Proper identification and management of risks is one of the critical factors of success and sustainability of any company’s operations in the market. Due to the enhanced development of electronic processing systems and their active implementation in recording and transferring of financial data, information security risk has become one of the primary exposures that companies most often face. Still, senior management of small firms and even large corporations is rather reluctant when it comes to increasing actual investments in information technologies and related expense amounts in their plans and budgets.
The paper provides thorough analysis of views and conclusions provided in the article of James Waegelein “The Influence of Long-term Performance Plans on Information Technology Expenditures” that was published in 2014 in the Journal of Applied Financial Research online. There are several shortfalls of the theory discussed along with a range of strong points. Also, it contains a description of a background theory on the analyzed matters along with several real world examples of current incentive plans implemented by large corporations to motivate their management staff. Finally, the work includes conclusions and recommendations for further possible research and models to be conducted in the field of managing IT security and proposed proper motivation programs for managers.
Theoretical Matters Addressed In The Essay
In his article Waegelein analyzes such issues as information technology (or security) risk and long-term incentive plans of management. So, a better understanding of these terms is important for further discussion of the author’s views and critical evaluation of them. For this reason some related theories are provided in this part.
Information Technology Risk
The definition of information technology risk varies across sources but in general can be summarized as follows: it is the possibility of facing unexpected losses due to shortfalls in the technologies implemented by an organization for data processing, monitoring and reporting. It can be noted that the statement does not restrict the risk only to operations with financial data, as could be expected. Although high-tech companies are supposed to be much more sensitive to losing non-financial data, other types of businesses can also suffer from problems with databases and innovative developments stored electronically.
There are basically two types of risk factors affecting information security of a company: internal and external. Internal or operational risk arises from manual data processing. It most often occurs in the financial or accounting departments of firms that do not provide sufficient funds and do not make enough efforts for implementation of accounting software. Practice shows that it is virtually impossible to avoid typing mistakes and unprofessional errors when all or significant part of accounting and reporting processes are conducted manually. Besides, reliance on personal input might cause delays in recording and reconciling collected data due to high volumes in some periods or absence of certain employees because of sick leave or vacation. Also, the risk is enhanced by the possibility of assigning not qualified enough staff with selected tasks that would cause improper reporting outcomes. All these factors lead to the risk of obtaining late and incorrect financial data at the end of the year (or another period of time) when important managerial and investors’ decisions have to be made.
The second type of risk comes from external factors. A low level of security can leave a company’s information system vulnerable to hacker attacks and viruses. Hacker attacks seriously harm an organization’s competitiveness, as attackers might obtain technological innovations or important internal financial data and make them available to competing firms or even the general public. Viruses are also very costly for harmed entities, as they usually have to spend significant time and money on reinstallation of the software used and reconstruction of data that might have been lost. Along with spoiling financial results in the current period due to additional costs for system restoration, viruses also deteriorate the competitive position of an entity, as the company spends additional financial resources on reconstruction of past data instead of investing in new projects that could bring money in the future.
In order to manage the information security risk, a company has to invest in hardware, software and people. Hardware investment assumes acquiring the necessary technological equipment to process and safely store electronic data. Usage of such equipment (computers, servers, transmission lines, etc.) should be supplemented by installation and debugging of appropriate software. Moreover, a company needs to invest in modern accounting and financial data processing programs that can significantly facilitate operations of the accounting department and shorten the time required for everyday recording and end-of-period closing procedures. Still, even the existence of the best software and equipment does not ensure effective processing of financial information. As the third step, a company has to invest time and money into relevant training of professional employees and development and implementation of information security policies. Adequately installed and implemented financial data processing software and information security policies provide organizations of any type and size with strong benefits of time saving and visibility of progress in completion of the accounting (and possibly other) processes, making them easier for managers to monitor and lowering the opportunity for losses due to unprofessional or delayed actions of employees. Besides, strict policies act as a tool for preventing unintentional or intentional fraud related to processing and storage of information, while modern software and relevant training lessen the probability of serious harm caused by hacker attacks and viruses.
Incentive Plans of Management
Most companies establish certain incentive programs to motivate senior and other managing staff. Such additional motivation is necessary due to the conflict of interests between management and investors (owners) of an organization, as managers are insiders and could commit fraudulent actions to increase their personal wealth. In order to direct managers towards making decisions and allocating an entity’s resources in the way preferred by investors, owners create short- and long-term incentive plans. Besides, such plans also help to attract highly professional staff and keep them interested in current employment for longer periods.
