Management Information Systems

管理信息系统

Management Information Systems

Background

A management information system (MIS) is a system or process that provides the information necessary to manage an organization effectively. MIS and the information it generates are generally considered essential components of prudent and reasonable business decisions.

The importance of maintaining a consistent approach to the development, use, and review of MIS systems within the institution must be an ongoing concern of both bank management and OCC examiners. MIS should have a clearly defined framework of guidelines, policies or practices, standards, and procedures for the organization. These should be followed throughout the institution in the development, maintenance, and use of all MIS.

MIS is viewed and used at many levels by management. It should be supportive of the institution's longer term strategic goals and objectives. To the other extreme it is also those everyday financial accounting systems that are used to ensure basic control is maintained over financial recordkeeping activities.

Financial accounting systems and subsystems are just one type of institutional MIS. Financial accounting systems are an important functional element or part of the total MIS structure. However, they are more narrowly focused on the internal balancing of an institution's books to the general ledger and other financial accounting subsystems. For example, accrual adjustments, reconciling and correcting entries used to reconcile the financial systems to the general ledger are not always immediately entered into other MIS systems. Accordingly, although MIS and accounting reconcilement totals for related listings and activities should be similar, they may not necessarily balance.

An institution's MIS should be designed to achieve the following goals:

? Enhance communication among employees.

? Deliver complex material throughout the institution.

? Provide an objective system for recording and aggregating information.

? Reduce expenses related to labor-intensive manual activities.

? Support the organization's strategic goals and direction.

Because MIS supplies decision makers with facts, it supports and enhances the overall decision making process. MIS also enhances job performance throughout an institution. At the most senior levels, it provides the data and information to help the board and management make strategic decisions. At other levels, MIS provides the means through which the institution's activities are monitored and information is distributed to management, employees, and customers.

Effective MIS should ensure the appropriate presentation formats and time frames required by operations and senior management are met. MIS can be maintained and developed by either manual or automated systems or a combination of both. It should always be sufficient to meet an institution's unique business goals and objectives. The effective deliveries of an institution's products and services are supported by the MIS. These systems should be accessible and useable at all appropriate levels of the organization.

管理信息系统

MIS is a critical component of the institution's overall risk management strategy. MIS supports management's ability to perform such reviews. MIS should be used to recognize, monitor, measure, limit, and manage risks. Risk management involves four main elements:

? Policies or practices.

? Operational processes.

? Staff and management.

? Feedback devices.

Frequently, operational processes and feedback devices are intertwined and cannot easily be viewed separately. The most efficient and useable MIS should be both operational and informational. As such, management can use MIS to measure performance, manage resources, and help an institution comply with regulatory requirements. One example of this would be the managing and reporting of loans to insiders. MIS can also be used by management to provide feedback on the effectiveness of risk controls. Controls are developed to support the proper management of risk through the institution's policies or practices, operational processes, and the assignment of duties and responsibilities to staff and managers.

Technology advances have increased both the availability and volume of information management and the directors have available for both planning and decision making. Correspondingly, technology also increases the potential for inaccurate reporting and flawed decision making. Because data can be extracted from many financial and transaction systems, appropriate control procedures must be set up to ensure that information is correct and relevant. In addition, since MIS often originates from multiple equipment platforms including mainframes, minicomputers, and microcomputers, controls must ensure that systems on smaller computers have processing controls that are as well defined and as effective as those commonly found on the traditionally larger mainframe systems.

All institutions must set up a framework of sound fundamental principles that identify risk, establish controls, and provide for effective MIS review and monitoring systems throughout the organization. Commonly, an organization may choose to establish and express these sound principles in writing. The OCC fully endorses and supports placing these principles in writing to enhance effective communications throughout the institution. If however, management follows sound fundamental principles and governs the risk in the MIS Review area, a written policy is not required by the OCC. If sound principles are not effectively practiced, the OCC may require management to establish written MIS policies to formally communicate risk parameters and controls in this area.

Sound fundamental principles for MIS review include proper internal controls, operating procedures and safeguards, and audit coverage. These principles are explained throughout this booklet.

Risks Associated With MIS

Risk reflects the potential, the likelihood, or the expectation of events that could adversely affect earnings or capital. Management uses MIS to help in the assessment of risk within an institution. Management decisions based upon ineffective, inaccurate, or incomplete MIS may increase risk in a number of areas such as credit quality, liquidity, market/ pricing, interest rate, or foreign currency. A flawed MIS causes operational risks and can adversely affect an organization's

管理信息系统

monitoring of its fiduciary, consumer, fair lending, Bank Secrecy Act, or other compliance-related activities.

Since management requires information to assess and monitor performance at all levels of the organization, MIS risk can extend to all levels of the operations. Additionally, poorly programmed or non-secure systems in which data can be manipulated and/ or systems requiring ongoing repairs can easily disrupt routine work flow and can lead to incorrect decisions or impaired planning.

Assessing Vulnerability To MIS Risk

To function effectively as an interacting, interrelated, and interdependent feedback tool for management and staff, MIS must be "useable." The five elements of a useable MIS system are: timeliness, accuracy, consistency, completeness, and relevance. The usefulness of MIS is hindered whenever one or more of these elements is compromised.

Timeliness

To simplify prompt decision making, an institution's MIS should be capable of providing and distributing current information to appropriate users. Information systems should be designed to expedite reporting of information. The system should be able to quickly collect and edit data, summarize results, and be able to adjust and correct errors promptly.

Accuracy

A sound system of automated and manual internal controls must exist throughout all information systems processing activities. Information should receive appropriate editing, balancing, and internal control checks. A comprehensive internal and external audit program should be employed to ensure the adequacy of internal controls.

