Customer Relationship Management: A Pulse on the ... - support slidex

What is Customer Relationship Management (CRM)? There are as many ... organizations are just beginning to implement CRM solutions to drive out operating costs. .... (especially in sales, service and marketing areas) in terms of financial ... “These are risks that affect the reputation of the bank such as fraud or rumors from ...
235KB taille 17 téléchargements 314 vues
Customer Relationship Management: A Pulse on the Community by David S. Erickson, Partner, and Michele McLaughlin, Senior Manager, PricewaterhouseCoopers LLP

Disclaimer The Information Systems Audit and Control Foundation and the authors of Customer Relationship Management: A Pulse on the Community have designed the white paper primarily as an educational resource for control professionals. ISACF makes no claim that use of this product will assure a successful outcome. The product should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed towards obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Disclosure

2002 Information Systems Audit and Control Foundation Reproduction for any purpose is not permitted without ISACF prior written permission. No other right or permission is granted with respect to this work.

Customer Relationship Management: A Pulse on the Community

Introduction Many of the world’s most influential organizations are implementing comprehensive CRM strategies, processes, applications, technologies and organizational changes to transform themselves into market intelligent enterprises that can respond to and adapt quickly to customer needs. The buzz seems to be everywhere, but what is the reality? How many organizations have projects underway? What are the critical challenges and risks these projects are facing? And, how are organizations managing these challenges and risks? The Information Systems Audit and Control Association (ISACA) wanted to find out the answer to these questions; therefore, they sponsored a worldwide research project with PricewaterhouseCoopers LLP in an attempt to find out. This white paper presents some of our preliminary survey findings with you.

Customer Relationship Management What is Customer Relationship Management (CRM)? There are as many definitions for CRM as there are opinions as to what is going to happen in the stock market the next day. At its basic core, CRM entails initiatives that surround the customer side of the business. An example is initiatives wrapped around the customers in an effort to increase sales, improve customer service, add market share, enhance customer loyalty and reduce operating costs of sales and service. At its more formal definition, CRM is a business strategy comprised of process, organizational and technical change whereby a company seeks to better manage its enterprise around its customer behaviors. It entails acquiring and deploying knowledge about customers and using this information across the various customer touch points to increase revenue and achieve cost reduction through operational efficiencies.

Number of Organizations Implementing CRM Projects The year 2001 will be remembered as a difficult year for CRM, as many organizations delayed their CRM projects due to lack of IT funding and market pressures. Many of the organizations we spoke with had to postpone their projects or divide them into smaller component pieces due to significant IT cutbacks and increased market pressures that caused them to concentrate on the short-term performance of the core business and limit discretionary spending. However, despite the economic downturn of 2001, CRM did continue to grow—not as quickly as seen the year before—but it did grow. Many leading analysts have indicated that CRM spending rose in 2001 40 to 50 percent above the spending year 2000 and that it will continue to grow in 2002 and beyond as companies focus on data mining/analytics, self service, e-commerce, etc. An economic shift occurred in CRM spending in 2001 as decision-makers reacted to the economic down turn. CRM sponsors and decision-makers must now justify their actions at higher levels within their organization, and they must act with greater certainty, which has stopped CRM spending in a speculative fashion. The driver of many CRM projects today is cost reduction, as opposed to the more speculative, revenue growth. The ISACA survey supports these conclusions. Approximately 55 percent of the organizations surveyed indicated that they have recently implemented or are in the process of implementing CRM solutions. For those organizations that did go ahead with their CRM projects, 28 percent indicated that they conducted CRM strategy, vision and business case projects to help them define CRM and understand how it fits into their organization. The second most popular type of projects, with 20 percent of the responses, are data management projects. Through these projects, organizations sought to better manage their CRM data and drive out costs associated with managing their data. Typically these projects consisted of data warehousing, data analytics and data mining projects. It is not surprising that data management rated as a popular type of project, given what has been happening in the field of CRM. Many

