Technology Return on Investment

Peter S. Cohan
July 3, 2008

In concept, estimating the return on investment (ROI) of a technology initiative is a like any other capital budgeting process. The objective is to estimate the cash flows likely to be generated by the technology initiative and determine whether these cash flows exceed the costs of designing, building, and operating the systems and processes associated with the initiative.

The practical challenges of putting this concept into practice are considerable. It is generally difficult to quantify the benefits of technology initiatives. Often it is more fruitful to estimate the cost savings of technology initiatives by applying activity-based costing, a procedure that assigns costs to activities based on the amount of time they consume. Analysts can estimate the cost savings of a technology initiative by mapping out the steps in the current process and assigning costs to each step. Next, analysts can map out the steps of the new process and cost out each of its steps. Finally, analysts can calculate the cost savings of the new process by subtracting the costs of the "to be" process from the "as is" process.

Often technology initiatives are sold to senior management on the basis of related increases in revenue. While such estimates are often fuzzier, in practice some technology initiatives do generate tangible revenue increases. For example, a division of Eaton Corporation was able to increase by 20% its sales of certain motor control panels after the division began using an online ordering process that let customers' engineers tailor these panels to their specific requirements.

The next practical challenge in calculating the ROI of a technology initiative is estimating the cost to design, build, and operate the new process. While it is often relatively straightforward to estimate the cost of the hardware, software, and communications for the technology initiative, the costs of "softer" resources are often underestimated. For example, companies generally spend several times the cost of hardware and software for systems consulting services. Furthermore, firms tend to underestimate the amount of training required to get the organization to actually use the system.

Finally, there are many ways to determine whether the numbers work. Companies can calculate a project's net present value (NPV), its internal rate of return (IRR), or its payback period. The calculation of the NPV depends to a certain extent on the discount rate used in the formula which in theory is equal to the risk-free (e.g., treasury bill) rate plus a factor to adjust for the riskiness of the project. Since there is often debate about the right interest rate, analysts should use a reasonable range of assumptions. If the technology initiative's NPV is positive, it should be funded.

The IRR calculation also uses assumptions about the right discount rate. With the IRR approach, analysts compare the IRR to the company's cost of funds—a figure which may be easy to estimate if the company is borrowing money for projects. If the technology initiative's IRR exceeds the company's cost of funds, then the project should be funded.

Finally, the payback period method—in which analysts calculate how many months (or years) of the initiatives' benefits it will take to surpass the initiatives' costs—has the advantage of using fewer assumptions—however, what makes an acceptable number of months for payback is somewhat subjective. If the project has what is deemed a reasonable payback period, then the project should be funded.

In general, it may make sense to use all three methods to decide whether a technology initiative has an acceptable ROI. In today's economic climate, such disciplined analysis will probably limit a company's technology initiatives to a handful of high payoff projects.

Peter S. Cohan is president of Peter S. Cohan & Associates in Marlborough, Massachusetts, and teaches management at Babson College. Contact him at peter@petercohan.com.

Get Your E-Mail Messages Through

Greg Crandell, DigitalMailer
June 23, 2008

Spam is here to stay, and the enemy is gaining ground. But take heart: Spam filters are becoming more sophisticated, with forceful weapons that can fight off the worst of foes.

That's good news, but where does it leave you—the legitimate e-mail marketer with important information your members want to read? New tools put in place to combat spam are blocking your e-mail communications as well.

Internet service providers (ISP) have new rules that immediately will shut off your outbound e-mail or place your Internet protocol address and domain on their blacklists. New rules are based on:

• Volume of e-mail sent in a given timeframe
• Content of the e-mail and percent of images to text
• Number of recipients reporting the e-mail as spam in a given timeframe
• The practice of repeatedly sending e-mails to addresses previously reported as bad
• Incorrect sender policy framework (SPF) records

Do Your E-Mails Reach Their Targets?

Without strong e-mail practices and some elbow grease, it will be almost impossible to mass e-mail your members in the near future. E-statement notifications, e-newsletters, promotional e-mails, and e-survey invitations are getting financial institutions across the country blacklisted each month.

A strong spam checker on outbound e-mail is becoming one of the most important tools for ensuring your messages even are considered for delivery by the major ISPs. Financial institutions and top-notch e-mail service providers should employ a forceful system that routinely tests outbound e-mail messages and alerts you to problems. If a message scores too high, you can make the necessary changes to send it on its way.

