
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/364353265

The essays of management

Preprint · October 2022


DOI: 10.13140/RG.2.2.29775.76968


1 author:

Velibor Božić


All content following this page was uploaded by Velibor Božić on 18 October 2022.



An example of ICT risk management

This example is based on a real situation, but it does not reflect it completely truthfully. The aim of the example
is to show one approach in risk management (created on the basis of theoretical knowledge about risk
management).

1. Characterization (description) of the system

PEOPLE
 Production company, 920 employees, computer centre with 8 employees
 Structure: system administrator, network administrator, two information systems designers
(one is also the database administrator), 3 programmers and the manager of the computer
centre
 More than 50% of employees have secondary school, 35% elementary school, 10% college
and 5% university

Technologically well supported:

HARDWARE AND NETWORK

 254 personal computers
 two main servers (application and data), client-server architecture
 there are so-called thick clients (they are not only terminals; some processing is also done on them)
 developed LAN; the company is spread over several locations
 it is part of a larger Group and the company is networked with the centre of the Group
 over 50% of employees who have a PC also have access to the Internet
 over 75% of employees who have a PC use e-mail (there is a mail server and internal e-mail addresses
through which communication takes place)

APPLICATIONS

 among the applications there is an ERP system; its main server is located off-site (in the centre of the
Group) and is not under the control of the computing centre
 in addition to ERP, there are applications that complement the functionality of ERP; these
applications and their databases are located on "local" servers (these servers are under the
control of the computing centre)
 there are applications on the old VAX/VMS system
 there are independent applications and unformatted records (Word, Excel)
 there is an intranet as a medium for information exchange
 there is a website
 application for receiving orders from partners via e-mail

DATA

 transactional business data is located on a remote server in the centre of the Group
 part of the data is on "local" servers (data on production, procurement, compensations...); these are the data
"produced" by the applications that complement ERP
 part of the data related to the comparison of planned and actual costs and the flow of money is in a
separate database (because it is extracted from the transaction database daily)

SECURITY POLICY

 there is basic protection (antivirus programs on PCs).


Let's say that these are the main characteristics of the IT system. They were established empirically, i.e. by
counting computers, reviewing equipment lists, sending questionnaires to users and talking with them.

2. Risk identification
Risk identification consists of:

 Defining possible threats and system vulnerabilities
 Analysis of existing and necessary controls
 Determining the probability of threats and exploitation of vulnerabilities
 Determining the size of the impact of threats and vulnerabilities on system operation
 Formal definition of risks and determination of their rank

 Defining possible threats and system vulnerabilities

On the basis of the facts established in the first step, records of errors (the company has ISO
9001:2000, so it is obliged to keep records of non-compliance in the IT area as well) and
experience (previous non-functioning of the system for any reason), the sources of possible
threats should be identified on the one hand, and the system vulnerabilities that these threats can exploit on the
other. This can be done in different ways, but it is crucial that this step is done well so that risks can be better
determined later.
There are four outputs in this step:
 List of sources of threats to the IT system
 List of threats to the IT system
 List of IT system vulnerabilities
 Threat source list - threat - vulnerability

List of threat sources

| No. | People | Hardware and network | Applications |
| --- | --- | --- | --- |
| 1 | Insufficiently trained users | Failure of the industrial computer | Insufficiently tested application |
| 2 | Unlimited Internet access | Unprotected network | Inadequate operating system |
| 3 | Intent to destroy servers and network devices | Physical damage to the optical cable or failure of the network device | |

List of threats to the IT system

| No. | People | Hardware and network | Applications |
| --- | --- | --- | --- |
| 1 | Wrong data entry or no entry; not using e-mail | No production data input | The possibility of entering incorrect data and obtaining incorrect information |
| 2 | Downloading inappropriate content from the Internet | Getting viruses and spam | Impossibility of using the network application |
| 3 | Physical destruction of the system room | Impossibility of using the ERP system (it has nothing to do with the centre of the Group) | |

List of IT system vulnerabilities

| No. | People | Hardware and network | Applications |
| --- | --- | --- | --- |
| 1 | Lack of systematic user training | The absence of a spare computer or part that broke | Insufficient input controls in applications and defective code |
| 2 | Absence of formal prohibitions and penalties | Absence of hardware-software protection | WinXP (10 access limit), not Windows Server |
| 3 | Free access to the system room for the unemployed | Absence of a "back up" connection | |

Threat source list - threat - vulnerability

| The source of the threat | Threat | Vulnerability (the threat exploits it) |
| --- | --- | --- |
| Insufficiently trained users | Incorrect data entry or no entry | Lack of systematic user training |
| Unlimited Internet access | Downloading and "surfing" inappropriate contents. Getting viruses and destroying data. | Absence of formal penalties and prohibitions |
| Failure on the industrial computer | No production data input | No spare industrial computer or part that broke |
| Insufficiently tested application | The possibility of entering incorrect data and obtaining incorrect information | Insufficient input controls in applications and faulty code |
| Inadequate operating system | Inability to use the network application | WinXP (10 access limit), not Windows Server 200x |
| An unprotected network | Getting viruses and spam | Absence of hardware-software protection |
| Intention to destroy servers and network devices | Physical destruction of the system room | Free access to the system room for the unemployed |
| Physical damage to the fibre optic cable or failure of the network device | Impossibility of using the ERP system (has nothing to do with the centre of the Group) | Absence of a "back up" connection |

This is not a complete list, but it is sufficient to implement an example and show the idea of risk management.

 Analysis of existing and necessary controls


The input to this activity is the "threat source - threat - vulnerability" table. For each record, we need to analyze
whether we have an answer, i.e. some control mechanism to prevent or reduce the threat or the vulnerability of the
system. This is important in order to determine as accurately as possible the probability of the threat
being realized.

Insufficiently trained users - they know how to manage in a regular situation, but if something unplanned happens,
they get lost.
IT IS NECESSARY:
 additionally train users
 improve applications in the input control part

Unlimited Internet access - too many employees have access to the Internet unnecessarily
IT IS NECESSARY:
 deny access (through network settings) to those who do not need it for work
 adopt formal rules of conduct (prohibition of access to inappropriate content and punishment for it)
 acquire a software tool that will monitor who visits which pages

Failure of an industrial computer - since there are several of them in operation, the failure can be compensated for if
it does not last too long
IT IS NECESSARY:
 have spare parts
 have a person trained to repair this type of machine
 at best, have a spare industrial computer
Insufficiently tested application - there is often pressure from users to quickly develop applications, so errors
occur
IT IS NECESSARY:
 consider defining the position of 'Application Tester', who would be involved in testing applications in
the working environment

Inadequate operating system - the problem is access to online applications
IT IS NECESSARY:
 provide a server with a server operating system (Windows Server 200x) that has the possibility of
multiple simultaneous accesses and place databases and network applications there

Unprotected network - there is a great danger of hacker attacks, viruses, spam, and data destruction
IT IS NECESSARY:
 provide a hardware firewall
 get an online antivirus program
 get an anti-spam device

Intention to destroy servers and network devices - it is possible that someone, for any reason, wants to destroy
servers or main network devices
IT IS NECESSARY:
 never leave the system room unattended
 lock it outside of working hours
 provide video surveillance

Physical damage to the fibre optic cable or failure of the network device - this concerns only the connection to
the Group headquarters. It is dangerous because, without the connection, the work has to be done manually, which is
almost impossible.
IT IS NECESSARY:
 ensure a permanent connection in any way (e.g. by leasing an alternative line).

Through this or a similar analysis, a kind of inventory can be made of which controls we have and which should
be installed so that threats to the system and the vulnerability of the system are as unlikely as possible, i.e. so that
they have as little impact on the system as possible.

 Determining the probability of threats and exploitation of vulnerabilities


In this step, the probability of the occurrence of a threat and the vulnerability of the system is assessed. Here it is
very important to estimate the probability as realistically as possible. It takes into account the motivation and
capability of the threat source, the nature of the vulnerability and the controls in place. The output from this
phase should be a list of probabilities by rank for each threat-vulnerability pair.
Probability:
 1-33% - small
 34-66% - medium
 67-100% - large
| Threat | Vulnerability (the threat exploits it) - what makes the threat possible | Probability | Description of probability | Numerical rank |
| --- | --- | --- | --- | --- |
| Incorrect data entry or no entry | Lack of systematic user training | about 50% | MEDIUM | 2 |
| Downloading and "surfing" inappropriate contents. Getting viruses and destroying data. | Absence of formal penalties and prohibitions | about 70% | LARGE | 3 |
| No production data input | No spare industrial computer or part that broke | about 20% | SMALL | 1 |
| The possibility of entering incorrect data and obtaining incorrect information | Insufficient input controls in applications and faulty code | about 30% | SMALL | 1 |
| Inability to use the network application | WinXP (10 access limit), not Windows Server 200x | about 50% | MEDIUM | 2 |
| Getting viruses and spam | Absence of hardware-software protection | about 80% | LARGE | 3 |
| Physical destruction of the system room | Free access to the system room for the unemployed | about 10% | SMALL | 1 |
| Impossibility of using the ERP system (has nothing to do with the centre of the Group) | Absence of a "back up" connection | about 50% | MEDIUM | 2 |

 Determining the size of the impact of threats and vulnerabilities on system operation

Here, the impact of threats and vulnerabilities on the IT system is assessed. Again, a team of people should
assess monetary losses, loss of data, importance of lost data, ability to function with the resulting damage, loss of
user trust. Considering all these aspects, the size of the impact could look like this:

 low impact 1 (loss of some resources, disruption to work that is not essential for business)
 medium impact 2 (failure to fulfil part of obligations, monetary losses, loss of part of reputation)
 major impact 3 (impossibility of functioning, irreversible loss of information, monetary losses)

| Threat | Vulnerability (the threat exploits it) | Influence |
| --- | --- | --- |
| Incorrect data entry or no entry | Lack of systematic user training | 2 |
| Downloading and "surfing" inappropriate contents. Getting viruses and destroying data. | Absence of formal penalties and prohibitions | 3 |
| No production data input | No spare industrial computer or part that broke | 2 |
| The possibility of entering incorrect data and obtaining incorrect information | Insufficient input controls in applications and faulty code | 2 |
| Inability to use the network application | WinXP (10 access limit), not Windows Server 200x | 1 |
| Getting viruses and spam | Absence of hardware-software protection | 3 |
| Physical destruction of the system room | Free access to the system room for the unemployed | 3 |
| Impossibility of using the ERP system (has nothing to do with the centre of the Group) | Absence of a "back up" connection | 3 |

 Formal definition of risks and determination of their rank

Here, risks are formally defined as a function of threats to the IT system and vulnerabilities of the IT system. So
the risks in our example are:

| No. | RISK |
| --- | --- |
| R01 | Incorrect data entry or lack of entry due to insufficient user training. |
| R02 | Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties. |
| R03 | Absence of production data due to a failure of the industrial computer that cannot be rectified in time. |
| R04 | Entering incorrect data and obtaining incorrect information due to poorly made applications |
| R05 | Inability to use online applications due to using the wrong operating system. |
| R06 | Infection with viruses and spam due to lack of hardware-software protection. |
| R07 | Physical destruction of the system room due to free access to it by the unemployed |
| R08 | Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters |

In this step, the so-called risk ranking is also carried out.

Each risk is a function of the probability of the threat occurring and the impact of the threat and vulnerability on
the system.
RISK = PROBABILITY * IMPACT

We use the ranking results:


 The rank of the probability of the realization of threats:
o THREAT 1. 2
o THREAT 2. 3
o THREAT 3. 1
o THREAT 4. 1
o THREAT 5. 2
o THREAT 6. 3
o THREAT 7. 1
o THREAT 8. 2

 The ranking of the effect on the IT system of realized threats and vulnerabilities

o IMPACT 1. 2
o IMPACT 2. 3
o IMPACT 3. 2
o IMPACT 4. 2
o IMPACT 5. 1
o IMPACT 6. 3
o IMPACT 7. 3
o IMPACT 8. 3
 RISK RANK:

| No. | RISK | RANK = PROBABILITY * IMPACT |
| --- | --- | --- |
| R01 | Incorrect data entry or lack of entry due to insufficient user training. | 4 |
| R02 | Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties. | 9 |
| R03 | Absence of production data due to a failure of the industrial computer that cannot be rectified in time. | 2 |
| R04 | Entering incorrect data and obtaining incorrect information due to poorly made applications | 2 |
| R05 | Inability to use online applications due to using the wrong operating system. | 2 |
| R06 | Infection with viruses and spam due to lack of hardware-software protection. | 9 |
| R07 | Physical destruction of the system room due to free access to it by the unemployed | 3 |
| R08 | Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters | 6 |

Risk level:
 The risk is high if the risk rank is 6 or 9
 The risk is medium if the risk rank is 3 or 4
 The risk is low if the risk rank is 1 or 2.

Therefore, very dangerous, high risks that require an immediate reaction are:

R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses and
destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection with the
Group's headquarters
R06 Infection with viruses and spam due to lack of hardware-software protection.

Medium risks, which would be good to address, but not necessarily immediately:

R01 Incorrect data entry or lack of entry due to insufficient user training.
R07 Physical destruction of the system room due to free access to it by the unemployed

Low risks, which the system can function with but which must be kept under control, are:

R03 Absence of production data due to a failure of the industrial computer that cannot be rectified in
time.
R04 Entering incorrect data and obtaining incorrect information due to poorly made applications
R05 Inability to use online applications due to using the wrong operating system.
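
The ranking procedure above, carried through in code as an added example (not part of the original preprint): it recomputes the rank and level of R01 to R08 from the page's probability and impact tables, and also checks which levels would change if a probability estimate were off by a few percentage points. The 5-point margin and all class and function names are assumptions made for this illustration.

```python
"""Added example: the page's qualitative ranking, RISK = PROBABILITY * IMPACT."""
from dataclasses import dataclass

# Probability bands from the page: 1-33% small (1), 34-66% medium (2), 67-100% large (3).
PROBABILITY_BANDS = ((1, 33, 1), (34, 66, 2), (67, 100, 3))
# Risk levels from the page: rank 6 or 9 is high, 3 or 4 is medium, 1 or 2 is low.
LEVEL_BY_RANK = {1: "low", 2: "low", 3: "medium", 4: "medium", 6: "high", 9: "high"}


def probability_rank(percent: int) -> int:
    """Map an estimated probability in percent to the page's rank 1..3."""
    for low, high, rank in PROBABILITY_BANDS:
        if low <= percent <= high:
            return rank
    raise ValueError(f"probability {percent}% is outside the 1-100% bands")


@dataclass(frozen=True)
class Risk:
    rid: str
    probability_percent: int  # the "about N%" estimate from the probability table
    impact: int               # 1 low, 2 medium, 3 major

    def __post_init__(self):
        if self.impact not in (1, 2, 3):
            raise ValueError(f"{self.rid}: impact must be 1, 2 or 3")
        probability_rank(self.probability_percent)  # reject out-of-band estimates

    @property
    def rank(self) -> int:
        return probability_rank(self.probability_percent) * self.impact

    @property
    def level(self) -> str:
        return LEVEL_BY_RANK[self.rank]


# Estimates copied from the page's probability and impact tables.
REGISTER = [
    Risk("R01", 50, 2), Risk("R02", 70, 3), Risk("R03", 20, 2), Risk("R04", 30, 2),
    Risk("R05", 50, 1), Risk("R06", 80, 3), Risk("R07", 10, 3), Risk("R08", 50, 3),
]


def matrix_is_complete() -> bool:
    """Every product of a probability rank and an impact rank must map to a level."""
    return all(p * i in LEVEL_BY_RANK for p in (1, 2, 3) for i in (1, 2, 3))


def by_level(register):
    """Group risk ids by level, highest rank first within each level."""
    groups = {"high": [], "medium": [], "low": []}
    for risk in sorted(register, key=lambda r: (-r.rank, r.rid)):
        groups[risk.level].append(risk.rid)
    return groups


def levels_within_margin(risk, margin):
    """Levels the risk would get if the estimate were off by up to `margin` points."""
    lowest = max(1, risk.probability_percent - margin)
    highest = min(100, risk.probability_percent + margin)
    return {Risk(risk.rid, p, risk.impact).level for p in range(lowest, highest + 1)}


def unstable(register, margin=5):
    """Risks whose level depends on which side of a band edge the estimate falls."""
    return [r.rid for r in register if len(levels_within_margin(r, margin)) > 1]


if __name__ == "__main__":
    for level, ids in by_level(REGISTER).items():
        print(f"{level:6} {', '.join(ids)}")
    print("level changes within +/-5 points:", unstable(REGISTER))
```

With the page's figures only R04 changes level within that margin, because its "about 30%" estimate sits next to the 33/34% band edge.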
3. Recommendations for risk reduction
The input to this step is the risk ranking. Here, for each risk, it is assessed whether there are controls for
reducing it, whether controls are needed and what kind. In addition, it is necessary to do a cost-benefit analysis.
The cost-benefit analysis should contain data on what is gained by introducing the control and what is lost
without it, presented in financial terms. The result of this step should help management decide
whether or not to take actions related to risk reduction.

In the specific example, only high risks will be considered, so:

R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses
and destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection
with the Group's headquarters
R06 Infection with viruses and spam due to lack of hardware-software protection.

Risk R02:
 Recommended control: PHYSICAL PROHIBITION OF ACCESS TO THE INTERNET
o Cost: HRK 0, because the company has an employee who administers the network well and will
prohibit access through the network settings. A list of people whose access should be banned
should be made.
o Failure to implement this control means the possibility of getting a virus and ultimately losing
important data
o Formal rules and penalties for non-compliance should be prescribed
o A software tool is needed to check who uses the Internet, how much, and which addresses they
visit (e.g. the so-called Sniffer, which costs approximately 2,000.00 units)
 Cost-Benefit:
o Cost of introducing controls: about 2,000.00 units
o The potential loss of information and downtime due to a virus attack is immeasurable. Looking
only at the fact that 4 people cannot work for 8 hours (formatting the machine, reinstalling
Windows, saving data), and adding the 8 hours of work of two people from the computer
centre, at an average hourly rate of 60 units, the cost is: 6 people * 8 hours * 60 =
2,880.00 units. By introducing the controls, we would save 880.00 units.

Risk R08:
 Recommended control: ADDITIONAL LEASE LINE, ADDITIONAL ROUTER on both sides, UPS
o By implementing this control, we ensure the possibility of uninterrupted work and constant
service to our customers
o Not having the control means that, in the event of a loss of connection, we cannot do anything
related to customers. We cannot ship products or issue invoices.
 Cost-Benefit:
o Cost: one-time around 50,000.00 units and monthly for line lease 5,000.00 units, i.e. 110,000.00
units for the first year and 60,000.00 units each subsequent year
o If we don't work for just one day, we lose an average of 540,000.00 units. So potentially, the
entire cost is paid off in just one day.

Risk R06:
 Recommended control: PURCHASE OF HARDWARE FIREWALL, NETWORK ANTI-VIRUS
PROGRAM AND ANTI-SPAM DEVICE
o Implementing the control avoids the risk of data destruction by viruses and enables the normal
use of e-mail
o Failure to implement the control can mean the loss of business-critical information and the
impossibility of operational use of applications, which may call into question the fulfilment of
organizational goals.
o Controls for this risk are also related to risk R02.
 Cost-Benefit [1]
o Implementation cost: 14,000.00 units one time and 32,000.00 units every year for licenses.
o Benefits: one type of saving is the same as for risk R02. So: the potential loss of information and
the downtime due to a virus attack is immeasurable. Looking only at the fact that 4 people
cannot work for 8 hours due to "PC recovery", and adding the 8 hours of work of two
people from the computer centre, at an average hourly rate of 60 units, the cost is:
6 people * 8 hours * 60 = 2,880.00 units. By introducing the controls, we would save
880.00 units.
o Every day all users waste a lot of time clearing spam (about 200 people * their hourly rate of
60 units = 1200 units * e.g. 200 working days = 240,000 units of money just for cleaning
spam).

A deadline should be set for the introduction of each control. Because of the high risks described above, the
deadline for introducing controls should be as soon as possible.
Over time, medium risks should also be resolved, and low ones should be continuously assessed so that
they do not turn into medium or large ones.

Finally, it should be said that the example described above is not entirely true, but it is illustrative in the
sense that it shows the application of theoretical knowledge in practice.

[1] The values shown here do not correspond to the truth and serve only for the purposes of this example, but they
allow the idea to be seen.



[Figure: Basic concept of risk management. Diagram relating information assets, vulnerabilities, threats, impact,
controls and risk. Risk management reduces risk to an acceptable level; good controls reduce the negative impact of
threats and reduce the vulnerability of the system.]



BUSINESS
VELIBOR BOŽIĆ

Method of risk analysis



Cost management
Cost management is a managerial skill that makes decisions that:

• improve products, services or resource use
• support strategies
• systematically reduce costs.

Cost management includes the overall planning, coordination, control and reporting of
costs within the performance of a particular business activity. This skill requires managing
identified costs throughout the entire process of making a product or service.

Why cost management is important

Cost management is important because this skill is one of the key things essential
for the efficient conduct of business and enables successful investment. When running a
business, there are many reasons why costs are higher than planned. Some of the
reasons are:


• unclear goals that change during the project
• unrealistic assessment (often too optimistic)
• incomplete job review (inconsistent view)
• too much risk
• insufficient management control.

All these reasons must be taken into account if costs are to be managed efficiently and
effectively.

Key things in cost management

Cost management must be based on an understanding of the whole process "from
order to delivery" of a product or service and on anticipating where costs may arise. This is
especially important where large increases in costs are expected. When considering costs,
the following should be considered:

• new costs, i.e. costs incurred after the initial investment in a business activity
• assumptions about increased productivity that should be realized
• assumptions about the amount of costs necessary for the realization of a job
• costs of parallel activities when introducing new functionalities (maintaining
the old way of doing business until the new activity is established).

Cost management must answer the key question: what is the cost of achieving the goal in
a particular way? This question implicitly suggests that cost management must be flexible
enough. This means that if the costs are estimated to be too high, a new way of doing
business should be sought. You should not be overly optimistic when estimating costs. It
would be good to have the best and worst case scenario and find a balance based on
these borderline cases.

Cost management process

The cost management process consists of cost estimation, cost control, and cost
review. The process begins with an initial estimate of the cost of a business activity. The
costs of preparation of activities, operational costs, costs of risk coverage, internal costs
within a particular department, costs by partners (suppliers, customers) are estimated.
Based on the cost estimate, the budget for the implementation of a certain business
activity is approved.
During the implementation of a business activity, it is necessary to carry out cost
control. Cost control is carried out with the help of a financial plan that serves as a
reference point for comparing actual with planned costs. If a cost overrun occurs, the
causes are analyzed and actions are taken to rationalize costs.
At certain stages of conducting business activities, it is necessary to conduct a
review of costs. The review must ensure:

• a comparison of the estimated costs with the budget approved for a
particular activity
• assessment of whether the process is still feasible (given the cost-effectiveness)
• risk assessment (whether it is acceptable or causes an excessive cost of risk
coverage).

Activities within cost management

In order for cost management to be efficient and effective, the following activities
need to be implemented:

• choice of cost management strategy
• defining areas and coverage of information
• planning of efficient use of resources
• implementation of plans and changes
• measurement and reporting on results
• motivation and evaluation of employees
• discussion of plans and results
• assessing decision-making and proposing improvements.

If all the listed activities are carried out, there is a great chance that the cost management
will be of good quality.

In conclusion

Cost management is an important managerial skill that ensures that a certain
business activity is performed within the projected budget. To make this possible, it is
necessary to plan resources, estimate costs, determine the budget and control costs.
Resource planning means determining which resources and how many resources are
needed to carry out an activity. Resources are people, equipment, materials, information ...
After resource planning, it is estimated how much it will cost to use resources for an
activity. When the assessment is made, it is necessary to determine the financial
resources needed for the activities, ie it is necessary to determine the budget. Finally,
costs need to be controlled during the course of the activity.

It is important to say that cost management must be consistent with all other
managerial activities within the organization. It is important to coordinate
cost management with all other management skills to achieve a synergistic effect on the
performance of the organization.
If the cost management is carried out in the manner described above and if it is
related to the overall management efforts, it will be of high quality and will enable efficient
and effective performance of the work as a whole.
The essays on management

Delegation
Delegation is a managerial skill we've all heard about, but the question is how much
we understand it. It can be used either as an excuse to blame someone else or as a tool to
motivate and train employees to fully use their own potential.

Delegation is a managerial skill that allows the development of the skills and knowledge of
employees, and more efficient and effective performance of work. Without delegation,
the potential of employees is not fully exploited. Delegation is actually about transferring
part of one's own authority to the employee. Employees can act autonomously and have
the responsibility to perform certain tasks together with the manager who has delegated
the task to them. What is important when delegating is the requirement that tasks be
delegated so that the task is completed successfully.
The main goal of delegation is for someone else to do a good job. Not only to receive
concrete orders and perform simple tasks, but to make decisions and adapt to new
situations. The essence of delegation is that employees can react independently without
constant contact with management. Delegation allows managers to start doing a job
without having to know in detail how to do it. Prerequisites for management to authorize
someone to do a particular job are to explain well to people what is expected of them (for
employees to understand the problem), that employees have the authority to do a
particular job and finally know how to do something. All these prerequisites can be met if
there is quality communication in which the nature of the task, the method of
implementation, sources of relevant information and the like must be clarified.
The delegation system can work well if employees (who have to make their own decisions)
have complete and fast access to important information. This means that there must be a
system of free flow of information in the organization. There must be the possibility of
exchanging knowledge between employees; all of them must know what the other is
doing. There must be regular information meetings between managers and employees. It
is desirable that there is a computerized distribution of information in the organization. In
this way, it is possible for all employees to incorporate their own experiences into the
overall knowledge of the business process. This gives managers a valuable source of
information that can only help them make better decisions.
One of the greatest fears of managers regarding delegation is that by empowering others
to perform certain tasks, control over the process is lost. This fear is irrational if employees
are properly prepared to perform certain tasks. First of all, employees must be set the
same criteria as the manager himself. In addition, control mechanisms need to be
decentralized, i.e. distributed. The manager must understand that he cannot control
everything at the same time, so he should create control mechanisms that work in parallel
and independently. A crucial prerequisite for all this is a good knowledge of employees
and trust.
For the delegation to be successful, it must not be hesitant in the sense that one day we
authorize someone to perform a task and the next day we forbid them to do so. This
creates complexes in employees and this can lead to poor results. In order to avoid
situations of hesitation, delegation should be carried out gradually. This means that you
first give the employee an easier task and then, depending on how he coped with it, you
decide how to proceed. Tasks should be set in such a way that each one is a little harder
than the previous one in order for employees to gradually get used to the new situation.
This is important because employees need to be confident in order for delegation to
succeed. Self-confidence is achieved by gradually delegating, but also by enabling
employees to get help if they need it. In addition, the manager must, in conversation with
employees, consciously avoid making decisions that he estimates the employee can make
independently.

In this way, the manager teaches his employees responsibilities and encourages them by
leaving them the initiative within the assigned task. Here the manager must be careful not
to fall into the trap of fully open involvement in the task he has delegated to someone else.
The trap is avoided by formalizing communication with employees. Formalization consists
in having employees write some kind of diary in which they describe what they are doing,
suggest improvements, make “decisions” and the like. In response to the diaries, the
manager delegates new tasks to confirm the correctness of employees' decisions
(increases their self-confidence) or points out mistakes (through the assignment of new
corrective tasks). If an employee makes a mistake, the manager who delegated a task to
him is responsible. This is a fact that the manager must be aware of. That is why he must
do everything to discover the mistake in time. This is achieved by constant monitoring of
employees. If he notices a mistake, he must warn the employee. The manager must do
this in such a way that the employee understands the problem, feels confident to solve the
problem and corrects the mistake. It is very important that there is such a climate in which
the employee is not afraid to admit a mistake to the manager. Therefore, the manager
must never criticize employees for mistakes, but must emphasize the importance of
checking, testing and monitoring the implementation of a task.
The eternal question facing managers is what should be delegated. The philosophical
answer is that as many jobs as possible should be delegated in order to train employees to
be as good as possible. In reality, the manager should delegate routine tasks that could be
performed by other employees, so that he has more time for more creative tasks. In
addition, managers should delegate tasks for which they are not experts. In terms of
motivation, the manager must take care to delegate creative tasks that would allow
employees to make full use of their knowledge. The method of delegating tasks is not
unified. This means that the method of delegation and everything related to delegation
(reporting on the performance of work, sources of information, availability of management
assistance, and criteria for success in performing the work) is subject to negotiation with
employees. There must be agreement on everything in order for the delegation process to
be successful.

Can everything be delegated? Whenever possible, the manager must
oversee the performance of delegated tasks and must ensure the training and
advancement of employees. There are functions that cannot be delegated. Some of them
are: motivating, coaching, and building a team, organizing, punishing, improving,
monitoring progress...
The manager has the task of demonstrating and improving the efficiency and effectiveness
of the department he heads within the organization. Delegating only gives him a chance to
succeed.
Knowledge management
Today, when we live in the information age, knowledge is imposed as the most
important organizational resource that provides a strategic advantage over the
competition. Knowledge alone is not enough. Namely, the organization may possess
vast knowledge, but it can be unused for various reasons. Most often, the cause of
insufficient use of knowledge in organizations is ignorance of knowledge
management. Therefore, there is something about knowledge management in this
text.

Today, organizations are increasingly recognizing the importance of knowledge and
the need to make the most of it. Knowledge within the organization can be in different
places, such as in databases, knowledge bases, files or simply in people’s heads. It
is spread throughout the organization. It is necessary for organizations to have an
insight into the knowledge at their disposal (knowledge as an asset) and to manage
knowledge in order to enable it to achieve optimal results. This should be
emphasized because in many organizations the so-called tangible property and the
potential of knowledge are neglected. Knowledge is essential in all business
segments. For example, knowledge of raw materials, planning, production or
distribution is essential in the order-to-delivery process. Product development
requires knowledge of customer requirements, new advances in science, technology,
marketing and the like.
There are several reasons why knowledge and its management are important.
Here are some of them:
 The market is becoming more and more competitive and innovations are
becoming more frequent, which means that knowledge must be
enriched with new knowledge continuously and quickly.
 Organizations are increasingly focused on creating value for the customer.
As a result, staff is being reduced, so the rest need to know more.
 Due to the smaller number of people who possess certain
knowledge, it is necessary to manage knowledge well in order for it
to help the business do better.
 Acquiring knowledge takes time, and knowledge itself depends on
experience. Employees, however, today have less and less time to
acquire knowledge, so it is necessary to organize things, i.e.
determine who needs to know what.
 Today, the trend is increasing workforce turnover, so it is necessary to
manage knowledge in the sense of ensuring decentralization, not a
monopoly of knowledge.

In order to successfully manage knowledge, it is necessary, first of all, to
understand what knowledge is. Therefore, let’s try to answer what knowledge really
is. Knowledge as an asset is actually a common name for a set of knowledge related
to the market, products / services, technology and organization, which is needed to
enable optimal business operations. Knowledge management means managing
knowledge as an asset, but also a series of knowledge-related processes such as:
improving knowledge, preserving knowledge, using knowledge and sharing
knowledge among everyone in the organization. The purpose of knowledge
management is the identification and analysis of all knowledge and related processes
and the planning and control of activities to increase knowledge and improve the
process, all to meet organizational goals.
Knowledge management is not easy. The biggest problem is actually
identifying the knowledge itself and enabling its use in an optimal way. To overcome
this problem, organizations should:
 speak the same language when it comes to knowledge to prevent
misunderstandings
 be able to identify, model and explicitly present their own knowledge
 enable knowledge to be shared and reused in different parts of the
organization for different applications
 develop a culture of knowledge and encourage
employees to share knowledge.
Today, there are various methods and tools that help knowledge management
(SWOT analysis, Balanced Scorecard, IDEF technique ...). All of them allow
knowledge to be identified, modelled, assessed and maintained within the
organization. All methods enable the analysis and planning of business with the help
of the application of knowledge, enable the efficient and effective application of
knowledge in all business processes, in the performance of daily tasks. They enable
the distribution of the necessary knowledge to specific locations at a specific time.
Information technology is a great help in the implementation of knowledge
management methods.
We mentioned that knowledge identification, analysis, implementation and validation
are important in knowledge management. In the following, we will talk more about
these basic activities in knowledge management. The first procedure is the
identification of knowledge in the organization, i.e. defining what knowledge the
organization has. Here, answers must be sought to the questions of where
knowledge is stored, what kind of knowledge it is, what it is used for, in what form
and how it can be obtained. Once knowledge has been identified, it is important to
assess how it can help create new value. Again, it is necessary to analyze what
the chances of using the knowledge are, what the effects of applying it would be, how
much the value would increase if the knowledge were applied ... After identifying and
analyzing knowledge, it is necessary to define activities that allow us to do business
better with that knowledge. Here it is necessary to develop an action plan and to define the
method of implementation of activities as well as the method of controlling the
implementation. One of the important things in knowledge management is to revise
the use of knowledge. It is necessary to answer the question of whether the use of
knowledge has achieved the desired effect, it is necessary to define the way of
maintaining the level of knowledge as well as the act of creating new knowledge. In
addition, the audit needs to answer the question of whether the use of knowledge
has created some new business opportunities.

In order for knowledge management to be successful, it is necessary to keep in mind
the business vision and act in accordance with the adopted strategies. In addition, it
is necessary to have a good team of people who will work together to effectively
manage knowledge. The organization must strive to find a way to preserve the
knowledge it possesses and to increase it over time. This can be done through
technological support (information systems, communication technology, intranet,
Internet), through effective communication between everyone in the organization, the
construction of educational centres, the establishment of libraries etc. Last but not
least, successful knowledge management requires feedback on the effects of
knowledge application. Criteria for assessing the effects of knowledge application
also need to be developed. In the 21st century, knowledge management,
development of cultural knowledge in organizations, i.e. developing a learning
organization imposes itself as a necessary condition for market survival.
VELIBOR BOŽIĆ

RISK ANALYSIS METHOD: HRA (Human Resource Assessment)


This method analyzes the influence of man on the system, the influence of human error on the performance
of the system.

Method input:

• information which defines the tasks that people must perform
• experience about the types of human errors that can occur in practice
• human error processing and their quantification

Process:

• problem definition - what types of human errors in the system will be investigated
• task analysis - how the task will be performed and what logistics are required for quality
performance
• human error analysis – why the performance is not good; which errors appear and how they should
be fixed
• error presentation – it is necessary to reveal how human errors are related to information
technology and the environment in the organization; this helps to reveal the impact of the error on
the organization
• monitoring – is there an error somewhere in the process that does not require detailed
quantification
• quantification – how likely is the occurrence of an error
• impact assessment – which errors are the most important, which have the greatest impact on the
business and lead to the highest risk
• error reduction - how high human reliability can be achieved
• documentation – everything undertaken must be documented

Output:

• a list of errors that may occur and methods by which errors can be reduced - particularly through
system refactoring
• incidence of errors, typical causes and consequences of errors
• risk assessment with respect to human errors

Advantages:

• this method enables a systematic analysis of human errors that affect the realization of system risks
• systematically dealing with ways of reducing errors and the probability of an error occurring at all

Limitations:

• human unpredictability - it is impossible to identify all mistakes, especially in advance
(anticipate human behaviour)
• partial human errors or poor decision-making cannot be qualitatively analyzed with this method



Managing information security in
healthcare

Velibor Božić
General Hospital Koprivnica, Croatia
velibor.bozic@gmail.com

The Smart Cities Conference 7th Edition, December 5-6, 2019.


Content:
1. Context
2. Smart hospital
3. The objective of information security
management in hospital
4. The basic mechanisms of information security
management
5. BSC/4A – top management level
6. COBIT – middle management level
7. ISO 27799:2008 – operation level
8. Conclusion

1. Context
Smart city consists of:

❑waste management,
❑smart energy, education,
❑smart communications,
❑smart transportation,
❑traffic management,
❑smart parking,
❑smart streetlights and
❑smart healthcare….

All of these areas require management of information safety.



2. Smart healthcare organizations
There are various mechanisms in a smart healthcare organization:

❑information communication technology (ICT),
❑cloud computing,
❑smartphone applications and
❑advanced data analysis techniques.

Patient information can be accessed in real time at various smart hospital offices or even at
various smart hospitals in different cities or in the same city.

Doctors, nurses, and medical technicians can access data without losing time when
physically transferring the same data from one office to another.

Similarly, different doctors may see information to judge a patient's condition. Therefore,
real-time decisions about the patient's health can be made.

Telemedicine can be considered as a specific example of smart healthcare.

Telemedicine uses information and communication technologies (ICT) to provide
long-distance or remote healthcare; this approach is especially useful for places where health
services are not easily accessible.
3. The objective of information
security management in healthcare
The objective is protection of CIA…. Protect the confidentiality, availability and
integrity of patient information.

The essence of managing information security systems
(what is this about?)
➢Confidentiality, availability and integrity of information are at risk.
➢Increasing risk is directly affected by threats to the system. Threats exploit the
vulnerability of the system.
➢System vulnerability also increases risk.
➢System vulnerability allows exposure of system assets (information in this context).
➢System assets have some value that affects the overall organization. Risk directly
affects the value of an organization asset by reducing it.
➢The organization has certain security requirements. These security requirements are
met through certain controls.
➢Controls are key to reducing risk (meeting the requirements for
confidentiality, availability and integrity of information).
➢The controls help to protect against threats.



4. The basic mechanisms of
information security management
❑BSC (Balanced Scorecard) - strategic level (BSC / 4A matrix)

❑COBIT 4.1 + IT Risk (COBIT 5.0) - tactical level
(control targets should be grouped into one of A (access,
availability, accuracy, agility) in the so-called 4A approach)

❑ISO 27799: 2008 - Operational level - Specific activities.
5. BSC/4A – top management level
➢Kaplan and Norton introduced the idea of the Balanced Scorecard (BSC) in January - February 1992. The need
for such a tool meant recognizing that measuring financial results alone was not enough to manage a modern
organization.

➢The BSC includes four types of views on the organization: Finance, Buyers, Internal Business Processes,
and Learning and Development.

➢4A approach to information security (Westermann & Hunter, 2007)
[Figure labels: AGILITY, ACCURACY, ACCESSIBILITY, AVAILABILITY]

ICT risk area | Key factors of ICT risks
AVAILABILITY | high fluctuation of IT staff; non-standard infrastructure; inefficient management of the upgrade; old technology; poor backup system; bad processes and applications; lack of knowledge to improve the existing one; prohibition of work due to errors observed
ACCESSIBILITY | the data is poorly organized; applications are not standardized; lack of internal controls in applications; insecure network
ACCURACY | applications do not meet business needs; manual data linking required; system insecurity in the sense that applications are constantly upgraded (insufficient testing)
AGILITY | poor connection between IT and business; poor implementation of projects



5. BSC/4A – an example
Linking business goals and risks - for each business objective, it is defined what is primary (P)
and what is secondary (S) impact

BUSINESS OBJECTIVES | IMPACT ON THE JOB (risks) | 4A business impact (columns: agility, accuracy, access, availability)
FINANCES
Ensure return on investment in IT | Inadequate financial and return on IT investments | P
Manage IT risks | IT risks are not managed, the company is insecure | P P P P
Improve corporate governance and transparency | Insufficient transparency towards stakeholders, non-compliance with legislation | P
PATIENTS (users)
Improve customer and service focus | Poor or insufficient customer service, loss of customers | S P P
Offer competitive products and services | Inadequate products and services; fail to meet customer needs; loss of income | P S P S
Setting up continuity and availability of services | Insufficient service levels result in customer dissatisfaction and loss of income | S P P
Create agility in line with new business requirements | Failure to respond to market changes or customer demands in a timely manner is a loss | P S



BUSINESS OBJECTIVES | IMPACT ON THE JOB (risks) | 4A business impact (columns: agility, accuracy, access, availability)
Cost optimize service delivery | Products or services that are too expensive cause uncompetitiveness and loss of customers | P
Real and effective reporting is essential for decision making | Poor decisions at the strategic level result in the loss of clients; losses and decline in the value of the organization | P
INTERNAL PROCESSES
Improving and maintaining the functionality of internal processes | Inefficient and under-optimized processes in the organization | P P
Lower process costs | Lower profitability | P
Compliance with laws, regulations and contracts outside the organization | Violation of the same results in criminal responsibility of the administration and those responsible | P P
Compliance with internal policies | Inefficient and inadequate processes | P S S
Business change management | Insufficient processes lead to non-competitive arrowheads | P
Improve and maintain staff productivity | Failure to do so reduces productivity and efficiency | P P
LEARNING AND GROWTH
Product and business promotion management | Loss of chances, small growth, loss of market share | P
Attracting and retaining skilled and motivated people | Impossibility of progress (organization growth and current operations growth) | P S



6. COBIT – middle management level
➢COBIT is an acronym for Control Objective for Information and Related Technology. It was
created in 1992 under the auspices of two organizations: the Information Systems Audit and
Control Association (ISACA) and the IT Government Institute (IGI).

➢COBIT enables managers, supervisors, IT users to have a set of measures, indicators, processes
and examples (best practice) that help them to maximize the benefits of information technology
and develop appropriate management and control of business processes in their organizations.

COBIT has 4 domains and 34 processes within domains. Domains are:

Planning and organizing. This domain is about strategy and tactics; it defines the best way in which IT can
contribute to the achievement of business goals.
Acquisitions and implementation. The subject of interest here is the realization of the strategy. IT solutions
are defined, developed and enriched, implemented and integrated into the business process.
Delivery and support. This domain refers to the delivery of the services required, which includes the delivery
itself, security management (RISK!) and continuity, customer service support, data management and
operational services.
Supervision and evaluation. Over time, every IT process needs to be monitored to see if it works according to
customer requirements. Within this domain, performance is managed, internal controls are monitored and
processes are regulated.



6. COBIT – middle management level
Each of the 34 processes is a potential risk and can be described. An example:
Name of risk: Inconsistency of IT strategy with business strategy
Risk area: The area of risk is the business of the enterprise as a whole. This risk affects the position of the IT
department in the company. The key risk is to understand the role of IT as a decision support, as an essential
factor that expands the business strategy and enables new ways of realizing the business vision.
Nature of risk: Strategic risk
Stakeholders: Owners, Management, CIO
Quantification of risk: An important risk, rare in terms of occurrence, but with great consequences.
HIGH RISK AND IMPORTANT.
Risk tolerance: Low risk tolerance as it potentially causes high losses and long term bad position of IT and
the lack of use of IT capabilities.
Risk treatment and mechanism of control: In Company X, risk is not currently managed, the level of risk
control is low.
Potential actions for risk: Together with the Board and CEOs, an IT strategic plan should be incorporated
into current and future business requirements. Introducing management controls (through business policies)
should increase awareness of the necessity of IT. Align IT strategic plan with business strategy. Better
communication between IT and management is essential.
Responsible for risk: This risk is the responsibility of the Management Board, CEOs and Head of IT.
7. ISO 27799:2008 – operation level
➢ISO 27799: 2008 is the standard for establishing information security in healthcare institutions.

➢Here, we have 11 main areas, which have to be considered:

➢Information security policy
➢Information security organization
➢Asset Management
➢Human resource reliability
➢Physical and environmental safety
➢Communications and Operations Management
➢Access control
➢Procurement, development and maintenance of information systems
➢Information security incident management
➢Aspects of information security in business continuity management
➢Compatibility.

➢With this standard, ISMS (Information Security Management System) is created.
➢When designing an ISMS, BSC / 4A analysis and a list of risks identified through COBIT must be
taken into account



8. Conclusion

➢Information security management is a complex task that
requires the involvement of everyone in the organization, from
top management to the ordinary worker.

➢It cannot be reduced only to the IT department, to usernames
and passwords. Information security management is a much
broader problem and requires a multidisciplinary approach.
Information security management is successful if there are
organizational controls (policies, procedures, rules of conduct
...), technical controls and logical controls.

MOF (Microsoft Operations Framework) – risk management
Microsoft Operations Framework is Microsoft's solution, founded on the ITIL v3 concept, specifically the part covering IT service operation, i.e. the introduction of the IT
service into use. Certain risks may appear in this procedure, above all those connected with the occurrence of incidents and problems. When incidents or problems appear, the service does not
work as expected, an increase in performance costs is possible, and a delay in performance is also possible. They are all sources of risk that increase the vulnerability of the IT area. In
the following, we will talk about the MOF risk management process.
The process consists of six steps:
 Risk identification
 Risk analysis and ranking by importance
 Planning and deployment
 Risk tracking and reporting
 Control
 Learning
Identification. This is the first step in proactive risk management. Risk identification gives the organization a chance to avoid a risk before it happens,
through the definition of a risk statement. This can be reached through so-called root cause analysis, through defining the effects of downtime, through a list of risks and the application of best
practices (ITIL concept).
Risk statement - it is a clear and consistent description of the risk that must be made before starting to manage the risk. The statement should describe the current situation, possible
threats, vulnerabilities that threats can exploit, and the possible condition that the risk can cause. A risk statement is a statement that links the cause and effect of the risk at a very early
phase (while the risk has not yet really begun to be managed).
 key reason - after the risk statement is made, the key or main reason, i.e. the source of the conditions for the emergence of the risk, should be defined; understanding the key reason allows
associated risks to be identified. There are four basic reasons for risk: people, processes, technology and environment (these four categories often overlap)
 the effect of downtime – risk identification also results in recognition of the consequences of downtime, i.e. the consequences that the risk causes. Knowledge of loss (material and financial) helps
to better prepare for risk. There are different ways in which risk affects an organization. These are: increase in labour costs, decrease in performance capability, and impact on
safety. Understanding the nature of a risk's consequences is very important for risk ranking by importance.
 risk list – it is a structured list of all the information collected during risk identification. In the form of a table, it lists:
o key cause of downtime
o conditions of risk origin (the conditions under which the cause of the risk becomes active)
o repercussions of the risk
o consequences of downtime
 best practice – in the process of risk identification, it is good to use the positive experiences of others. It would be good to use different records on risks from the past, databases
on risks, continuous risk identification, discussions on risks, the so-called cause-and-effect matrix, etc.
Analysis and ranking of risks by importance. In the analysis phase, the identified risks are studied and ranked by importance. Here the probability of risk occurrence, the assessment
of the size of risk impact, and risk exposure are defined.
 probability of risk occurrence - the probability of risk occurrence is expressed numerically here (as a percentage). The probability range is divided into thirds
(1-33%; 34-67%; 68-100%). Every probability of risk occurrence falls into one of the three classes, and accordingly the probability of occurrence is determined as low,
medium or high.
 assessment of the size of risk impact – here the size of the potential loss caused by the realization of the risk is evaluated. The loss should be a direct consequence of the risk defined in the
risk statement. The size of the impact of risk is most often measured by financial indicators. Loss classes need to be determined and each class ranked (e.g. up to 100 kn – 1;
from 101-500 kn – 2; over 500 ... over HRK 5,000 – 10). A higher rank means a greater loss. The value scale is subjective and a matter of agreement. If it is not possible to
determine financial indicators, the size of the impact can be determined according to other criteria, for example according to length of downtime and impact on
performance. For example:

Rank | Criterion | Length of downtime | Performance
1 | Little | <1h | Little influence on performance
2 | Medium | In between 1 and 5h | Significant influence (slow work)
3 | High | >8 h | Important influence (for example, moving production to another machine)

 risk exposure – here the overall risk exposure is measured; it combines the probability of risk occurrence and the size of its impact on the business
EXPOSURE = PROBABILITY * IMPACT

PROBABILITY \ IMPACT | Low (1) | Medium (2) | High (3)
High (3) | 3 | 6 | 9
Medium (2) | 2 | 4 | 6
Low (1) | 1 | 2 | 3

Low risk exposure: 1 or 2
Medium exposure: 3 or 4
High exposure: 6 or 9
This way of ranking risks is very acceptable for users; it can also be displayed graphically, for example, through different colours. In the step of analyzing and ranking risks by
importance, it is crucial that the risk analysis is as good as possible so that the ranking is of good quality. A team of people should take part here (a management representative, the head
of IT, the main developer, the database administrator and the system administrator).
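The ranking scheme above (probability thirds, the downtime-based impact table and EXPOSURE = PROBABILITY * IMPACT) can be applied to a risk list mechanically. The Python code below is an added example, not part of the original text or of MOF itself; the sample risks and all function names are constructed for illustration. It assumes that a downtime between 5 and 8 hours, which the impact table leaves undefined, is rounded up to rank 3 and flagged for the team to review.

```python
"""Rank a risk list by exposure, following the scheme described in the text."""
from dataclasses import dataclass

# The four basic reasons for risk named in the text.
ROOT_CAUSES = {"people", "processes", "technology", "environment"}
# Exposure classes from the text: 1 or 2 low, 3 or 4 medium, 6 or 9 high.
EXPOSURE_LEVELS = {1: "low", 2: "low", 3: "medium", 4: "medium", 6: "high", 9: "high"}


@dataclass(frozen=True)
class Risk:
    name: str
    root_cause: str
    probability_pct: int    # estimated probability of occurrence, 1-100 %
    downtime_hours: float   # expected length of downtime if the risk occurs


def probability_class(pct):
    """Map a percentage to the thirds 1-33 / 34-67 / 68-100 (1=low, 3=high)."""
    if not 1 <= pct <= 100:
        raise ValueError(f"probability must be between 1 and 100 %, got {pct}")
    if pct <= 33:
        return 1
    if pct <= 67:
        return 2
    return 3


def in_table_gap(hours):
    """True for downtimes the impact table does not cover (more than 5 h, up to 8 h)."""
    return 5 < hours <= 8


def impact_rank(hours):
    """Impact rank by downtime: <1 h -> 1, 1-5 h -> 2, >8 h -> 3.

    Assumption (not from the text): the uncovered 5-8 h range is rounded up
    to rank 3, so an unclear case is never under-ranked.
    """
    if hours < 0:
        raise ValueError(f"downtime cannot be negative, got {hours}")
    if hours < 1:
        return 1
    if hours <= 5:
        return 2
    return 3


def assess(risk):
    """Return probability class, impact rank, exposure and exposure level."""
    if risk.root_cause not in ROOT_CAUSES:
        raise ValueError(f"unknown root cause: {risk.root_cause}")
    probability = probability_class(risk.probability_pct)
    impact = impact_rank(risk.downtime_hours)
    exposure = probability * impact
    return {
        "name": risk.name,
        "root_cause": risk.root_cause,
        "probability": probability,
        "impact": impact,
        "exposure": exposure,
        "level": EXPOSURE_LEVELS[exposure],
        "needs_review": in_table_gap(risk.downtime_hours),
    }


def rank_risks(risks):
    """Assess every risk and sort by exposure, highest first."""
    rows = [assess(r) for r in risks]
    return sorted(rows, key=lambda r: (-r["exposure"], -r["probability"], r["name"]))


# Constructed sample risk list (illustrative values, not from the text).
SAMPLE_RISKS = [
    Risk("Short power cut in the server room", "environment", 10, 0.5),
    Risk("Backup server disk failure", "technology", 20, 10),
    Risk("Application upgrade deployed without testing", "processes", 50, 3),
    Risk("Single DBA holds all ERP interface knowledge", "people", 70, 6),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_RISKS):
        flag = " (impact rank assumed, review)" if row["needs_review"] else ""
        print(f'{row["exposure"]}  {row["level"]:<6}  {row["name"]}{flag}')
```

The `needs_review` flag marks exactly the cases where the team named in the text has to agree on the impact class, since the value scale is a matter of agreement.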
Planning and scheduling of activities. The input to this process is the lists of risks ranked by importance. The task is to develop, on the basis of these lists, detailed strategies and activities
for each main risk and to rank the activities by importance, thereby creating an integrated risk management plan. The activities in the integrated plan are:
 focusing on high-exposure risks
 determining the conditions for reducing the probability of risk occurrence
 searching for key causes so that the symptoms of risk are reduced
 determining the repercussions so that the impact of risk is reduced
 after determining key causes, searching for possible risks that have a similar cause
 searching for dependencies between risks.
When creating a risk management plan, care should be taken as to whether the employees know enough to be able to recognize the risk, whether the risk can be accepted without
taking any action, whether the risk can be avoided, transferred to another area, or whether the consequence of the risk can be reduced. In planning, it is necessary to define a reaction plan (what
to do if the risk causes damage).
In accordance with the plan, activities have to be distributed among different employees. It should be determined who is responsible for each activity in the plan.
Tracking risks and reporting. This activity involves writing down all the facts about risk. It is written down how the risk changes and what the risk trigger values are (if the
risk materializes, the reaction plan should be activated), and the conditions, consequences, probabilities and impacts related to the risk are monitored. If any of
these change, the risk needs to be reassessed. In this phase, the implementation of the risk reduction plan is also monitored. If the risk reduction plan does
not perform well, it should be reconsidered. Risk monitoring can be an ongoing activity, periodic or case by case (ad hoc).
A report has to be made for every risk. For each risk, the report describes the following situations:
 solution: the risk is resolved, the action plan for resolving the risk is finished
 consistency: the risk is constant regardless of the action plan; resolving the risk should continue
 changes: some actions taken to reduce risks differ from those planned; corrective measures should be undertaken to return the activities to the planned framework
 volatility: the risk situation has changed significantly and risk planning and analysis need to be done again.
Risk control. This phase of MOF risk management refers to activities related to the reaction plan once the risk has materialized. This is where corrective actions related to risk monitoring are
undertaken. Risk control uses information collected through risk monitoring and reporting and information from a database of past risks. Likewise, new experiences related to risk
control are stored in the database. The key to risk control is good communication among all employees who can react to the risk effectively.
Learning from risk. Learning from risk is an ongoing process that takes place throughout all phases of risk management. The goal is to improve people's knowledge of risk in order to improve
recognition of potential risks, which affects the quality of risk management in the future. When learning, two situations should be distinguished:
 learning from a new risk - a lot of new information with which we have nothing to compare; it helps us to recognize the same situation as a risk in the future and in that
way prevent the consequences that happened to us because this time we did not recognize the risk
 learning from the reappearance of known risks - by establishing known facts and reminding, we consolidate knowledge and have the possibility of improving the risk reduction strategy
(introducing new controls).



Risk management using the NIST methodology
The risk assessment methodology consists of:
• Description of the system
• Identification of threats
• Identification of vulnerabilities
• Control analysis
• Probability determination
• Impact analysis
• Risk determination
• Recommended controls
• Documentation of results.

After the first step, threat identification, vulnerability and control analysis and risk impact analysis can proceed in parallel.
Each step within the risk assessment has its input, activities and output, which are presented here in the form of a table:

NIST risk methodology activities, each with its INPUT and OUTPUT

1. Characterization (description) of the system
INPUT: Hardware, software, system connections, data and information, people, system mission. Additional information that is useful here is: functional requirements for
the IT system, users of the system, security architecture of the system, security policy according to which the IT system functions (it can be prescribed by the
Administration or stipulated by law, regulations, contracts).
ACTIVITY: The data is obtained through: questionnaires, interviews, a review of documentation, using system analysis tools (e.g. System Information within Windows, etc.)
OUTPUT: System boundaries, system functions, what is critical in the system and data (which IT values are important for the organization as a whole), what is sensitive
in the system and data (this means the required level of protection to maintain integrity, availability and data confidentiality)

2. Identification of threats
INPUT: Historical data on attacks on the system, data from the media, data from various agencies
ACTIVITY: Sources of threats: hackers, computer crime, terrorists, industrial espionage, poorly trained users, employees who intentionally do harm.
The motivation of these people: challenge, ego, rebellion, revenge, advantage over the competition, curiosity, unintentional mistake.
Each threat results in some threatening action for the system.
OUTPUT: Statement of threats - contains a list of sources of threats that can cause system vulnerability.

3. Vulnerability identification
INPUT:
VULNERABILITY REPORTS: Reports from previous risk assessments, comments on various controls, security requirements.
SAFETY TEST RESULTS: Conducting system vulnerability checks using software tools (usually checking network equipment), conducting security tests and assessing
security based on them.
SECURITY CHECK LISTS: these lists are made at the management, operational security and technical levels. Security criteria are defined for each level.
ACTIVITY: When identifying vulnerabilities, it is good to determine threat-vulnerability pairs. Therefore, it is good to establish which threat (threat source and
threatening activity) can cause a certain vulnerability. For example:
SOURCE OF THREAT: Fired developer
THREATENING ACTION: The programmer connects to the system
VULNERABILITY: The identification of a fired developer was not deleted from the system
OUTPUT: List of potential vulnerabilities

4. Analysis of controls
INPUT: Current risk controls, planned risk controls
ACTIVITY: The goal is to analyze implemented or planned controls that must reduce the likelihood of a threat/vulnerability in the system.
Controls can be technical (access control mechanisms, identification mechanisms...) and non-technical (guards, room locking...).
Controls can be preventive (reduce the possibility of the occurrence of a threat) and detective (detect an already occurring threat).
OUTPUT: A list of current and planned controls in the IT system that reduce the likelihood of threats and vulnerabilities, thus reducing the impact of these unwanted events.

5. Determination of probability
INPUT: What are the motivations of the threat sources, what is the threat capacity, the nature of the vulnerability, the current controls
ACTIVITY: Here, the probability of the appearance of vulnerabilities in the system under the conditions of a threatening environment is assessed. This should
take into account the motivation and capabilities of the threat source, the nature of the vulnerability, and the existence and effectiveness of current controls.
OUTPUT: Assessment of the probability of risk occurrence (ranked from highest to lowest). An assessment of the probability of the occurrence of vulnerabilities in the system can be:
• High - the threat source is highly motivated, sufficiently capable and controls cannot prevent the vulnerability
• Medium - the threat source is motivated and capable, but existing controls can control the occurrence of system vulnerabilities
• Low - the source of the threat is unmotivated and not capable enough, controls are good and significantly reduce the probability of system vulnerability.

6. Analysis of the impact of threats and vulnerabilities
INPUT: What is the mission of the impact analysis, what is the value of the assets to which the critical risk assessments refer, what are the critical data
(necessary for business), what are the sensitive data (easily subject to risk)
ACTIVITY:
• Loss of integrity of the IT service - is the threat such that it allows an unauthorized user to intentionally or accidentally change data?
• Loss of IT service availability - is the threat and possible vulnerability of the system such that it prevents the use of critical parts of the system?
• Loss of confidentiality of the IT service - are the threats and possible vulnerability of such a nature as to allow unauthorized access to confidential data that is
crucial to the functioning of the organization?
Before the assessment itself, it should be determined which parts of the system and which data are necessary for the functioning of the organization.
OUTPUT: Assessment of the impact of threats and possible vulnerabilities on the operation of the system (ranked from the largest to the smallest). The strength of the impact can be:
• High - consequences can be large financial losses, large losses in terms of failure to fulfill the organization's mission, loss of reputation or interests of
partners, death of people or serious injuries
• Medium - monetary losses, losses of significant resources, non-fulfillment of part of the work, loss of part of reputation, injuries to people
• Low - the loss of some resources that can be compensated, is an obstacle to the achievement of the organization's mission, can affect the reputation or interest of partners

7. Determination of risk
INPUT: Probability of threat realization, magnitude of impact on functioning, adequacy of current or planned controls
ACTIVITY: The purpose of this step is to determine the level of risk for the IT system. A risk level matrix is used to measure risk. In the columns of the matrix is the
level of influence of threats on the vulnerability of the system. The threat level is (10 - low impact; 50 - medium impact; 100 - high impact). In the rows of
the matrix is the probability of the threat (1 - high probability; 0.5 - medium probability; 0.1 - low probability).
The content of the matrix is the product:
LEVEL OF RISK = SIZE OF IMPACT * PROBABILITY OF THREAT
Risk scale: LOW (1 to 10), MEDIUM (11-50), HIGH (51-100).
OUTPUT: Risks and associated risk level (the level indicates how dangerous they are)
HIGH RISK: immediate corrective actions are required. The existing system can continue to work, a corrective action plan is necessary and should be implemented as soon as possible.
MEDIUM RISK: corrective actions are needed, it is necessary to adopt a corrective plan and implement it in a reasonable time.
LOW RISK: the risk management team must determine which corrective actions should be implemented and which risks should be accepted and worked on regardless of their existence.

8. Recommendations for controls
ACTIVITY: This activity recommends introducing new controls into the system in order to reduce the identified risks to an acceptable level. At the same time, you should
take care of:
• Effectiveness of recommended controls
• Legal regulations
• The policy of the organization
• The impact on the operational execution of tasks
• Safety and reliability
OUTPUT: Recommended controls

9. Documentation of results
ACTIVITY: At the end of the risk assessment process, everything should be documented in the form of a set of reports to management. This report should help in making
decisions about policy, budget, operational implementation of changes and changes in management, related to risks.
OUTPUT: Report on assessed risks - contains identified threats and vulnerabilities in the system that may arise, an assessment of the level of risk and makes
recommendations for the implementation of controls.
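
The risk level matrix of the risk determination step, combined with the High/Medium/Low probability definitions, can be applied to a register of threat-vulnerability pairs as shown here. This is an added Python example, not part of the original text; the class and function names, the two yes/no probability inputs, the impact ratings and every register row except the fired-developer pair are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Weights and scale exactly as stated in the risk determination step.
PROBABILITY = {"high": Decimal("1"), "medium": Decimal("0.5"), "low": Decimal("0.1")}
IMPACT = {"high": Decimal(100), "medium": Decimal(50), "low": Decimal(10)}
ACTION = {
    "HIGH": "immediate corrective actions; plan implemented as soon as possible",
    "MEDIUM": "corrective plan adopted and implemented in a reasonable time",
    "LOW": "team decides which actions to implement and which risks to accept",
}


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    source: str               # source of threat
    action: str               # threatening action
    vulnerability: str
    motivated_capable: bool   # source is motivated and capable (assumed input)
    controls_effective: bool  # current controls hold (assumed input)
    impact: str               # "high", "medium" or "low"


def rate_probability(pair):
    """Apply the High/Medium/Low definitions of the probability step."""
    if pair.motivated_capable:
        return "medium" if pair.controls_effective else "high"
    if pair.controls_effective:
        return "low"
    # Assumption: an unmotivated source facing weak controls is not named in
    # the definitions; it is rated medium so the weak control stays visible.
    return "medium"


def risk_score(probability, impact):
    """LEVEL OF RISK = SIZE OF IMPACT * PROBABILITY OF THREAT."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError(f"unknown rating: {probability!r}/{impact!r}")
    return PROBABILITY[probability] * IMPACT[impact]


def risk_band(score):
    """Risk scale: LOW (1 to 10), MEDIUM (11-50), HIGH (51-100)."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1-100 scale")
    if score <= 10:
        return "LOW"
    return "MEDIUM" if score <= 50 else "HIGH"


def risk_matrix():
    """All nine cells, keyed by (probability, impact)."""
    return {(p, i): risk_band(risk_score(p, i)) for p in PROBABILITY for i in IMPACT}


def assess(register):
    """Score every pair and rank the result from highest to lowest risk."""
    rows = []
    for pair in register:
        probability = rate_probability(pair)
        score = risk_score(probability, pair.impact)
        band = risk_band(score)
        rows.append({"source": pair.source, "vulnerability": pair.vulnerability,
                     "probability": probability, "impact": pair.impact,
                     "score": score, "level": band, "action": ACTION[band]})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed register. Only the first pair comes from the text; its impact
# rating and every other row are made up for illustration.
REGISTER = [
    ThreatVulnerabilityPair("Fired developer", "connects to the system",
                            "identification not deleted from the system",
                            True, False, "high"),
    ThreatVulnerabilityPair("Poorly trained user", "changes data by mistake",
                            "no validation of entered data", False, False, "medium"),
    ThreatVulnerabilityPair("Curious employee", "browses shared folders",
                            "read rights wider than needed", False, True, "low"),
    ThreatVulnerabilityPair("Hacker", "probes network equipment",
                            "outdated firmware behind a filtered interface",
                            True, True, "high"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f'{row["level"]:6} {str(row["score"]):>5} {row["source"]}: {row["action"]}')
    levels = list(risk_matrix().values())
    print({name: levels.count(name) for name in ACTION})
```

With the stated weights only the high-probability, high-impact cell reaches HIGH; a high-impact risk with medium probability scores 50 and falls into MEDIUM.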



Risk management and ITIL

ITIL [1], [2], [3], [4], [5], [6], [7], [8] is an abbreviation of Information Technology Infrastructure Library (IT Infrastructure Library). ITIL represents norms, or best practice, in
providing IT services to users. ITIL started to be developed in the early 1980s by the Central Computer and Telecommunications Agency (CCTA). Later,
this institution became an integral part of the UK Office of Government Commerce (OGC).
Goals of ITIL are:
• Improving the efficiency and effectiveness of IT services
• Quality of IT services
• Reducing risks.
ITIL is a kind of guide for managing IT services at the strategic, tactical and operational level. In version 2 (ITIL v2), the basis of ITIL consists of:
• service delivery (relates to tactical management), which includes service level management, financial management, availability management, capacity management and
business continuity management
• service support (relates to operational management), which includes: user support service, incident management, problem management, change management,
configuration management and release management.
In May 2007 [5], version 3 of ITIL (ITIL v3) came into use. Its basic novelty is that services are no longer viewed as service delivery and service support; instead, the life cycle of the
IT service is followed. Version 3 therefore consists of: service strategy, service design, service transition, service operation and continual service improvement.
Service strategy. Here, on the basis of user demands, the strategies for developing IT services, policies, resources and constraints are shaped, as well as the so-called service level package (what the IT service offers on
the basis of user requests).
Service design. Here the service is designed and its architecture, standards and the so-called service design package are defined (it holds all the information necessary for developing the service).
Service transition. Here the designed service is built up to the level at which it is ready for delivery to the user. The service is also tested here.
Service operation. Here the IT service is given to the user for use under agreed conditions. The technology and infrastructure necessary to support the service are defined here.
Continual service improvement. Plans and activities for improving services are defined. Opportunities for progress are identified, as well as weaknesses or mistakes of IT services which
have to be corrected.
Each of these five groups has a purpose, key processes and activities, and key roles and responsibilities. The management activities that appear in ITIL v3 are:
• within service strategy: strategy generation, financial management, portfolio management, demand management
• within service design: service catalogue management, service level management, capacity management, availability management, IT service continuity management
(related to managing the consequences of risk), procurement management
• within service transition: transition planning and support, change management, configuration management, implementation management, testing and validation,
assessment, knowledge management
• within IT service operation: event management, incident management, request fulfilment, problem management, management of access to the IT service,
user support management
• within continual service improvement: service improvement management, service success measurement, service reporting.
ITIL is a framework for implementing IT service management. It does not deal with risks explicitly. Nevertheless:
• one of the goals of ITIL is risk reduction
• through the concept of the IT service, ITIL implies risk management, because the IT service by definition must not bring unforeseen cost and risk to the user
• the service provider, among other things, manages the risks bound to the service, and does so in all phases of the service life cycle (strategy, design, transition, implementation and
continual improvement).
Risk management within ITIL can be seen in the following processes:
• ITIL v2, within service delivery, in the continuity of IT services. Here, in the requirements and strategy stage, critical business processes and the recovery time of the IT service after
a realized risk are identified [8]. Furthermore, the risk from threats to assets is assessed (using the so-called CRAMM methodology – Central Computer and Telecommunications
Agency Risk Analysis Management Methodology). Based on the risk assessment, strategies are made for business continuity, that is, for the performance of IT services. CRAMM
risk analysis analyzes threats to and vulnerabilities of assets. Threats and vulnerabilities cause risks, which management strives to control by undertaking certain measures.
The asset categories in the risk analysis are hardware, software, people and buildings. In the risk analysis, threat-vulnerability pairs must be identified. They can be
displayed with a diagram of cause (threat) and consequence (vulnerability). The result of the analysis is a list of risks. Each risk is a function with the following parameters:
• The probability that the threat causes the risk by using a vulnerability of the system
• The strength of the consequences that the realized threat causes on the vulnerability of the system
• Controls (planned or already existing) which reduce or eliminate risks
Within IT service continuity management it is important to define the way of recovering from risks. Reactions to risk can be: do nothing, make backup copies, gradual
recovery (longer than three days), fast recovery (1-3 days) or urgent recovery (within 8 hours). The reaction depends on the importance of the IT service for the business. Continuity management enables
survival in case of disaster, recovery of business activities in case of work interruption, and loss prevention.
Risk management is not explicitly presented in ITIL v3 [5] or v2. Risk management is expressed implicitly, in all phases of the IT service life cycle. A
few examples follow:
• Within service strategy there is the activity of shaping and developing the strategies of IT service development. Risk management is important here, because it is necessary to
identify, evaluate and prevent or reduce threats which would bring the IT service development strategy into question.
• Identifying threats and managing them is important in service design. One of the key activities is IT service continuity management (see risk in the framework of
ITIL v2). Here, risk management defines control mechanisms for recognizing and preventing risks as well as mechanisms for reducing risks. Within service
design, the information security management process is also important, and the key to information security is preventing threats of destruction and reducing vulnerabilities.
• In the transition phase of IT services, the change management process is important. Changes automatically mean risk, so risk management is necessary here as well. In fact, the connection between
change management and risk management is mutual. Risk management makes changes easier, and change management is one of the mechanisms for optimizing risks
(reducing risks to an acceptable level).
• For the service operation phase, the incident management and problem management processes are important. They are again associated with risks, proportionally: more incidents
and problems mean a larger risk. A smaller risk means less uncertainty, that is, fewer incidents and problems.
• In continual improvement of IT services, account should be taken of new threats and system vulnerabilities that are repercussions of new demands from users of IT services.
In fact, with every new demand, an analysis of possible threats and vulnerabilities should be carried out, that is, the possibility of new
risks arising should be considered, and action taken according to the result of the analysis (most often, proactively preventing or reducing the new risk).
From the above review it can be concluded that risk management is an important activity within ITIL. It is not explicitly listed anywhere as a management activity, but it is "logistical", i.e.
it supports all the other activities.
Literature
[1] "ITIL Organisation Structure"; CEC Europe Limited; London, 2002
[2] http://en.wikipedia.org/wiki/ITIL-v2; http://en.wikipedia.org/wiki/ITIL-v3; downloaded 23. 08. 2009
[3] "An Introductory Overview of ITIL v3", Cortlige, Hannah et al., iTSMF Ltd., 2007
[4] Prof. Ph.D. sc. Z. Cracker: "Management informational resources (selected chapters)", script with lectures; PDS FOI, 2007
[5] "ITIL - The Key to Managing IT Services – Service Delivery"; TSO for OGC; Crown Copyright 2003; London
[6] "ITIL - The Key to Managing IT Services – Service Support"; TSO for OGC; Crown Copyright 2003; London
[7] "IT Service Management – an Introduction"; itSMF Press; London, 1999
[8] "The Benefits of ITIL" – Pink Elephant Inc., 2002
[9] Geddes, Ratclife: "ITIL Process Maturity Self-assessment & Action Plan", Pink Elephant Inc., September 2002, London



THE RISK MANAGEMENT METHODOLOGY:

THE RISK MANAGEMENT STANDARD

Velibor Božić
The Risk Management Standard
The Risk Management Standard was created in 2002 as a result of the cooperation of three organizations in
Great Britain - IRM (The Institute of Risk Management), AIRMIC (The Association of Insurance and Risk
Managers) and ALARM (The National Forum for Risk Management in the Public Sector).

The goal was to develop a standard for risk management that would include:

• Terminology used in the field
• Processes that are necessary for risk management
• Organizational structure essential for risk management
• Objectives of risk management

In this standard, risk is defined as a combination of the probability of an event occurring and its consequences
on the property.

Risk management is defined as a central part of strategic management. It is a process in which an organization
methodically assesses risks, adjusts its activities in such a way as to avoid or reduce risks and thus functions
more efficiently and effectively.

The main part of risk assessment is the identification, analysis and treatment of risks. The analysis
evaluates threats and their impact on system vulnerabilities. The ranking of risks is
determined and their impact on the organization is assessed. Those risks that are critical are treated, i.e. the
organization tries to avoid or reduce them.

Risk management is a continuous process that is embedded in the organizational strategy and the
implementation of that strategy. It must be led by top management, but it must also not be defined only
at the strategic level, but must be translated into tactical and operational goals. Throughout the
organization, all managers and employees must have risk management responsibilities and it must be in
their daily job description.

The appearance of risk is influenced by many factors and can be roughly divided into:

• Factors within the organization – products and services, employees, procurement, internal
accounting controls
• Factors outside the organization – legislation, culture, organization oversight (boards, supervisory boards...),
contracts, natural disasters, suppliers, environment, credit, market changes, competition, customer demands...

Considering all the listed risks, the question arises, how risk management can help the organization. Here are
some facts:

• provides a framework for the organization to undertake activities in the future in a consistent and controlled manner
• improves decision-making, planning by enabling understanding of business activities, opportunities and threats
• contributes to better distribution of capital and resources within the organization
• protects the assets and image of the organization
• supports the enhancement of people's capabilities and enables a learning organization
• optimizes operational effectiveness and efficiency

[Figure: the risk management process. Recoverable labels: strategic goals of the organization; risk assessment, made up of risk analysis (identification, risk description, examination) and risk evaluation; reporting about risks (threats and opportunities); decision-making; attitude toward risks; reporting about the remaining risk; supervising; modifications; process control.]

RISK ANALYSIS

Risk identification – the goal is to find out how much the organization is exposed to uncertainty.
Risk identification uses the expert knowledge of people within the organization and various techniques such as:
• Brainstorming, questionnaires, business studies that describe business processes, comparative measurements with others (benchmarking),
scenario analysis, workshops, incident investigations, controls and inspections, a number of techniques described in ISO 31010 - HAZOP,
SWOT, FMEA...

Risk identification is key to the success of the risk management process. It should systematically reveal as many risks as
possible in different areas:

• Strategic risks - this refers to risks that affect the strategic, long-term goals of the organization. Examples: availability of
capital, political risks, government crisis, changes in legislation, changes in the environment...
• Operational risks - these are everyday risks that can occur in work and that the organization faces on a daily basis
• Financial risks – this refers to financial risks inside and outside the organization such as: credit availability, currency exchange
rates, interest rates, market conditions...
• Knowledge management - this refers to the sources of knowledge in the organization, access to them and the way of communication.
Examples of risks are: unauthorized access to information, theft of intellectual property, power outages, system unavailability due to
malfunctions, loss of key personnel...
• Compatibility – here we mean compliance with laws, regulations, contracts.
Risks: insufficient protection of clients, non-compliance with contractual obligations...

Risk description – according to RMS, each risk must be described. There is a specific form for this:
NAME OF RISK:
AREA OF RISK: Qualitative description of events, size, type, number and dependencies
NATURE OF RISKS: For example strategic, operational, financial, know-how or compatibility risk
INTERESTED: Who is interested in risk management and their expectations
QUANTIFICATION OF RISK: Importance and probability
RISK TOLERANCE: Potential loss and financial damage; risk value; probability of loss and potential damage; desired controls
and level of performance
ATTITUDE TO RISK AND CONTROL MECHANISMS: With what the risk is controlled; level of reliability of existing controls; identification of monitoring and reporting
protocols
POSSIBLE ACTIONS FOR IMPROVEMENT: Recommendations for risk reduction
STRATEGY AND POLICY DEVELOPMENT: Identification of functions responsible for strategy and policy development

Example of risk description:
RISK NAME: Delivery of insufficient quality IT services
AREA OF RISK: Due to an insufficiently developed quality management system, low quality products reach the users. This results in risks to
availability, accuracy of information, access and then agility. Because of this risk, IT products do not have
value for the business as a whole, and that fact is visible to the Management and owners.
NATURE OF RISKS: Strategic risk.
INTERESTED: All IT service users.
QUANTIFICATION OF RISK: The probability of risk occurrence is small, but the possible consequences are great, so the risk is medium.
RISK TOLERANCE: Risk tolerance is low, the potential financial loss is great.
TREATMENT OF RISKS AND CONTROL MECHANISMS: In company X, there are procedures and work instructions according to
ISO 9001:2000 norms that minimize this risk, i.e. they reduce it to an acceptable level.
POTENTIAL ACTIONS FOR RISK REDUCTION: Greater involvement of users in the development of IT services.
RESPONSIBLE FOR THE RISK: The head of informatics is responsible for overcoming this risk (for setting up the quality management
system, for creating IT service quality standards, for communication with the environment and for measuring and
monitoring what has been done). In this segment, the head of informatics must cooperate with the quality manager.

Risk assessment - it can be quantitative, semi-quantitative or qualitative.
It is examined:
• Consequence of threats and opportunities
• Probability of threat occurrence
• Probability of opportunities occurring

Consequence of threats and opportunities

Big consequence: The financial impact exceeds HRK xxx, disastrous impact on the organization's strategy and operational
activities, significant concern of shareholders
Medium consequence: Financial impact between HRK xxx and HRK yyy, moderate impact on the organization's strategy and
operational activities, moderate concern of shareholders
Small consequence: Financial impact HRK xxx or less, low impact on the organization's strategy and operational activities, little concern
for shareholders

Probability of threats

ASSESSMENT: High probability (likely)
DESCRIPTION: The probability of the occurrence of the threat is 25% on an annual basis
INDICATORS: The potential for occurrence is several times a year

ASSESSMENT: Medium probability (possible)
DESCRIPTION: The probability of the threat occurring is 25% in 10 years
INDICATORS: It appears unannounced and it is difficult to control the event because it depends on external factors

ASSESSMENT: Low probability (rare)
DESCRIPTION: The probability of the threat occurring is less than 2% in 10 years
INDICATORS: No event has appeared yet. It is quite rare

Probability of opportunities occurring (positive side of risk)

ASSESSMENT: High probability (likely)
DESCRIPTION: The probability of a good result is greater than 75% on an annual basis
INDICATORS: A clear opportunity with high certainty, can be achieved in a short time with existing processes

ASSESSMENT: Medium probability (possible)
DESCRIPTION: The chance of a good result is between 25% and 75%.
INDICATORS: It is possible to achieve a result, but with careful management. Exceeding the plan is possible.

ASSESSMENT: Low probability (rare)
DESCRIPTION: The probability of a good result is less than 2% in 10 years
INDICATORS: With the current way of management and resources, it is difficult to achieve the desired result

Risk examination - after the risk analysis, in this phase a risk profile is created, i.e. the amount of risk is determined, taking into account the
probability of occurrence of threats and opportunities and the magnitude of the impact of threats and opportunities.

Risk assessment - after the risk analysis has been completed, it is necessary to compare the analyzed risks with the risk criteria
(associated costs and benefits of the risk, legislation, socio-economic and environmental factors, shareholder requirements...)
adopted by the organization. The risks are ranked and it is decided which risks are critical to the business and which will be acted on so that they disappear or are reduced.

Risk reporting and communication - different levels in the organization should have different information about the risk management
process.

ADMINISTRATION:
• Become familiar with the most important risks
• Become familiar with the consequences of the realization of these risks
• Have an elaborate communication system
• Report everything to the management immediately
• Be sure that the risk management process is good
• Adopt risk management policies

ORG. UNITS:
• Be sure that a certain risk belongs to their area
• Define performance indicators that enable process monitoring
• Ensure the conditions for combating risks
• Ensure the possibility of communication

INDIVIDUALS:
• Understand your responsibility
• Have the skills to take action to reduce risk
• Understand that risk management is an essential part of org. cultures
• Reporting to the management about everything (lack of controls, errors, successes...)

There must be reporting to the outside, to shareholders and everyone interested in the business. Reports must show:
• How to protect the interests of shareholders
• Transparently presented risk management process

Attitude towards risks - this is the process of selecting and implementing measures to reduce risk, but also ways to avoid
risk, transfer it, and the like.
In relation to risk, you should:
• Determine effective and efficient operations within the organization
• Effective internal controls
• Compliance with laws and regulations.

The basic criterion that must be respected is that the cost of acting on the risk does not exceed the damage that the realization of the risk
can do to the organization.

Process monitoring and review of risk management - this part is necessary because the organization is alive, circumstances change on a
daily basis that influence the creation of new threats, new vulnerabilities ... therefore, constant monitoring and review is needed in order to
be up to date and able to react in a timely manner.

In the risk management process, clear roles and responsibilities must be set
Administration:

• assessing the nature of the risk and defining the level to which it must be reduced in order to be acceptable for business
• assessment of the probability of risk occurrence
• determining the way to manage unacceptable risks
• defining the company's ability to minimize the probability of the occurrence of threats and their impact on business
• identifying the costs and benefits of risk and determining control activities
• defining criteria for measuring the effectiveness of the fight against risk
• consideration of the impact of risk on the decisions of the Management Board.

Executive directors

• have responsibility for the daily implementation of risk management
• should spread risk awareness within the areas they manage
• employees should be introduced to the objectives of risk management
• must ensure that risk management becomes an equal topic with all other topics at management meetings.
• must ensure the inclusion of risk management in the project as one of the phases of the project, without which the project itself
cannot be successfully realized.

Management and executive directors jointly

• enact risk management policy and strategy
• define risk management at the strategic and operational level
• create a culture of risk awareness in the company
• ensure risk monitoring processes
• coordinate activities in the company related to risk management
• develop responses to risk (what to do if risk is realized - business continuity programs)
• prepare reports on risks for owners and all others who are interested in business.

Internal control

• controlling the management of critical risks (identified by management)
• pointing out possible failures in the management process
• assistance with risk identification
• coordinating risk reports to the Board and owners...



THE BOARD

The board must have a clear business vision and strategy (including a risk management strategy).

They need to develop a culture of "awareness" of the existence of risk.

Management's task:

 define strategic risks that affect business
 adopting a risk management policy
 communication through the organization (suppression of the "sacred cow" syndrome)

How to do it?
 Change the practice of choosing people: ABILITY instead of ELIGIBILITY
 Reduce vanity and accept the need for learning and improvement
 Apply techniques: SWOT analysis, BSC, 4A approach

THE RESULT:

 Identified strategic risks and adopted risk management policy
 Quality communication in the organization is ensured

THE METHODOLOGY ACCORDING TO RISK MANAGEMENT MODEL ISO 31000 IS APPLIED ON EACH OF THE LEVELS, BUT WITH A DIFFERENT LEVEL OF DETAIL

Levels:

 Top management – The Board
 Tactical (middle) management - managers, supervisors
 Operational management - foremen
 Direct executors - workers

Across all levels: COMMUNICATION and AUDIT

Steps:

 Defining the context - determine the domain on which we concentrate
 Risk identification - the problem here is how to objectively determine threats and their impact
 Risk analysis - defining threat/consequence pairs; risk prioritization; analysis of existing controls
 Attitude towards risk - acceptance, transfer, risk mitigation; proposing new controls (management, technical, operational)



Roles in risk management

In risk management, the goal is to reduce risk to an acceptable level. Necessary supporting activities are:

• efficient and effective operations in the organization
• effective internal controls
• compliance with laws and regulations.

Management and executive directors are responsible for carrying out these activities.

Management roles in risk management:

• assessing the nature of the risk and defining the level to which it must be reduced in order to be acceptable for business
• assessment of the probability of risk occurrence
• determining how to manage unacceptable risks
• defining the company's ability to minimize the probability of the occurrence of threats and their impact on business operations
• determination of costs and benefits of risk and determination of control activities
• defining criteria for measuring the effectiveness of the fight against risk
• consideration of the influence of risk on the decisions of the Management Board.

The roles of executive directors are:

• have responsibility for the daily implementation of risk management
• should spread risk awareness within the area they manage
• employees should be introduced to the objectives of risk management
• must ensure that risk management becomes an equal topic with all other topics at management meetings
• ensure the inclusion of risk management in the project as one of the phases of the project, without which the project itself cannot be successfully realized

In addition to the roles mentioned above, the Board and CEOs have a joint role to ensure effective
and efficient risk management, which means that they:

• adopt a risk management policy and strategy
• define risk management at the strategic and operational level
• create a culture of risk awareness in the company
• ensure risk monitoring processes
• coordinate activities in the company that are related to risk management
• develop responses to risk (what to do if the risk materializes - business continuity programs)
• prepare risk reports for the owners and all others who are interested in the business

For effective risk management, the company also needs internal control.
The roles of internal control are:

• controlling the management of critical risks (identified by management)
• indicating possible failures in the management process
• help with risk identification
• coordination of risk reports to the Management Board and owners...



VELIBOR BOŽIĆ

Ability management
Capability management aims at continuously improving the capabilities of employees so that the
organization is of high quality in performing its own activities. With capability management, there is a whole
process of activities that must be undertaken. The first activity is defining the vision, strategies and strategic
goals of the organization. Namely, it is necessary to define the necessary abilities of employees in the context
of the vision, strategies and goals. One should ask what the purpose of the organization is and what kinds of
capabilities are needed to achieve that purpose. The second step in the capability management process is to
divide the required capabilities into specific capability areas at different levels of the organization. It is
necessary to create the so-called competence centres, i.e. places within the organization that are made up of
a team of experts for a specific area. These capability centres are connected to specific processes and people
in them, and enable globally defined capabilities at the level of the organization to be mapped to the level of
the individual. In the competence centre, the key competences needed to perform a specific job are defined. In
doing so, the current situation must be analyzed and compared with the desired state. Based on the analysis,
the competence centre develops a plan explaining how a certain type of competence should be developed.
The next stage is the implementation of the plan at the individual level. In order for the employee to be
able to fulfil his tasks well, he must be provided with certain abilities. Implementation of abilities is carried out
through discussions of experts from ability centres and individuals, through different methods of training,
learning and the like. Finally, through the implementation of capabilities to each individual, the capabilities of
the organization as a whole are increased.

Aspects of capability management

When observing the management of capabilities, it can be said that there are three aspects of
observation: the organizational aspect, the aspect of the current and future situation, and the aspect of the
content of capabilities. When looking at the organizational aspect, for the successful management of
capabilities one needs to know whether it is the capabilities needed by an individual, the capabilities to perform
a job, the capabilities of a team, department or the entire organization. From the aspect of the current or future
situation, capability management is different if one wants to know the current situation or analyze the needs for
the future. From the aspect of the content of the capabilities, again, management differs with regard to whether
they want to develop general, functional, process or key capabilities.

Capability management strategies

For the successful management of abilities, it is necessary to define ways to develop certain abilities.
In principle, it is known that the strategic goal of capability management is to improve the comparative
advantages of the organization with the help of capability development, process improvement and application
of information technology/information systems. This also means a systematic analysis of existing capabilities
at the individual, team and organizational level. How to achieve all of this? One of the strategies takes care of
cost management, differentiation of activities and focusing on specific activities. Thus, capability management
is limited by allocated funds. The second strategy takes care of the quality of the work done in terms of quality
management and creating processes. There, operations and work efficiency are continuously improved.
Today, the prevailing strategy is to define the key capabilities needed by the organization. The main task of
management in this strategy is to discover, maintain and improve the capabilities of the organization.
Identification of key capabilities

The key capabilities of an organization are those capabilities that are necessary for the organization to
be competitive on the market. The concept of key capabilities should only be used at the organizational level.
The identification of key capabilities is quite a difficult task and requires a great deal of knowledge
about the organization itself and the environment in which it functions. Answers to the following questions help
to identify key capabilities:

 Does the ability have an impact on added value for the customer?
 Can the ability influence the increased competitiveness of the organization?
 Can the ability be incorporated into business activities?

If the answers to all three questions are positive, then something is a key activity. In addition, it is important to
know the characteristics of key activities for identification. These are:

 there are between five and ten key activities
 key activities bring the organization a specific advantage on the market, bring additional value to customers, are difficult to copy
 their development takes three to five years
 they are a combination of knowledge, skills, technologies, processes and methods
 key activities are created gradually through the accumulation of learning processes in the organization.

Identification of key capabilities is difficult because no concrete recipes are offered on how to do it. Only a
framework is defined within which each organization takes care of key capabilities, depending on the specific
situation.

Organizational Capability Architecture

When looking at an organization's ability, it can be said that it consists of key abilities that enable
competitiveness and additional abilities that are also important, but not necessary for survival. Key capabilities
have a positive impact on customers. They are further divided into capabilities within individual departments.
At the department level, abilities are still generalized. There, groups of experts make development plans
because abilities are defined in such a way that they can be connected to the level of individuals. The next
level in the capability architecture is the team level. In teams, abilities consist of the individual abilities of team
members. Finally, abilities at the level of individuals are very concrete. They include all the knowledge,
abilities, intentions, experience and contacts that individuals have.

In the end

Successful talent management requires an understanding of the vision, strategies and goals of the
business. This is necessary in order to be able to identify which capabilities the organization wants, i.e. which
capabilities it needs. For the success of capability management, it is necessary to define key capabilities.
These are abilities without which the organization cannot survive in the market. Implementing capability
management is a long process that involves continuous learning and is linked to strategic management and
performance management. Capability management actually combines the strategy making process with
performance management process and thus identifies, maintains existing and develops new capabilities at all
levels of the organization.
Capability management requires that everything is done in accordance with the vision, strategies and
goals of the business. It is a relatively new approach that offers an understandable way of developing
employee capabilities in the context of the organization's strategy.
Velibor BOŽIĆ

Business Intelligence
Business intelligence is the ability of an organization to create useful information from the data
it has. Today, this ability is essential for survival in the market. It enables better decision-making and
is a key part of the corporate information strategy. Namely, the organization's information assets
include a wide variety of data sources that are dislocated and diverse in composition. Business
intelligence helps to turn a huge amount of data and information into new knowledge. The goal of
business intelligence is to enable managers and leaders to make more efficient and effective decisions
in order to increase the profitability of the organization.

Development of business intelligence

Management requirements should condition the development of business intelligence.
Managers should use business intelligence as a powerful tool in the fight against complex and diverse
business operations within a changing environment. The key reasons why business intelligence should
be used are: industrial consolidation and globalization, the development of information and
communication technology, the development of a new, highly developed economy, orientation towards
the customer, requirements for comparative advantages.

The context of business intelligence


When looking at information assets within an organization, they can be represented as a
pyramid (Figure 1).
[Pyramid diagram, from top (MANAGEMENT) to base (TECHNICAL STAFF): Actions - decision making; Business intelligence and processing in real time - analysis; Data warehouse - organizing; Transaction bases - enrichment]

Figure 1. Context of business intelligence

At the base of the pyramid are transaction databases that collect raw data arising from business
activities. Data warehouses organize collected raw data into information. Business intelligence and
real-time analytical processing (OLAP) are used to analyze information and create new knowledge.
Finally, top management evaluates knowledge and manages activities and makes decisions.

In order for managers at the top to be able to make quality decisions, information should be
presented in the right way, which is enabled by the technical staff. It enables management to use as
much information as possible within the organization.
Problems related to business intelligence
Some of the significant problems with business intelligence are:

• implementing or changing business intelligence solutions requires a long time and expensive
consultations between management and experts

• management is often frustrated because business intelligence seems difficult to them, i.e.
they have difficulty focusing on critical business factors

• maintenance costs for business intelligence are often unreasonably high

The solution to the problem is better cooperation between managers and those who introduce
business intelligence and the sincere desire of both to succeed.

Key activities in business intelligence


The key activities are: data collection, data analysis, data understanding, risk management and
finally - decision making.

Data collection. Data collection refers to obtaining data from various sources. Data can be in
documents (lists, e-mail messages...), photos, images, sound recordings, web pages and the like. The
goal of business intelligence is for data to remain in digital form (scanned, recorded with digital cameras,
stored in databases, placed inside a web server...).

Data analysis. It implies the creation of useful knowledge from the collected information. The analysis
provides different assessments, trends, integrated and recorded information, evaluated models. The
process of data analysis is also called data mining or knowledge search. There are analysis tools such
as: probabilistic theories, statistical methods, operational research or artificial intelligence. All these tools
are built into existing software products dealing with business intelligence.

Understanding data. Understanding data refers to determining the context of information with regard
to the problem being solved. With this in mind, irrelevant information is thrown out, and only key
information essential for decision-making is used.

Risk management. This is the possibility to reduce the risk in the future with the help of business
intelligence, because situations in the future can be simulated, cost/benefit analysis can be done,
decision-making and results can be simulated.

Making decisions. Making decisions is the ultimate goal of business intelligence. Business
intelligence aims to predict important events such as changes in the market, various takeovers, poor
performance of staff and the like. With the help of forecasting, managers can react better and make
better decisions. These decisions can improve sales, customer satisfaction or employee morale. All this
enables the right information at the right time.

For the end


Business intelligence brings timely and fresh information that enables a better understanding of work and
the making of reasoned decisions in real time.
Business intelligence software provides access to various data sources and applications within an
organization. The software turns data into valuable business information in the form of reports, useful
tables or graphs.

Business intelligence solutions must be adapted to the specific organization in order to optimize
business processes, to improve proactive decision-making and maximize profits, i.e. minimize costs.
Velibor Božić

Conflict management

When employees work together it is often the case that they have conflicting goals and work styles. Therefore,
conflicts are a normal part of doing a job. Of course, if you know how to manage conflicts and if you know how to
communicate with conflicting people, you can turn a potentially destructive force into a chance for creativity and greater
productivity. Precisely because of the above fact, conflict management is a very important managerial skill.
There are different situations that can cause conflicts. Some of them are: lack of interest in the job, misunderstanding
of things or lack of information, change of job, actions taken by managers, evaluation of the success of the work done,
private problems that may affect the work activity.
There are two basic ways of managing conflict, informal management and formal conflict management. An informal
way of managing conflicts implies that managers and employees jointly initiate problem solving. It is openly discussed,
without mutual accusations. An attempt is being made to discover the source of the conflict. Conflict mediation services
are often used here. Another way to manage conflict is a formal approach. It is applied when the conflict cannot be
resolved through direct employee interviews. Here, conflict resolution processes are initiated through the completion of
formalized forms on the basis of which the investigation, hearing and finally arbitration are conducted.

What are the most common causes of conflict among employees? First of all, these are:

 the natural desire of man to be the first to explain his views in the hope of imposing them on
the other side
 the inability of people to be listeners; listening is much more than not speaking, it involves an
effort on our part to really understand the views of the interlocutor
 people's fear of not fulfilling their own ambitions, fear of losing something we believe in,
fear of the truth, fear of turning out to be stupid ...
 the assumption that we will lose if someone else wins; this attitude is overcome by
creating a competitive climate (thus defeat is not understood tragically).

There are techniques to alleviate conflicts or prevent them from occurring; they are described below.

In conflict management, whether formal or informal, two things are important: how to control the conflict and how to
communicate with people prone to conflict. In both cases there is a need to know what needs to be done and how
something needs to be done. When keeping a conflict under control, the procedure is as follows:

• one needs to talk to others - the most appropriate time for the conversation should be
determined, as well as a place where one can talk in peace
• one should focus on behavior and events, not on people - one should say, for example, "When it happened
..." and not "When you did it ..."; it is necessary to describe a concrete event, not to generalize
• one should listen carefully - one should know how to listen to what others are saying, instead of
constantly reacting; interrupting others in conversation should be avoided; we should repeat what
the interlocutor said to ensure that we understood everything well; sub-questions should be
asked to clarify ambiguities
• what you agree on should be clearly defined, where non-conflict points and points of agreement
should not be found; one should try to find a compromise
• one should rank the conflict areas - here the conflict areas must be ranked by the importance
of addressing them
• a plan for resolving the conflict should be created, starting with the most important thing - it should
be focused on the future, the dates of the next meetings should be determined in order to continue
the discussion (and assess what has been done)
• the plan should be adhered to - it should be implemented as agreed; people in conflict need to be
constantly monitored
• you need to work on your own success - look for a chance to progress;
acknowledge the success of others; congratulate the people you have been in conflict with.

In conflict management, another important ability is to communicate with conflicting people. There are almost
always people prone to conflict. The best defense against them is to know how to treat such people properly.
Here's what you need to do:
• one should be honest and direct - one should honestly and directly tell the person what bothers us about them;
e.g. "I can't do a job because of ...", "I don't care about you ..."
• one should listen carefully - here the ability to listen to others is important, not quarrels; one should avoid
interrupting the interlocutor; what we have heard should be repeated to make sure we have
understood everything well
• blame should be avoided - here one must focus on the facts; if the
conflicting person notices a mistake on our part, they will seize on it and solving the problem can be
difficult
• one should be focused - the matter must be discussed in detail, not generalized; one should
avoid deviating from the topic
• one needs to talk a little - the problem should be summarized and deliberately paused (let there be
silence for a while) before the person prone to the conflict responds.

It can happen that despite the stated knowledge about conflict control and communication with conflicting people,
conflicts do occur. If it is not possible to smooth it out by direct conversation of the conflicting parties, mediators or
arbitrators must be used. In conflict management, the role of mediator or arbitrator is taken over by managers who
have special knowledge of conflict resolution.
The manager-mediator must understand the views of the participants in the conflict, must influence their desire to
overcome the conflict (emphasizing positive views, emphasizing the possibility of compromise), must set rules of
communication, should lead meetings between conflicting parties, should equalize the power of conflicting parties,
should help develop a plan for future cooperation.
Another important role of managers in resolving conflicts is arbitration. The manager-arbitrator must perform all
the same activities as the manager-mediator, with the difference that in the end he makes a judgment that the
conflicting parties must respect.

Conflicts between employees are relatively common and can affect the business as a whole. Conflicts are normal in
situations where multiple people work together to solve a problem. In conflict management, it is important to turn the
potentially negative energy that erupts from each conflict into something positive (competitive spirit, desire to
succeed, etc.). Therefore, conflict management is an important task of management.
Velibor Božić

Customer relationship management

One of the dominant trends in today’s management is customer orientation. All levels and segments of
business direct their activities towards identification, categorization, understanding and serving customers.
Information gathering processes and marketing processes are particularly important for successful customer
relationship management. This does not mean that other business segments are not important. On the contrary,
orientation towards the customer should become the guiding principle for all existing and planned activities in
the company. The main areas of customer orientation include image, organizational culture, competition,
evaluations and quality. Orientation towards the customer has a great influence on the image of the company.
Everything from the company’s trademark, furniture and equipment, the colour of work uniforms, the colour of
the walls in the premises or websites on the Internet should be such that they meet the needs and expectations
of customers. The efforts and opinions of all employees are essential for customer orientation, regardless of
whether the employees communicate directly with the customer or not. All employees should work so that
customer expectations are met to the greatest extent. Companies that are ready to compete in the market,
and in relation to excellence for the customer, have a better chance of meeting the needs of potential
customers. In order to create manageable customer services, companies must create a system for collecting
and objectively analyzing customer information. This system must be properly evaluated to ensure that the
information collected is relevant to a particular customer. Otherwise, it is not of much use. In the past,
marketing activities were emphasized in the company, which usually included: market research and
segmentation, defining the market position, analyzing customer needs, creating a marketing plan and
evaluating the achieved results. These activities are the basis for defining the way of advertising, for defining
relations with the public, for distributing information and for "convincing" customers. In today’s companies, all
the listed activities are very important, but not sufficient for a real focus on the customer. Namely, if the
company wants to be truly oriented towards the customer and if it wants to successfully manage relations with
customers, deeper organizational changes are needed. The company should coordinate all business functions
related to the customer (directly or indirectly) and develop a systematic way of adapting, monitoring and
improving relations with customers. In order for customer relations to be successful, i.e. for the company to be
customer-oriented, the following is necessary:
• identify customers through market research, market segmentation and study of potential customers
• define offers, products and services for different customer groups
• identify strategic objectives and critical factors for sales and support in each market segment
• collect information about the wishes and needs of customers and use them as a basis for marketing
activities
• it is necessary to be sure that every change is a response to customer needs
• clearly define the cost-benefit ratio for each product or service and use this knowledge to introduce new
or improve old products or services
• it is necessary to monitor the competition and always strive for better ways of satisfying
customers' needs
• provide good employee training and instil in them the attitude that the customer is the
most important
• each customer should be considered separately (as a specific case)
• care should be taken to fulfil all promises about the quality of products, services and
customer support.
In order to successfully manage customer relations, it is necessary to keep in mind that customer
satisfaction is not something that can be achieved with an exact recipe. This requires constant
improvements of the entire business organization. The end result of customer orientation is customer
satisfaction. Customer satisfaction must be measurable. It is measured by answers to a series of questions
such as:

o Do you know who your customers are and how many there are?
o Do you listen carefully to the requests of each of your customers?
o Do you respond to customer requests in a timely manner?
o Do you give advice to customers regarding products/services?
o Do you know what the cost is if you lose a certain customer?
o Do you regularly communicate with customers?
o As a manager, do you know how many customer complaints you have?
o Does the top management agree on customer orientation?
o Does the management set a good example for customer orientation by its own
example?
o Does management also assess customer satisfaction?
o Does top management also discuss customer complaints?
o Is customer satisfaction part of the business vision?
o Is the customer satisfaction policy understood in the company?
o Are customers involved in executive processes and company development processes?
o Were the products delivered on time?
o Do you have a website and do you do business over the Internet?
o Do you stimulate employees for ideas related to customer satisfaction?
o Are the interests of employees and customers connected?

These are just some of the questions that can be used to measure customer satisfaction and thus get
feedback that is essential for managers to better manage customer relations.
It should be said that today there are also software tools within the so-called ERP (Enterprise Resource
Planning) information systems that help managers manage relationships with customers. These tools enable
easy collection and use of data about business partners. On the other hand, the Internet, as a global
phenomenon today, represents a medium of communication between companies and customers that speeds
up and simplifies business. Today, customers are increasingly self-confident, more sophisticated, have a large
choice, and are very demanding. Precisely for this reason, customer relationship management becomes
important for successful business. It must become part of them.
Human resource management
You can have the best business plans, vision and strategies that are great for
successful business, but if you do not have people who would put your ideas into operation,
i.e. take concrete action, you will not succeed in your intentions. People are a key resource
that enables business, so they need to be given due attention.

Successful human resource management requires a strategic approach to this issue.
Human resources need to be included in business strategies, but it is also necessary to
ensure the implementation of human resources activities such as selection of people, training
or a reward system. Strategic human resource management should provide an answer to
the question of what are the strengths and weaknesses of the company over the
competition, in relation to human resources. In addition, this managerial activity at the
strategy level should help in planning the organization of the business; it should provide an
answer to the question of what experts the company needs for better business. Strategic
human resource management also influences the adoption of comprehensive business
strategies.
When we talk about human resource management, managers should keep in mind
leadership, people management in the narrow sense and people's satisfaction. When we
talk about leadership we mean top management activities that provide conditions for
quality work of people. People management in the narrow sense includes employee
training, their involvement in decision-making processes, communication with employees,
teamwork, determining responsibilities and rewards to employees. People satisfaction is a
collective name for a series of activities that provide feedback on whether employees are
satisfied with their work or not. Managers must provide mechanisms through which
employees will express their opinion which is the basis for assessing employee
satisfaction.
It is very important that when managing human resources, managers set a personal
example. Through their own behaviour, managers should promote what they want to
achieve with employees. In other words, managers significantly influence the creation of a
certain organizational culture. Managers, for example, can promote a commitment to
quality, should take initiatives to improve business, should support continuous training of
employees, should encourage teamwork, should communicate with employees outside
formal forms (e.g. walk around the factory and visit employees at their workplaces) ...
Human resource management consists of three main activities: organizational planning,
teaming and team building. Organizational planning involves identifying, documenting, and
assigning business roles, defining responsibilities, and reporting obligations. Teaming (staffing)
means defining the necessary experts to work on specific projects. Team building means
developing individual and group skills in people that are important for performing certain
tasks.
Organizational planning is an important activity of human resource management because
it creates a framework for quality work of employees. What the organizational plan will
look like depends on what kind of work needs to be done (which processes and people
it is connected with) and on what technologies (types of knowledge) are needed to do
the job. The organization's plan also depends on which people or groups need to work
together to do the job. One of the biggest reasons for a specific type of organizational plan
is the requirement for certain skills of employees or teams (requirement for certain staff).
Last but not least, the planning of the organization depends on some limitations such as
organizational structure (matrix, project ...), existing skills of employees, collective
agreements and the like. Techniques for conducting organizational planning are:
• samples - taking models of organizational plans from some similar situations
• organizational theory - there are many books that can help managers in organizational planning
• analysis - primarily the analysis of shareholder (owner) expectations.

The end result of organizational planning in the context of human resource management is:
• assignment of roles and responsibilities - this defines who does what in the context of performing a particular job
• staff (people) management plan - this describes when and how certain people will be involved in the work; care should be taken to ensure that people are always optimally engaged and well motivated
• reporting system - this defines who reports on a particular part of the work and to whom it reports; the way of communication is defined through reports (between employees at the same level and upwards, i.e. according to the management 
• additional descriptions - this refers to a description of the skills needed to do the job; this is necessary to know in order to plan schooling if the required skills are lacking.
Another important activity in human resource management is staffing. This task of the
manager involves acquiring people who possess certain skills needed to do the job.
Teaming as a task depends on the staff management plan (which is defined in the
organizational planning), on the description of the staff and on the limitations in the
staffing. A job description is actually a set of criteria that a potential employee must meet,
in relation to previous experience, personal interests, characteristics and the possibility of
starting a business. Restrictions on teaming indicate a number of rules that may exist in
the company regarding employment. Techniques used for teaming are negotiating with
potential employees, signing pre-contracts and hiring. Teaming creates a set of employees
with the desired skills. Employees can work full time, part time, can work as external
collaborators, etc., depending on the terms of the contract. The second important thing that
results from teaming is the list of employees who participate in a job with a list of their
tasks.
When managing human resources, an important task of a manager is to create a team.
Creating a team is a complex task in which one tries to achieve that each employee is
confirmed as an individual, but at the same time that the work of each person is
harmonized into teamwork. When a team starts to form, it is necessary to take into
account what kind of employees we have at our disposal (what skills they have) and what
the business conditions are (what is the context in which a certain job must be done), and
to be aware of the staff management plan (see organizational planning!). Creating a team is not
an easy task. It takes three to five years for a quality team. Therefore, many activities need
to be undertaken to improve the work of employees in the team. This means that work
rules should be set, rules for resolving conflict situations, and the participation of team
members in planning should be encouraged. Team members should be motivated through
a system of rewards and recognition. It should be ensured that people working in a
particular job communicate with each other, preferably in the same space. Finally,
employees should be provided with ongoing training. What do you gain by creating a
team? Teams are a guarantee of improving performance, i.e. performing a certain job.
Within the team, each individual improves their own skills, and thus the work as a whole is
better done. Conflict situations are better resolved in the team, so employees spend more
energy on work, not on conflicts.
What to say at the end of the story? In today's globalized market, comparative advantages
are very important. They lie not only in the offer of products / services at a lower price, but
also in the special capabilities of the company, such as the speed of responding to
customer needs or the knowledge of employees. An increasing number of companies are
realizing that people could also be a comparative advantage. The awareness that an
educated, satisfied employee is the only good employee is increasingly prevalent.
Therefore, the development of employee skills, the development of organizational culture
in which people come to the fore (their knowledge, innovation ...) is increasingly
encouraged. Today businesses need to try to affirm the human resource management
system because it ensures constant business progress and competitive advantage.
Velibor Božić

Leader and manager

Leadership and management are two concepts that are often equated. Of course, these
terms denote different concepts. Both are vital to the success of an organization so let’s pay a
little attention to them.
A leader is a person who directs. He has a vision, he motivates, and he is full of enthusiasm.
A leader is a person who is respected and followed. The leader concentrates on the strategy,
identifies new opportunities, i.e. the chances of the organization, and moves the organization in a
new direction. He must have the ability to gain trust when directing the organization, he must have
the courage to take actions and risks, and he must inspire people and encourage their faith in
success. In order for a leader to be effective and efficient, some principles should be adhered to,
such as:
• personal example should convince followers of what he stands for
• should be optimistic and always think positively
• should strive for the best solutions (if you set high goals, you will achieve
more than if you have modest ambitions at the beginning!)
• one should strive for simple solutions in everything that is done
• one should reward a positive result
• one should communicate, which means, listen carefully and talk openly.
If the leader adheres to the above principles, the followers will be more loyal to him and leading as
a process will be much easier.
A leader may or may not be a manager. Namely, leadership is an important characteristic of a
manager that he has or does not have. Not every manager is a leader. It is a common situation
that leaders act informally within the organization, i.e. they are not members of formal management
structures. If so, managers must recognize this fact and use it for the benefit of the organization.
This is important because employees in the organization can perceive managers as rulers,
enforcers of rules, i.e. as persons whose power comes from their position, not knowledge. This can
be dangerous for the organization. Therefore, if managers are not also leaders, they should
recognize real leaders and take advantage of their influence in the organization.

On the other hand, when it comes to management it should be said that effective management
not only involves leadership but also needs to have formal authority to fulfill its task.
The main task of the manager is to implement the vision and strategy in order to maximize the
business result of the organization. When accomplishing his task, the manager should perform the
activities of organizing, planning, teaming, directing (leadership in the narrow sense!) and
controlling. For all these activities, the manager must also have formal power, i.e. the ability to
command arising from the hierarchy. In addition, managers must have the skills needed to carry
out the above activities. These skills are:

• information skills - the ability to collect and disseminate information, the ability to define
attitudes and possess knowledge that helps the organization, employees and owners

• interpersonal skills - the ability to lead (see principles of leadership)

• decision-making skills - the ability to seek new and better opportunities for the organization, to allocate
resources, and to negotiate and resolve conflicts.

The manager must coordinate the work of employees, other managers, departments and resources.
The strategy should be operationalized on a daily basis, tasks should be set for employees that are in
line with the set goals, communication should be improved, and activities such as employee training,
and rewarding or disciplinary measures should be encouraged. Managers need to allocate staff and
other resources, organize internal control and oversee business processes. These are just some of the
activities that are present in the job description of a manager.

In the end, it should be said that the leader and the manager can be in the same person, but that
is not necessary. It is important that managers recognize leaders and use their knowledge and
possible charisma among employees to make the organization do better. If he is a manager and
a leader, by the logic of things, he should deal with strategic management, which means that he
brings a vision and defines a strategy, i.e. a method of implementing the vision into action.
Lower-level managers deal with implementing the strategy in activities to ensure better business.

It would be ideal for an organization to have leaders in addition to managers. Namely, leaders
know what needs to be done, and managers know how to do it. In the end, the result should be
an efficient job done in an effective way.
Velibor Božić

A learning organization
A learning organization is such an organization that affirms learning as a continuous
process. It encourages the constant learning of employees and the exchange of information between
them. In this way, new knowledge is created, necessary for the successful performance of work. In
addition, a learning organization is very flexible, i.e. people accept and adapt new ideas and
changes through a shared vision.
The reason why learning within the organization is emphasized is the ever greater and more
fundamental changes in the environment in which a company or institution operates. Today, only
those organizations that are able to learn quickly and then innovate their own business have an
advantage over the competition.
Any organization can relatively easily determine whether it is successful or not (whether it needs to
learn or not). By answering a series of questions, one can determine why a learning organization is
needed. The questions are: are employees unmotivated or uninterested in work, do they lack skills
or knowledge to perform work correctly or to get new jobs, do employees have their own ideas for
improving work (and are ideas rewarded) or do they just follow orders, whether managers and
employees communicate sufficiently, whether more employees have knowledge about something
or whether there are "experts" without whom panic arises, whether problems are discussed in the
organization or learned about from customer complaints...
If you answer negatively to just one of the above questions, you need a learning organization.
In order for an organization to start learning, some prerequisites must be met.
• The organization must be sure that the knowledge is necessary before starting to transform
into a learning organization. Learning should be affirmed at all levels, not only among
managers. This means that a climate conducive to learning needs to be created within the
company or institution.
• The organization must be decentralized in the sense that each individual understands his
own structure and goals to be achieved. The organization must be flexible and encourage
innovation. In addition, it should be possible to provide information to employees and to have
dialogue between management and employees. In this way, problems can be spotted and
mistakes can be prevented.
• Leadership is an essential prerequisite for a learning organization. The leadership must
be such that it accelerates the concept of the so-called systems thinking and that it
encourages learning that helps employees and the organization as a whole. Leaders must
help people understand the changes; they must enable them to understand competition as
learning, not as hostility. In addition, the leadership should provide the logistics (money,
people and time) necessary for learning.
• The focus of control should shift from managers to employees. Employees should have
more responsibility for their own actions. The task of management is to encourage,
enable and coordinate the performance of work.
• Finally, the prerequisite for creating a learning organization is learning itself.
Management should learn based on models of real situations with the help of simulation games. Through
these games, managers acquire the skills necessary to create an organizational climate that encourages
employees to learn. In addition, mistakes that could occur in reality are observed, and it is learned how
to avoid them.
There are different strategies for introducing a learning organization. Any
organization that introduces learning as a model of its own existence can do so in different ways.
However, three strategies can be singled out: accidental approach, subversive approach and
declared approach. The accidental approach is reflected in the fact that many organizations
unknowingly, i.e. through the realization of some other business goals, founded a learning
organization. The subversive approach of establishing a learning organization differs from the
accidental approach only in the degree of conviction. Namely, here, a learning organization is
consciously introduced (and not accidentally), but its ideals (constant
learning, better communication, encouraging innovation...) are not openly proclaimed. The declared approach implies learning
as part of the organizational culture. The principles of the learning organization are here part of
the "speech" of the organization, they are expressed openly, and they are an integral part of all
initiatives of the company or institution.
Every learning organization has certain rules that must be followed. These rules are:
• don’t be afraid of changes - a learning organization feeds on changes; changes are
new knowledge that needs to be mastered
• experiment - a learning organization encourages experiments because they are a necessary
risk in advancement; experimentation should be rewarded, not punished
• discuss - every success or mistake should be discussed through conversations,
reviews, reports, diagrams and the like
• learn from examples from the environment - you need to find internal and external
sources of information; you should learn from the experiences of other organizations;
customers’ needs should be kept in mind and learned from
• learn from employees - encourage participation and experimentation; invest in
training, give employees authority, but also define responsibilities; minimize
hierarchy
• reward learning - everyone wants a reward for what has been done; measure
achievements and reward
• be clear - define goals and expectations clearly and unambiguously
• be caring - take care of employees; you need to find a way to ensure employee
protection.
By following these principles, a learning organization will be effective. In a learning organization,
the key potential is people and their behaviour. When it comes to human behaviour, there are certain
areas that must be supported within a learning organization. Areas that are critical to success are:
team learning, shared visions, mental model and personal advantage.
• Team learning - all important decisions are made in groups through the exchange of information.
The basic unit of learning is the group, not the individual. People learn best from each other. A
synergy effect is achieved through team learning. A team as a group knows more than the sum of
individuals.
• Common visions - in order to create a common vision, all individuals in the organization must
understand what the common goals are, how to reach them and how they themselves can
contribute to achieving the goal. The vision is shared because people do certain things
voluntarily, not because they have to.
• Mental model - each individual has his own image of the world, his own ideas and prejudices.
A learning organization must challenge people to openly discuss ideas and prejudices, to reflect
on their own and others’ mental models, and to create a shared team mental model. This is
essential for the success of the joint business.
• Personal advantage is a process of continuous refinement of one’s own visions. A learning
organization should encourage the development of employees’ visions of job improvement. In
this way, employees are encouraged to feel useful and self-confident.
A learning organization must encourage employees to develop the so-called ability of systemic
thinking. It is the ability to see the bigger picture, to notice certain interdependencies, i.e. the
structure of work performance. Systemic thinking is the ability to achieve set goals through
cooperation, to see the need to perform some tasks that indirectly (and are necessary!) contribute to
the successful performance of work. Prerequisites for systemic thinking are the areas of employee
behaviour described above, i.e. team learning, shared visions, mental model and personal strengths.
A learning organization requires a certain type of behaviour. This also implies the fact that certain
types of behaviour are undesirable. For example, new ideas should not be rejected just because
they are new. One should not be suspicious of the new. On the other hand, one must not be
uncritical. We need to find a balance between criticality and uncriticality. Problems should not be
considered as a sign of mistakes but as a chance to gain new knowledge. All changes must be made
publicly. They must not be unexpected for employees. Behaviour must be such as to enable
efficient and effective business.
A learning organization provides many benefits. These are:
• Development of human potential through better motivation, flexibility of employees,
greater creativity and improvement of social contacts.
• Teamwork is better because the sharing of knowledge and the interdependence of team
members increases.
• The organization as a whole progresses because traditional barriers in communication
are broken down, contacts with business partners are better, information resources are
developed, innovation and creativity are encouraged.
Organizations that learn are necessary, because in the future, in order to survive on the market,
more and more investments will have to be made in the knowledge of employees, and this is due
to sophisticated technology, the increasing amount of information that will need to be processed,
due to increasingly ruthless competition, due to the increasing demands of customers.
A learning organization is not a tangible goal, it is a desired concept. The method of its
implementation is not unambiguous. Each company or institution should find its own way of
implementing a learning organization. This organization is necessary if one wants to survive in
the global market. Changes and constant adaptations are the only way to survive, and they can be
implemented through a learning organization.
Velibor Božić

Management and informatics


(or how an ERP system can help management)

Today, management and informatics are mutually dependent. Management knows what needs to be done, and how,
and IT enables the work to be done in a quality manner. Everyone more or less knows this fact, but many support it only
verbally. There are few people who really see the benefits of applying informatics in management. Therefore, this text
discusses informatics from the aspect of its usefulness for management.

WHAT IS THE PROBLEM?


The question is what is the basic problem or obstacle in understanding the role of IT in the company. Primarily, the
problem lies in misunderstanding, i.e. in running away from the unknown. It is a subjective problem of each person, so I
would not waste too many words on it. The objective problem that arises is the assessment of the usefulness of
informatics as a function for the company. Why? Informatics, by its very nature, is a specific activity in business. The
specificity is reflected in the need to invest a lot in it, while the results are often "intangible", only indirectly visible. Therefore, it
is necessary to look at informatics differently. Namely, every management is interested in, among other things, the
justification of the existence of a certain function in the organization, costs, efficiency and effectiveness of operations...
Informatics is also one of the areas of interest of management. What troubles managers today is how to measure the
productivity and efficiency of IT in the organization. They are aware of the necessity of the existence of informatics (it
enables the achievement of strategic goals), but they are concerned about the necessity of relatively large investments in
informatics that do not show direct results, i.e. they cannot be measured only by traditional financial indicators such as
return on investment (%) or return on investment time. It is often the case that a lot of money is invested in IT, in a
so-called integrated information system that in practice proves to be insufficiently effective for solving everyday problems
in the company. The consequence of such a situation is increasing frustration in business and the marginalization of
informatics as a function, which is a big mistake.

PROBLEM SOLVING
There are various ways in which informatics can be applied in a high-quality manner in business and in which the
success of informatics as a function can be measured. The so-called ERP (Enterprise Resource Planning) system stands out as a
high-quality IT solution that helps in better business, and the evaluation of the application of the ERP system can be
carried out by the so-called Balanced Scorecard (BSC) method. Before the ERP system is introduced into the business, it
is also necessary to carry out a BSC analysis of the business in order to identify what needs to be computerized with the
help of the ERP system. In order for investments in computerization to be fruitful, good preparation is necessary. The fact
is that the introduction and application of information technology (IT) alone does not mean much. It was observed,
contrary to expectations, that if the introduction of IT is not understood as a project, then it represents a large investment
that has no effect. IT makes its real contribution if it is given the same attention as all other investments in the company.
Introducing IT and building an ERP system is a long-term and expensive undertaking that should not be taken lightly. The
association with the introduction of information technology is money, time and performance. It is known that during the
construction of the ERP system and the introduction of information technology, a lot of money and resources (which can
be expressed in money) are invested and spent, and the efficiency of the investment is low. THE MAIN CAUSE OF
SUCH A SITUATION IS INSUFFICIENT PREPARATION FOR ENTERING INTO SUCH A COMPREHENSIVE JOB. This
means organizational unpreparedness and inadequacy as well as insufficient professional equipment (EVERY PERSON
IS IMPORTANT!!!). It often happens that managers, due to their incompetence in the field of informatics, due to
insufficient consultation with professional colleagues (or perhaps due to something else), agree to introduce ERP systems
(which in many cases are meet the specifics of a certain company’s operations. It happens that these outsourcing
companies do not cooperate with IT specialists within the company in a quality way and the end result is bad. This is a
great danger that causes great expense without the desired result. In order to overcome this danger, it is necessary to
familiarize managers in detail with the advantages and disadvantages of hiring external collaborators in the introduction of
the ERP system; it is necessary to explain to them what the ERP system is, why it is needed, how it is introduced and what
prerequisites are necessary for its successful introduction. Therefore, in the follow

ERP (Enterprise Resource Planning)
is a software solution that meets the needs of companies by observing business processes. In this way, it enables the
fulfilment of organizational goals and the integration of all business functions. This system enables computerization of all
company activities, connects the company with customers and suppliers, and enables image enhancement. ERP is
necessary because it enables the complete integration of all business in the company, enables better project
management, better customer service, and enables the application of the latest technologies and a large source of a wide
variety of business information needed for better decision-making. In addition, ERP enables business development and
enables the company to stand up to the competition in a better way.
With the help of the ERP system, the following are most often computerized: sales and marketing, planning, procurement
of materials, warehouse operations, production, retail, finance and accounting, and logistics. A quality implemented ERP
system is the basis for quality management decision-making. Informatics helps quality decision-making with the help of
tools such as: decision support systems, management information systems, reporting systems, data mining systems or
early warning systems (so-called intelligent agents). However, a prerequisite for the introduction of any of these systems
is a quality ERP system.
In order for the ERP system to be effective, it is necessary to carry out a business analysis before its introduction. One of
the most effective methods that can be used to do this is the so-called Balanced Scorecard method. In addition to
"classic" financial indicators, it also analyzes the company’s so-called intangible assets, such as business
processes, relationships with customers and suppliers, and the level of knowledge in the company. The results obtained
from the analysis are measurable and based on them it is decided whether to introduce the ERP system and to what
extent, i.e. which function will be computerized.
When you decide to go for computerization, you have to decide how to do it. Should you hire external consultants, an
external IT company that will make the software, should you buy ready-made software (ready-made solutions such as SAP,
BAAN, Oracle, PeopleSoft...), should you develop the software with your own resources, or maybe combine these options?
There are numerous implementation options, but there is no universal recipe for how to go about computerization. It all
depend

After implementation, it is necessary to continuously monitor the operation of the ERP system and measure its
efficiency and effectiveness (again with the help of the Balanced Scorecard method) in order to obtain the feedback
necessary for future system improvements.

CONCLUSION
Here, emphasis is placed on the so-called ERP system as an IT tool that helps management to make better decisions.
In addition to helping management, this tool enables better business as a whole. It gives the right results if it is applied in
combination with the Balanced Scorecard method. Together, these two concepts have a synergistic effect on the overall
business.

Motivation
When you are faced with a tight deadline or you are in a complex situation, the last thing you
think about is people. When you are in a real struggle with a problem, you certainly want cooperation,
speed and rationality in your team; you don’t want people who aren’t working properly, who aren’t
motivated, or who aren’t concentrating for reasons unrelated to work. But such things happen and the
manager must face them. The manager must be able to manage people in a way that minimizes
external influences on the work of the team and to ensure optimal performance.
The question is how?
As a leader, the manager must know his people well, i.e. their habits and even the
problems they face. The manager should be an authority that sanctions but also
rewards. So he has to emphasize responsibility, he has to encourage employees and
support them in doing their job. In addition, his behaviour should set an example to
others.

Behaviour

Every manager must observe their own behaviour. Always start from yourself when
evaluating your co-workers. Ask yourself how you communicate with co-workers. Are
you a dictator or a democrat? Do you ask co-workers what bothers them? Do you treat
them like an unquestioning authority or do you try to be their friend or at least a partner?
Do you spread fear or are you willing to listen to others? These are just some of the
questions a manager must ask himself if he wants to communicate correctly with co-
workers. Honest answers to these and similar questions can be a corrective to a
manager’s own behaviour. Willingness to improve one’s own behaviour can have a huge
impact on better performance. Open communication, without hidden dissatisfaction,
contributes to more efficient and successful problem solving.

Motivation

When thinking about motivation, it should always be looked at in the long run.
Throughout the process of solving a problem, the manager must maintain the
enthusiasm of the team and the team's faith in a positive solution to the problem. This is
not an easy task, but it is necessary for work efficiency. Motivating employees is a
complex job. The ways of motivation are different, e.g., salary and incentives, working
conditions, or company policy. These are the so-called classic ways of motivation that
are not so successful precisely because they are common and employees do not
perceive them as motivation but something that is taken for granted. Therefore,
additional forms of motivation should be sought.
First of all, the team should be motivated by convincing them of their own value (the
importance of each worker to do the job). Employees should be motivated so that they
feel the trust that the manager has towards them, they should be motivated by
emphasizing the responsibility they have and through public thanks for a job well done.
In the following, some aspects of motivating people that are important for human
resources management will be highlighted.
• Achievement
Managers must set goals and should be very careful because the work of the team
depends on the set goals. Namely, if the goals are set too high, the team will be
frustrated because despite the desire they will not be able to meet the goal.
Conversely, if the goal is too easy, the team will feel underestimated or will not try
hard enough. It is ideal to set a number of sub-goals and do so gradually. This
means that by achieving one sub-goal, one moves on to fulfil the next if possible.
In short, people's motivation is also achieved through setting realistic, achievable
goals that are recognized by employees.

• Recognition
One of the powerful motivational techniques that a manager must use is to give
recognition to employees for a job well done. No one likes to do something
without being rewarded for it. Managers must always keep this fact in mind. At
all times, employees must be clear about what they have done well, what they
need to improve and what is expected of them in the future. The answers to these
questions can be obtained very effectively by the manager by shaping the
question into recognition for the work done. Namely, the manager should, after
the job is done: point out what is good, emphasize what should be improved and
suggest how to improve things. In other words, the manager must always act
towards co-workers in a positive way. When acknowledging work done, one
should be precise (say exactly what is good and what is not; do not use general
phrases). Recognition for the work done is important because as a form of
motivation it allows employees to do their job better in the future because they
know what they did well and what they didn’t.
• The job itself
The manager should ensure that the job itself is interesting and challenging and
as such to be a source of motivation. This means that the job must occupy the
employees completely and it should allow the employee to feel that he has
contributed to solving the problem. The worst that can happen to a manager is
giving co-workers boring jobs. The manager should start from the fact that there are
no boring jobs. There can only be bad ways in which some jobs are done. The
manager should avoid boredom in performing work by giving certain tasks, over
time, to other associates or by sharing certain tasks to a larger number of
associates.
• Responsibility
One of the strongest forms of employee motivation is giving a sense of
importance to doing a particular job. In other words, the manager should
emphasize the responsibility of the employee to perform a particular job. In this
way, it is achieved that employees take the assigned task more seriously and
perform it better.
• Progress
Progress as a form of motivation can be viewed in the long and short term. In
the long run, we can talk about progress in recognizing better worker status, progress
in pay or progress in doing work more efficiently. In the short term, progress is
reflected in increased employee responsibility, the acquisition of new skills and
increased experience in doing a job. The manager should provide such a form of
doing the job that every employee feels that through doing the job he learns and
progresses and that he will benefit from doing some work in the future.

Motivation is an essential part of managerial work. It is important to motivate people well
so that they can perform their tasks more successfully and efficiently. The motivation
process itself is not easy. What the motivation will be depends on the specific situation
and the specific people. Therefore, one should be careful with motivation but also decisive
in its implementation.

Velibor Božić

Organizational culture

Understanding and having an organizational culture can mean the difference between success and
failure in today’s changing business environment. Despite this fact, management often thinks of organizational
culture as a desired category, i.e. does not look at it objectively. It is very important to realistically assess the
organizational culture; you need to be aware of how the leader (i.e. management) affects the creation and
maintenance of organizational culture.
The strongest indicator of organizational culture is what management pays attention to and rewards. It often
happens that this is completely different from what is publicly proclaimed. When each of us thinks about the
organization in which he is employed, what can he say?
Does management encourage or discourage innovation and risk-taking, reward employees for new ideas and
new ways of doing business, or punish them for introducing new ways of doing business? Is the management
ready for change or does it want to maintain the status quo? Does the organization strive to be a centre of
excellence or to swim in mediocrity? Do employees have the right to vote in decision-making or not? These are
just some of the questions whose answers tell us what the organizational culture is in a company or institution.
What exactly is organizational culture? Organizational culture is not a set of values created at a board meeting
or team of managers. Likewise, it would be ideal for the organizational culture to be made up of the beliefs and
norms to which the organization aspires. But it’s not quite like that. Organizational culture consists of existing
beliefs and norms expressed through the daily practice and behaviour of all employees, from the general
manager to the cleaning lady. So when trying to define organizational culture, one should start from the existing
situation. You need to have the courage to look in the mirror and admit to yourself all your weaknesses so that
you can qualitatively determine what we really want, what we strive for. A key step in defining organizational
culture is to understand the difference between the real situation and the ideals we strive for as an organization.
That is the task of management. This confrontation of management with the truth can be painful. Namely, the
management can see that not all its decisions are implemented in practice. In this case, the ability to take risks,
initiate and manage change and conflict should be applied. Through the implementation of all these activities,
the organizational culture is defined. In other words, assumptions, values and standards that influence the
behaviour and implementation of the business process within the organization are defined.

The culture in the organization operates on a conscious and unconscious level. It is reflected in visible facts, but
also in deep-rooted and invisible prejudices. Precisely because of this unconscious part of organizational culture,
it is much more realistically assessed by people outside the organization than by employees within the
organization. Employees are often burdened with some prejudices that are an obstacle to quality assessment of
the culture in the organization.
Culture drives an organization and its activities. It determines employees’ thinking, actions and feelings. It is
dynamic and partly intangible. An important part of it is the so-called artefacts. Artefacts imply that part of
organizational culture that is visible. These are, for example, the arrangement of workspaces, employee clothing,
organizational structure and processes, rituals, symbols or celebrations. Thus, artefacts are concrete indicators
of organizational cultures. In addition to the already listed artefacts, there are also trademarks (logo), brochures,
slogans, status symbols and the like. If someone from outside comes into the organization, they first notice the
artefacts. Employees who are within the organization perceive artefacts as a secondary part of organizational
culture, i.e. as its background.
The key thing in understanding organizational culture is recognizing the role of the leader. Namely, it is often the
case that the organization reflects the personality of the leader, including its negative sides. So, if the leader, for
example, avoids conflicts, it will not be a miracle if conflicts are not resolved in the organization either. The
behaviour of management is reflected on the entire organization. Through what is important to management,
through the system of rewards and punishments, the culture of the organization is reflected.
Why does an organization need culture at all? First of all, because of the optimization of the ability to meet
strategic goals. Culture in this case encourages and guides the behaviour of all employees in doing business. If
the organization is aware of its own culture, it can help it spot shortcomings in its own business, it can help it
analyze its own position in relation to the competition and possibly change.

Organizational culture is often imposed through the organization, gender units, or even in different regions.
Businesses or institutions often possess a high degree of cultural integration. That, however, is not good. Large
organizations often possess great cultural diversity, so the imposition of a single, unique style of behaviour can
cause conflicts.
Management must be aware of this fact. There may be different subcultures in an organization that differ in
certain characteristics, norms, beliefs and values. Management needs to prioritize this diversity and ensure the
coexistence of subcultures. Subcultures in the organization can differ in function (e.g. engineers versus sales
staff), hierarchy (management versus workers), departments, headquarters, geographical area ... It is very
important to take into account the above facts. Management should tolerate and support a certain level of
cultural differences. A measure needs to be found between the core values and principles that must be
respected throughout the organization and all other cultural specificities.
Organizational culture must have the ability to change. This is necessary if the organization wants to survive.
Constant changes in organizational culture are driven by many factors such as: rapid technological progress,
changes in industry and the market, changes in regulations, aggressive competition, globalization, increasing
organizational complexity, new business models.
In addition to changes in organizational culture, the success of the organization depends on the preservation of
traditional values in parallel with the changes. In fact, a successful balance between preserving the traditional
elements of organizational culture and the constant introduction of new elements of organizational culture is the
secret of success.
Organizational culture, as a set of beliefs and norms expressed through practice and behaviour, needs to be
well known. Organizations need to be aware of their own culture in order to be able to compare themselves with others,
to be able to spot possible shortcomings and work on correcting them. Understanding the organizational
culture and its constant upgrading can give the organization a great business advantage over the competition
and can save a lot of time and money. Organizational culture is not some imaginary concept but a series of
very realistic actions (conscious and unconscious) within an organization that enable more efficient and
effective business.
VELIBOR BOŽIĆ

Outsourcing

Nowadays, the management of human resources in an organization is very important. Very
often, managers evaluate whether it is profitable for the organization to hire staff to perform certain
tasks or whether it is better to find partners - external companies - that would perform certain tasks
for the organization. The criteria that are most important when solving the above-mentioned
dilemma are: the possibility of reducing costs, quality and constant service, the possibility of
decision-making based on numerous data and facts. For example, take the IT department.
Managers will opt for an external IT company (therefore they will not have employed IT specialists)
if it is estimated that this will reduce costs with satisfactory quality of the obtained information
essential for timely decision-making.

At first glance, outsourcing is an intelligent solution. It enables the adaptability and innovation
needed by the organization. It brings the possibility of introducing new technologies, enables
continuous progress and, in a word, helps the organization achieve its goals. Let's say in IT,
outsourcing can help in the transfer of technology (transition from an old to a new information
system, enabling the availability of the latest programs and the like). In order for all of the above to
be achieved, management must be clear about how outsourcing can help. It is necessary to
accurately estimate the costs with regard to the benefits expected from hiring external
collaborators. If there are employees within the organization who deal with certain jobs, it should be
assessed whether they can perform the jobs for which external partners are intended to be
employed. If a detailed analysis shows that outsourcing is profitable, then you should go for that
variant.

On the other hand, not everything is so rosy with outsourcing. In our environment, there are
relatively frequent cases of unsuccessful outsourcing, which are reflected in high costs and
unfulfilled expectations for the organization. There are two main reasons for this. First, insufficient
preparation of the organization, i.e. insufficient analysis of the organization's needs and the ability
of external partners to fulfill the organization's needs. Another reason for unsuccessful outsourcing
is insufficient expertise of the partner company to fulfill the contractual obligations. Due to
insufficient preparation of the organization and external partners for entering into cooperation,
there is frustration and inefficiency in work. Take the example of IT again. Informatics is a specific
activity for several reasons:
• The structure of people employed in the IT service, in terms of professional qualifications, is
very high, so this fact implies a different approach to human resources management.
• Informatics is necessary for management because it enables quality management; on the
other hand, managers are not very interested in it because they do not understand it, and therefore
very often, to cover up their incompetence, they do not enter into detailed analyses of the
need to engage external IT companies.
• IT is very expensive; it will never bring the company direct benefits, only indirect ones, through
increasing the quality of performance of other functions in the organization.

For the above reasons, outsourcing in IT can be a double-edged sword. If its introduction is not
understood as a serious business, failure may occur. Today, there are numerous IT companies
on the market that advertise their products, increasing their authority by emphasizing the fact that
they cooperate with large IT companies such as Oracle or Microsoft. This is a great argument that
should confirm their expertise. Often this is not enough, but this fact is discovered too late, i.e.
already when the cooperation agreement is signed. It also often happens that IT specialists within
the organization know more than the so-called external experts, and they are forced to test the
purchased applications and fix errors. Of course, they do this for a regular salary, while those
from external IT companies receive handsome fees for their work. All of this leads to frustrations
and inefficient work, and all because of the insufficient analysis (unpreparedness for entering
into business with an external partner). The result of all this is much higher costs than they
would be without outsourcing and much less work efficiency than it would be without
outsourcing.

On the other hand, IT outsourcing can be a good thing. The prerequisite for this is that
people from the organization and from the IT company jointly define business rules, analyze the
existing situation and define the desired state. Once this is done, it is necessary to start
changing the offered applications and acquiring equipment. In addition, people should be
trained and work support by an external company should be precisely defined. Then
outsourcing could be successful. This was an example of IT outsourcing, but it is similar or
almost the same in other areas.

In the end, the question remains whether outsourcing is friend or foe. The answer depends on
the management of the organization. If a good analysis is carried out of what the organization
needs, how existing resources can be used, if care is taken in choosing external partners, then
outsourcing can be successful. Otherwise, the result of the whole adventure will be disastrous.
Velibor Božić

Performance management

Performance management is a systematic process by which the organization involves its employees
(individually or as members of teams) in improving organizational efficiency, in relation to the organization’s
mission and goals. Performance management includes:

• Planning work and defining expectations
• Continuous monitoring of performance
• Developing the capacity needed for performance
• Periodic evaluation of performance
• Rewarding good performance.

Planning.

If the organization wants to be effective, it must plan. Planning means establishing expectations and goals related
to a certain individual or work group. The plan therefore determines what must be done in order to achieve
organizational goals. It is of great importance to involve employees in the planning process, because in this way
they can understand the goals of the organization, better understand the purpose of what they have to do, and
understand why it is important that they do something in a certain way. Within the framework of performance
planning, it is necessary to define elements and standards with the help of which the realization of the plan will
be evaluated. These elements and standards should be measurable, understandable, verifiable, fair and
achievable. The performance plan should be adaptable in the sense that it can be adapted to changed
organizational goals and work requirements.

Supervising.

The process of carrying out a business process must be continuously monitored. Good monitoring means
consistently measuring performance and informing individuals and teams of their progress toward achieving
goals. The monitoring process should be carried out in cooperation with employees, where their performance is
always compared with the elements and standards set during performance planning. Constant monitoring brings
the possibility of checking how well employees meet the defined standards and enables the change of unrealistic
or problematic standards. The biggest advantage of constant monitoring is the ability to react quickly. In the case
of a detected error, one can react immediately, and one does not have to wait for the end of the process in order
to detect the error through subsequent analysis.

Development.

An effective organization should assess and record employee development. Employee development means
increasing performance opportunities through training, learning new skills, giving greater authority and improving
work processes. Providing training and learning encourages employees to perform better, strengthens job
attachment and helps employees cope with changes in the workplace, such as the introduction of new
technology. The implementation of performance management makes it possible to discover the development
needs of employees. During the planning and monitoring of the performance of the work, defects in performance
become evident and can be unambiguously determined. Areas that can be improved are also visible. Most
importantly, through performance management it is possible to determine the actions that help employees to be
successful and beyond.

Assessing.

From time to time, it is useful for an organization to summarize employee performance. This can be helpful in
tracking performance and comparing the performance of different employees. It is useful for an organization to
know who its best people are. The evaluation of the employee's performance is based on the work performed
over a certain period, in accordance with the goals and standards defined in the plan.

Rewarding.

Rewarding is an important segment in achieving the efficiency of an organization. Rewarding is recognition of
employees (individuals or groups of people) for their commitment. It is a thank you for their contribution in
achieving the organization’s mission. The basic principle of effective management is that all behaviours are
controlled by their consequences. Consequences can be formal and informal as well as positive and negative.
Good performance should be recognized without waiting for nomination for a formal award. Rewarding should be
a natural part of everyday work. Many activities that reward good performance (such as a simple thank you) do
not require specific, formal procedures or authority approval. Rewards take a wide range of forms such as money,
days off and many non-monetary forms. Performance management must accurately define the forms of rewarding
as well as the rules of what is rewarded.

Finally, let's repeat what is essential for effective performance management. Managers and employees must
constantly learn skills that fulfil the mission and set goals of the organization. It is necessary to plan well what
you want to do. Employees should be given the conditions to meet the set goals. Performance should be
monitored. Progress towards the set goals should be measured in order to spot errors and to improve the
performance of business processes. In the end, employees must be rewarded for their achievements in order
to be motivated for work. All elements of performance management work together and support each other to
make performance management effective and efficient.
VELIBOR BOŽIĆ

Quality management
Quality management is a management task that enables quality performance of work and fulfilment of the
purpose for which the work was started. Quality management is a complex job that requires good preparation
in terms of securing all necessary material and human resources. In quality management, three processes
are important:
1. Quality planning - implies the identification of standards that are important for performing work as well as
determining the manner in which these standards must be met.
2. Quality assurance - here the performance of the entire work is evaluated to see if the activities
undertaken meet the quality standards.
3. Quality control - monitoring of results that are specific to individual activities in order to spot errors and
correct them in time.
These three processes within quality management are interconnected, and they are also connected to other
processes in business.
When managing quality, managers should keep in mind customer satisfaction, prevention, own responsibility
and phased product or service development. Customer satisfaction means understanding, managing and
influencing customer needs. Quality management should ensure that the product or service is exactly as we
have agreed with the customer, i.e. that it meets the real needs of the customer. Prevention refers to the fact
that the costs of preventing errors are always lower than the costs of error correction. Management
responsibility means the manager’s awareness that the success of the job depends on the effort and fulfilment
of tasks by all employees, including managers who must ensure the conditions necessary for success. When
we talk about the phased development of a product or service, we mean the recommendation that every job
should be done in stages whose quality is measurable, i.e. it can be evaluated. Below is a little more about
processes within quality management.

1. Quality planning
Quality planning includes the identification of quality standards that are essential for business as well as the
definition of how to comply with those standards. In order for quality planning to be successful, some
prerequisites must be met, namely: quality policy, defined area to which the quality policy applies, description
of products or services, defined standards and limitations, defined inputs from other processes. The quality
policy is a document that defines the organization’s intentions regarding quality and instructions on how to
achieve the desired quality of business.
The quality policy is adopted by the administration, that is, top management. The area covered by the quality
policy is a key prerequisite for quality planning. It is a series of documents in which the justification for a
certain job is expressed, the basic product or service is described, the critical success factors and criteria for
them are defined, and the business goals are determined. Through these documents, the needs and wishes
of the owners (shareholders) are determined and quality planning is facilitated. The description of products or
services is contained in the description of the area to which quality applies, but a separate document with a
detailed description containing technical details and other details essential for quality planning is also
required. Standards and restrictions refer to the way of performing a particular job. They must be taken into
account when creating the quality plan. Finally, for quality planning, the connections between the specific
business and the environment are also important. In other words, it is necessary to take into account the
outputs from other processes that can affect the quality performance of work (for example, the procurement of
quality raw materials affects the production of a quality product, which in turn affects customer satisfaction).
Quality planning as an activity within quality management is carried out with the help of cost/benefit analysis,
benchmarking, block diagrams and design of experiments. Cost/benefit analysis should answer what are the
benefits and what are the costs of quality management. The answer to this question should be defined already
in quality planning. In principle, the advantage of quality management means less repeated work, which
means higher productivity, lower costs and greater shareholder satisfaction. The main costs are related to
quality management activities. Benchmarking is a measurement process that involves comparing standards
for monitoring work performance. It compares a specific job with another job inside or outside the organization.
Block diagrams are graphic techniques that show how different system elements (processes, activities,
resources...) are connected. Two types of block diagrams are used in quality planning: cause and effect
diagrams (also called "fishbone" or "Ishikawa" diagrams) and system or process block diagrams. The cause
and effect diagram (see Figure 1) shows how different causes and sub-causes are connected and how they
create particular problems or consequences. System or process block diagrams (see Figure 2) show the
activities within a system or process and the connection between these activities. These block diagrams show
the beginning, end, sequence of activities, repetition of actions and decision points.

Designing experiments is an analytical technique used to discover the factors that have the greatest influence
on the quality of work. With this technique, different possibilities are tried out (e.g. solving the dilemma: more
inexperienced workers and doing work for a longer time or more experienced workers and doing work in a
shorter period).
The main outputs of quality planning are the quality management plan, operational definitions, checklists and
inputs to other processes. The quality management plan is a document that contains the method of
implementing the quality policy. Here, the organizational structure, procedures, processes and resources
needed to implement the quality management plan are defined. Operational definitions are actually metrics used to
measure the quality of the execution of certain procedures and processes. Checklists are documents that are
used to check the steps that must be performed within a process. Checklists can be simple or complex, and
they are important as a reminder of what needs to be done at a certain moment. Inputs to other processes
are data that are the result of quality planning, and are used in some other areas of business.
2. Quality assurance
Another important process within quality management is quality assurance. Quality assurance includes all
planned and systematic activities that guarantee that the work will meet all relevant quality standards. For
quality assurance to be successful, some prerequisites must be met. First of all, there must be a quality
management plan. In addition, there must be records of quality control benchmarks and testing (you need to
know what quality control benchmarks are and which quality control tests are best). Quality assurance is
carried out using all the techniques and tools that are also used in quality planning. So there are cost/benefit analysis,
benchmarking, block diagrams and design of experiments. In addition to them, quality control is also used here.
It is a structured review of quality management activities in other organizations. The goal of supervision is to
identify ways to improve the performance of individual activities and to apply them in a specific situation.
The basic result of quality assurance is quality improvement. Quality improvement includes activities that
increase the efficiency and effectiveness of work performance, resulting in the satisfaction of owners
(shareholders).

Figure 2 – system or process block diagram


3. Quality control
In quality management, an important process is quality control. It involves looking at specific business
results and deciding whether they are in line with relevant quality standards. In addition, quality control has the
task of discovering ways to eliminate unsatisfactory results. Work results, quality management plan,
operational definitions (criteria) and checklists are important for quality control. Work results are the results of
activities essential for the performance of work. They contain information about which products are completed
and which are not, to what extent the standards are met and what the production costs are.
Quality control is carried out with the help of inspection, control charts, so-called Pareto diagrams, statistical
sampling, block diagrams and trend analysis. Inspection includes measurement, examination and testing
activities to determine the extent to which the results have met the requirements. Control charts show the
results of work performance throughout the entire time course. Here, the lower and upper limits of the
deviation from the optimum are determined.
It is observed whether the work is within these quality limits throughout its course. Pareto charts are graphical
representations that show the number and percentage of errors associated with certain causes. These
diagrams are used to define the so-called corrective actions (to correct observed deficiencies). Statistical
sampling is a technique of taking a sample for statistical processing in order to observe some regularity in the
performance of work. Block diagrams are used in quality control to help analyze the cause of a problem.
Trend analysis is a mathematical technique used to forecast future results based on past data. Trend
analyses usually look at the number of errors that have appeared and not been resolved, and how many
activities were performed in a certain period in accordance with the defined quality.
The results of quality control are quality improvement, repeated work (repeated performance of certain activities
in order to correct observed defects) and completed checklists (a series of procedures necessary to perform work in
accordance with the required quality). Quality control also improves work (this refers to a series of corrective
and preventive actions that are the result of quality control). Today, quality management, as a management
task, occupies a very prominent place. Many organizations strive to obtain internationally recognized quality
certificates such as ISO 9001:2000 or ISO 14000. Certificates are important because they are proof of quality
business and are an important reference in business relations with partners and competitors. Because of all
this, quality management is a necessary management skill crucial for the survival of an organization.
VELIBOR BOŽIĆ

Management styles

If someone wants to be an effective manager, he must understand the basic
management styles and must recognize the conditions under which a certain style is
needed, i.e. when it is not needed. The most frequently described management styles
are: authoritative, team and situational management. In the following, there will be a
few words about each of them.
Authoritative management style is quite dangerous if it is exclusive. With him, it is
about the manager understanding his role as a consequence of his own superiority
over others.
This management style implies that all employees need guidance from the manager.
The authoritative type of manager likes to have complete control over all processes
without respecting the skills of associates and employees. This kind of manager
emphasizes that only his decisions are important in the implementation of all activities.
The result of this understanding of management is the destruction of the organization.
In the conditions of authoritative management, productivity weakens, morale drops, and
sometimes open conflicts occur. Because of all this, experienced managers are very
careful when promoting new managers. They are careful in judging the qualities of the
candidate in order to avoid problems later.
The question arises whether an authoritative style of management is good in some
conditions. First of all, this style of management can be good if it is applied in a limited
way, i.e. only in conditions when employees work in dangerous jobs, so the manager
takes responsibility for their safety. Then firm discipline is needed, but even then it must
be carried out in such a way that the employees see that the firm hand of the manager is
there to actually protect the employees. Another case in which the authoritative type of
management is applied is when there is a risky situation in which the manager does not
have time to coordinate positions with colleagues. Again, the manager must present his
decisions in such a way that the employees accept them as the manager’s responsibility
and concern for themselves and the company, and not as coercion and arbitrariness.
Another management style that is very important is team management. In this
management style, managers are team players. They feel comfortable working with a
group of people working together to achieve a common goal. Such managers are
relatively informal. Namely, they know how to create such a working atmosphere that
employees often do not perceive them as someone who gives orders, but as
collaborators. The basic characteristic of "team" managers is their ability to accept the
ideas of their associates and to combine them with their own ideas. In order for a
manager to be a team player, he must have the trust and respect of the people he works
with and leads. The philosophy of this style of management is that the manager does not so
much give orders to others as support them, i.e. provide them with quality conditions
for performing their work. This is actually the goal of management. So the goal is to
efficiently and effectively complete the task by meeting the needs of others. A positive
thing about the team management style is a good working climate and high employee
morale. With this management style, employees have a sense of self-confidence and
are happy to go to work because they feel useful knowing that their views are taken into
account when making business decisions. The negative side of this management style is
the danger that manager-employee relations become too informal. The result is
indiscipline, so work tasks can begin to be performed more poorly.
The situational management style is characterized by the adaptation of the
management style to the needs of the business or to the demands of customers.
Managers of this style are actually a combination of an authoritative type and a team
manager. The characteristics of situational managers are: teamwork, decisiveness,
calculation, time management, customer service and interpersonal relations.
Teamwork means respecting the ideas of collaborators in order to achieve results.
Decisiveness is a trait that indicates a manager’s ability to stand behind his own decisions.
Calculation refers to the assessment to what extent to accept the ideas of collaborators
in relation to one’s own assessments. Time management is the manager's ability to
estimate the time needed to carry out certain activities, given the situation. Customer
service includes the ability to respond to customer requests in an acceptable time and to
keep them informed. Interpersonal relationships speak of the manager’s ability to
maintain a quality working atmosphere by communicating with colleagues and
employees. The situational style of management is perhaps the most acceptable. Knowing
the good and bad sides, one can balance between a sufficiently informal relationship with
employees so that they work better and a sufficiently formal relationship so that the
employees know who is in charge.

There is no ideal management style. Which style to apply and when depends on the
specific situation. The only recommendation that is universally valid is that you should not
be exclusive. In other words, all management styles should be combined in order to
achieve the organization’s goal, which is more efficient and effective functioning.
Velibor Božić

Time management

The goal of every manager is to be effective and efficient. This means that certain work must be done in the
right way, with minimal consumption of resources. One way for managers to be effective and efficient is to
manage their time well. Managers who do not manage their own time are always in a hurry, often lead
unproductive meetings, and cause crisis situations because everything has to be done at the last minute. Such
managers are often disorganized and spread a bad atmosphere to colleagues. The end result of managers
who do not manage time is poor work performance. Poor time management is often the result of
overconfidence on the part of managers. Managerial methods and techniques applied in smaller projects
cannot simply be copied to larger jobs. Namely, the greater the demands and problems facing the
manager, the greater the manager’s responsibility. Therefore, managers have to learn new things
continuously, and one of the important things is time management. Time management is much more than
keeping a diary and planning activities. It is a set of tools that enable the elimination of redundancies, enable
better preparation of meetings, prevent useless work, enable project monitoring, allocate time according to the
importance of the task, ensure that long-term projects are not neglected, and enable efficient and effective
daily and weekly planning.

Time management is a managerial activity that needs to be planned, monitored and subsequently analyzed.
The question is how to manage time? First of all, the current situation should be accurately identified. This
means that it would be good to analyze the current situation and to see what we spend our time on and how
we spend it. After that, we need to see if all the activities we spend time on are necessary. Therefore, it is
necessary to determine what the "unnecessary consumers of time" are. Examples of them are: phone calls to
friends, conversations over coffee, surfing the Internet, etc. For all such and similar activities, it is necessary
to objectively assess how valuable they really are for each of us, and with this in mind, assess whether they
should be completely abolished or reduced to an acceptable level.
Another category of time consumers are jobs. It is necessary to determine why we waste a lot of time on
some work. The work can be difficult and demanding (it’s a justified waste of time), but it can also be boring,
so we postpone its execution. In this case, one should try to solve the loss of time by delegating the work
to someone else who is interested in the work. The loss of time should also be reduced by grouping similar
activities within a job in order to reduce preparation and finishing times.
When it comes to time management, the important thing is to delegate work. A manager manages time well if
he assigns certain tasks to his subordinates. At the same time, it is important that he knows the abilities of the
employees well, i.e. it is important that he assigns the right tasks to the right people. Helping others to do
their work is a very good and noble thing, but there should be limits. Namely, helping others must not in any
way affect the quality performance of one’s own work. Time management must give an answer to the
question to what extent we can help others in doing work without it affecting our own performance. This
applies to our superiors. We often fall into the trap of helping our superiors to be efficient and effective, while
not being so ourselves because we don’t have enough time for our own activities. By managing time, we
avoid such situations. When all the above-mentioned facts are established, i.e. the causes of the insufficient
time we have, it is necessary to take control of our own time. There are various techniques that can be used
to achieve this. The most important of them is keeping a schedule (in which the activities that we have to do
are written down). When keeping a schedule, it is important to assess which activities are really important,
to estimate how much time is needed for their execution, and to determine the
sequence of activities. It is necessary to plan the time for the next day and week every day.
A very important thing in time management is time planning within a project. It is necessary to accurately plan
the duration of individual parts of the project so that they are not pressed for time. With the help of time
management, you always know how time is spent and how much time is still unallocated, i.e. available for
some other activity within the project. In short, time management allows the project to be completed on time
because it allows us to constantly have control over how much time we have available for certain activities.
With the help of time management, you can also supervise the staff. You can set a time limit for each task that
you have assigned to the staff, i.e. you can set a deadline for completing the task. In this way, the manager
can monitor the progress of the project and initiate certain actions if necessary. Regarding the staff, it is
necessary to plan the time devoted to the training of the staff so that they can perform their duties better in the
future. Time management enables quality fulfilment of long-term goals. Every manager also has long-term
goals, the fulfilment of which is important, but not urgent. It is precisely because of this "lack of urgency" that
long-term goals can be neglected. Through time management, a manager can easily determine the time of the
week to devote to meeting a long-term goal. Time management forces the manager to always keep the long-
term goal in mind and not to put himself in a crisis situation when he has to do something in a hurry.
Time management is a managerial skill that requires little effort from the manager, and results in more effective
work that enables more efficient use of time by focusing on specific activities. Time management is not a magic
wand to solve all problems. It only provides a structure for introducing and monitoring solutions. Time
management allows the manager to take control of his own time.
VELIBOR BOŽIĆ

Value Management

What is Value Management? Value management is a management style that is primarily aimed at motivating
people, developing skills, promoting synergies and innovations, with the aim of maximizing overall
performance within the organization. Value management arose as a result of different methods based on the
value concept and the functional approach. First of all, for the development of value management, the method
of "value analysis" is essential, which aimed to improve the value of existing products or services. In addition,
this method was effective in increasing performance as well as defining the necessary resources for certain
products and services. Over time, this method (along with some others) evolved into value management. In
value management, three basic things are important:
1. conviction that value is essential for the organization, defining criteria for evaluating value, monitoring
and controlling value
2. focus on goals and tasks before finding solutions
3. focus on functions in order to determine solutions essential for realizing innovative and practical
solutions.

The concept of value. The concept of value is based on the relationship between the satisfaction of different
needs and the resources needed to fulfil those needs. The fewer resources needed to satisfy as many needs
as possible, the greater the value. Stakeholders, customers and suppliers may have very different and multiple
demands and views on what an organization’s value is. The goal of value management is to take into account
all these diverse requirements and views and to enable the organization to make the greatest possible
progress with the minimum expenditure of resources.
It is important to note that value can be increased through increased fulfilment of needs and increased
consumption of resources, but the increase in resource consumption must be less than the increase in
meeting the needs of all interested parties within and around the organization.

Key principles of value management. Value management differs from other managerial skills in that it
combines some skills that do not seem to go together at first glance. These skills are: management style,
motivation of people, focus on the organization's environment and effective use of methods and tools. Below is
something about the mentioned skills in the context of value management.

• Management style
Teamwork and communication should be emphasized when managing values. A functional approach to
solving problems should be affirmed, a climate that encourages creativity and innovation should be
fostered. It should focus on customer requirements. Evaluation of the quality of work performance should be
carried out continuously in order to be competitive.

• Motivation of people
This includes teamwork (people should be encouraged to solve problems together), satisfaction (successes
should be recognized and rewarded), communication (people should communicate with each other in order
to do their work better). As part of motivation, mutual understanding and joint decision-making (co-decision-
making) should be supported, changes should be encouraged (because it is a chance to learn something
new).

• Orientation to the organization's environment
It is necessary to take into account external conditions (over which the organization has no influence - these
are objective circumstances to which it must adapt) and internal conditions (over which the organization has
influence - these are subjective circumstances which in a large number of cases can be improved). Here it is
necessary to clearly define the "degree of freedom" of the organization. In other words, it is necessary to
determine one’s own position on the market as well as one’s own goals and limitations, taking into account
the conditions prevailing in the organization’s environment and within the organization itself.

• Effective use of methods and tools
It is necessary to use confirmed methods and tools that help in achieving the desired goals. Some of the
methods are: Business Technology Reengineering (BPR), Six Sigma (6σ), Balanced Scorecard (BSC), and
Business Process Monitoring (BPM) ...

Benefits of value management. The most visible benefits resulting from the application of value
management are:
• better business decision-making because decision-makers have a better basis for decision-making, better products and services that better meet customer needs
• improved competitiveness as a result of technical and organizational innovations within the organization
• a common "value" culture in the organization that increases understanding of business goals for each individual
• better communication within the organization and creation of common knowledge about the main success factors
• more efficient and effective work through the creation of multidisciplinary and multifunctional teams
• in value management, decisions made within the organization are very important; they are often supported by shareholders
Finally, it is important to say that value management can be applied in all segments of society, which means:

• in the industrial sector, including production, construction and process industry
• in the service segment, both public and private
• in administration, healthcare, education and other public activities.