Short-term incentive plans became increasingly popular at the beginning of the 21st century. The easiest way of short-term motivation is assigning certain end-of-period cash bonuses depending on the level of a company’s (or a department’s) performance during a year or a quarter. Along with the development of financial markets, owners started wide implementation of stock options. This tool assumes that a manager is granted the right to buy a certain number of a company’s shares at a pre-specified price in case of achieving defined results by the end of a financial year. Such a condition in the employment agreement in fact motivates managers to work harder to receive the bonus, as money inflows in closer periods are generally valued more than when deferred in time. However, it also provides an incentive to alter financial results for the current period to obtain higher personal wealth due to temporarily increased share quotes in the market after publication of strong financial statements. So, as short-term incentive plans generally cover a one-year period, they do not eliminate the conflict of interests between managers speculating on current share prices and owners of the company who intend to keep their shares for a much longer time period.
Long-term incentive policies are designed for a period of three to five years or in some rare cases can cover an even longer time. They propose collection of management bonuses in the form of money, shares, or additional social benefits if the company maintains defined financial performance for a long period of time. In most cases, such plans include non-market performance criteria (i.e., not related to the quotes of the company’s shares on a stock exchange), which might include return on assets, basic earnings per share, return on equity capital, profit margin, and others. Such plans are supposed to provide a lower level of motivation for employees interested in short-term benefits and increase of personal wealth, as well as for those who doubt the stability of the firm and the economy. But they act as a strong incentive tool for managers with a longer-period attitude working in stable companies and developed countries, as proposed bonuses are usually higher than those under short-term incentive plans. Moreover, long-term programs significantly decrease the conflict of interests between managers and owners, restricting them with similar time frames and setting similar goals to be attained.
In practice, most large companies use a combination of short- and long-term incentive plans. For instance, the Coca-Cola Company employs short-term stock-based compensation combined with long-term performance strategy. Managers are compensated based on achievement of compound growth in the company’s economic profit for a period of selected four years. The long-term compensation is composed of 50 % stock options to be granted after a four-year period and 50 % “performance share units” that are fully accrued and paid at the end of the fourth year of the period (The Coca-Cola Company). Very similar programs are established by PepsiCo, Inc., Unilever Group, Next, Inc. and a range of other corporations.
Overview of the Article and Position of the Author
Interrelation of information technology risk and management incentive plans is examined by the research paper of James Waegelein which represents a logical continuation of previous publications that are also reviewed in his article. It is obvious that the level of information security exposure directly depends on the amount of investment in information technology sphere budgeted and actually conducted by managers. The author states that managers that are compensated based on long-term incentive plans more readily invest in information technologies.
Previous research summarized in the article includes beliefs of the author that the market demonstrates a positive reaction to new issues of shares when a company has long-term compensation plans. Also, existing long-term programs lead to a higher improvement of market attitudes and, consequently, of the quotes of stocks than a sequence of short-term plans. Waegelein notes that short-term plans might have an adverse effect on motivation, as managers intend to “manipulate” the relevant accounting data and policy judgments in order to obtain higher current results even at the expense of deteriorated future periods’ performance.
The article contains a model testing two hypotheses:
- 1) The existence of a long-term incentive plan has a positive correlation with investment in information technologies as related to a company’s sales volume;
- 2) The percentage of long-term plans based on the total amount of managers’ compensation is also positively related to the investment in information technologies.
The constructed model supports both theories as it has initially been projected by Waegelein. The author constructs the ordinary least squares equation based on the data of 175 US-based companies and finds that both existence of a plan and percentage of long-term based compensation are positively related with the amount of investment in information technologies. Moreover, additional variables included in the model allowed concluding that larger companies and high-tech firms are expected to spend more money on information technologies.
Findings of Waegelein are also supported by the fact that a wide range of managers is hired for a rather short period of up to several years. So, without a long-term incentive plan covering a significant portion of their employment contract, they are motivated only to demonstrate short-term results. This makes it quite clear that managers reduce investments in non-profitable projects or ventures with a longer expected time of pay off. As investment in information technologies often has a deferred period of realizing benefits from it, or might even provide no cash inflows or obvious cost savings except for being on the safe side from hacker attacks and viruses, this direction of investment is often neglected by temporarily assigned managers and those motivated by short-term programs.