2002 Information Systems Audit and Control Foundation

Page 2

Customer Relationship Management: A Pulse on the Community

organizations are just beginning to implement CRM solutions to drive out operating costs. And, usually, the starting point for many of these initiatives is to glean consolidated comprehensive, accurate customer data that can help them to perform more effective analytics and make better decisions. Once aggregated, this data can help organizations better understand and proactively manage customer information and relationships, which can help maximize the lifetime value of their customers and drive out operating costs. Channel development and integration projects accounted for 11 percent of the survey responses. Channel development and integration is a significant challenge for many organizations as they strive to provide consistent sales, service and marketing information across the multiple channels within their organization, e.g., telephony, face-to-face, Internet and kiosks. Many organizations are struggling with integrating their Internet and self-service channels with their traditional brickand-mortar channels, such as face-to-face and telephony. Additionally, multiple channels are difficult and costly to maintain. Therefore, many organizations are conducting projects to integrate their existing channels, develop new emerging channels (e.g., develop a web presence if none existed) and provide consistency and uniformity across all channels as shown in figure 1. Figure 1

Traditional Channel

Work, home, mobile call centers

Data-enabled mobile phones

Future channel

Videophone WAP

Traditional salesmen

Paper

E-mail

Portals

The Customer

E-mail shop front web page

Tele-text Freestanding kiosk

Interactive TV

Internet capable consoles

Set top boxes

Overwhelmingly, call center improvements were the primary goal for many of the organizations surveyed. Fifty-two percent aimed to make improvements in customer service support, fully automate their operations, improve out-bound or in-bound call center operations or better manage their call center. Other reasons included increasing the effectiveness of the direct sales force (15percent), supporting business-to-business activities (15 percent) and supporting business-toconsumer activities (14 percent), as illustrated in figure 2.

2002 Information Systems Audit and Control Foundation

Page 3

Customer Relationship Management: A Pulse on the Community

Figure 2

Objectives for Using CRM Applications

Full automated operation (i.e., no CRM involvement, "lights out") 3% Other 4%

`

Out-bound call center operations 5% In-bound call center operations 9%

Call center management 13%

To increase the effectiveness of direct sales force 15%

In support of business-tobusiness activities 15%

In support of business-toconsumer activities 14%

Source: ISACA Surveys

Customer service support 22%

Definition of CRM Risks An overwhelming 91 percent of the respondents indicated that risk management is either a very important (55 percent) or moderately important (36 percent) aspect to their CRM projects. Why is it so important? Look at some of the impacts that a CRM initiative may have on an organization: • Increased expectations from senior management to increase revenues, reduce costs, increase market share and increase business flexibility may put tremendous pressure on the organization and may potentially compromise the internal control structure • Increased complexity of managing multiple channels, technologies, customer relationships and customer definitions • Vital and confidential customer information may be transmitted and shared across new networks, systems and platforms • Significant changes to the organization, attitudes and beliefs, placing heavy reliance on the organization’s employees for the successful adoption of the solution These factors introduce many risks to the organization, for instance, the potential disruption of vital operations; violations to customer privacy and confidentiality; ineffective, inconsistent or inefficient processes; lack of internal business controls; poor customer service; incorrectly targeted sales and marketing efforts, nonacceptance of new systems and processes; and security breaches. However, since CRM is still an evolving area and the type of CRM projects can vary so vastly between organizations (e.g., data mining, sales force automation, web-enabling sales, call center consolidation), there are many different definitions of CRM risks. When survey respondents were asked their definition of CRM risks, the definitions ranged from customer dissatisfaction, data corruption, privacy, legal, loss of competitive advantage and business benefits as listed in figure 3.

