Capital Budgeting: Rational Outsourcing Decision in VoIP Projects, Page 3
The dollar amounts shown in red to the right of the red circles and in green to the right of the green square in Figure 4 are only weighted averages of the possible payoffs. As such, they can be interpreted in one of two ways.
First, imagine the project occurring many times, not just once. That's the case if you are the outside contractor who builds VoIP systems for many customers. If you use a particular decision each time, then "on average," you will experience the gains or losses shown. You're "playing the averages."
Unfortunately, in problems with uncertainty, you can virtually never guarantee that the probabilities-based decision will produce the best results. All you can guarantee is that an NPV-maximizing or cost-minimizing decision is the most rational decision, given what you know when you must make the decision.
But what if the current situation is a "one-shot deal" that will not occur many times in the future? That's the case if you build the VoIP system just once, for internal use, using in-house staff. Even then, financial theorists tell us that the weighted-average payoff is a "sensible" criterion for making decisions under uncertainty, as long as the monetary values are not too large.
For situations where the monetary values are extremely large, rational decision makers are sometimes willing to violate the maximization (minimization) criteria imposed by the usual rules of capital investment. These decision makers are willing to sacrifice NPV (or other measures of return) to reduce risk. To do so, a few (a very few) firms turn to utility functions for help. They maximize (minimize) expected utility—that is, they choose the alternative with the largest expected utility. Utility is a concept that was introduced by Daniel Bernoulli in the eighteenth century. He believed that for the usual person, utility increases with wealth but at a decreasing rate.
A discussion of utility theory and utility functions (mathematical functions that transform monetary values—payoffs and costs—into utility values) is beyond the scope of this article. However, before leaving this subject altogether, I'd like to mention that much of this methodology's complexity can be handled for you by tools such as Precision Tree, as shown in Figure 5.
Figure 5. A utility function is selected on a tree-specific basis.
In Figure 5, the Optimum Path option specifies the criterion this tool will use for selecting the optimum path at each node in the tree and whether decisions are forced to a specific branch.
Two options are available for selecting the optimum path at each decision node in a tree. If Maximum is selected, Precision Tree will follow the path that has the highest expected value or expected utility at a decision node. If Minimum is selected, Precision Tree will follow the path that has the lowest expected value for a decision node.
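The following sketch is an added example, not code from the article or from Precision Tree. It rolls back a small decision tree under the Maximum and Minimum criteria and under expected utility; the payoffs, the exponential utility function, and the risk tolerance R are all assumptions chosen for illustration.

```python
import math

# Constructed tree; the dollar payoffs are illustrative, not the values from the article's Figure 4.
# Node forms: ("payoff", x) | ("chance", [(prob, node), ...]) | ("decision", {label: node})
TREE = ("decision", {
    "outsource": ("chance", [(0.9, ("payoff", 200_000)), (0.1, ("payoff", 100_000))]),
    "in-house":  ("chance", [(0.5, ("payoff", 900_000)), (0.5, ("payoff", -400_000))]),
})

def exp_utility(risk_tolerance):
    """Assumed utility U(x) = 1 - exp(-x/R): increases with x at a decreasing rate."""
    return lambda x: 1.0 - math.exp(-x / risk_tolerance)

def certainty_equivalent(expected_utility, risk_tolerance):
    """Sure amount with the same utility as the gamble (inverse of exp_utility)."""
    return -risk_tolerance * math.log(1.0 - expected_utility)

def rollback(node, utility=float, choose=max):
    """Fold the tree from the leaves back and return the value at this node."""
    kind, body = node
    if kind == "payoff":
        return utility(body)
    if kind == "chance":
        if abs(sum(p for p, _ in body) - 1.0) > 1e-9:
            raise ValueError("chance-node probabilities must sum to 1")
        return sum(p * rollback(child, utility, choose) for p, child in body)
    if kind == "decision":
        return choose(rollback(child, utility, choose) for child in body.values())
    raise ValueError(f"unknown node kind: {kind!r}")

def optimum_branch(decision, utility=float, choose=max):
    """Return (label, value) of the branch the criterion selects at a decision node."""
    kind, branches = decision
    if kind != "decision":
        raise ValueError("optimum_branch expects a decision node")
    scored = {label: rollback(child, utility, choose) for label, child in branches.items()}
    best = choose(scored, key=scored.get)
    return best, scored[best]

if __name__ == "__main__":
    R = 500_000  # assumed risk tolerance in dollars
    print("max expected value:  ", optimum_branch(TREE))
    label, eu = optimum_branch(TREE, utility=exp_utility(R))
    print("max expected utility:", label, round(certainty_equivalent(eu, R)))
    print("min expected value:  ", optimum_branch(TREE, choose=min))
```

With these constructed numbers the expected-value criterion selects the in-house branch, while the risk-averse expected-utility criterion selects the outsourced branch even though its expected value is lower.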
Privacy and Legal Issues with VOIP
Although legal issues regarding VOIP also are beyond the scope of this article, you should be aware that laws and rulings governing interception or monitoring of VOIP lines may be different from those for conventional telephone systems. Privacy issues, including the security of call detail records (CDR), are addressed primarily by the Privacy Act of 1974.
A CDR is a record containing information about recent system usage, such as the identities of sources (points of origin), the identities of destinations (endpoints), the duration of each call, the amount billed for each call, the total usage time in the billing period, the total free time remaining in the billing period, and the running total charged during the billing period. The format of the CDR varies among telecom providers and call-logging software. Some software allows you to configure the CDR format.
You should review any questions regarding privacy and statutory concerns with your legal advisors.
VOIP Security Issues
With the introduction of VOIP, the need for security is compounded because now we must protect two invaluable assets, our data and our voice. In a conventional office telephone system, security is a more valid assumption. Intercepting conversations requires physical access to telephone lines or compromise of the office private branch exchange (PBX). Only particularly security-sensitive organizations bother to encrypt voice traffic over traditional telephone lines. The same cannot be said for Internet-based connections. For example, when ordering merchandise over the phone, most people will read their credit card number to the person on the other end. The numbers are transmitted without encryption to the seller. In contrast, the risk of sending unencrypted data across the Internet is more significant. Packets sent from a user's home computer to an online retailer may pass through 15-20 systems that are not under the control of the user's ISP or the retailer.
Because dialed digits are transmitted out of band as special messages in a standard format, anyone with access to these systems could install software that scans packets for credit card information. For this reason, online retailers use encryption software to protect a user's information and credit card number. So, it stands to reason that if you are to transmit voice over the Internet Protocol, and specifically across the Internet, similar security measures must be applied. The current Internet architecture does not provide the same physical wire security as the phone lines. The key to securing VOIP is to use security mechanisms like those deployed in data networks (firewalls, encryption, and so forth) to emulate the security level currently experienced by PSTN users.
Sarbanes-Oxley Act of 2002 Compliance
The Sarbanes-Oxley Act (also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX) is a United States federal law passed in response to a number of major corporate and accounting scandals involving prominent companies in the United States. These scandals resulted in a decline of public trust in accounting and reporting practices.
The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.
There is considerable debate over the specific requirements of the Sarbanes-Oxley Act, as written. The problem with compliance is that, as usual, the federal act is not specific to IT and is vague in its language. See References 13 and 14.
For companies, a key concern is the cost of updating information systems to comply with the control and reporting requirements. Systems that provide document management, access to financial data, or long-term storage of information now must provide auditing capabilities. In most cases, this requires significant changes, or even complete replacement, of existing systems that were designed without the needed level of auditing details.
Examples of the internal controls that are required for compliance include firewalls, access measures, authentication mechanisms, continuous vulnerability assessments, and so forth. One situation in which these controls come into play is when an organization uses Active Directory for single sign-on to IT applications and telephony access. Another is the use of IP phones to access financial information through a wired or wireless VoIP connection.
The cost of implementing and maintaining a VoIP (or any other IT) system must account for the security audit that the telecom or security staff has to perform. This is a systematic evaluation of the organization's information systems. The audit measures how well the systems conform to a set of established security criteria. An audit will include user practices, software, information-handling processes, and the physical environment and configuration. Vulnerability assessment is the study of the system's potential security weaknesses.
Besides security audits and vulnerability assessment, the IP telephony system will have to undergo penetration testing on a regular basis to determine whether the system can withstand attacks by hackers and other malicious behavior.
Contracts between suppliers and the project team are commonly employed to change the risk profile. Contracts transfer risk among the parties, but they do not eliminate risk. All parties have a risk even after the contract is signed.
Some buy decisions lead to granting a fixed-cost turnkey contract to the lowest bidder. This can be a risky proposition, especially when yours is a large organization with a complex IT infrastructure! At the very least, these contracts should include provisions for costly mid-course and a posteriori adjustments. A recent survey by DiamondCluster International (http://www.diamondcluster.com) found dissatisfaction among customers who chose the lowest-priced bidder and found that early contract terminations were way up. Once again, caveat emptor.
Software tools, despite their analytical power, are just tools. They do not replace the analyst in any way.
Fifty percent of the challenge in decision making is simply thinking about the problem, with 25 percent being the actual modeling and analytics, and the remaining 25 percent being able to convince and explain the results to senior management, clients, colleagues, and yourself.