The model constructed by Waegelein does not take into consideration factors other than compensation plans that could motivate managers to invest in information technologies and reduce related information security exposure. Senter and Frantz enumerate a list of problems that might occur due to improper or insufficient information systems implemented in a firm. Such challenges include “redundant activities” and “unnecessary data checking” among others. Experts and professional managers would clearly understand that investing in information technologies costs less for a company than losing enormous amount of time on manual processing of the data (coupled with paying additional wages for this time or even higher overtime rates to employees of accounting department) and spending more money on lengthy and complicated internal and external verification of the information before publishing the end results (e.g., external auditors would require much higher fees if approval of the data requires more time to be spent by their professional staff).
Another important shortfall of the analyzed theory is that purchase of information technologies does not ensure their effective implementation. Managers and employees are often reluctant to arrange specific time for training on the new technologies. So, if acquired hardware or software does not enhance security just as it is purchased, there could still remain problems with the information risk even with extensive investments conducted at the top level. This notion is especially true when one analyzes the situation with information systems in governmental bodies. Although such organizations usually have sufficient financing that could be easily directed to purchasing information technologies, most of their employees prefer manual entering and processing of almost all of the data (Miri). Besides, as was noted by Senter and Frantz, a lot of companies lack knowledge of the existing technological developments and data processing and storing systems, which might lead to a purchase of inappropriate technology that would be useless or would provide much lower benefits for a company than other modern alternatives requiring the same amount of investment. However, even with a sufficient level of acquaintance with modern technologies and intention to invest, not all companies can find the right choice because of the complexity (e.g., multinational corporations) or specifics (e.g., non-profit organizations funded by various grantors with differing reporting and processing requirements) of their business.
Also, Waegelein does not consider the ability of a company to invest in information technologies or any other project. It might happen that even conscious managers willing to improve the level of information security do not have any excess funds to buy appropriate hardware or software and train employees. Another case occurs when a company has to choose between several long-term projects that are all mutually exclusive and do not necessarily bring positive cash inflows. Investing in research and development could be an alternative to acquiring information technologies for the accounting department, preferred not only by managers but also by the owners of an entity. The choice between such projects will definitely not depend on the type of incentive plan and compensation obtained by managers.
Finally, the article omits the fact that in practice a lot of companies discuss their annual budgets on general meetings with owners and even receive their approval. So, owners are often affecting the amounts of expenditures processed by managers during a year. Therefore, the amount of investment in information technologies clearly depends not only on the managers’ will and their motivation but also on the shareholders’ preferences.
Conclusions and Further Research
To sum up, research of Waegelein stays in line with current practice of most corporations where owners shift from short-term to long-term incentive plans of management compensation. Still, the logic behind the author’s statement that long-term incentive plans ensure higher investment in information technologies can be easily criticized from different points of view. In general, one needs to make too many assumptions to simplify the problem in accordance with the proposed model. Although Waegelein defines a long-term incentive plan as non-dependent on the market quotes of a company, practice shows that most corporations combine money unit and stock option compensation in such programs for their management. Besides, the choice of performance targets could also incorporate purely accounting outcomes (e.g., profit margin) along with market-related goals (e.g., price to earnings ratio). Also, one needs to take for granted that a company has funds available for investing in any type of projects and that there are no existing sufficient information security systems so that a corporation does not require any investments at the moment.
Further research on the issue could be done by extending the model to incorporate other incentives than compensation that managers have to acquire information technologies, decisions conducted on the annual general meetings by shareholders in respect to such investments which directly influence further actions of the managers, necessity of such investment and ability of an entity to find funds for it. Moreover, it would be useful to include employment patterns of the management staff as temporarily employed or constantly rotated managers have to definitely be motivated in other ways than long-term employed staff in order to seriously consider the risk of information security and need to invest in related technologies.
In general, I would suggest motivating only top level and long-term employed managers to invest in information technologies for a number of reasons.
- First of all, such managers usually already have long-term incentive plans so no changes on the shareholders’ level have to be implemented.
- Second, this level of management is the one that most of all needs to obtain timely annual reports to present them to shareholders.
- Besides, they decide on the cost of checking the data (i.e., choice and amount of fee to be paid to auditors) and are most cautious about processes’ monitoring possibility during a year.
An automated data processing system and a high level of information security would provide the highest benefit for top-level managers, allowing them to cut time and expenses on verification and reconciliation of financial data. And finally, top-level managers have the highest power and enough motivation tools to make managers of lower levels and general employees effectively implement the acquired information technologies and find time for practicing to use them.