2002 Information Systems Audit and Control Foundation

Page 4

Customer Relationship Management: A Pulse on the Community

Figure 3 Definition of Risks Impacting a CRM Solution Customer dissatisfaction/loss of customers (27 percent) • “CRM risks can be very simply defined to be the risk of losing customers to competitors’ better business practices and strategies and the consequent loss of customer satisfaction and relationship continuance.” • “Inadequate understanding of CRM and wrong system implementation will cause customer dissatisfaction.” Data integrity is compromised/security (15 percent) • “Customer data is mismanaged or misused in a way that corrupts data or erodes customer satisfaction or opinion.” • “CRM risks are those that damage customers privacy and confidentiality.” Inability to meet objectives/ benefits not realized (13 percent) • “The main risk that the implementation of the CRM may cause is the high expectation generated by the potential tool versus the actual possibility of attaining functionality.” • “The implemented solution does not meet the expectation and organization objectives.” Risks to the business in general (13 percent) • “CRM risks are risks to the business (especially in sales, service and marketing areas) in terms of financial risk, operational risk, commercial risk and profitability risk, arising from failure to adopt the right processes and technologies.” • “CRM risks amount to the overall operational impact that the new CRM system will bring about to the entire organization.” Events and circumstances that could effect the implementation (12 percent) • “Any event, action or circumstance that inhibits the achievement of the business objectives related to the customer and his interactions with the business.” • “CRM risks are events or circumstances hindering the successful and/or timely completion of the CRM project.” Loss of competitive advantage (6 percent) • “CRM risks are risks emanating from customer service and competitive advantage of the overall goal of the organization.” • “The biggest CRM risk is the loss of competitive advantage.” Legal considerations (4 percent) • “CRM risks of an engagement could result in legal problems.” • “With CRM, the organization runs the risk of negative profile/impaired credibility leading to public criticism and erosion of statutory role.” Lack of controls (4 percent) • “The risk involves the ability to identify any control weaknesses.” • “The risk of reintroducing or not controlling traditional, manual-based controls for lack of incorporating appropriate controls or mitigating the risk in redefined or automated CRM processes.” Negative impact on business reputation (2 percent) • “These are risks that affect the reputation of the bank such as fraud or rumors from customers that can cause a run on the bank.” • “One risk is the negative impact on revenue and organization image.” Loss of market share (2 percent) • “It is the risk that poor customer service will result in loss of market share.” • “CRM risk is not knowing exactly the expectation levels of customers and ultimately losing market share.” Acceptance of CRM within the organization (2 percent) • “The risk here is the inability of the organizational structure to support the CRM system." • “Acceptance of the system and added value to the business are key CRM risks.”

But regardless of the definition used to describe CRM risks, one thing is apparent: risk management is considered an important aspect of the success of CRM projects.

Determining Risk Tolerances Now that risk management has been established as important to organizations, which risks should be tolerated? The methods and approaches to determining the organizations’ tolerance to CRM risks are as varied as the organizations themselves. When asked how they determine their risk tolerances, 32 percent of organizations indicated informal methods such as arbitrarily assigning risks a high, medium or low rating based on common sense or their intuition. Surprisingly, 22 percent of the organizations did not determine or calculate their risk tolerance. And on the other 2002 Information Systems Audit and Control Foundation

Page 5

Customer Relationship Management: A Pulse on the Community

side of the spectrum, 14 percent of the organizations use statistical analysis methods. The statistical analysis methods also varied significantly, but some of the more common methods include: • Ratio of potential losses to the potential plus actual sales revenues generated • Grade of impact multiplied by the number of times of one action • Risks multiplied by the costs to prevent the risks • Cost of total risks divided by the total revenue • Probability multiplied by impact by timescale to equal risk priority • Multiplying a factor of the probability of the risk happening and the qualitative estimate of the damage it will cause • Proper weighting of the qualitative impact that risks will create for the organization Other methods for determining risk tolerances include determining the maximum acceptable financial risk, scenario analysis, customer responses/feedback and benchmarking. Those organizations that had determined their risk tolerance were asked to identify the risks that would have the most significant impact on their organization. Most survey respondents indicated traditional risk areas such as security, trust, privacy and internal controls as illustrated in figure 4. Figure 4 Fig B-16: Organization's Ri sk Tolerance: Ri sks That Would Have a Potential Major Impact on the Organization Channel conflicts (i.e. Improper integration w eb, telephony) 4% w ithin CRM solution 4%

Inability to capture online customer pre/post buy traffic and statistics Other 4% 1%

Overspending or fraudulent telecom services 4%

Fraudulent or unauthorized transactions 12%

Improperly defined roles and responsibilities 6%

Negative publicity caused by security breaches 11% Interruption in servic e due to inadequate Project overruns business continuity, And scope creep. resilience practices 7% 9%

Source: ISACA Surveys

Inaccurate w eb site content, i.e., products and pricing 7% Customer data obsolescence 7%

Exposure of confidential information (i.e., pricing, customer lists) 14%

Noncompliance w ith data protection and privacy practic es 10%

As shown, clearly data confidentiality, privacy, security, and trust ranked high with 47 percent of the responses, and data management and integration risks with 26 percent of the responses.