Department of Labor Federal Credit Union in Merrifield, Virginia, learned firsthand the value of a good spam checker on outbound e-mails.

"We had two e-mail alerts that didn't pass a tough spam-check process," explains Joan Moran, president/CEO of the $51-million-asset credit union. "Our scores weren't outrageous, but the ratio of images to text was higher than normal, which served as a red flag that we were above the normal threshold. We were notified right away so we could adjust the copy and graphics."

Moran says the minor inconvenience of altering content or subject lines is a small price to pay for knowing her credit union's e-mail alerts reach their destinations. That's even more important in Department of Labor Federal's case because most of its members are federal employees or contractors, and government spam filters are notoriously intolerant.

Knowing that e-mail messages from the credit union are safe-listed also provides comfort to members, Moran says. "We have permission to send e-mail alerts to nearly 20% of our members, and we're working for 100%. Most of our members are web-savvy, but they still worry about being attacked. They're quick to let us know if they receive bogus e-mail that looks like it's coming from us."

The credit union uses e-mail alerts to educate members on a variety of topics—including bogus e-mail alerts. "We've had very good pickup with our alerts. Members like communicating with us in that way," Moran says. "The key is to keep members informed, carefully design messages, and take advantage of spam-check services. That's making a big difference for us."

Be Battle-Ready

For most credit unions, staying out of spam filters requires adjusting their own systems or working with e-mail service providers that know how to play well with ISPs around the world.

But if you decide to go it alone, be sure to:

• Get your financial institution's e-mail system certified or safe-listed with ISPs.
• Use internal spam-check tools to evaluate outgoing e-mail to truncate, and repair, e-mail campaigns that are likely to trigger spam filters at ISPs.
• Consider an e-mail software engine that uses throttling programs and more to ensure you conform to your ISP's requirements for numbers of e-mails sent and numbers sent in specified periods.
• Shut off automatically bad e-mail addresses reported by ISPs, and don't send to them again.
• Give careful consideration to e-mail content and the number of images in the e-mail.
• Choose your subject line carefully, avoiding words and punctuation that might look suspicious or illogical.
• Ensure the recipient's name is displayed in the "to" box and that your full name, or financial institution's name, is in the "from" box.
• Send preference-based e-mail messages. Ask members' permission to send them e-mail, and let them choose the type they receive (i.e., loan promotions, rate changes, or account notices). That makes your institution a welcome guest in their e-mail inboxes.
• Register your own SPF records to protect against forged sender addresses and to meet the growing list of ISPs requiring this form of identification.
• Monitor "end-user spam reporting" and research why members reported the e-mail as spam.

Greg Crandell is executive vice president for DigitalMailer in Herndon, Virginia. Contact him at 866-994-4900 or g.crandell@digitalmailer.com. This story first appeared at www.creditunionmagazine.com and is reprinted with permission.

CUNA Councils Connect Webcast Archive Now Available

CUNA Councils
June 19, 2008

Council members now have an opportunity to download and view a short webcast about our new online community - CUNA Councils Connect.

The webcast gives an overview of the Councils' new online community for increased & enhanced networking opportunities. See how easy it is to connect to your peers and find advice or solutions. Learn about:

• Your member profile
• The "People Map" - the visual member directory where you can search by geography, CU info, areas of expertise, vendor usage and more!
• Joining / starting a discussion group
• The blogging platform to share your thoughts with other members.
• The chat feature
• and much more in this twenty-minute session!

You'll take away some handy tips and tools on how to make the most of your Council experience by learning the features of what your new member benefit has to offer.

> Download the Archive & Learn More

 

And Don't Forget - Enter your Profile Information by July 7th and you Could Win a Nintendo Wii!

Through July 7th, we will be giving away three big prizes. The first was a new Garmin nüvi 260 GPS given away on May 28th, followed by an iPod drawing on June 12th, and our final drawing on July 7th. 

For our final prize drawing, you have the chance to own one of the most revolutionary and in demand video game systems ever made.

All members who have completed their CUNA Councils Connect member profile by July 7th will be entered to win a brand new Nintendo Wii (pronounced "we").

> Log in and Get Started! 

> Learn More about the Nintendo Wii

All you have to do is complete your member profile - at least the information in the profile related to your job & your interests and notification preferences - to be entered to win.