Consistency

To be reliable, data should be processed and compiled consistently and uniformly. Variations in how data is collected and reported can distort information and trend analysis. In addition, because data collection and reporting processes will change over time, management must establish sound procedures to allow for systems changes. These procedures should be well defined and documented, clearly communicated to appropriate employees, and should include an effective monitoring system.

Completeness

Decision makers need complete and pertinent information in a summarized form. Reports should be designed to eliminate clutter and voluminous detail, thereby avoiding "information overload."

Relevance

Information provided to management must be relevant. Information that is inappropriate, unnecessary, or too detailed for effective decision making has no value. MIS must be appropriate to support the management level using it. The relevance and level of detail provided through MIS systems directly correlate to what is needed by the board of directors, executive management, departmental or area mid-level managers, etc. in the performance of their jobs.

管理信息系统

Achieving Sound MIS

The development of sound MIS is the result of the development and enforcement of a culture of system ownership. An "owner" is a system user who knows current customer and constituent needs and also has budget authority to fund new projects. Building "ownership" promotes pride in institution processes and helps ensure accountability.

Although MIS does not necessarily reduce expenses, the development of meaningful systems, and their proper use, will lessen the probability that erroneous decisions will be made because of inaccurate or untimely information. Erroneous decisions invariably misallocate and/ or waste resources. This may result in an adverse impact on earnings and/ or capital.

MIS which meets the five elements of useability is a critical ingredient to an institution's short- and long-range planning efforts. To achieve sound MIS, the organization's planning process should include consideration of MIS needs at both the tactical and strategic levels. For example, at a tactical level MIS systems and report output should support the annual operating plan and budgetary processes. They should also be used in support of the long term strategic MIS and business planning initiatives. Without the development of an effective MIS, it is more difficult for management to measure and monitor the success of new initiatives and the progress of ongoing projects. Two common examples of this would be the management of mergers and acquisitions or the continuing development and the introduction of new products and services.

Management needs to ensure that MIS systems are developed according to a sound methodology that encompasses the following phases:

? Appropriate analysis of system alternatives, approval points as the system is developed or acquired, and task organization.

? Program development and negotiation of contracts with equipment and software vendors.

? Development of user instructions, training, and testing of the system.

? Installation and maintenance of the system.

Management should also consider use of "project management techniques" to monitor progress as the MIS system is being developed. Internal controls must be woven into the processes and periodically reviewed by auditors.

Management also should ensure that managers and staff receive initial and ongoing training in MIS. In addition, user manuals should be available and provide the following information:

? A brief description of the application or system.

? Input instructions, including collection points and times to send updated information. ? Balancing and reconciliation procedures.

? A complete listing of output reports, including samples.

Depending on the size and complexity of its MIS system, an institution may need to use different manuals for different users such as first-level users, unit managers, and programmers.

MIS Reviews

By its very nature, management information is designed to meet the unique needs of individual institutions. As a result, MIS requirements will vary depending on the size and

管理信息系统

complexity of the operations. For example, systems suitable for community sized institutions will not necessarily be adequate for larger institutions. However, basic information needs or requirements are similar in all financial institutions regardless of size. The complexity of the operations and/ or activities, together with institution size, point to the need for MIS of varying degrees of complexity to support the decision-making processes. Examiners should base MIS reviews on an evaluation of whether the system(s) provide management and directors with the information necessary to guide operations, support timely decision making, and help management monitor progress toward reaching institutional goals and objectives. Although examiners should encourage management to develop sound information systems, they also should be reasonable in their expectations about what constitutes suitable MIS.

Examiner MIS reviews are normally focused on a specific area of activity, on a clearly identifiable departmental or functional basis, or as a part of the activity being examined within a larger department.

During the examination, the MIS review should occur at both a macro (big picture) level and also at the micro (functional/ product oriented view of the business) level. The examiner-in-charge of the MIS-review program should look at the useability and effectiveness of the corporate-wide MIS structure. The examiner should also collect MIS related observations and information from the examiners-in-charge of the other areas under review. It would be very difficult for one examiner to attempt to perform a detailed MIS review for all of an organization's functional and operational areas of activity. It is practical and reasonable, however, to have this lead examiner coordinate and consolidate the MIS reviews from the other examination areas. The MIS related feedback received from other area examiners provides important and practical input to the MIS review examiner. The consolidation, coordination, and analysis of this MIS feedback can be used to reach supportable macro- level conclusions and recommendations for corporate-wide MIS activities.

MIS reviews in the functional or product review areas generally should be performed by an examiner who is considered to be a subject matter expert (SME) in the area of activities or operations that are being supported by the MIS systems or processes under review. The SME must have a thorough and complete understanding of the baseline "business" supported by the MIS system(s) under review. A solid understanding of the business is fundamental to the completion of a meaningful MIS review. The decision regarding the overall quality and effectiveness of MIS generally should be made by the SME for the area under review. The SME for each area where MIS is under review must subsequently communicate MIS related findings, conclusions, and opinions to the examiner charged with the responsibility for the complete MIS review work program at that examination. This is clearly a collaborative effort among area SMEs and the examiner charged with the responsibility for this area of review.

The examiner coordinating the overall MIS review program should be a commercial examiner with broad experience and understanding which covers many areas of organizational operations and activity. Alternatively, a bank information systems (BIS) examiner could serve in this capacity. BIS examiners should be consulted whenever there are questions, issues, or concerns surrounding the use of information systems (IS) or electronic data processing (EDP) technology or the effectiveness of MIS-related internal controls in any automated area of the organization's activities.

When performing MIS reviews, examiners should use the guidelines in this booklet to