Challenges Facing CRM Projects In addition to the risks noted previously, CRM projects also face a multitude of challenges that make their implementation difficult. For instance, because these projects impact areas that are

2002 Information Systems Audit and Control Foundation

Page 6

Customer Relationship Management: A Pulse on the Community

very visible to customers (e.g., customer service, sales and marketing), problems or errors will be very visible to the client. After all, just as e-business is about letting customers into the organization, the CRM solution should not be about letting bad practices out. Another key area is integration, CRM projects include significant challenges as people, technologies, channels, processes, data, and applications must be integrated for the solution to operate effectively. According to the ISACA survey, the following were the most significant challenges facing the CRM projects conducted at the respondent organizations: • Participation of different departments (12.91 percent); • Integrating multiple data sources (9.73 percent); • Integration of multiple technologies (8.27 percent); • Securing internal resources (8.18 percent); • Managing customer data integrity and obsolescence (6.82 percent); • Integration with back-office applications (6.73 percent); • Understanding and deploying new technologies (6.27 percent); • Measuring and managing customer satisfaction (6.09 percent); • Changes in sales, marketing, and customer service programs and strategies (6 percent); • Staff recruitment, training, and retention (5.45 percent); • Realizing expected benefits within acceptable timeframes (5.09 percent); • Executive sponsorship (4.45 percent); • Large complex multi-national scope (4.18 percent); • Leveraging cross-selling opportunities (3.36 percent); • Managing external partners/vendors (2.91 percent); • Integration of in-bound and out-bound operations (2.27 percent); and • Other (1.29 percent).

The Role of Risk Management on CRM Projects Now that risk management has been established as an important aspect of CRM projects and that CRM projects are facing significant challenges, what is risk management’s role in the project? Again, the responses varied significantly, but most respondents indicated that early involvement is critical to proactively controlling risks. Instead of auditing risks on the back-end, most respondents indicated it is better to provide proactive risk management involvement at critical stages of the CRM project. Roles varied from initial objective setting to point-in-time control audits, to continuous controls consulting during the project as illustrated in figure 5.

2002 Information Systems Audit and Control Foundation

Page 7

Customer Relationship Management: A Pulse on the Community

Figure 5 Role of Risk Management

Percent of Responses

Provides risk management policies, frameworks and methodologies to project

8.17 percent

Evaluates the key risks and develops key control objectives for mitigating the risks

7.57 percent

Increase risk management awareness by working with the project team members

7.14 percent

Implements a structured risk management approach and methodology

6.96 percent

Establishes standards and protocols for identifying, assessing and managing CRM risks

6.71 percent

Coordinates with other resources to identify the key risks, then analyzes, tracks and addresses risks based on pre-established criteria

5.85 percent

Designs ongoing procedures for monitoring and managing CRM risks

5.59 percent

Reports to the steering committee on risk management

5.42 percent

Primary advocate for risk management at strategic and operational levels of the project

5.42 percent

Works with project leads to design and implement controls

5.33 percent

Performs post-implementation review of major CRM projects/releases

5.33 percent

Tests the effectiveness of controls to ensure that they have been implemented properly and to identify any control weaknesses

5.33 percent

Performs pre-implementation review of major CRM projects/releases

5.16 percent

Provides assurance that risk management policy and strategy is effective in achieving CRM objectives

4.90 percent

Solicits input from the project team members and steering committee to determine risk tolerances

4.90 percent

Continues to evaluate CRM processes, applications and technologies and recommends enhancements to support the control environment

4.64 percent

Coordinates with project leads and operating organizations to design and implement action plans for achieving control objectives

4.47 percent

Other

1.11 percent

Conclusion

To learn more about CRM and its key components, CRM risk management methodologies and CRM risks and controls, look for the full research results which will be published jointly in 2002 by ISACA and PricewaterhouseCoopers LLP in the book: Customer Relationship Management: Security, Audit and Control Features. The book contains an overview of CRM, provides a CRM risk management methodology, explores CRM risk areas and provides a comprehensive audit work program to address the key risks. Some of the content areas include: sales processes, marketing processes, customer contact center operations, field service operations, CRM infrastructure, data warehousing/data management, Integration and EAI, channel management, telephony and telecommunications, security, project management and benefits realization. Information Systems Audit and Control Foundation 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008, USA Phone +1.847.253.1545 Fax: +1.847.253.1443 E-mail: [email protected] Web site: www.isaca.org

2002 Information Systems Audit and Control Foundation

Page 8