In the Meantime, Need Help or More Information?

> Read the Getting Started (1-page pdf) on how to set up your profile.

> Visit our Help/FAQ page for an overview of CUNA Councils Connect.

 

CUNA Councils Connect - We've taken professional networking to the next level.

Business Continuity/Disaster Recovery: Executive Summary of FFIEC IT Examination Handbook

Thomas Donchez
June 18, 2008

The Business Continuity Planning (BCP) manual is part of the IT Examination Handbook from Federal Financial Institutions Examination Council (FFIEC). The March 2008 version of the BCP manual has been updated since it original release in March 2003. This booklet is intended to provide guidance to the financial institutions regarding business continuity planning, which helps companies recover and resume business processes when operations have been disrupted unexpectedly. Because financial institutions are part of the nation's critical infrastructure, it is important to minimize disruptions to their business.

Key Topics

The BCP booklet is divided into two main areas: Business continuity plans and examination procedures. The first part describes the planning process of creating a business continuity plan, along with the responsibilities of senior management during that process. The second part describes the technical aspects regarding risk, including assessment, management, testing and monitoring.

Business Continuity Plan

Financial institutions should develop a comprehensive BCP based on the size and complexity of the institution. The goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations.

A financial institution's board and senior management are responsible for the following:

• Establishing policy by determining how the institution will manage and control identified risks
• Allocating knowledgeable personnel and sufficient financial resources to implement the BCP
• Ensuring that the BCP is independently reviewed and approved at least annually
• Ensuring employees are trained and aware of their roles in the implementation of the BCP
• Ensuring the BCP is regularly tested on an enterprise-wide basis
• Reviewing the BCP testing program and test results on a regular basis
• Ensuring the BCP is continually updated to reflect the current operating environment

Examination Procedures

The following describes the different aspects of creating and maintaining a business continuity plan. These different topics allow organizations to evaluate the critical aspects of their business and include them in their BCP.

Business Impact Analysis

A business impact analysis is the first step in creating a business continuity plan. This part of the process includes all of the critical functions and processes of the business along with the potential threats to these different aspects.

A business impact analysis report should include:

• Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis
• Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes
• Identification of the legal and regulatory requirements for the institution's business functions and processes
• Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes
• Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path

Risk Assessment

The risk assessment is the second step in the process of creating a business continuity plan. During the risk assessment step, business processes and the business impact analysis assumptions are evaluated using various threat scenarios.

A Risk assessment should include:

• Evaluating the BIA assumptions using various threat scenarios
• Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves
• Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence
• Performing a "gap analysis" that compares the existing BCP to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution

Risk Management

Risk management is the process of identifying, assessing, and reducing risk to an acceptable level through a proper business continuity plan.

Through risk management, the business continuity plan should be:

• Based on a comprehensive BIA and risk assessment
• Documented in a written program
• Reviewed and approved by the board and senior management at least annually
• Disseminated to financial institution employees
• Properly managed when the maintenance and development of the BCP is outsourced to a third party
• Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP
• Specific regarding what immediate steps should be taken during a disruption
• Flexible to respond to unanticipated threat scenarios and changing internal conditions
• Focused on the impact of various threats that could potentially disrupt operations rather than on specific events
• Developed based on valid assumptions and an analysis of interdependencies;
• Effective in minimizing service disruptions

Risk Monitoring and Testing

Risk monitoring and testing is the final step in the business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the:

• Incorporation of the BIA and risk assessment into the BCP and testing program
• Development of an enterprise-wide testing program
• Assignment of roles and responsibilities for implementation of the testing program
• Completion of annual, or more frequent, tests of the BCP
• Evaluation of the testing program and the test results by senior management and the board
• Assessment of the testing program and test results by an independent party
• Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results

Closing Thoughts

The above examination procedures are intended to be a cyclical process. The business continuity plan is an ongoing process that needs to be updated as events occur.

As an organization's risk testing and monitoring detects changes in the company, a new risk assessment phase should occur to evaluate the impact of the changes and modify the business continuity plan as needed.

To see the full BCP booklet or any of the other sections of the FFIEC IT Examination Handbook, visit: http://www.ffiec.gov/ffiecinfobase/html_pages/bcp_book_frame.htm.

This article originally appeared in CUInfoSecurity (www.CUInfoSecurity.com). Reprinted with permission.