
Risk identification consists of:
On the basis of the facts established in the first step, on the basis of records of errors (the company has ISO
9001:2000, so it is obliged to keep records of non-compliance in the IT area as well) and on the basis of
experience (previous non-functioning of the system for any reason), the sources of possible threats should be
identified on the one hand, and the system vulnerabilities that these threats can exploit on the other. This can be
done in different ways, but it is crucial that this step is done well so that risks can be better determined later.
There are four outputs in this step:
List of sources of threats to the IT system
List of threats to the IT system
List of IT system vulnerabilities
Threat source list - threat - vulnerability
This is not a complete list, but it is sufficient to implement an example and show the idea of risk management.
Insufficiently trained users - they know how to manage in a regular situation, if something unplanned happens,
they get lost.
IT IS NECESSARY:
additionally train users
improve applications in the input control part
Unlimited Internet access - too many employees have access to the Internet, unnecessarily
IT IS NECESSARY:
deny access (through network settings) to those who do not need it for work
adopt formal rules of conduct (prohibition of access to inappropriate content and punishment for it)
the acquisition of a software tool that will monitor who goes to which pages
Failure of an industrial computer - since there are more of them in operation, the failure can be compensated if
it does not last too long
IT IS NECESSARY:
have spare parts
have a trained man to repair this type of machine
at best, have a spare industrial computer
Insufficiently tested application - there is often pressure from users to quickly develop applications, so errors
occur
IT IS NECESSARY:
consider defining the position of 'Application Tester', who would be involved in testing applications in
the working environment
Unprotected network - there is a great danger of hacker attacks, viruses, spam, and data destruction
IT IS NECESSARY:
Intention to destroy servers and network devices - it is possible that someone for any reason wants to destroy
servers or main network devices
IT IS NECESSARY:
Physical damage to the fibre optic cable or failure of the network device - this is only about the connection to
the Group headquarters. It is dangerous because, if we don't have the connection, the work has to be done manually,
which is almost impossible.
IT IS NECESSARY:
Through this or a similar analysis, a kind of inventory can be made of which controls we have and which should
be installed so that threats to the system and the vulnerability of the system are as unlikely as possible, i.e. so that
they have as little impact on the system as possible.
low impact 1 (loss of some resources, disruption to work that is not essential for business)
medium impact 2 (failure to fulfil part of obligations, monetary losses, loss of part of reputation)
major impact 3 (impossibility of functioning, irreversible loss of information, monetary losses)
Here, risks are formally defined as a function of threats to the IT system and vulnerabilities of the IT system. So
the risks in our example are:
No. RISK
R01 Incorrect data entry or lack of entry due to insufficient user training.
R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses and
destroying data. All this due to the absence of formal prohibitions and penalties.
R03 Absence of production data due to a failure of the industrial computer that cannot be rectified
in time.
R04 Entering incorrect data and obtaining incorrect information due to poorly made applications
R05 Inability to use online applications due to using the wrong operating system.
R06 Infection with viruses and spam due to lack of hardware-software protection.
R07 Physical destruction of the system room due to free access to it by the unemployed
R08 Impossibility of using the ERP system due to the interruption of the optical connection with
the Group's headquarters
Each risk is a function of the probability of the threat occurring and the impact of the threat and vulnerability on
the system.
RISK = PROBABILITY * IMPACT
The ranking of the effect on the IT system of realized threats and vulnerabilities
o IMPACT 1. 2
o IMPACT 2. 3
o IMPACT 3. 2
o IMPACT 4. 2
o IMPACT 5. 1
o IMPACT 6. 3
o IMPACT 7. 3
o IMPACT 8. 3
RISK RANK:
No.  RISK  RANK = PROBABILITY * IMPACT
R01  Incorrect data entry or lack of entry due to insufficient user training.  4
R02  Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties.  9
R03  Absence of production data due to a failure of the industrial computer that cannot be rectified in time.  2
R04  Entering incorrect data and obtaining incorrect information due to poorly made applications  2
R05  Inability to use online applications due to using the wrong operating system.  2
R06  Infection with viruses and spam due to lack of hardware-software protection.  9
R07  Physical destruction of the system room due to free access to it by the unemployed  3
R08  Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters  6
Risk level:
The risk is high if the risk rank is 6 or 9
The risk is medium if the risk rank is 3 or 4
The risk is low if the risk rank is 1 or 2.
Therefore, very dangerous, high risks that require an immediate reaction are:
R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses and
destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection with the
Group's headquarters
R06 Infection with viruses and spam due to lack of hardware-software protection.
Medium risks, which would be good to address, but not necessarily immediately:
R01 Incorrect data entry or lack of entry due to insufficient user training.
R07 Physical destruction of the system room due to free access to it by the unemployed
Low risks, with which the system can function but which must be kept under control, are:
R03 Absence of production data due to a failure of the industrial computer that cannot be rectified in
time.
R04 Entering incorrect data and obtaining incorrect information due to poorly made applications
R05 Inability to use online applications due to using the wrong operating system.
3. Recommendations for risk reduction
The input to this step is the risk ranking. Here, for each risk, it is assessed whether there are controls for
reduction, whether controls are needed and what kind. In addition, it is necessary to do a cost-benefit analysis.
The cost benefit analysis should contain data on what is obtained by control, what is not obtained by control, and
this should be presented financially. The result of this step should help management to make a decision on
whether or not to take actions related to risk reduction.
R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses
and destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection
with the Group's headquarters
R06 Infection with viruses and spam due to lack of hardware-software protection.
Risk R02 :
Recommended control: PHYSICAL PROHIBITION OF ACCESS TO THE INTERNET
o Cost: HRK 0, because the company has an employee who administers the network well and will
prohibit access through the network settings. A list of people to whom access should be banned
should be made.
o Failure to implement this control means the possibility of getting a virus and ultimately losing
important data
o Formal rules and penalties for non-compliance should be prescribed
o A software tool is needed to check who uses the Internet, how much, and which addresses they
visit (e.g. the so-called Sniffer, which costs approximately 2,000.00 units)
Cost-Benefit:
o Cost of introducing controls: about 2,000.00 units
o The potential loss of information and downtime due to a virus attack is immeasurable - if you look
only at the fact that 4 people cannot work for 8 hours (formatting the machine, reinstalling
Windows, saving data) and add to that the 8 hours of work of two people from the computer
centre, then, at an average hourly rate of 60 units, it is a cost of: 6 people * 8 hours * 60 =
2,880.00 units. If the controls were introduced, we would save 880.00 units.
Risk R08 :
Recommended control: ADDITIONAL LEASE LINE, ADDITIONAL ROUTER on both sides, UPS
o By implementing this control, we ensure the possibility of uninterrupted work and constant
service to our customers
o Not having control means that, in the event of a loss of connection, we cannot do anything
related to customers. We cannot ship products, invoice.
Cost-Benefit
o Cost: one-time around 50,000.00 units and monthly for line lease 5,000.00 units or 110,000.00
units for the first year, and 60,000.00 units each subsequent year
o If we don't work for just one day, we lose an average of 540,000.00 units. So potentially, the
entire cost is paid off in just one day.
Risk R06:
Recommended control: PURCHASE OF HARDWARE FIREWALL, NETWORK ANTI-VIRUS
PROGRAM AND ANTI-SPAM DEVICE
o Carrying out the control avoids the risk of data destruction by viruses, and enables the normal
use of e-mail
o Failure to implement control can mean the loss of business-critical information, the
impossibility of operational use of applications, which may call into question the fulfilment of
organizational goals.
o Controls for this risk are also related to risk R02.
Cost-Benefit¹
o Implementation cost: 14,000.00 units one time and 32,000.00 units every year for licenses.
o Benefits: one type of saving is the same as for risk R02. So: the potential loss of information and
the downtime due to a virus attack is immeasurable - if you look only at the fact that 4 people
cannot work for 8 hours due to "PC recovery" and add to that the 8 hours of work of two
people from the computer centre, then, at an average hourly rate of 60 units, it is
a cost of: 6 people * 8 hours * 60 = 2,880.00 units. If the controls were introduced, we would save
880.00 units.
o Every day all users waste a lot of time clearing spam (about 200 people * their hourly rate of
60 units = 1200 units * e.g. 200 working days = 240,000 units of money just for cleaning
spam).
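The cost-benefit reasoning for R02, R08 and R06 above, worked through in Python as an added example (not part of the original paper). The `Control` class, its method names and `summary` are assumptions of this example; every amount is one of the page's own illustrative figures.

```python
import math
from dataclasses import dataclass

HOURLY_RATE = 60  # units per person-hour, the page's average rate


def downtime_cost(people, hours, rate=HOURLY_RATE):
    """Labour cost of an outage: people affected * hours * hourly rate."""
    return people * hours * rate


@dataclass(frozen=True)
class Control:
    """One recommended control and the losses it is meant to avoid."""
    risk_id: str
    one_time: int                  # purchase / installation cost
    per_year: int                  # licences, line lease and similar
    loss_per_incident: int         # loss avoided each time the threat would have hit
    steady_loss_per_year: int = 0  # continuous loss the control removes

    def cost(self, years):
        """Total cost of owning the control for `years` years."""
        if years < 1:
            raise ValueError("years must be at least 1")
        return self.one_time + self.per_year * years

    def net_benefit(self, years, incidents):
        """Avoided loss minus cost; negative means the control costs more."""
        avoided = (incidents * self.loss_per_incident
                   + self.steady_loss_per_year * years)
        return avoided - self.cost(years)

    def break_even_incidents(self, years):
        """How many avoided incidents pay for the control over `years`."""
        remaining = self.cost(years) - self.steady_loss_per_year * years
        if remaining <= 0:
            return 0.0          # the steady saving alone covers the cost
        if self.loss_per_incident <= 0:
            return math.inf     # nothing is ever recovered
        return remaining / self.loss_per_incident


# 4 users idle plus 2 computer-centre staff repairing, 8 hours each.
VIRUS_INCIDENT = downtime_cost(people=4 + 2, hours=8)

CONTROLS = {
    # Internet access restriction plus monitoring tool.
    "R02": Control("R02", one_time=2_000, per_year=0,
                   loss_per_incident=VIRUS_INCIDENT),
    # Second leased line, routers, UPS. One "incident" is one day without ERP.
    "R08": Control("R08", one_time=50_000, per_year=12 * 5_000,
                   loss_per_incident=540_000),
    # Firewall, network anti-virus, anti-spam. Spam cost is the page's
    # figure of 1,200 units per day over 200 working days.
    "R06": Control("R06", one_time=14_000, per_year=32_000,
                   loss_per_incident=VIRUS_INCIDENT,
                   steady_loss_per_year=1_200 * 200),
}


def summary(years=1, incidents=1):
    """Cost, net benefit and break-even point for every control."""
    return {
        rid: {
            "cost": c.cost(years),
            "net_benefit": c.net_benefit(years, incidents),
            "break_even_incidents": c.break_even_incidents(years),
        }
        for rid, c in CONTROLS.items()
    }


if __name__ == "__main__":
    for rid, row in summary().items():
        print(rid, row)
```

For R06 the single avoided virus incident does not cover the first-year cost; in this model the control is justified by the recurring spam saving.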
They should set a deadline for the introduction of each control. Because of the high risks described above, the
deadline for introducing controls should be as soon as possible.
Over time, medium risks should also be resolved, and low ones should be continuously assessed so that
they do not turn into medium or large ones.
Finally, it should be said that the example described above is not entirely true, but it is illustrative in the
sense that it shows the application of theoretical knowledge in practice.
¹ The values shown here do not correspond to the truth and serve only for the purposes of this example, but they
allow the idea to be seen.
[Figure: relationships between threats, vulnerabilities and risk. Realized threats act on system weaknesses (vulnerabilities); the probability of the threat's realization and the size of the impact (consequences) affect the risk.]
Cost management includes the overall planning, coordination, control and reporting of
costs within the performance of a particular business activity. This skill requires managing
identified costs throughout the entire process of making a product or service.
Cost management is important because this skill is one of the key things essential
for the efficient conduct of business and enables successful investment. When running a
business, there are many reasons why costs are higher than planned. Some of the
reasons are:
unclear goals that change during the project
unrealistic assessment (often too optimistic)
incomplete job review (inconsistent view)
too much risk
insufficient management control.
All these reasons must be taken into account if costs are to be managed efficiently and
effectively.
new costs, ie costs incurred after the initial investment in a business activity
assumptions about increased productivity that should be realized
assumptions about the amount of costs necessary for the realization of a job
costs of parallel activities when introducing new functionalities (maintaining
the old way of doing business until the new activity is established).
Cost management must answer the key question, which is the cost of achieving the goal in
a particular way. This issue implicitly suggests that cost management must be flexible
enough. This means that if the costs are estimated to be too high, a new way of doing
business should be sought. You should not be overly optimistic when estimating costs. It
would be good to have the best and worst case scenario and find a balance based on
these borderline cases.
Cost management process
The cost management process consists of cost estimation, cost control, and cost
review. The process begins with an initial estimate of the cost of a business activity. The
costs of preparation of activities, operational costs, costs of risk coverage, internal costs
within a particular department, costs by partners (suppliers, customers) are estimated.
Based on the cost estimate, the budget for the implementation of a certain business
activity is approved.
During the implementation of a business activity, it is necessary to carry out cost
control. Cost control is carried out with the help of a financial plan that serves as a
reference point for comparing actual with planned costs. If a cost breakdown occurs, the
causes are analyzed and actions are taken to rationalize costs.
At certain stages of conducting business activities, it is necessary to conduct a
review of costs. The review must ensure:
a comparison of the estimated costs with the budget approved for a
particular activity
assessment of whether the process is still feasible (given the cost-
effectiveness)
risk assessment (whether it is acceptable or causes an excessive cost of risk
coverage).
In order for cost management to be efficient and effective, the following activities
need to be implemented:
If all the listed activities are carried out, there is a great chance that the cost management
will be of good quality.
It is important to say that cost management must be consistent with all other
managerial activities within the organization. Coordinated action of cost management
with all other management skills is important to achieve a synergistic effect on the
performance of the organization.
If the cost management is carried out in the manner described above and if it is
related to the overall management efforts, it will be of high quality and will enable efficient
and effective performance of the work as a whole.
The essays on management
Delegation
Delegation is a managerial skill we’ve all heard about, but the question is how much
we understand it. It can be used either as an excuse to blame someone else or as a tool to
motivate and train employees to fully use their own potential.
Delegation is a managerial skill that allows the development of the skills and knowledge of
employees and more efficient and effective performance of work. Without delegation,
the potential of employees is not fully exploited. Delegation is actually about transferring
part of one's own authority to the employee. Employees can act autonomously and have
the responsibility to perform certain tasks together with the manager who has delegated
the task to them. What is important when delegating is the requirement that tasks be
delegated so that the task is completed successfully.
The main goal of delegation is for someone else to do a good job. Not only to receive
concrete orders and perform simple tasks, but to make decisions and adapt to new
situations. The essence of delegation is that employees can react independently without
constant contact with management. Delegation allows managers to start doing a job
without having to know in detail how to do it. Prerequisites for management to authorize
someone to do a particular job are to explain well to people what is expected of them (for
employees to understand the problem), that employees have the authority to do a
particular job and finally know how to do something. All these prerequisites can be met if
there is quality communication in which the nature of the task, the method of
implementation, sources of relevant information and the like must be clarified.
The delegation system can work well if employees (who have to make their own decisions)
have complete and fast access to important information. This means that there must be a
system of free flow of information in the organization. There must be the possibility of
exchanging knowledge between employees; all of them must know what the other is
doing. There must be regular information meetings between managers and employees. It
is desirable that there is a computerized distribution of information in the organization. In
this way, it is possible for all employees to incorporate their own experiences into the
overall knowledge of the business process. This gives managers a valuable source of
information that can only help them make better decisions.
One of the greatest fears of managers regarding delegation is that by empowering others
to perform certain tasks, control over the process is lost. This fear is irrational if employees
are properly prepared to perform certain tasks. First of all, employees must be set the
same criteria as the manager himself. In addition, control mechanisms need to be
decentralized, i.e. distributed. The manager must understand that he cannot control
everything at the same time, so he should create control mechanisms that work in parallel
and independently. A crucial prerequisite for all this is a good knowledge of employees
and trust.
For the delegation to be successful, it must not be hesitant in the sense that one day we
authorize someone to perform a task and the next day we forbid them to do so. This
creates complexes in employees and this can lead to poor results. In order to avoid
situations of hesitation, delegation should be carried out gradually. This means that you
first give the employee an easier task and then, depending on how he coped with it, you
decide how to proceed. Tasks should be set in such a way that each one is a little harder
than the previous one in order for employees to gradually get used to the new situation.
This is important because employees need to be confident in order for delegation to
succeed. Self-confidence is achieved by gradually delegating, but also by enabling
employees to get help if they need it. In addition, the manager must, in conversation with
employees, consciously avoid making decisions that he estimates the employee can make
independently.
In this way, the manager teaches his employees responsibilities and encourages them by
leaving them the initiative within the assigned task. Here the manager must be careful not
to fall into the trap of fully open involvement in the task he has delegated to someone else.
The trap is avoided by formalizing communication with employees. Formalization consists
in having employees write some kind of diary in which they describe what they are doing,
suggest improvements, make “decisions” and the like. In response to the diaries, the
manager delegates new tasks to confirm the correctness of employees' decisions
(increases their self-confidence) or points out mistakes (through the assignment of new
corrective tasks). If an employee makes a mistake, the manager who delegated a task to
him is responsible. This is a fact that the manager must be aware of. That is why he must
do everything to discover the mistake in time. This is achieved by constant monitoring of
employees. If he notices a mistake, he must warn the employee. The manager must do
this in such a way that the employee understands the problem, feels confident to solve the
problem and corrects the mistake. It is very important that there is such a climate in which
the employee is not afraid to admit a mistake to the manager. Therefore, the manager
must never criticize employees for mistakes, but must emphasize the importance of
checking, testing and monitoring the implementation of a task.
The eternal question facing managers is what should be delegated. The philosophical
answer is that as many jobs as possible should be delegated in order to train employees to
be as good as possible. In reality, the manager should delegate routine tasks that could be
performed by other employees, so that he has more time for more creative tasks. In
addition, managers should delegate tasks for which they are not experts. In terms of
motivation, the manager must take care to delegate creative tasks that would allow
employees to make full use of their knowledge. The method of delegating tasks is not
unified. This means that the method of delegation and everything related to delegation
(reporting on the performance of work, sources of information, availability of management
assistance, and criteria for success in performing the work) is subject to negotiation, i.e.
negotiation with employees. There must be agreement on everything in order for the
delegation process to be successful.
Can everything be delegated? Whenever possible, the manager must
oversee the performance of delegated tasks and must ensure the training and
advancement of employees. There are functions that cannot be delegated. Some of them
are: motivating, coaching, and building a team, organizing, punishing, improving,
monitoring progress...
The manager has the task of demonstrating and improving the efficiency and effectiveness
of the department he heads within the organization. Delegating only gives him a chance to
succeed.
Knowledge management
Today, when we live in the information age, knowledge is imposed as the most
important organizational resource that provides a strategic advantage over the
competition. Knowledge alone is not enough. Namely, the organization may possess
vast knowledge, but it can be unused for various reasons. Most often, the cause of
insufficient use of knowledge in organizations is ignorance of knowledge
management. Therefore, there is something about knowledge management in this
text.
Method input:
Process:
• problem definition - what types of human errors in the system will be investigated
• task analysis - how the task will be performed and what logistics are required for quality
performance
• human error analysis – why the performance is not good; which errors appear and how they should
be fixed
• error presentation – it is necessary to reveal how human errors are related to information
technology and the environment in the organization; this helps to reveal the impact of the error on
the organization
• monitoring – is there an error somewhere in the process that does not require detailed
quantification
• quantification – how likely is the occurrence of an error
• impact assessment – which errors are the most important, which have the greatest impact on the
business and lead to the highest risk
• error reduction - how high human reliability can be achieved
• documentation – everything undertaken must be documented
Output:
• a list of errors that may occur and methods by which errors can be reduced - particularly through
system refactoring
• incidence of errors, typical causes and consequences of errors
• risk assessment with respect to human errors
Advantages:
• this method enables a systematic analysis of human errors that affect the realization of system risks
• systematically dealing with ways of reducing errors and the probability of an error occurring at all
Limitations:
Velibor Božić
General Hospital Koprivnica, Croatia
velibor.bozic@gmail.com
❑waste management,
❑smart energy, education,
❑smart communications,
❑smart transportation,
❑traffic management,
❑smart parking,
❑smart streetlights and
❑smart healthcare….
Patient information can be accessed in real time at various smart hospital offices or even at
various smart hospitals in different cities or in the same city.
Doctors, nurses, and medical technicians can access data without losing time when
physically transferring the same data from one office to another.
Similarly, different doctors may see information to judge a patient's condition. Therefore,
real-time decisions about the patient's health can be made.
CIA…. Protect
the system. Threats exploit the vulnerability of the system.
➢System vulnerability also increases risk.
➢System vulnerability allows exposure of
the system assets (information in this context).
➢System assets have some value that affects the
confidentiality, availability and overall organization.
➢The BSC includes four types of views on the organization: Finance, Buyers, Internal Business Processes,
and Learning and Development.
➢4A approach to information security (Westerman & Hunter, 2007)
ICT risk area: key factors of ICT risks
AVAILABILITY
- high fluctuation of IT staff
- non-standard infrastructure
- inefficient management of the upgrade
- old technology
- poor backup system
- bad processes and applications
- lack of knowledge to improve the existing one
- prohibition of work due to errors observed
ACCESSIBILITY
- the data is poorly organized
- applications are not standardized
- lack of internal controls in applications
- insecure network
ACCURACY
- applications do not meet business needs
- manual data linking required
- system insecurity in the sense that applications are constantly upgraded (insufficient testing)
AGILITY
- poor connection between IT and business
- poor implementation of projects
➢COBIT enables managers, supervisors, IT users to have a set of measures, indicators, processes
and examples (best practice) that help them to maximize the benefits of information technology
and develop appropriate management and control of business processes in their organizations.
Planning and organizing. This domain is about strategy and tactics; it defines the best way in which IT can
contribute to the achievement of business goals.
Acquisitions and implementation. The subject of interest here is the realization of the strategy. IT solutions
are defined, developed and enriched, implemented and integrated into the business process.
Delivery and support. This domain refers to the delivery of the services required, which includes the delivery
itself, security management (RISK!) and continuity, customer service support, data management and
operational services.
Supervision and evaluation. Over time, every IT process needs to be monitored to see if it works according to
customer requirements. Within this domain, performance is managed, internal controls are monitored and
processes are regulated.
Risk exposure – this measures the overall exposure to risk; it combines the probability of the risk occurring and the size of its influence on the business
EXPOSURE = PROBABILITY * IMPACT
PROBABILITY \ IMPACT   Low (1)   Medium (2)   High (3)
High (3)               3         6            9
Medium (2)             2         4            6
Low (1)                1         2            3
Low exposure: 1 or 2
Medium exposure: 3 or 4
High exposure: 6 or 9
This way of ranking risks is very acceptable for users; it can also be displayed graphically, for example, through different colours. In the step of analyzing and ranking risks by
importance, it is crucial that the risk analysis is as good as possible so that the ranking is of good quality. A team of people should take part here (a management representative, the head
of IT, the main developer, the database administrator and the system administrator).
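The 3x3 exposure matrix above is the same scheme used earlier on this page to rank risks R01 to R08. The following Python is an added example, not part of the original paper: it rebuilds the matrix, recovers the probability score implied by each risk's stated impact and rank (the page lists only the impacts and the ranks), and checks the result against the page's high, medium and low groups. All function and variable names are assumptions of this example.

```python
"""Risk ranking on a 3x3 scale: rank = probability * impact."""

SCALE = (1, 2, 3)  # low, medium, high, for both probability and impact
VALID_RANKS = {p * i for p in SCALE for i in SCALE}  # {1, 2, 3, 4, 6, 9}

# risk id -> (impact, rank), copied from the page's IMPACT list and
# RISK RANK table.
PAGE_REGISTER = {
    "R01": (2, 4), "R02": (3, 9), "R03": (2, 2), "R04": (2, 2),
    "R05": (1, 2), "R06": (3, 9), "R07": (3, 3), "R08": (3, 6),
}

# Risk levels as the page groups them in prose.
PAGE_LEVELS = {
    "high": {"R02", "R06", "R08"},
    "medium": {"R01", "R07"},
    "low": {"R03", "R04", "R05"},
}


def exposure_matrix():
    """Rows are probability High..Low, columns are impact Low..High."""
    return [[p * i for i in SCALE] for p in reversed(SCALE)]


def level(rank):
    """Map a rank to the page's bands: 1-2 low, 3-4 medium, 6 or 9 high."""
    if rank not in VALID_RANKS:
        raise ValueError(f"rank {rank} cannot come from a 1..3 x 1..3 scale")
    if rank >= 6:
        return "high"
    return "medium" if rank >= 3 else "low"


def implied_probability(impact, rank):
    """Recover the probability score that yields `rank` for a given impact."""
    if impact not in SCALE:
        raise ValueError(f"impact {impact} is outside the 1..3 scale")
    probability, remainder = divmod(rank, impact)
    if remainder or probability not in SCALE:
        raise ValueError(f"rank {rank} is inconsistent with impact {impact}")
    return probability


def build_register(register):
    """Return one row per risk, sorted by rank (highest first), then id."""
    rows = []
    for risk_id, (impact, rank) in register.items():
        rows.append({
            "id": risk_id,
            "probability": implied_probability(impact, rank),
            "impact": impact,
            "rank": rank,
            "level": level(rank),
        })
    return sorted(rows, key=lambda r: (-r["rank"], r["id"]))


def audit(register, stated_levels):
    """List (id, stated level, computed level) wherever the two differ."""
    stated = {rid: lvl for lvl, ids in stated_levels.items() for rid in ids}
    problems = []
    for row in build_register(register):
        if stated.get(row["id"]) != row["level"]:
            problems.append((row["id"], stated.get(row["id"]), row["level"]))
    return problems


if __name__ == "__main__":
    for row in build_register(PAGE_REGISTER):
        print("{id}  P={probability} I={impact}  rank={rank}  {level}"
              .format(**row))
    print("discrepancies:", audit(PAGE_REGISTER, PAGE_LEVELS))
```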
Planning and scheduling of activities. The input to this process is the lists of risks ranked by importance. The task is to develop, on the basis of these lists, detailed strategies and activities
for each main risk and to rank the activities by importance, so as to create an integrated risk management plan. The activities in the integrated plan are:
focusing on high-exposure risks
determining the conditions for reducing the probability of risks occurring
searching for the key causes, so that the symptoms of the risks are reduced
determining the repercussions, so that the influence of the risks is reduced
after the key causes are determined, searching for other possible risks that have a similar cause
searching for dependencies between risks.
When creating a risk management plan, care should be taken as to whether the employees know enough to be able to recognize the risk, whether the risk can be accepted without
taking any action, whether the risk can be avoided or transferred to another area, or whether the consequence of the risk can be reduced. In planning, it is necessary to define a reaction plan (what
to do if the risk causes damage).
In accordance with the plan, the activities have to be distributed among different employees. It should be determined who is responsible for each activity in the plan.
Tracking risks and reporting. This activity involves writing down all the facts about a risk. It is recorded how the risk changes and what the risk trigger values are (if the
risk materializes, the reaction plan should be activated), and the conditions, consequences, probabilities and impacts related to the risk are monitored. If any of these
changes, the risk needs to be reassessed. In this phase, the implementation of the risk reduction plan is also monitored. If the risk reduction plan does
not perform well, it should be reconsidered. Risk monitoring can be an ongoing activity, periodic, or case by case (ad hoc).
A report has to be made for every risk. For each risk, the report describes the following situations:
solution: the risk is resolved and the action plan for resolving the risk is finished
consistency: the risk is constant regardless of the action plan; work on resolving the risk should continue
changes: some actions taken to reduce risks differ from those planned; corrective measures should be undertaken to return the activities to the planned framework
volatility: the risk situation has changed significantly, and risk planning and analysis need to be done again.
Risk control. This phase of MOF risk management refers to activities related to the reaction plan, because the risk has materialized. This is where corrective actions related to risk monitoring are
undertaken. Risk control uses information collected through risk monitoring and reporting, and information from a database of past risks. Likewise, new experiences related to risk
control are stored in the database. The key to risk control is good communication among all employees who can react well to the risk.
Learning from risk. Learning from risk is an ongoing process that takes place throughout all phases of risk management. The goal is to improve people's knowledge of risk in order to improve
the recognition of potential risks, which affects the quality of risk management in the future. When learning, two situations should be distinguished:
learning from a new risk - a lot of new information with which we have nothing to compare; it helps us to recognize the same situation as a risk in the future and in that
way prevent the consequences that happened to us because this time we did not recognize the risk
learning from the reappearance of known risks - by establishing known facts and reminding ourselves, we consolidate knowledge and have the possibility of improving the risk reduction strategy
(introducing new controls).
After the first step, threat identification, vulnerability and control analysis and risk impact analysis can proceed in parallel.
Each step within the risk assessment has its input, activities and output, which are presented here in the form of a table:
Input: Probability of threat realization, magnitude of impact on functioning, adequacy of current or planned controls
Activity: The purpose of this step is to determine the level of risk for the IT system. A risk level matrix is used to measure risk. In the columns of the matrix is the level of influence of threats on the vulnerability of the system. The threat level is (10 - low impact; 50 - medium impact; 100 - high impact). In the rows of the matrix is the probability of the threat (1 - high probability; 0.5 - medium probability; 0.1 - low probability). The content of the matrix is the product:
LEVEL OF RISK = SIZE OF IMPACT * PROBABILITY OF THREAT
Risk scale: LOW (1 to 10), MEDIUM (11-50), HIGH (51-100).
Output:
HIGH RISK: immediate corrective actions are required. The existing system can continue to work, a corrective action plan is necessary and should be implemented as soon as possible.
MEDIUM RISK: corrective actions are needed, it is necessary to adopt a corrective plan and implement it in a reasonable time.
LOW RISK: the risk management team must determine which corrective actions should be implemented and which risks should be accepted and worked on regardless of their existence.
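The matrix described in this step, worked through as an added example (not part of the original document): it builds all nine cells from the impact and probability values given above, classifies each on the LOW/MEDIUM/HIGH scale, and ranks a small risk register. The register entries and all function names are constructed for illustration.

```python
from fractions import Fraction

# Values taken from the step description above.
IMPACT = {"low": 10, "medium": 50, "high": 100}
PROBABILITY = {"low": Fraction(1, 10), "medium": Fraction(1, 2), "high": Fraction(1)}

# Risk scale from the text: LOW (1 to 10), MEDIUM (11-50), HIGH (51-100).
SCALE = [("LOW", 1, 10), ("MEDIUM", 11, 50), ("HIGH", 51, 100)]

# Required reaction per band, shortened from the output column of the step.
ACTION = {
    "HIGH": "immediate corrective actions; corrective action plan as soon as possible",
    "MEDIUM": "adopt a corrective plan and implement it in a reasonable time",
    "LOW": "risk team decides which actions to implement and which risks to accept",
}


def risk_level(impact, probability):
    """Return (score, band) for one threat/vulnerability pair."""
    if impact not in IMPACT or probability not in PROBABILITY:
        raise ValueError(f"unknown rating: impact={impact!r}, probability={probability!r}")
    # Fractions keep the product exact, so 100 * 0.1 is exactly 10, never 10.000000000000002.
    score = IMPACT[impact] * PROBABILITY[probability]
    for band, low, high in SCALE:
        if low <= score <= high:
            return int(score), band
    raise ValueError(f"score {score} falls outside the defined scale")


def risk_matrix():
    """Full matrix: rows are probability, columns are impact."""
    return {
        p: {i: risk_level(i, p) for i in ("low", "medium", "high")}
        for p in ("high", "medium", "low")
    }


def band_counts():
    """How many of the nine cells land in each band."""
    counts = {"LOW": 0, "MEDIUM": 0, "HIGH": 0}
    for row in risk_matrix().values():
        for _score, band in row.values():
            counts[band] += 1
    return counts


def rank_register(register):
    """Sort register entries by descending score and attach the required reaction."""
    ranked = []
    for name, impact, probability in register:
        score, band = risk_level(impact, probability)
        ranked.append({"risk": name, "score": score, "band": band, "action": ACTION[band]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed sample register: (risk, impact rating, probability rating).
REGISTER = [
    ("Unauthorized change to a local database", "high", "medium"),
    ("Loss of backup media", "high", "high"),
    ("Intranet page outage", "low", "high"),
    ("Malformed order received by e-mail", "medium", "low"),
]

if __name__ == "__main__":
    for p, row in risk_matrix().items():
        print(f"probability {p:<6}", {i: cell for i, cell in row.items()})
    print(band_counts())
    for entry in rank_register(REGISTER):
        print(f"{entry['score']:>3} {entry['band']:<6} {entry['risk']}: {entry['action']}")
```

With these values only the high-impact, high-probability cell reaches HIGH, and a high-impact threat with low probability scores 10, the same as a low-impact threat with high probability.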
7. Recommendations for controls
Activity: This activity recommends introducing new controls into the system in order to reduce the identified risks to an acceptable level. At the same time, you should take care of:
the effectiveness of the recommended controls
legal regulations
the policy of the organization
the impact on the operational execution of tasks
safety and reliability
Output: Recommended controls
9. Documentation of results
Activity: At the end of the risk assessment process, everything should be documented in the form of a set of reports to management. This report should help in making decisions about policy, budget, operational implementation of changes and changes in management, related to risks.
Output: Report on assessed risks - contains identified threats and vulnerabilities in the system that may arise, an assessment of the level of risk and makes recommendations for the implementation of controls.
ITIL [1], [2], [3], [4], [5], [6], [7], [8] is an abbreviation of Information Technology Infrastructure Library (IT Infrastructure Library). ITIL actually represents norms, or best practice, in
providing IT services to users. ITIL started to be developed in the early 80s of the 20th century by the so-called Central Computer and Telecommunications Agency (CCTA). Later
this institution became an integral part of the so-called UK Office of Government Commerce (OGC).
The goals of ITIL are:
Improving the efficiency and effectiveness of IT services
Quality of IT services
Reducing risks.
ITIL is a kind of guide for managing IT services at the strategic, tactical and operational level. In version 2 (ITIL v2) the basis of ITIL consists of:
service delivery (relates to tactical management), which includes service level management, financial management, availability management, capacity management and
business continuity management
service support (relates to operational management), which includes: the user support service, incident management, problem management, change management,
configuration management and release management.
In May 2007 [5] version 3 of ITIL (ITIL v3) came into use. Its basic novelty is that services are no longer viewed as service delivery and service support; instead, the
life cycle of an IT service is followed, so version three contains: service strategy, service design, service transition, service operation and continual service improvement.
Service strategy. Here, on the basis of user demands, the strategies for developing IT services, the policies, the resources and the constraints are shaped, as well as the so-called service level package (what the IT service offers on
the basis of user requests).
Service design. Here the service is designed and its architecture and standards are defined, as well as the so-called service design package (which holds all the information necessary for developing the service).
Service transition. Here the designed service is built up to the level at which it is ready for delivery to the user. The service is also tested here.
Service operation. Here the IT service is given to the user for use under the agreed conditions. The technology and infrastructure necessary to support the service are defined here.
Continual service improvement. Plans and activities for improving services are defined. Opportunities for progress are identified, as well as weaknesses or mistakes in IT services which
have to be corrected.
Each of these five groups has a purpose, key processes and activities, and key roles and responsibilities. The management activities that appear in ITIL v3 are:
within service strategy: strategy generation, financial management, portfolio management, demand management
within service design: service catalogue management, service level management, capacity management, availability management, IT service continuity management
(related to managing the consequences of risk), procurement management
within service transition: transition planning and support, change management, configuration management, implementation management, testing and validation,
assessment, knowledge management
within IT service operation: event management, incident management, request fulfilment, problem management, management of access to IT services,
user support management
within continual service improvement: service improvement management, measurement of service success, service reporting.
ITIL is a framework for carrying out IT service management. It does not deal with risks explicitly. Nevertheless:
one of the goals of ITIL is risk reduction
through the concept of an IT service, ITIL implies risk management, because an IT service by definition must not bring the user unforeseen costs and risks
the service provider, among other things, manages the risks associated with the service, and does so in all phases of the service lifecycle (strategy, design, transition, implementation and
continual improvement).
Risk management within ITIL can be seen in the following processes:
ITIL v2, within service delivery, in the continuity of IT services. Here, within requirements and strategy, the critical business processes and the time for recovering the IT service from
a realized risk are identified [8]. Furthermore, the risk from threats to assets is assessed (using the so-called CRAMM methodology – Central Computer and Telecommunications
Agency Risk Analysis and Management Method). Based on the risk assessments, strategies are made for business continuity, that is, for the performance of IT services. CRAMM
risk analysis analyzes threats to and vulnerabilities of assets. Threats and vulnerabilities cause risks, which management strives to control by undertaking certain measures.
The asset categories in risk analysis are hardware, software, people and buildings. In risk analysis, pairs of threats and vulnerabilities must be identified. They can be
displayed in a diagram of cause (threat) and consequence (vulnerability). The result of the analysis is a list of risks. Each risk is a function with the following parameters:
The probability that a threat gives rise to a risk by using a vulnerability of the system
The severity of the consequences caused by a threat realized on a vulnerability of the system
Controls (planned or already existing) which act to reduce or eliminate risks
Within IT service continuity management it is important to define the way of recovering from risks. Reactions to risk can be: do nothing, make backup copies, gradual
recovery (longer than three days), fast recovery (1-3 days) or urgent recovery (within 8 hours). The reaction depends on the importance of the IT service for the business. Continuity management enables
survival in case of disaster, recovery of business activities in case of an interruption of work, and loss prevention.
Risk management is not presented explicitly in either ITIL v3 [5] or v2. Risk management is expressed implicitly, in all phases of the IT service life cycle. A
few examples follow:
Within service strategy there is an activity of shaping and developing IT service development strategies. Risk management is important here, because it is necessary to
identify, evaluate and prevent or reduce threats which would call the IT service development strategy into question.
Identifying threats and managing them is important in service design. One of the key activities is IT service continuity management (see risk in the framework of
ITIL v2). Here, through risk management, control mechanisms for recognizing and preventing risks are defined, as well as mechanisms for reducing risks. Within service
design, the information security management process is also important, and the key thing for information security is preventing threats of destruction and reducing vulnerabilities.
In the IT service transition phase, the change management process is important. Changes automatically mean risk, so risk management is necessary here too. In fact, the connection
between change management and risk management is mutual. Risk management makes changes easier, and change management is one of the mechanisms for optimizing risks
(reducing risks to an acceptable level).
For the service operation phase, the important processes are incident management and problem management, which are again associated with risks, and proportionally so: more incidents
and problems mean larger risk. Smaller risk means smaller uncertainty, that is, fewer incidents and problems.
In continual improvement of IT services, account should be taken of new threats and system vulnerabilities that are a consequence of new demands from users of IT services.
In fact, with every new demand, an analysis of possible threats and vulnerabilities should be carried out, that is, the possibility of new
risks arising should be considered and action taken in accordance with the result of the analysis (most often, the new risk is proactively prevented or reduced).
From the above review it can be concluded that risk management is an important activity within ITIL. It is not explicitly listed anywhere as a management activity, but it is "logistical", i.e.
it supports all the other activities.
Literature
[1] "ITIL Organisation Structure"; CEC Europe Limited; London, 2002
[2] http://en.wikipedia.org/wiki/ITIL-v2; http://en.wikipedia.org/wiki/ITIL-v3; downloaded 23.08.2009
[3] "An Introductory Overview of ITIL v3", Cortlige, Hannah et al., itSMF Ltd., 2007
[4] Prof. Ph.D. sc. Z. Cracker: "Management informational resources (selected chapters)", script with lectures; PDS FOI, 2007
[5] "ITIL-The Key to Managing IT Services – Service Delivery"; TSO for OGC; Crown Copyright 2003; London
[6] "ITIL-The Key to Managing IT Services – Service Support"; TSO for OGC; Crown Copyright 2003; London
[7] "IT Service Management – an Introduction"; itSMF Press; London, 1999
[8] "The Benefits of ITIL" – Pink Elephant Inc., 2002
[9] Geddes, Ratclife: "ITIL Process Maturity Self-assessment & Action Plan", Pink Elephant Inc., September 2002, London
Velibor Božić
The Risk Management Standard
The Risk Management Standard was created in 2002 as a result of the cooperation of three organizations in
Great Britain - IRM (The Institute of Risk Management), AIRMIC (The Association of Insurance and Risk
Managers) and ALARM (The National Forum for Risk Management in the Public Sector).
The goal was to develop a standard for risk management that would include:
In this standard, risk is defined as a combination of the probability of an event occurring and its consequences
on the property.
The main part of risk assessment is the identification, analysis and treatment of risks. The analysis
evaluates threats and their impact on system vulnerabilities. The ranking of risks is
determined and their impact on the organization is assessed. Those risks that are critical are treated, i.e. an attempt is made
to avoid or reduce them.
Risk management is a continuous process that is embedded in the organizational strategy and the
implementation of that strategy. It must be led by top management, but it must also not be defined only
at the strategic level, but must be translated into tactical and operational goals. Throughout the
organization, all managers and employees must have risk management responsibilities and it must be in
their daily job description.
The appearance of risk is influenced by many factors and can be roughly divided into:
• Factors within the organization – products and services, employees, procurement, internal
accounting controls
• Factors outside the organization – legislation, culture, organization oversight (boards, supervisory boards...),
contracts, natural disasters, suppliers, environment, credit, market changes, competition, customer demands...
Considering all the listed risks, the question arises of how risk management can help the organization. Here are
some facts:
provides a framework for the organization to undertake activities in the future in a consistent and controlled manner
improves decision-making, planning by enabling understanding of business activities, opportunities and threats
contributes to better distribution of capital and resources within the organization
protects the assets and image of the organization
supports the enhancement of people's capabilities and enables a learning organization
optimizes operational effectiveness and efficiency
Figure: the risk management process. Elements shown: strategic goals of the organization; risk evaluation; risk analysis (identification, risk description, examination); risk assessment; reporting about risks; decision-making; reporting about the remaining risk; supervising; modifications; process control.
RISK ANALYSIS
Risk identification – the goal is to find out how much the organization is exposed to uncertainty.
Risk identification uses the expert knowledge of people within the organization and various techniques such as:
• Brainstorming, questionnaires, business studies that describe business processes, comparative measurements with others (benchmarking),
scenario analysis, workshops, incident investigations, controls and inspections, and a number of techniques described in ISO 31010 - HAZOP,
SWOT, FMEA...
Risk identification is key to the success of the risk management process. It should systematically reveal as many risks as
possible in different areas:
• Strategic risks - this refers to risks that affect the strategic, long-term goals of the organization. Examples: availability of
capital, political risks, government crisis, changes in legislation, changes in the environment...
• Operational risks - these are everyday risks that can occur in work and that the organization faces on a daily basis
• Financial risks – this refers to financial risks inside and outside the organization such as: credit availability, currency exchange
rates, interest rates, market conditions...
• Knowledge management - this refers to the sources of knowledge in the organization, access to them and the way of communication.
Examples of risks are: unauthorized access to information, theft of intellectual property, power outages, system unavailability due to
malfunctions, loss of key personnel...
• Compatibility – here we mean compliance with laws, regulations, contracts, regulations.
Risks: insufficient protection of clients, non-compliance with contractual obligations...
Risk description – according to RMS, each risk must be described. There is a specific template for this:
NAME OF RISK
AREA OF RISK: Qualitative description of events, size, type, number and dependencies
NATURE OF RISKS: For example strategic, operational, financial, know-how or compatibility risk
RISK TOLERANCE: Potential loss and financial damage; risk value; probability of loss and potential damage; desired controls and level of performance
ATTITUDE TO RISK AND CONTROL MECHANISMS: With what the risk is controlled; level of reliability of existing controls; identification of monitoring and reporting protocols
Low probability (rare): The probability of the threat occurring is less than 2% in 10 years. No event has appeared yet. It is quite rare.
Probability of opportunities occurring (positive side of risk)
Risk assessment - after the risk analysis has been completed, it is necessary to compare the analyzed risks with the risk criteria
(associated costs and benefits of the risk, legislation, socio-economic and environmental factors, shareholder requirements...)
adopted by the organization. The risks are
ranked and it is decided which risks are critical to the business and which will be acted on so that they disappear or are reduced.
Risk reporting and communication - different levels in the organization should have different information about the risk management
process.
Attitude towards risks - this is the process of selecting and implementing measures to reduce risk, but also ways to avoid
risk, transfer it, and the like.
In relation to risk, you should ensure:
• Effective and efficient operations within the organization
• Effective internal controls
• Compliance with laws and regulations.
The basic criterion that must be respected is that the cost of acting on the risk does not exceed the damage that the realization of the risk
can do to the organization.
Process monitoring and review of risk management - this part is necessary because the organization is alive and circumstances change on a
daily basis, which influences the creation of new threats, new vulnerabilities ... therefore, constant monitoring and review is needed in order to
be up to date and able to react in a timely manner.
In the risk management process, clear roles and responsibilities must be set
Administration:
• assessing the nature of the risk and defining the level to which it must be reduced in order to be acceptable for business
• assessment of the probability of risk occurrence
• determining the way to manage unacceptable risks
• defining the company's ability to minimize the probability of the occurrence of threats and their impact on business
• identifying the costs and benefits of risk and determining control activities
• defining criteria for measuring the effectiveness of the fight against risk
• consideration of the impact of risk on the decisions of the Management Board.
Executive directors
must ensure the inclusion of risk management in the project as one of the phases of the project, without which the project itself
cannot be successfully realized.
Internal control
The board must have a clear business vision and strategy (including a risk management strategy).
Management's task:
How to do it?
Change the practice of choosing people: ABILITY instead of ELIGIBILITY
Reduce vanity and accept the need for learning and improvement
Apply techniques: SWOT analysis, BSC, 4A approach
THE RESULT:
In risk management, the goal is to reduce risk to an acceptable level. Necessary supporting activities are:
Management and executive directors are responsible for carrying out these activities.
In addition to the roles mentioned above, the Board and CEOs have a joint role to ensure effective
and efficient risk management, which means that:
For effective risk management, the company also needs internal control.
The roles of internal control are:
Ability management
Capability management aims at continuously improving the capabilities of employees so that the
organization is of high quality in performing its own activities. With capability management, there is a whole
process of activities that must be undertaken. The first activity is defining the vision, strategies and strategic
goals of the organization. Namely, it is necessary to define the necessary abilities of employees in the context
of the vision, strategies and goals. One should ask what the purpose of the organization is and what kinds of
capabilities are needed to achieve that purpose. The second step in the capability management process is to
divide the required capabilities into specific capability areas at different levels of the organization. It is
necessary to create the so-called competence centres, i.e. places within the organization that are made up of
a team of experts for a specific area. These capability centres are connected to specific processes and people
in them, and enable globally defined capabilities at the level of the organization to be mapped to the level of
the individual. In the competence centre, the key competences needed to perform a specific job are defined. In
doing so, the current situation must be analyzed and compared with the desired state. Based on the analysis,
the competence centre develops a plan explaining how a certain type of competence should be developed.
The next stage is the implementation of the plan at the individual level. In order for the employee to be
able to fulfil his tasks well, he must be provided with certain abilities. Implementation of abilities is carried out
through discussions of experts from ability centres and individuals, through different methods of training,
learning and the like. Finally, through the implementation of capabilities to each individual, the capabilities of
the organization as a whole are increased.
When observing the management of capabilities, it can be said that there are three aspects of
observation: the organizational aspect, the aspect of the current and future situation, and the aspect of the
content of capabilities. When looking at the organizational aspect, for the successful management of
capabilities one needs to know whether it is the capabilities needed by an individual, the capabilities to perform
a job, the capabilities of a team, department or the entire organization. From the aspect of the current or future
situation, capability management is different if one wants to know the current situation or analyze the needs for
the future. From the aspect of the content of the capabilities, again, management differs with regard to whether
they want to develop general, functional, process or key capabilities.
For the successful management of abilities, it is necessary to define ways to develop certain abilities.
In principle, it is known that the strategic goal of capability management is to improve the comparative
advantages of the organization with the help of capability development, process improvement and application
of information technology/information systems. This also means a systematic analysis of existing capabilities
at the individual, team and organizational level. How to achieve all of this? One of the strategies takes care of
cost management, differentiation of activities and focusing on specific activities. Thus, capability management
is limited by allocated funds. The second strategy takes care of the quality of the work done in terms of quality
management and creating processes. There, operations and work efficiency are continuously improved.
Today, the prevailing strategy is to define the key capabilities needed by the organization. The main task of
management in this strategy is to discover, maintain and improve the capabilities of the organization.
Identification of key capabilities
The key capabilities of an organization are those capabilities that are necessary for the organization to
be competitive on the market. The concept of key capabilities should only be used at the organizational level.
The identification of key capabilities is quite a difficult task and requires a great deal of knowledge
about the organization itself and the environment in which it functions. Answers to the following questions help
to identify key capabilities:
Does the ability have an impact on added value for the customer?
Can the ability influence the increased competitiveness of the organization?
Can the ability be incorporated into business activities?
If the answers to all three questions are positive, then something is a key activity. In addition, it is important to
know the characteristics of key activities for identification. These are:
Identification of key capabilities is difficult because no concrete recipes are offered on how to do it. Only a
framework is defined within which each organization takes care of key capabilities, depending on the specific
situation.
When looking at an organization's ability, it can be said that it consists of key abilities that enable
competitiveness and additional abilities that are also important, but not necessary for survival. Key capabilities
have a positive impact on customers. They are further divided into capabilities within individual departments.
At the department level, abilities are still generalized. There, groups of experts make development plans
because abilities are defined in such a way that they can be connected to the level of individuals. The next
level in the capability architecture is the team level. In teams, abilities consist of the individual abilities of team
members. Finally, abilities at the level of individuals are very concrete. They include all the knowledge,
abilities, intentions, experience and contacts that individuals have.
In the end
Successful talent management requires an understanding of the vision, strategies and goals of the
business. This is necessary in order to be able to identify which capabilities the organization wants, i.e. which
capabilities it needs. For the success of capability management, it is necessary to define key capabilities.
These are abilities without which the organization cannot survive in the market. Implementing capability
management is a long process that involves continuous learning and is linked to strategic management and
performance management. Capability management actually combines the strategy making process with
performance management process and thus identifies, maintains existing and develops new capabilities at all
levels of the organization.
Capability management requires that everything is done in accordance with the vision, strategies and
goals of the business. It is a relatively new approach that offers an understandable way of developing
employee capabilities in the context of the organization's strategy.
Velibor BOŽIĆ
Business Intelligence
Business intelligence is the ability of an organization to create useful information from the data
it has. Today, this ability is essential for survival in the market. It enables better decision-making and
is a key part of the corporate information strategy. Namely, the organization's information assets
include a wide variety of data sources that are dislocated and diverse in composition. Business
intelligence helps to turn a huge amount of data and information into new knowledge. The goal of
business intelligence is to enable managers and leaders to make more efficient and effective decisions
in order to increase the profitability of the organization.
TECHNICAL STAFF
At the base of the pyramid are transaction databases that collect raw data arising from business
activities. Data warehouses organize collected raw data into information. Business intelligence and
real-time analytical processing (OLAP) are used to analyze information and create new knowledge.
Finally, top management evaluates knowledge and manages activities and makes decisions.
In order for managers at the top to be able to make quality decisions, information should be
presented in the right way, which is enabled by the technical staff. It enables management to use as
much information as possible within the organization.
Problems related to business intelligence
Some of the significant problems with business intelligence are:
• management is often frustrated because business intelligence seems difficult to them, i.e.
they have difficulty focusing on critical business factors
The solution to the problem is better cooperation between managers and those who introduce
business intelligence and the sincere desire of both to succeed.
Data collection. Data collection refers to obtaining data from various sources. Data can be in
documents (lists, e-mail messages...), photos, images, sound recordings, web pages and the like. The
goal of business intelligence is for data to remain in digital form (scanned, recorded with digital cameras,
stored in databases, placed inside a web server...).
Data analysis. It implies the creation of useful knowledge from the collected information. The analysis
provides different assessments, trends, integrated and recorded information, evaluated models. The
process of data analysis is also called data mining or knowledge search. There are analysis tools such
as: probabilistic theories, statistical methods, operational research or artificial intelligence. All these tools
are built into existing software products dealing with business intelligence.
Understanding data. Understanding data refers to determining the context of information with regard
to the problem being solved. With this in mind, irrelevant information is thrown out, and only key
information essential for decision-making is used.
Risk management. This is the possibility to reduce the risk in the future with the help of business
intelligence, because situations in the future can be simulated, cost/benefit analysis can be done,
decision-making and results can be simulated.
Making decisions. Making decisions is the ultimate goal of business intelligence. Business
intelligence aims to predict important events such as changes in the market, various takeovers, poor
performance of staff and the like. With the help of forecasting, managers can react better and make
better decisions. These decisions can improve sales, customer satisfaction or employee morale. All this
enables the right information at the right time.
Business intelligence solutions must be adapted to the specific organization in order to optimize
business processes, to improve proactive decision-making and maximize profits, i.e. minimize costs.
Velibor Božić
Conflict management
When employees work together it is often the case that they have conflicting goals and work styles. Therefore,
conflicts are a normal part of doing a job. Of course, if you know how to manage conflicts and if you know how to
communicate with conflicting people, you can turn a potentially destructive force into a chance for creativity and greater
productivity. Precisely because of the above fact, conflict management is a very important managerial skill.
There are different situations that can cause conflicts. Some of them are: lack of interest in the job, misunderstanding
of things or lack of information, change of job, actions taken by managers, evaluation of the success of the work done,
private problems that may affect the work activity.
There are two basic ways of managing conflict, informal management and formal conflict management. An informal
way of managing conflicts implies that managers and employees jointly initiate problem solving. It is openly discussed,
without mutual accusations. An attempt is being made to discover the source of the conflict. Conflict mediation services
are often used here. Another way to manage conflict is a formal approach. It is applied when the conflict cannot be
resolved through direct employee interviews. Here, conflict resolution processes are initiated through the completion of
formalized forms on the basis of which the investigation, hearing and finally arbitration are conducted.
What are the most common causes of conflict among employees? First of all, these are:
• the natural desire of man to be the first to explain his views in the hope of imposing them on
the other side
• the inability of people to be listeners; listening is much more than not speaking, it involves an
effort on our part to really understand the views of the interlocutor
• people's fear of not fulfilling their own ambitions, fear of losing something we believe in,
fear of the truth, fear of turning out to be stupid ...
• the assumption that we will lose if someone else wins; this attitude is overcome by
creating a competitive climate (thus defeat is not understood tragically).
There are techniques to alleviate conflicts or prevent them from occurring. They are described below.
In conflict management, whether formal or informal, two things are important: how to control the conflict and how to
communicate with people prone to conflict. In both cases there is a need to know what needs to be done and how
something needs to be done. When keeping a conflict under control, the procedure is as follows:
• one needs to talk to others - the most appropriate time for the conversation should be
determined, as well as a place where one can talk in peace
• one should focus on behavior and events, not on people - one should say, for example, "When it happened
..." and not "When you did it ..."; it is necessary to describe a concrete event, not to generalize
• one should listen carefully - one should know how to listen to what others are saying, instead of
constantly reacting; interrupting others in conversation should be avoided; we should repeat what
the interlocutor said to ensure that we understood everything well; sub-questions should be
asked to clarify ambiguities
• what you agree on should be clearly defined, where non-conflict points and points of agreement
should not be found; one should try to find a compromise
• one should rank the conflict areas - here the conflict areas must be ranked by the importance of
addressing them
• a plan for resolving the conflict should be created, starting with the most important thing - it should
be focused on the future, the dates of the next meetings should be determined in order to continue
the discussion (and assess what has been done)
• the plan should be adhered to - it should be implemented as agreed; people in conflict need to be
constantly monitored
• you need to work on your own success - look for a chance to progress; acknowledge the success
of others; congratulate the people you have been in conflict with.
In conflict management, another important ability is to communicate with conflicting people. There are almost
always people prone to conflict. The best defense against them is to know how to treat such people properly.
Here's what you need to do:
• one should be honest and direct - one should honestly and directly tell the person what bothers us about them;
e.g. "I can't do a job because of ...", "I don't care about you ..."
• one should listen carefully - here the ability to listen to others, not to quarrel, is important; interrupting
the interlocutor should be avoided; what we have heard should be repeated to make sure we have
understood everything well
• blame should be avoided - here one must focus on the facts; if the
conflicting person notices a mistake on our part, it will be caught and solving the problem can be
difficult
• one should be focused - matters must be discussed in detail, not generalized; deviating from
the topic should be avoided
• one needs to talk a little - the problem should be summarized and deliberately paused (let there be
silence for a while) before the person prone to the conflict responds.
It can happen that despite the stated knowledge about conflict control and communication with conflicting people,
conflicts do occur. If it is not possible to smooth it out by direct conversation of the conflicting parties, mediators or
arbitrators must be used. In conflict management, the role of mediator or arbitrator is taken over by managers who
have special knowledge of conflict resolution.
The manager-mediator must understand the views of the participants in the conflict, must influence their desire to
overcome the conflict (emphasizing positive views, emphasizing the possibility of compromise), must set rules of
communication, should lead meetings between conflicting parties, should equalize the power of conflicting parties,
should help develop a plan for future cooperation.
Another important role of managers in resolving conflicts is arbitration. The manager-arbitrator must perform all
activities as well as the manager-mediator with the difference that in the end he makes a judgment that the
conflicting parties must respect.
Conflicts between employees are relatively common and can affect the business as a whole. Conflicts are normal in
situations where multiple people work together to solve a problem. In conflict management, it is important to turn the
potentially negative energy that erupts from each conflict into something positive (competitive spirit, desire to
succeed, etc.). Therefore, conflict management is an important task of management.
Velibor Božić
One of the dominant trends in today’s management is customer orientation. All levels and segments of
business direct their activities towards identification, categorization, understanding and serving customers.
Information gathering processes and marketing processes are particularly important for successful customer
relationship management. This does not mean that other business segments are not important. On the contrary,
orientation towards the customer should become the guiding principle for all existing and planned activities in
the company. The main areas of customer orientation include image, organizational culture, competition,
evaluations and quality. Orientation towards the customer has a great influence on the image of the company.
Everything from the company’s trademark, furniture and equipment, the colour of work uniforms, the colour of
the walls in the premises or websites on the Internet should be such that they meet the needs and expectations
of customers. The efforts and opinions of all employees are essential for customer orientation, regardless of
whether the employees communicate directly with the customer or not. All employees should work so that
customer expectations are met to the greatest extent. Companies that are ready to compete in the market,
and in relation to excellence for the customer, have a better chance of meeting the needs of potential
customers. In order to create manageable customer services, companies must create a system for collecting
and objectively analyzing customer information. This system must be properly evaluated to ensure that the
information collected is relevant to a particular customer. Otherwise, it is not of much use. In the past,
marketing activities were emphasized in the company, which usually included: market research and
segmentation, defining the market position, analyzing customer needs, creating a marketing plan and
evaluating the achieved results. These activities are the basis for defining the way of advertising, for defining
relations with the public, for distributing information and for "convincing" customers. In today’s companies, all
the listed activities are very important, but not sufficient for a real focus on the customer. Namely, if the
company wants to be truly oriented towards the customer and if it wants to successfully manage relations with
customers, deeper organizational changes are needed. The company should coordinate all business functions
related to the customer (directly or indirectly) and develop a systematic way of adapting, monitoring and
improving relations with customers. In order for customer relations to be successful, i.e. for the company to be
customer-oriented, the following is necessary:
• identify customers through market research, market segmentation and study of potential customers
• define offers, products and services for different customer groups
• identify strategic objectives and critical factors for sales and support in each market segment
• collect information about the wishes and needs of customers and use them as a basis for marketing
activities
• it is necessary to be sure that every change is a response to customer needs
• clearly define the cost-benefit ratio for each product or service and use this knowledge to introduce new
or improve old products or services
• it is necessary to monitor the competition and always strive for better ways of satisfying
customers' needs
• provide good employee training and instill in them the attitude that the customer is the
most important
• each customer should be considered separately (as a specific case)
• care should be taken to fulfil all promises about the quality of products, services and
customer support.
In order to successfully manage customer relations, it is necessary to keep in mind that customer
satisfaction is not something that can be achieved with an exact recipe. This requires constant
improvements of the entire business organization. The end result of customer orientation is customer
satisfaction. Customer satisfaction must be measurable. It is measured by answers to a series of questions
such as:
o Do you know who your customers are and how many there are?
o Do you listen carefully to the requests of each of your customers?
o Do you respond to customer requests in a timely manner?
o Do you give advice to customers regarding products/services?
o Do you know what the cost is if you lose a certain customer?
o Do you regularly communicate with customers?
o As a manager, do you know how many customer complaints you have?
o Does the top management agree on customer orientation?
o Does the management set a good example for customer orientation by its own
example?
o Does management also assess customer satisfaction?
o Does top management also discuss customer complaints?
o Is customer satisfaction part of the business vision?
o Is the customer satisfaction policy understood in the company?
o Are customers involved in executive processes and company development processes?
o Were the products delivered on time?
o Do you have a website and do you do business over the Internet?
o Do you stimulate employees for ideas related to customer satisfaction?
o Are the interests of employees and customers connected?
These are just some of the questions that can be used to measure customer satisfaction and thus get
feedback that is essential for managers to better manage customer relations.
It should be said that today there are also software tools within the so-called ERP (Enterprise Resource
Planning) information systems that help managers manage relationships with customers. These tools enable
easy collection and use of data about business partners. On the other hand, the Internet, as a global
phenomenon today, represents a medium of communication between companies and customers that speeds
up and simplifies business. Today, customers are increasingly self-confident, more sophisticated, have a large
choice, and are very demanding. Precisely for this reason, customer relationship management becomes
important for successful business. It must become part of them.
Human resource management
You can have the best business plans, vision and strategies that are great for
successful business, but if you do not have people who would put your ideas into operation,
i.e. take concrete action, you will not succeed in your intentions. People are a key resource
that enables business, so they need to be given due attention.
Leadership and management are two concepts that are often equated. Of course, these
terms denote different concepts. Both are vital to the success of an organization so let’s pay a
little attention to them.
A leader is a person who directs. He has a vision, he motivates, and he is full of enthusiasm.
A leader is a person who is respected and followed. The leader concentrates on the strategy,
identifies new opportunities, i.e. the chances of the organization, and moves the organization in a
new direction. He must have the ability to gain trust when directing the organization, he must have
the courage to take actions and risks, and he must inspire people and encourage their faith in
success. In order for a leader to be effective and efficient, some principles should be adhered to,
such as:
• personal example should convince followers of what he stands for
• should be optimistic and always think positively
• should strive for the best solutions (if you set high goals, you will achieve
more than if you start with modest ambitions!)
• one should strive for simple solutions in everything that is done
• one should reward a positive result
• one should communicate, which means, listen carefully and talk openly.
If the leader adheres to the above principles, the followers will be more loyal to him and leading as
a process will be much easier.
A leader may or may not be a manager. Namely, leadership is an important characteristic of a
manager that he has or does not have. Not every manager is a leader. It is a common situation
that leaders act informally within the organization, i.e. they are not members of formal management
structures. If so, managers must recognize this fact and use it for the benefit of the organization.
This is important because employees in the organization can perceive managers as rulers,
enforcers of rules, i.e. as persons whose power comes from their position, not knowledge. This can
be dangerous for the organization. Therefore, if managers are not also leaders, they should
recognize real leaders and take advantage of their influence in the organization.
On the other hand, when it comes to management it should be said that effective management
not only involves leadership but also needs to have formal authority to fulfill its task.
The main task of the manager is to implement the vision and strategy in order to maximize the
business result of the organization. When accomplishing his task, the manager should perform the
activities of organizing, planning, teaming, directing (leadership in the narrow sense!) and
controlling. For all these activities, the manager must also have formal power, i.e. the ability to
command arising from the hierarchy. In addition, managers must have the skills needed to carry
out the above activities. These skills are:
• information skills - the ability to collect and disseminate information, the ability to define
attitudes and possess knowledge that helps the organization, employees and owners
• skills - the ability to seek new and better opportunities for the organization, the ability to allocate
resources, negotiate and resolve conflicts.
The manager must coordinate the work of employees, other managers, departments and resources.
The strategy should be operationalized on a daily basis, tasks should be set for employees that are in
line with the set goals, communication should be improved, and activities such as employee training,
and rewarding or disciplinary measures should be encouraged. Managers need to allocate staff and
other resources, organize internal control and oversee business processes. These are just some of the
activities that are present in the job description of a manager.
In the end, it should be said that the leader and the manager can be in the same person, but that
is not necessary. It is important that managers recognize leaders and use their knowledge and
possible charisma among employees to make the organization do better. If he is a manager and
a leader, by the logic of things, he should deal with strategic management, which means that he
brings a vision and defines a strategy, i.e. a method of implementing the vision into action. Lower-level
managers deal with implementing the strategy in activities to ensure better business.
It would be ideal for an organization to have leaders in addition to managers. Namely, leaders
know what needs to be done, and managers know how to do it. In the end, the result should be
an efficient job done in an effective way.
Velibor Božić
A learning organization
A learning organization is such an organization that affirms learning as a continuous
process. It encourages the constant learning of employees and the exchange of information between
them. In this way, new knowledge is created, necessary for the successful performance of work. In
addition, a learning organization is very flexible, i.e. people accept and adapt new ideas and
changes through a shared vision.
The reason why learning within the organization is emphasized is the ever greater and more
fundamental changes in the environment in which a company or institution operates. Today, only
those organizations that are able to learn quickly and then innovate their own business have an
advantage over the competition.
Any organization can relatively easily determine whether it is successful or not (whether it needs to
learn or not). By answering a series of questions, one can determine why a learning organization is
needed. The questions are: are employees unmotivated or uninterested in work, do they lack skills
or knowledge to perform work correctly or to get new jobs, do employees have their own ideas for
improving work (and are ideas rewarded) or do they just follow orders , whether managers and
employees communicate sufficiently, whether more employees have knowledge about something
or whether there are "experts" without whom panic arises, whether problems are discussed in the
organization or learned about from customer complaints...
If you answer negatively to just one of the above questions, you need a learning organization.
In order for an organization to start learning, some prerequisites must be met.
The organization must be sure that the knowledge is necessary before starting to transform
into a learning organization. Learning should be affirmed at all levels, not only among
managers. This means that a climate conducive to learning needs to be created within the
company or institution.
The organization must be decentralized in the sense that each individual understands his
own structure and goals to be achieved. The organization must be flexible and encourage
innovation. In addition, it should be possible to provide information to employees,
dialogue between management and employees. In this way, problems can be spotted and
mistakes can be prevented.
Leadership is an essential prerequisite for a learning organization. The leadership must
be such that it accelerates the concept of the so-called systems thinking and that it
encourages learning that helps employees and the organization as a whole. Leaders must
help people understand the changes; they must enable them to understand competition as
learning, not as hostility. In addition, the leadership should provide the logistics (money,
people and time) necessary for learning.
The focus of control should shift from managers to employees. Employees should have
more responsibility for their own actions. The task of management is to encourage,
enable and coordinate the performance of work.
Finally, the prerequisite for creating a learning organization is learning itself.
Management should learn based on models of real situations with the help of simulation games. Through
these games, managers acquire the skills necessary to create an organizational climate that encourages
employees to learn. In addition, mistakes that could occur in reality are observed, and managers learn
how to avoid them.
There are different strategies for introducing a learning organization. Any
organization that introduces learning as a model of its own existence can do so in different ways.
However, three strategies can be singled out: the accidental approach, the subversive approach and
the declared approach. The accidental approach is reflected in the fact that many organizations
unknowingly, i.e. through the realization of some other business goals, founded a learning
organization. The subversive approach of establishing a learning organization differs from the
accidental approach only in the degree of conviction. Namely, here a learning organization is
introduced consciously (and not accidentally), but its ideals (constant learning, better
communication, encouraging innovation...) are not openly emphasized. The declared approach implies learning
as part of the organizational culture. The principles of the learning organization are here part of
the "speech" of the organization, they are expressed openly, and they are an integral part of all
initiatives of the company or institution.
Every learning organization has certain rules that must be followed. These rules are:
• don’t be afraid of changes - a learning organization feeds on changes; changes are
new knowledge that needs to be mastered
• experiment - a learning organization encourages experiments because they are a necessary
risk in advancement; experimentation should be rewarded, not punished
• discuss - every success or mistake should be discussed through conversations,
reviews, reports, diagrams and the like
• learn from examples from the environment - you need to find internal and external
sources of information; you should learn from the experiences of other organizations;
customers’ needs should be kept in mind and learned from
• learn from employees - encourage participation and experimentation; invest in
training, give employees authority, but also define responsibilities; minimize
hierarchy
• reward learning - everyone wants a reward for what has been done; measure
achievements and reward
• be clear - define goals and expectations clearly and unambiguously
• be caring - take care of employees; you need to find a way to ensure employee
protection.
By following these principles, a learning organization will be effective. In a learning organization,
the key potential is people and their behaviour. When it comes to human behaviour, there are certain
areas that must be supported within a learning organization. Areas that are critical to success are:
team learning, shared visions, mental model and personal advantage.
• Team learning - all important decisions are made in groups through the exchange of information.
The basic unit of learning is the group, not the individual. People learn best from each other. A
synergy effect is achieved through team learning. A team as a group knows more than the sum of
individuals.
• Common visions - in order to create a common vision, all individuals in the organization must
understand what the common goals are, how to reach them and how they themselves can
contribute to achieving the goal. The vision is shared because people do certain things
voluntarily, not because they have to.
• Mental model - each individual has his own image of the world, his own ideas and prejudices.
A learning organization must challenge people to openly discuss ideas and prejudices, to reflect
on their own and others’ mental models, and to create a shared team mental model. This is
essential for the success of the joint business.
• Personal advantage is a process of continuous refinement of one’s own visions. A learning
organization should encourage the development of employees’ visions of job improvement. In
this way, employees are encouraged to feel useful and self-confident.
A learning organization must encourage employees to have the ability for so-called systemic
thinking. It is the ability to see the bigger picture, to notice certain interdependencies, i.e. the
structure of work performance. Systemic thinking is the ability to achieve set goals through
cooperation, to see the need to perform some tasks that contribute indirectly (and are necessary!) to
the successful performance of work. Prerequisites for systemic thinking are the areas of employee
behaviour described above, i.e. team learning, shared visions, mental model and personal strengths.
A learning organization requires a certain type of behaviour. This also implies the fact that certain
types of behaviour are undesirable. For example, new ideas should not be rejected just because
they are new. One should not be suspicious of the new. On the other hand, one must not be
uncritical. We need to find a balance between criticality and uncriticality. Problems should not be
considered as a sign of mistakes but as a chance to gain new knowledge. All changes must be made
publicly. They must not be unexpected for employees. Behaviour must be such as to enable
efficient and effective business.
A learning organization provides many benefits. These are:
• Development of human potential through better motivation, flexibility of employees,
greater creativity and improvement of social contacts.
• Teamwork is better because the sharing of knowledge and the interdependence of team
members increases.
• The organization as a whole progresses because traditional barriers in communication
are broken down, contacts with business partners are better, information resources are
developed, innovation and creativity are encouraged.
Organizations that learn are necessary, because in the future, in order to survive on the market,
more and more investments will have to be made in the knowledge of employees, and this is due
to sophisticated technology, the increasing amount of information that will need to be processed,
due to increasingly ruthless competition, due to the increasing demands of customers.
A learning organization is not a tangible goal, it is a desired concept. The method of its
implementation is not unambiguous. Each company or institution should find its own way of
implementing a learning organization. This organization is necessary if one wants to survive in
the global market. Changes and constant adaptations are the only way to survive, and they can be
implemented through a learning organization.
Velibor Božić
Today, management and informatics are mutually dependent. Management knows what needs to be done, and how,
and IT enables the work to be done in a quality manner. Everyone more or less knows this fact, but many support it only
verbally. There are few people who really see the benefits of applying informatics in management. Therefore, this text
discusses informatics from the aspect of its usefulness for management.
PROBLEM SOLVING
There are various ways in which informatics can be applied in a high-quality manner in business and in which the
success of informatics as a function can be measured. The so-called ERP (Enterprise Resource Planning) is imposed as a
high-quality IT solution that helps in better business, and the evaluation of the application of the ERP system can be
carried out by the so-called Balanced Scorecard (BSC) method. Before the ERP system is introduced into the business, it
is also necessary to carry out a BSC analysis of the business in order to identify what needs to be computerized with the
help of the ERP system. In order for investments in computerization to be fruitful, good preparation is necessary. The fact
is that the introduction and application of information technology (IT) alone does not mean much. It was observed,
contrary to expectations, that if the introduction of IT is not understood as a project, then it represents a large investment
that has no effect. IT makes its real contribution if it is given the same attention as all other investments in the company.
Introducing IT and building an ERP system is a long-term and expensive undertaking that should not be taken lightly. The
association with the introduction of information technology is money, time and performance. It is known that during the
construction of the ERP system and the introduction of information technology, a lot of money and resources (which can
be expressed in money) are invested and spent, and the efficiency of the investment is low. THE MAIN CAUSE OF
SUCH A SITUATION IS INSUFFICIENT PREPARATION FOR ENTERING INTO SUCH A COMPREHENSIVE JOB. This
means organizational unpreparedness and inadequacy as well as insufficient professional equipment (EVERY PERSON
IS IMPORTANT!!!). It often happens that managers, due to their incompetence in the field of informatics, due to
insufficient consultation with professional colleagues (or perhaps due to something else), agree to introduce ERP systems
(which in many cases are meet the specifics of a certain company’s operations. It happens that these outsourcing
companies do not cooperate with IT specialists within the company in a quality way and the end result is bad. This is a
great danger that causes great expense without the desired result. In order to overcome this danger, it is necessary to
familiarize managers in detail with the advantages and disadvantages of hiring external collaborators in the introduction of
the ERP system, it is necessary to explain to them what the ERP system is, why it is needed, how it is introduced and what
prerequisites are necessary for its successful introduction. Therefore, in the follow
ERP (Enterprise Resource Planning)
is a software solution that meets the needs of companies by observing business processes. In this way, it enables the
fulfilment of organizational goals and the integration of all business functions. This system enables computerization of all
company activities, connects the company with customers and suppliers, and enables image enhancement. ERP is
necessary because it enables the complete integration of all business in the company, enables better project
management, better customer service, and enables the application of the latest technologies and a large source of a wide
variety of business information needed for better decision-making. In addition, ERP enables business development and
enables the company to stand up to the competition in a better way.
With the help of the ERP system, the following are most often computerized: sales and marketing, planning, procurement
of materials, warehouse operations, production, retail, finance and accounting, and logistics. A quality implemented ERP
system is the basis for quality management decision-making. Informatics helps quality decision-making with the help of
tools such as: decision support systems, management information systems, reporting systems, data mining systems or
early warning systems (so-called intelligent agents). However, a prerequisite for the introduction of any of these systems
is a quality ERP system.
In order for the ERP system to be effective, it is necessary to carry out a business analysis before its introduction. One of
the most effective methods that can be used to do this is the so-called Balanced Scorecard method. In addition to
"classic" financial indicators, it also analyzes the company’s so-called intangible assets, such as business
processes, relationships with customers and suppliers, and the level of knowledge in the company. The results obtained
from the analysis are measurable and based on them it is decided whether to introduce the ERP system and to what
extent, i.e. which function will be computerized.
When you decide to go for computerization, you have to decide how to do it. Should you hire external consultants, an
external IT company that will make the software, should you buy ready-made software (ready-made solutions SAP,
BAAN, Oracle, PeopleSoft...), should you go into software development with your own strength or maybe combine?
There are numerous implementation options, but there is no universal recipe for how to go about computerization. It all
depend After implementation, it is necessary to continuously monitor the operation of the ERP system and measure its
efficiency and effectiveness (again with the help of the Balanced Scorecard method) in order to obtain the feedback
necessary for future system improvements.
CONCLUSION
Here, emphasis is placed on the so-called ERP system as an IT tool that helps management to make better decisions.
In addition to helping management, this tool enables better business as a whole. It gives the right results if it is applied in
combination with the Balanced Scorecard method. Together, these two concepts have a synergistic effect on the overall
business.
Motivation
When you are faced with a tight deadline or you are in a complex situation, the last thing you
think about is people. When you are in a real struggle with a problem, you certainly want cooperation,
speed and rationality in your team; you don’t want people who aren’t working properly, who aren’t
motivated, or who aren’t concentrating for reasons unrelated to work. But such things happen and the
manager must face them. The manager must be able to manage people in a way that minimizes
external influences on the work of the team and to ensure optimal performance.
The question is how?
As a leader, the manager must know his people well, i.e. their habits and even the
problems they face. The manager should be an authority that sanctions but also
rewards. So he has to emphasize responsibility, he has to encourage employees and
support them in doing their job. In addition, his behaviour should set an example to
others.
Behaviour
Every manager must observe their own behaviour. Always start from yourself when
evaluating your co-workers. Ask yourself how you communicate with co-workers. Are
you a dictator or a democrat? Do you ask co-workers what bothers them? Do you treat
them like an unquestioning authority or do you try to be their friend or at least a partner?
Do you spread fear or are you willing to listen to others? These are just some of the
questions a manager must ask himself if he wants to communicate correctly with co-
workers. Honest answers to these and similar questions can be a corrective to a
manager’s own behaviour. Willingness to improve one’s own behaviour can have a huge
impact on better performance. Open communication, without hidden dissatisfaction,
contributes to more efficient and successful problem solving.
Motivation.
When thinking about motivation, it should always be looked at in the long run.
Throughout the process of solving a problem, the manager must maintain the
enthusiasm of the team and the team's faith in a positive solution to the problem. This is
not an easy task, but it is necessary for work efficiency. Motivating employees is a
complex job. The ways of motivation are different, e.g., salary and incentives, working
conditions, or company policy. These are the so-called classic ways of motivation that
are not so successful precisely because they are common and employees do not
perceive them as motivation but something that is taken for granted. Therefore,
additional forms of motivation should be sought.
First of all, the team should be motivated by convincing them of their own value (the
importance of each worker to do the job). Employees should be motivated so that they
feel the trust that the manager has towards them, they should be motivated by
emphasizing the responsibility they have and through public thanks for a job well done.
In the following, some aspects of motivating people that are important for human
resources management will be highlighted.
Achievement
Managers must set goals and should be very careful because the work of the team
depends on the set goals. Namely, if the goals are set too high, the team will be
frustrated because despite the desire they will not be able to meet the goal.
Conversely, if the goal is too easy, the team will feel underestimated or will not try
hard enough. It is ideal to set a number of sub-goals and do so gradually. This
means that by achieving one sub-goal, one moves on to fulfil the next if possible.
In short, people's motivation is also achieved through setting realistic, achievable
goals that are recognized by employees.
Recognition
One of the powerful motivational techniques that a manager must use is to give
recognition to employees for a job well done. No one likes to do something
without being rewarded for it. Managers must always keep this fact in mind. At
all times, employees must be clear about what they have done well, what they
need to improve and what is expected of them in the future. The answers to these
questions can be obtained very effectively by the manager by shaping the
question into recognition for the work done. Namely, the manager should, after
the job is done: point out what is good, emphasize what should be improved and
suggest how to improve things. In other words, the manager must always act
towards co-workers in a positive way. When acknowledging work done, one
should be precise (say exactly what is good and what is not; do not use general
phrases). Recognition for the work done is important because as a form of
motivation it allows employees to do their job better in the future because they
know what they did well and what they didn’t.
• The job itself
The manager should ensure that the job itself is interesting and challenging and
as such to be a source of motivation. This means that the job must occupy the
employees completely and it should allow the employee to feel that he has
contributed to solving the problem. The worst that can happen to a manager is
giving co-workers boring jobs. The manager should start from the fact that there are
no boring jobs. There can only be bad ways in which some jobs are done. The
manager should avoid boredom in performing work by giving certain tasks, over
time, to other associates or by sharing certain tasks to a larger number of
associates.
• Responsibility
One of the strongest forms of employee motivation is giving a sense of
importance to doing a particular job. In other words, the manager should
emphasize the responsibility of the employee to perform a particular job. In this
way, it is achieved that employees take the assigned task more seriously and
perform it better.
Progress
Progress as a form of motivation can be viewed in the long and short term. In
the long run, we can talk about progress in recognizing better worker status, progress
in pay or progress in doing work more efficiently. In the short term, progress is
reflected in increased employee responsibility, the acquisition of new skills and
increased experience in doing a job. The manager should provide such a form of
doing the job that every employee feels that through doing the job he learns and
progresses and that he will benefit from doing some work in the future.
Velibor Božić
Organizational culture
Understanding and having an organizational culture can mean the difference between success and
failure in today’s changing business environment. Despite this fact, management often thinks of organizational
culture as a desired category, i.e. does not look at it objectively. It is very important to realistically assess the
organizational culture; you need to be aware of how the leader (i.e. management) affects the creation and
maintenance of organizational culture.
The strongest indicator of organizational culture is what management pays attention to and rewards. It often
happens that this is completely different from what is publicly proclaimed. When each of us thinks about the
organization in which he is employed, what can he say?
Does management encourage or discourage innovation and risk-taking, reward employees for new ideas and
new ways of doing business, or punish them for introducing new ways of doing business? Is the management
ready for change or does it wants to maintain the status quo? Does the organization strive to be a centre of
excellence or to swim in mediocrity? Do employees have the right to vote in decision-making or not? These are
just some of the questions whose answers tell us what the organizational culture is in a company or institution.
What exactly is organizational culture? Organizational culture is not a set of values created at a board meeting
or team of managers. Likewise, it would be ideal for the organizational culture to be made up of the beliefs and
norms to which the organization aspires. But it’s not quite like that. Organizational culture consists of existing
beliefs and norms expressed through the daily practice and behaviour of all employees, from the general
manager to the cleaning lady. So when trying to define organizational culture, one should start from the existing
situation. You need to have the courage to look in the mirror and admit to yourself all your weaknesses so that
you can qualitatively determine what we really want, what we strive for. A key step in defining organizational
culture is to understand the difference between the real situation and the ideals we strive for as an organization.
That is the task of management. This confrontation of management with the truth can be painful. Namely, the
management can see that not all its decisions are implemented in practice. In this case, the ability to take risks,
initiate and manage change and conflict should be applied. Through the implementation of all these activities,
the organizational culture is defined. In other words, assumptions, values and standards that influence the
behaviour and implementation of the business process within the organization are defined.
The culture in the organization operates on a conscious and unconscious level. It is reflected in visible facts, but
also in deep-rooted and invisible prejudices. Precisely because of this unconscious part of organizational culture,
it is much more realistically assessed by people outside the organization than by employees within the
organization. Employees are often burdened with some prejudices that are an obstacle to quality assessment of
the culture in the organization.
Culture drives an organization and its activities. It determines employees’ thinking, actions and feelings. It is
dynamic and partly intangible. An important part of it is the so-called artefacts. Artefacts imply that part of
organizational culture that is visible. These are, for example, the arrangement of workspaces, employee clothing,
organizational structure and processes, rituals, symbols or celebrations. Thus, artefacts are concrete indicators
of organizational cultures. In addition to the already listed artefacts, there are also trademarks (logo), brochures,
slogans, status symbols and the like. If someone from outside comes into the organization, they first notice the
artefacts. Employees who are within the organization perceive artefacts as a secondary part of organizational
culture, i.e. as its background.
The key thing in understanding organizational culture is recognizing the role of the leader. Namely, it is often the
case that the organization reflects the personality of the leader, including its negative sides. So, if the leader, for
example, avoids conflicts, it will not be a miracle if conflicts are not resolved in the organization either. The
behaviour of management is reflected on the entire organization. Through what is important to management,
through the system of rewards and punishments, the culture of the organization is reflected.
Why does an organization need culture at all? First of all, because of the optimization of the ability to meet
strategic goals. Culture in this case encourages and guides the behaviour of all employees in doing business. If
the organization is aware of its own culture, it can help it spot shortcomings in its own business, it can help it
analyze its own position in relation to the competition and possibly change.
Organizational culture is often imposed through the organization, gender units, or even in different regions.
Businesses or institutions often possess a high degree of cultural integration. That, however, is not good. Large
organizations often possess great cultural diversity, so the imposition of a single, unique style of behaviour can
cause conflicts.
Management must be aware of this fact. There may be different subcultures in an organization that differ in
certain characteristics, norms, beliefs and values. Management needs to prioritize this diversity and ensure the
coexistence of subcultures. Subcultures in the organization can differ in function (e.g. engineers versus sales
staff), hierarchy (management versus workers), departments, headquarters, geographical area ... It is very
important to take into account the above facts. Management should tolerate and support a certain level of
cultural differences. A measure needs to be found between the core values and principles that must be
respected throughout the organization and all other cultural specificities.
Organizational culture must have the ability to change. This is necessary if the organization wants to survive.
Constant changes in organizational culture are driven by many factors such as: rapid technological progress,
changes in industry and the market, changes in regulations, aggressive competition, globalization, increasing
organizational complexity, new business models.
In addition to changes in organizational culture, the success of the organization depends on the preservation of
traditional values in parallel with the changes. In fact, a successful balance between preserving the traditional
elements of organizational culture and the constant introduction of new elements of organizational culture is the
secret of success.
Organizational culture, as a set of beliefs and norms expressed through practice and behaviour, needs to be
well known. Organizations need to be aware of their own culture in order to be able to compare themselves with others,
to be able to spot possible shortcomings and work on correcting them. Understanding the organizational
culture and its constant upgrading can give the organization a great business advantage over the competition
and can save a lot of time and money. Organizational culture is not some imaginary concept but a series of
very realistic actions (conscious and unconscious) within an organization that enable more efficient and
effective business.
VELIBOR BOŽIĆ
Outsourcing
At first glance, outsourcing is an intelligent solution. It enables the adaptability and innovation
needed by the organization. It brings the possibility of introducing new technologies, enables
continuous progress and, in a word, helps the organization achieve its goals. Let's say in IT,
outsourcing can help in the transfer of technology (transition from an old to a new information
system, enabling the availability of the latest programs and the like). In order for all of the above to
be achieved, management must be clear about how outsourcing can help. It is necessary to
accurately estimate the costs with regard to the benefits expected from hiring external
collaborators. If there are employees within the organization who deal with certain jobs, it should be
assessed whether they can perform the jobs for which external partners are intended to be
employed. If a detailed analysis shows that outsourcing is profitable, then you should go for that
variant.
On the other hand, not everything is so rosy with outsourcing. In our environment, there are
relatively frequent cases of unsuccessful outsourcing, which are reflected in high costs and
unfulfilled expectations for the organization. There are two main reasons for this. First, insufficient
preparation of the organization, i.e. insufficient analysis of the organization's needs and the ability
of external partners to fulfill the organization's needs. Another reason for unsuccessful outsourcing
is insufficient expertise of the partner company to fulfill the contractual obligations. Due to
insufficient preparation of the organization and external partners for entering into cooperation,
there is frustration and inefficiency in work. Take the example of IT again. Informatics is a specific
activity for several reasons:
• The structure of people employed in the IT service, in terms of professional qualifications, is
very high, so this fact implies a different approach to human resources management.
• Informatics is necessary for management because it enables quality management; on the
other hand, managers are not very interested in it because they do not understand it, so very often,
to cover up their incompetence, they do not go into a detailed analysis of the
need to engage external IT companies.
• IT is very expensive; it will never bring the company direct benefits, only indirect ones, through
increasing the quality of performance of other functions in the organization.
For the above reasons, outsourcing in IT can be a double-edged sword. If its introduction is not
understood as a serious business, failure may occur. Today, there are numerous IT companies
on the market that advertise their products, increasing their authority by emphasizing the fact that
they cooperate with large IT companies such as Oracle or Microsoft. This is a great argument that
should confirm their expertise. Often this is not enough, but this fact is discovered too late, i.e.
already when the cooperation agreement is signed. It also often happens that IT specialists within
the organization know more than the so-called external experts, and they are forced to test the
purchased applications and fix errors. Of course, they do this for a regular salary, while those
from external IT companies receive handsome fees for their work. All of this leads to frustrations
and inefficient work, and all because of the insufficient analysis (unpreparedness for entering
into business with an external partner). The result of all this is much higher costs than they
would be without outsourcing and much less work efficiency than it would be without
outsourcing.
On the other hand, IT outsourcing can be a good thing. The prerequisite for this is that
people from the organization and from the IT company jointly define business rules, analyze the
existing situation and define the desired state. Once this is done, it is necessary to start
changing the offered applications and acquiring equipment. In addition, people should be
trained and work support by an external company should be precisely defined. Then
outsourcing could be successful. This was an example of IT outsourcing, but it is similar or
almost the same in other areas.
In the end, the question remains whether outsourcing is friend or foe. The answer depends on
the management of the organization. If a good analysis is carried out of what the organization
needs, how existing resources can be used, if care is taken in choosing external partners, then
outsourcing can be successful. Otherwise, the result of the whole adventure will be disastrous.
Velibor Božić
Performance management
Performance management is a systematic process by which the organization involves its employees
(individually or as members of teams) in improving organizational efficiency, in relation to the organization’s
mission and goals. Performance management includes:
Planning.
If the organization wants to be effective, it must plan. Planning means establishing expectations and goals related
to a certain individual or work group. The plan therefore determines what must be done in order to achieve
organizational goals. It is of great importance to involve employees in the planning process, because in this way
they can understand the goals of the organization, better understand the purpose of what they have to do, and
understand why it is important that they do something in a certain way. Within the framework of performance
planning, it is necessary to define elements and standards with the help of which the realization of the planned will
be evaluated. These elements and standards should be measurable, understandable, verifiable, fair and
achievable. The performance plan should be adaptable in the sense that it can be adapted to changed
organizational goals and work requirements.
Supervising.
The process of carrying out a business process must be continuously monitored. Good monitoring means
consistently measuring performance and informing individuals and teams of their progress toward achieving
goals. The monitoring process should be carried out in cooperation with employees, where its performance is
always compared with the elements and standards set during performance planning. Constant monitoring brings
the possibility of checking how well employees meet the defined standards and enables the change of unrealistic
or problematic standards. The biggest advantage of constant monitoring is the ability to react quickly. In the case
of a detected error, one can react immediately, and one does not have to wait for the end of the process in order
to detect the error through subsequent analysis.
Development.
An effective organization should assess and record employee development. Employee development means
increasing performance opportunities through training, learning new skills, giving greater authority and improving
work processes. Providing training and learning encourages employees to perform better, strengthens job
attachment and helps employees cope with changes in the workplace, such as the introduction of new
technology. The implementation of performance management makes it possible to discover the development
needs of employees. During the planning and monitoring of the performance of the work, defects in performance
become evident and can be unambiguously determined. Areas that can be improved are also visible. Most
importantly, through performance management it is possible to determine the actions that help employees to be
successful and beyond.
Assessing.
From time to time, it is useful for an organization to summarize employee performance. This can be helpful in
tracking performance and comparing the performance of different employees. It is useful for an organization to
know who its best people are. The evaluation of the employee's performance is based on the work performed
over a certain period, in accordance with the goals and standards defined in the plan.
Rewarding.
Finally, let's repeat what is essential for effective performance management. Managers and employees must
constantly learn skills that fulfil the mission and set goals of the organization. It is necessary to plan well what
you want to do. Employees should be given the conditions to meet the set goals. Performance should be
monitored. Progress towards the set goals should be measured in order to spot errors and to improve the
performance of business processes. In the end, employees must be rewarded for their achievements in order
to be motivated for work. All elements of performance management work together and support each other to
make performance management effective and efficient.
VELIBOR BOŽIĆ
Quality management
Quality management is a management task that enables quality performance of work and fulfilment of the
purpose for which the work was started. Quality management is a complex job that requires good preparation
in terms of securing all necessary material and human resources. In quality management, three processes
are important:
1. Quality planning - implies the identification of standards that are important for performing work as well as
determining the manner in which these standards must be met
2. Quality assurance - here the performance of the entire work is evaluated to see if the activities
undertaken meet the quality standards
3. Quality control - monitoring of results that are specific to individual activities in order to spot errors and
correct them in time.
These three processes within quality management are interconnected, and they are also connected to other
processes in business.
When managing quality, managers should keep in mind customer satisfaction, prevention, own responsibility
and phased product or service development. Customer satisfaction means understanding, managing and
influencing customer needs. Quality management should ensure that the product or service is exactly as we
have agreed with the customer, i.e. that it meets the real needs of the customer. Prevention refers to the fact
that the costs of preventing errors are always lower than the costs of error correction. Management
responsibility means the manager’s awareness that the success of the job depends on the effort and fulfilment
of tasks by all employees, including managers who must ensure the conditions necessary for success. When
we talk about the phased development of a product or service, we mean the recommendation that every job
should be done in stages whose quality is measurable, i.e. it can be evaluated. Below is a little more about
processes within quality management.
1. Quality planning
Quality planning includes the identification of quality standards that are essential for business as well as the
definition of how to comply with those standards. In order for quality planning to be successful, some
prerequisites must be met, namely: quality policy, defined area to which the quality policy applies, description
of products or services, defined standards and limitations, defined inputs from other processes. The quality
policy is a document that defines the organization’s intentions regarding quality and instructions on how to
achieve the desired quality of business.
The quality policy is adopted by the administration, that is, top management. The area covered by the quality
policy is a key prerequisite for quality planning. It is a series of documents in which the justification for a
certain job is expressed, the basic product or service is described, the critical success factors and criteria for
them are defined, and the business goals are determined. Through these documents, the needs and wishes
of the owners (shareholders) are determined and quality planning is facilitated. The description of products or
services is contained in the description of the area to which quality applies, but a separate document with a
detailed description containing technical details and other details essential for quality planning is also
required. Standards and restrictions refer to the way of performing a particular job. They must be taken into
account when creating the quality plan. Finally, for quality planning, the connections between the specific
business and the environment are also important. In other words, it is necessary to take into account the
outputs from other processes that can affect the quality performance of work (for example, the procurement of
quality raw materials affects the production of a quality product, which in turn affects customer satisfaction).
Quality planning as an activity within quality management is carried out with the help of cost/benefit analysis,
benchmarking, block diagrams and design of experiments. Cost/benefit analysis should answer what are the
benefits and what are the costs of quality management. The answer to this question should be defined already
in quality planning. In principle, the advantage of quality management means less repeated work, which
means higher productivity, lower costs and greater shareholder satisfaction. The main costs are related to
quality management activities. Benchmarking is a measurement process that involves comparing standards
for monitoring work performance. It compares a specific job with another job inside or outside the organization.
Block diagrams are graphic techniques that show how different system elements (processes, activities,
resources...) are connected. Two types of block diagrams are used in quality planning: cause and effect
diagrams (also called "fishbone" or "Ishikawa" diagrams) and system or process block diagrams. The cause
and effect diagram (see Figure 1) shows how different causes and sub-causes are connected and how they
create particular problems or consequences. System or process block diagrams (see Figure 2) show the
activities within a system or process and the connection between these activities. These block diagrams show
the beginning, end, sequence of activities, repetition of actions and decision points.
Designing experiments is an analytical technique used to discover the factors that have the greatest influence
on the quality of work. With this technique, different possibilities are tried out (e.g. solving the dilemma: more
inexperienced workers and doing work for a longer time or more experienced workers and doing work in a
shorter period).
The main outputs of quality planning are the quality management plan, operational definitions, checklists and
inputs to other processes. The quality management plan is a document that contains the method of
implementing the quality policy. It sets out the organizational structure, procedures, processes and resources
needed to implement the quality management plan. Operational definitions are actually metrics used to
measure the quality of the execution of certain procedures and processes. Checklists are documents that are
used to check the steps that must be performed within a process. Checklists can be simple or complex, and
they are important as a reminder of what needs to be done at a certain moment. Inputs to other processes
are data that are the result of quality planning, and are used in some other areas of business.
2. Quality assurance
Another important process within quality management is quality assurance. Quality assurance includes all
planned and systematic activities that guarantee that the work will meet all relevant quality standards. For
quality assurance to be successful, some prerequisites must be met. First of all, there must be a quality
management plan. In addition, there must be records of quality control benchmarks and testing (you need to
know what quality control benchmarks are and which quality control tests are best). Quality assurance is
carried out using all techniques and tools, as well as quality planning. So there are cost/benefit analysis,
benchmarking, block diagrams and design of experiments. In addition to them, quality control is also used here.
It is a structured review of quality management activities in other organizations. The goal of supervision is to
identify ways to improve the performance of individual activities and to apply them in a specific situation.
The basic result of quality assurance is quality improvement. Quality improvement includes activities that
increase the efficiency and effectiveness of work performance, resulting in the satisfaction of owners
(shareholders).
Management styles
There is no ideal management style. Which style to apply and when depends on the
specific situation. The only recommendation that is universally valid is that you should not
be exclusive. In other words, all management styles should be combined in order to
achieve the organization’s goal, which is more efficient and effective functioning.
Velibor Božić
Time management
The goal of every manager is to be effective and efficient. This means that certain work must be done in the
right way, with minimal consumption of resources. One way for managers to be effective and efficient is to
manage their time well. Managers who do not manage their own time are always in a hurry, often lead
unproductive meetings, and cause crisis situations because everything has to be done at the last minute. Such
managers are often disorganized and spread a bad atmosphere to colleagues. The end result of managers
who do not manage time is poor work performance. Poor time management is often the result of
overconfidence on the part of managers. Managerial methods and techniques applied in smaller projects
cannot simply be copied to larger jobs. Namely, the greater the demands and problems facing the
manager, the greater the manager’s responsibility. Therefore, managers have to learn new things without
interruption, and one of the important things is time management. Time management is much more than
keeping a diary and planning activities. It is a set of tools that enable the elimination of redundancies, enable
better preparation of meetings, prevent useless work, enable project monitoring, allocate time according to the
importance of the task, ensure that long-term projects are not neglected, and enable efficient and effective
daily and weekly planning.
Time management is a managerial activity that needs to be planned, monitored and subsequently analyzed.
The question is how to manage time. First of all, the current situation should be accurately identified. This
means that it would be good to analyze the current situation and to see what we spend our time on and how
we spend it. After that, we need to see if all the activities we spend time on are necessary. Therefore, it is
necessary to determine what the "unnecessary consumers of time" are. Examples of them are: phone calls to
friends, conversations over coffee, surfing the Internet, etc. For all such and similar activities, it is necessary
to objectively assess how valuable they really are for each of us, and with this in mind, assess whether they
should be completely abolished or reduced to an acceptable level.
Another category of time consumers are jobs. It is necessary to determine why we waste a lot of time on
some work. The work can be difficult and demanding (it’s a justified waste of time), but it can also be boring,
so we postpone its execution. In this case, we should try to solve the loss of time by delegating the work
to someone else who is interested in the work. The loss of time should also be reduced by grouping similar
activities within a job in order to reduce preparation and finishing times.
When it comes to time management, the important thing is to delegate work. A manager manages time well if
he assigns certain tasks to his subordinates. At the same time, it is important that he knows the abilities of the
employees well, i.e. it is important that he assigns the right tasks to the right people. Helping others to do
their work is a very good and noble thing, but there should be limits. Namely, helping others must not in any
way affect the quality performance of one’s own work. Time management must give an answer to the
question to what extent we can help others in doing work without it affecting our own performance. This
applies to our superiors. We often fall into the trap of helping our superiors to be efficient and effective, while
not being so ourselves because we don’t have enough time for our own activities. By managing time, we
avoid such situations. When all the above-mentioned facts are established, i.e. the causes of the insufficient
time we have, it is necessary to take control of our own time. There are various techniques that can be used
to achieve this. The most important of them is keeping a schedule (in which the activities that we have to do
are written down). When keeping a schedule, it is important to assess which activities are really important,
to estimate how much time is needed for their execution, and to determine the sequence of activities.
It is necessary to plan the time for the next day and week every day.
A very important thing in time management is time planning within a project. It is necessary to accurately plan
the duration of individual parts of the project so that they are not pressed for time. With the help of time
management, you always know how time is spent and how much time is still unallocated, i.e. available for
some other activity within the project. In short, time management allows the project to be completed on time
because it allows us to constantly have control over how much time we have available for certain activities.
With the help of time management, you can also supervise the staff. You can set a time limit for each task that
you have assigned to the staff, i.e. you can set a deadline for completing the task. In this way, the manager
can monitor the progress of the project and initiate certain actions if necessary. Regarding the staff, it is
necessary to plan the time devoted to the training of the staff so that they can perform their duties better in the
future. Time management enables quality fulfilment of long-term goals. Every manager also has long-term
goals, the fulfilment of which is important, but not urgent. It is precisely because of this "lack of urgency" that
long-term goals can be neglected. Through time management, a manager can easily determine the time of the
week to devote to meeting a long-term goal. Time management forces the manager to always keep the
long-term goal in mind and not to put himself in a crisis situation when he has to do something in a hurry.
Time management is a managerial skill that requires little effort from the manager, and results in more effective
work that enables more efficient use of time by focusing on specific activities. Time management is not a magic
wand to solve all problems. It only provides a structure for introducing and monitoring solutions. Time
management allows the manager to take control of his own time.
Value Management
What is Value Management? Value management is a management style that is primarily aimed at motivating
people, developing skills, promoting synergies and innovations, with the aim of maximizing overall
performance within the organization. Value management arose as a result of different methods based on the
value concept and the functional approach. First of all, for the development of value management, the method
of "value analysis" is essential, which aimed to improve the value of existing products or services. In addition,
this method was effective in increasing performance as well as defining the necessary resources for certain
products and services. Over time, this method (along with some others) evolved into value management. In
value management, three basic things are important:
1. conviction that value is essential for the organization, defining criteria for evaluating value, monitoring
and controlling value
2. focus on goals and tasks before finding solutions
3. focus on functions in order to determine solutions essential for realizing innovative and practical
solutions.
The concept of value. The concept of value is based on the relationship between the satisfaction of different
needs and the resources needed to fulfil those needs. The fewer resources needed to satisfy as many needs
as possible, the greater the value. Stakeholders, customers and suppliers may have very different and multiple
demands and views on what an organization’s value is. The goal of value management is to take into account
all these diverse requirements and views and to enable the organization to make the greatest possible
progress with the minimum expenditure of resources.
It is important to note that value can be increased through increased fulfilment of needs and increased
consumption of resources, but the increase in resource consumption must be less than the increase in
meeting the needs of all interested parties within and around the organization.
Key principles of value management. Value management differs from other managerial skills in that it
combines some skills that do not seem to go together at first glance. These skills are: management style,
motivation of people, focus on the organization's environment and effective use of methods and tools. These
skills are described below in the context of value management.
Management style
Teamwork and communication should be emphasized when managing values. A functional approach to
solving problems should be affirmed, a climate that encourages creativity and innovation should be
fostered. It should focus on customer requirements. Evaluation of the quality of work performance should be
carried out continuously in order to be competitive.
Motivation of people
This includes teamwork (people should be encouraged to solve problems together), satisfaction (successes
should be recognized and rewarded), communication (people should communicate with each other in order
to do their work better). As part of motivation, mutual understanding and joint decision-making
(co-decision-making) should be supported, and changes should be encouraged (because it is a chance to learn
something new).
Benefits of value management. The most visible benefits resulting from the application of value
management are:
- better business decision-making because decision-makers have a better basis for decision-making, better products and services that better meet customer needs
- improved competitiveness as a result of technical and organizational innovations within the organization
- a common "value" culture in the organization that increases understanding of business goals for each individual
- better communication within the organization and creation of common knowledge about the main success factors
- more efficient and effective work through the creation of multidisciplinary and multifunctional teams
- in value management, decisions made within the organization are very important and they are often supported by shareholders
Finally, it is important to say that value management can be applied in all segments of society, which means: